Security is more than making sure your auditors are happy. It's more about juggling operational effectiveness and security as well as checking the boxes on a compliance checklist. It isn't a new problem, but compliance for the sake of compliance still seems to be a major theme in some quarters. One of the things I like about HIPAA, in addition to its comprehensive approach to security, is the assertion that its standards and guidelines are to be implemented in a way that is reasonable and appropriate for each organization.
Source: https://www.csoonline.com/article/2137186/use-compliance-requirements-as-a-guide–not-a-strategy.html

