Jigar Kadakia's stints as a senior manager at Deloitte, and before that as a consultant at Accenture, gave him a wide, insider's view of information security and privacy issues across healthcare organizations big and small around the country.

It taught him about the nature of security and privacy and where the dangers lurk -- which way the wind is blowing, so to speak.

Today, Kadakia is steering his own ship, helming security operations at one of the premier healthcare systems in the nation -- in a city with more than a few top-notch hospitals. He joined Boston-based Partners HealthCare just a little more than a year ago.

While each healthcare organization is unique, Kadakia finds some tried-and-true principals apply, regardless of the prestige of the organization or its size.

As he sees it, security and privacy have always been about people much more than technology.

"It's always been a people issue," he told Healthcare IT News. "The toughest security problem is getting people to understand. It's the same issue we had five years ago; it's going to be the same issue five years from now."

Apparently, even savvy people don't truly understand they are vulnerable.

"They just think they're not going to get phished, they're not going to get hacked," he said.

It's a critical piece of Kadakia's work -- and that of his 40–45-member team -- to persuade them otherwise. Part of the training Kadakia and his team do is making sure all Partners personnel know they have to read websites and making sure they know what they're clicking.

[Learn more: Meet the speakers at HIMSS and Healthcare IT News Privacy & Security Forum.]

Kadakia's best advice is to provide everyone plenty of education and training on the security and privacy front -- and then some. Education alone is not enough. They also have to be tested on their knowledge to ascertain they know how best to be on the lookout.

Another way to keep the importance of security and privacy top of mind among every member of the organization, he said, is to highlight breaches that have occurred elsewhere.

"Use those as examples of 'here's what happened, and here's how it could happen to us,'" Kadakia suggests. "People can relate to it because it's closer to home, and they can see it, visualize it, so they're more cautious and more proactive in what they do."

Besides relentless training -- or rather in tandem with it -- Kadakia recommends that leadership always be thinking not merely about today or tomorrow, but years ahead.

As he sees it, CISOs and others in leadership need to be thinking at least three years ahead.

"We're going to come up with solutions that are good now," he said, "but are they really addressing an issue three years ahead? So, we need to be thinking three years down the line whether what we do now will still be relevant."

"It is really hard to do," he acknowledges. "But you have think it through from a technology perspective what you want to do and how you're going to do it and what's the impact."

CISOs: Healthcare's new rock stars

Cris Ewell, Seattle Children's Hospital Connie Barrera, Jackson Health System Mitchell Parker, Temple Health System Anahi Santiago, Christiana Care Health System Meredith Phillips, Henry Ford Health System Jigar Kadakia, Partners HealthCare System

CISO and CIOs: Why can't we be friends? Should CISOs have as much power as CIOs?

Infographics: Biggest barriers to better security Greatest areas of improvement in cybersecurity? Top 10 cybersecurity threats of the future