CEO Insights: Security Maturity in Behavioral Health Starts with Visibility, Not Tools

For Thaddeus Dickson, CEO of Xpio Health, security in behavioral health isn’t just about defending against threats. It’s about untangling complexity. As more systems come online, more staff work remotely, and more patient data flows between platforms, organizations are forced to confront a critical question: do we really know who has access to what?

Dickson has seen how digital infrastructure tends to grow in pieces: a new HR platform here, a productivity suite there, layered on top of EHR tools, billing systems, and scheduling software. “A lot of us tend to delegate the cybersecurity of our EHR to our vendors, and I think that does work to an extent,” he says. “But I would remind everyone that ultimately the security of your electronic upgrade system still does fall on your shoulders as a covered entity.”

That distinction matters. Vendors may carry part of the compliance work, but under HIPAA the covered entity remains accountable for protecting its PHI; responsibility is shared, not transferred. Behavioral health organizations, especially those handling PHI across multiple departments and vendors, must own the integrity of their access landscape. And owning it means understanding it.

It’s often in the most routine operational moments, like onboarding, offboarding, and role transitions, that risk quietly builds. A staff member changes departments. A contractor wraps up a short-term engagement. A clinician leaves the organization. These are common occurrences. But unless there’s a structured, consistent process behind them, they can easily lead to oversights: an account that is never disabled, a permission carried over from a previous role. “If your objective after somebody is offboarded is to remove their licenses from all relevant systems,” Dickson notes, “you need to know what systems that person is provisioned into.”

That’s a deceptively simple requirement. In practice, very few organizations maintain a real-time, cross-system inventory of user access. One person might be removed from the EHR but still active in Slack. Another might lose email but retain access to shared drives. Each leftover account is a working credential that nobody is watching. The risk isn’t just technical. It’s reputational, regulatory, and operational.

Dickson stresses the importance of seeing these systems not in isolation, but as parts of a unified landscape. “It’s important to fold that EHR into a global view of your overall IT landscape … so you can ensure there’s fidelity between the users and the roles across platforms,” he says. That word ‘fidelity’ captures something many organizations overlook. It’s not enough to have a list of users. There must be alignment between a person’s role and the access they’re granted, wherever they show up in your environment. That alignment is what builds trust in your systems, and in your ability to manage them.

Achieving that kind of alignment, however, is not realistic if everything runs on spreadsheets and tribal knowledge. As organizations grow, the manual methods break down. “We really are fans of automation, more and more,” Dickson adds, “as we look at how these different user accounts are spread across our organization.” Automation is how organizations shift from reacting to risk to anticipating it. It allows you to define rules. When a user is disabled in the system of record, typically the HR platform or the identity provider, the corresponding deprovisioning happens in every downstream system, automatically. It also leaves an audit trail, something auditors and compliance teams increasingly expect.
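The cross-system inventory, the role fidelity check, and the automated deprovisioning described above all reduce to one reconciliation job: compare each system’s account export against the HR roster and a role baseline. The script below is an added example written for this page, not Xpio Health’s tooling; the roster, system names, groups, and role baseline are constructed sample data, and the “exports” stand in for whatever each platform’s admin API or CSV export actually returns.

```python
"""Cross-system access reconciliation against an HR source of truth.

Constructed example (hypothetical users, systems, and groups): the HR
roster is the authority for who is employed and in what role; each
downstream system exports its own account list. We report accounts that
should not exist (orphans), entitlements beyond the role baseline (drift),
the per-user offboarding checklist, and a deprovisioning plan that an
automation step could execute.
"""

# HR roster: source of truth for employment status and role.
HR_ROSTER = {
    "jdoe":   {"status": "active",     "role": "clinician"},
    "asmith": {"status": "terminated", "role": "clinician"},
    "bchen":  {"status": "active",     "role": "billing"},
    "mlee":   {"status": "active",     "role": "contractor"},
}

# Per-system exports: user -> set of groups/entitlements held there.
SYSTEM_EXPORTS = {
    "ehr":   {"jdoe": {"clinical_notes"}, "asmith": {"clinical_notes"},
              "bchen": {"billing_codes"}},
    "email": {"jdoe": {"mailbox"}, "bchen": {"mailbox"}, "mlee": {"mailbox"}},
    "slack": {"jdoe": {"member"}, "asmith": {"member"}, "bchen": {"member", "admin"}},
    "drive": {"jdoe": {"clinical_share"}, "bchen": {"finance_share", "clinical_share"},
              "ghost": {"clinical_share"}},   # no HR record at all
}

# Role baseline: the most a role should hold in each system.
ROLE_BASELINE = {
    "clinician":  {"ehr": {"clinical_notes"}, "email": {"mailbox"},
                   "slack": {"member"}, "drive": {"clinical_share"}},
    "billing":    {"ehr": {"billing_codes"}, "email": {"mailbox"},
                   "slack": {"member"}, "drive": {"finance_share"}},
    "contractor": {"email": {"mailbox"}, "slack": {"member"}},
}


def find_orphans(hr, exports):
    """Accounts present in a system whose owner is not an active HR record."""
    orphans = []
    for system, accounts in exports.items():
        for user in sorted(accounts):
            record = hr.get(user)
            if record is None:
                orphans.append((system, user, "no HR record"))
            elif record["status"] != "active":
                orphans.append((system, user, record["status"]))
    return orphans


def find_role_drift(hr, exports, baseline):
    """Active users holding entitlements beyond their role's baseline."""
    drift = []
    for system, accounts in exports.items():
        for user in sorted(accounts):
            record = hr.get(user)
            if record is None or record["status"] != "active":
                continue  # reported by find_orphans, not here
            allowed = baseline.get(record["role"], {}).get(system, set())
            excess = accounts[user] - allowed
            if excess:
                drift.append((system, user, record["role"], sorted(excess)))
    return drift


def systems_for_user(exports, user):
    """Every system the user is still provisioned into: the offboarding checklist."""
    return sorted(system for system, accounts in exports.items() if user in accounts)


def plan_deprovisioning(hr, exports, baseline):
    """Turn findings into concrete per-system actions for an automation step."""
    actions = []
    for system, user, _reason in find_orphans(hr, exports):
        actions.append({"system": system, "user": user, "action": "disable_account"})
    for system, user, _role, excess in find_role_drift(hr, exports, baseline):
        actions.append({"system": system, "user": user,
                        "action": "remove_entitlements", "entitlements": excess})
    return actions


if __name__ == "__main__":
    for system, user, reason in find_orphans(HR_ROSTER, SYSTEM_EXPORTS):
        print(f"ORPHAN  {system:6} {user:8} ({reason})")
    for system, user, role, excess in find_role_drift(HR_ROSTER, SYSTEM_EXPORTS, ROLE_BASELINE):
        print(f"DRIFT   {system:6} {user:8} role={role} excess={excess}")
    print("offboarding checklist for asmith:", systems_for_user(SYSTEM_EXPORTS, "asmith"))
    for action in plan_deprovisioning(HR_ROSTER, SYSTEM_EXPORTS, ROLE_BASELINE):
        print("PLAN   ", action)
```

On this sample the terminated clinician still holds EHR and Slack accounts, a shared-drive account has no HR owner at all, and the billing user has accumulated Slack admin and a clinical share outside the billing baseline. Run on a schedule against real exports, the plan output is what an automation step would execute and what an auditor would want to see logged; the baseline is deliberately an upper bound per role, so any entitlement not listed is treated as drift rather than silently tolerated.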

Still, automation on its own can be overwhelming unless it’s grounded in a larger framework. This is where Dickson points organizations toward established frameworks like HIPAA, SOC 2, NIST guidance such as the Cybersecurity Framework, and HITRUST. “They also dashboard it against those various frameworks, which have different rules, policies, and procedures and engineering tests that correlate to those,” he says. These frameworks don’t just check boxes. They help teams translate abstract goals, like improving security posture, into measurable practices that can evolve as the organization does.

What Dickson is ultimately advocating for is maturity. Not the kind that arrives after an incident, but the kind you plan for. The kind that makes it easier to scale, to adjust, and to respond without panic. For behavioral health leaders managing fragmented systems and lean teams, that kind of maturity isn’t a luxury. It’s the baseline.

“Know who has access, know why they have it, and make sure they lose it when they no longer need it,” Dickson says. “Everything else builds on that.”


How is your organization handling user access and security across multiple systems? If you’re looking for ways to automate and strengthen your security strategy, contact Xpio Health. We can help.

#EHR #HealthcareSecurity #BehavioralHealth #PeopleFirst #Compliance #Cybersecurity #XpioHealth