Abstract “Beyond Good Practice: Why HIPAA only addresses part of the data security problem” presents special papers illustrating the complexities of deploying good data security practices for the protection of computerized information assets in the contemporary healthcare environment. From the perspective of the data security rules, HIPAA implements a broad approach based on standard industry good practice in information assurance. While healthcare organizations find implementing “good industry practice” difficult enough to accomplish, other issues such as the safe patching of security vulnerabilities in the software of biomedical devices, safely sharing information across enterprise boundaries, organizing information security programs in competition with other organizational missions, and managing risk in networked environments loom large and often unnoticed, especially for networks of hospitals seeking to manage information resources as an enterprise.