healthsystemCIO.com Podcasts feature interviews and panel discussions with health system IT leaders.
Baptist’s Case Says CISO Role is About Balancing Security Controls & Clinical Workflow Needs
healthsystemCIO.com
28 minutes 54 seconds
3 weeks ago
James Case, VP/CISO, Baptist Health, frames his program around a single theme: balance. Case seeks to harden the enterprise against modern threats while protecting the speed and reliability clinicians require to deliver care. He argues that the test of any control is whether it reduces material risk without creating unnecessary friction at the bedside, in the OR, or across back-office operations.
Identity sits at the center of that balancing act, as credentials have become the preferred path for attackers. He emphasizes automation across the joiner-mover-leaver lifecycle to prevent permission creep and to react instantly when HR records change. “The bad actors are not breaking in as much as they are logging in,” he said.
Case explained that standards are tuned to clinical context rather than imposed uniformly. He pointed to operating suites and other critical areas where default lockouts and session timeouts can undermine safety. He said those settings are adjusted with clinical leaders so authentication never interrupts patient care, yet still records accountability and deters misuse. Case likewise supports risk-based step-ups for higher-sensitivity actions, reserving the strongest checks for activities that create the greatest exposure.
Calibrating MFA, Sessions, and Clinical Context
Multi-factor authentication is treated as a precision instrument. He partners with the CMIO and nursing leadership to map where frequent re-prompts would slow throughput and where stronger verification is warranted. Case measures both attack interception and caregiver experience, using alert volume, prompt frequency, and help-desk trends to recalibrate policies. He summarized the principle: “Security that blocks care is not security.”
Case also ties identity analytics to real-world shifts in duty. He links role changes to automated removals as well as additions so legacy access does not accumulate. He said the organization validates these flows routinely to close gaps created by one-off exceptions, temporary assignments, or vendor on-site work. Case’s team builds dashboards that highlight outliers—accounts with unused elevated rights or unusual access patterns—so remediation becomes a steady operational rhythm.
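The joiner-mover-leaver reconciliation and the "unused elevated rights" outlier check described above, as an added worked example (not code from healthsystemCIO.com or Baptist Health). It assumes a role-to-entitlement policy table; every role, entitlement name, user and date below is constructed for illustration.

```python
"""Reconcile an HR roster against current account entitlements.

Added example: computes what access to add (joiners, movers), what to remove
(movers, leavers) and which elevated rights are dormant, so remediation can be
driven from data rather than one-off tickets. All data is constructed.
"""
from dataclasses import dataclass
from datetime import date, timedelta

# Assumed policy: each HR role maps to a fixed entitlement set.
ROLE_ENTITLEMENTS = {
    "nurse":      {"ehr_clinical", "med_dispense"},
    "pharmacist": {"ehr_clinical", "med_dispense", "pharmacy_admin"},
    "billing":    {"ehr_billing"},
    "it_admin":   {"ehr_clinical", "ad_admin", "server_admin"},
}
# Entitlements whose dormancy should surface on the outlier dashboard.
ELEVATED = {"pharmacy_admin", "ad_admin", "server_admin"}


@dataclass
class HrRecord:
    user: str
    role: str
    status: str  # "active" or "terminated"


@dataclass
class Account:
    user: str
    entitlements: set
    last_used: dict  # entitlement -> date it was last exercised


def reconcile(hr, accounts, today, dormant_days=90):
    """Return (adds, removes, dormant_elevated), each a dict user -> set."""
    hr_by_user = {r.user: r for r in hr}
    known_accounts = {a.user for a in accounts}
    cutoff = today - timedelta(days=dormant_days)
    adds, removes, dormant = {}, {}, {}

    for acct in accounts:
        rec = hr_by_user.get(acct.user)
        # Leaver, or an account HR does not know about: all access goes.
        if rec is None or rec.status != "active":
            if acct.entitlements:
                removes[acct.user] = set(acct.entitlements)
            continue
        expected = ROLE_ENTITLEMENTS.get(rec.role, set())
        missing = expected - acct.entitlements   # mover gained a role
        extra = acct.entitlements - expected     # legacy access to strip
        if missing:
            adds[acct.user] = missing
        if extra:
            removes[acct.user] = extra
        # Outlier: elevated right held but never used inside the window.
        stale = {
            e for e in acct.entitlements & ELEVATED
            if acct.last_used.get(e) is None or acct.last_used[e] < cutoff
        }
        if stale:
            dormant[acct.user] = stale

    # Joiners: active in HR but no account provisioned yet.
    for user, rec in hr_by_user.items():
        if rec.status == "active" and user not in known_accounts:
            adds[user] = set(ROLE_ENTITLEMENTS.get(rec.role, set()))
    return adds, removes, dormant


def run_sample():
    """Constructed roster: one steady nurse, one mover, one leaver, one joiner,
    and one admin holding a right they have not used in 200 days."""
    today = date(2025, 1, 1)
    hr = [
        HrRecord("alice", "nurse", "active"),
        HrRecord("bob", "billing", "active"),      # moved pharmacist -> billing
        HrRecord("carol", "it_admin", "terminated"),
        HrRecord("dan", "nurse", "active"),        # joiner, no account yet
        HrRecord("eve", "it_admin", "active"),
    ]
    accounts = [
        Account("alice", {"ehr_clinical", "med_dispense"}, {}),
        Account("bob", {"ehr_clinical", "med_dispense", "pharmacy_admin"},
                {"pharmacy_admin": today - timedelta(days=5)}),
        Account("carol", {"ehr_clinical", "ad_admin", "server_admin"}, {}),
        Account("eve", {"ehr_clinical", "ad_admin", "server_admin"},
                {"ad_admin": today - timedelta(days=10),
                 "server_admin": today - timedelta(days=200)}),
    ]
    return reconcile(hr, accounts, today)


if __name__ == "__main__":
    for label, result in zip(("add", "remove", "dormant"), run_sample()):
        print(label, result)
```

Feeding this from the HR system on every record change gives the "removals as well as additions" behaviour the text describes; the dormant set is the dashboard signal for elevated rights that are held but not exercised.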
Consolidation, Costs, and Measured Risk
Platform overlap has become an opportunity to simplify and save. He reviews vendor portfolios regularly to eliminate duplicative features and retire aging tools, freeing funds for higher-value controls such as identity threat detection or improved email defenses. “When we add something, we have to take something away,” he said, noting that every security dollar is ultimately a patient-care dollar.
Case expects vendors to meet that responsibility with transparent pricing and credible roadmaps; in return, he consolidates capabilities where doing so decreases integration burden and sharpens visibility. He evaluates investments through a risk lens that includes patient impact, operational disruption, and measurable reduction in attack paths. Case also experiments in targeted ways—such as considering internal-only mailboxes for specific job codes that have no external correspondence needs—to remove entire categories of phishing risk without touching roles that depend on outside communication.
Governance Built on Shared Accountability
Effective controls stick when business leaders share ownership of risk. He uses formal committees to record decisions and informal conversations to preview impacts, so operational and clinical leaders can surface workflow nuances before a change hits production. Case brings recommendations, not just options, and pairs each with resource and risk implications to make tradeoffs explicit. He views that clarity as essential to keeping both security and service reliable.
Case’s governance model blends documentation with relationships. He ensures privacy, legal, audit,