security vs common sense
In healthcare, IT systems are regulated for GMP and financial compliance. (Other areas, such as data security, are currently left to internal decisions.) The extra cost, roughly fourfold, is considered an acceptable trade-off for the audit paper trail, fewer and longer improvement cycles, and less in-house programming.
The problems currently present themselves as security layers that are built in but never opened to discussion at any cost/value trade-off level. The separate internal groups go their own ways, each trying to avoid the others' minefields.
Any data-protection security legislation is likely to cause additional damage, except to security consultants. Legislation for things like laptop or USB-stick misuse looks out of reach of even the current nappy-monitoring government. So one aim of every IT department should be solutions good enough to make extra legislation unnecessary.