New era of health data security begins
“If they want to do the attestation, they have to do the risk assessment. So you have both of those lining up together,” she said.
McGraw said the final omnibus rule is “a good start” for protecting patients in an era of more health information exchange.
The more that breach notifications occur and reports show how costly they are to the institutions that experience them, “the more we’re going to see entities encrypt data, mostly data at rest and then most certainly the protocols for exchange to encrypt data in transit,” McGraw said.
There is a growing acceptance of the importance of getting to the level of security that most other industries have adopted as a matter of course.
Security professionals, however, don’t exist throughout much of the healthcare provider community, which is significantly made up of small practices. As a result, “they’re highly dependent upon their vendors to tell them what to do, and that partly adds to the challenge,” she said.
It’s difficult for the healthcare industry to step up “when it’s largely run by people who are amateurs in security. And that’s not going to change,” she added. “Doctors are trained to take care of patients, not to take care of data, but we need them to take care of data.”