Where will HIT security be in 3 years?
Aske said he applauded the thinking behind such requirements, but he questioned how practical and realistic such efforts would be.
"That's nice on paper, but the challenge is going to be implementing that," he said. "You see how slow healthcare organizations have been in implementing the broader healthcare exchanges? Why would security be any different?"
Who are you, really?
For pure security – and regulatory – reasons, expect to see a lot of focus on improved authentication systems. But also expect resistance from physician offices. The reason is an unintended consequence of efficiency demands.
Many physician offices, especially specialists, would rather avoid strict authentication, because it could expose the practice of physicians letting staff members use the physician's login/password to process prescriptions, among other things.
"Although greatly discouraged, the practice of scribes, mid-levels and nurses placing orders and generating prescriptions under a provider login is an all too common occurrence," Mongelli said.
One big-picture fix would be to simply lobby to get more states to allow physicians -- or anyone they designate -- to process prescriptions and other medical orders, as long as the decisions are being made by the physician. Doctors would be able to delegate the key-entry, but not the decisions.
Under that scenario, nurses and other medical and administrative staff could log in as themselves. The liability would presumably stay with the doctor, however, if someone got an instruction wrong and ordered a prescription that harmed a patient. (The legal case would be more murky if the designee deliberately disobeyed a doctor's prescription instruction and harmed a patient.)
In the meantime, Mongelli argues that IT must insist on some quick fixes.
"With computerized order entry systems, those systems need to evolve to make it easier for the doctors to do it themselves," he said, adding that this problem may work itself out eventually. "Young doctors have a much easier time working with electronic documentation."
The 'absent-minded professor' problem
Physicians carrying mobile devices has greatly advanced hospital medical care, but it's also presented new and serious security threats. Living up to their absent-minded professor reputations, physicians often misplace the devices.
The risks associated with those misplaced mobile devices read like a good news/bad news joke.
Good news: The health IT industry has generally been excellent at ensuring that as little data as possible is physically stored on the device, forcing almost all information to be wirelessly accessed from the network.
Bad news: That means that whoever controls a device can potentially access far more information – anything stored on the connected servers.
Good news: Strong passwords will secure access to the network, meaning a thief would have a locked phone or tablet.
Bad news: Medical specialists tend to avoid strong passwords.