Protect your network! HIPAA isn't enough

In a security landscape where threats are multiplying and criminals are getting craftier, mere HIPAA compliance won't keep data safe
By Mike Miliard
10:24 AM

"You need to be on your toes, in terms of detecting what's going on with your network, knowing what's normal, knowing what's abnormal," she says.

Good staff is essential, she adds, key to "avoiding a situation where you have the best software and processes in the world that flag suspicious activity but there's a human on the other end that doesn't react quickly. That could spell disaster for millions of people through a data breach."

The tried-and-true principles of "people, process and technology" are the best defense, says Kim – even if the last of those three can be a huge help where the other two are hamstrung by humankind's essential fallibility.

Asked to point to some recent tactical success in this never-ending war against cyberthreats, Kim mentions some of the "managed security solutions that cloud providers are offering. There's a demand for more automation, because there's so many potential incidents and potential threats."

Technology can "fill the gap where humans fail," she says. For instance, were an absent-minded clinician to forward an email attachment containing personal health information to their personal address, data loss prevention software might detect and block it.

Hosted security management that can conduct ongoing assessments and reporting can be a boon, says Kim.

"Providers are relying on it more because it's impossible for an ordinary organization to be that vigilant and proactive," she says. "We leave that to specialists – outsourced providers that offer these special services.

"You might not notice that your system has been compromised. You might notice that your system has slowed, but if you're not noticing that network traffic is going in large amounts to a certain IP address that it shouldn't, how would you ever know? It's like an invisible breach."

"We need to get better at detecting anomalies and detecting breaches," says Gallagher. "We just aren't very good at that."
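As an added illustration of the detection gap Kim and Gallagher describe, here is a small egress-volume check over constructed flow records (example code, not from the article or anyone quoted in it). The record format, the 5x-baseline ratio and the new-destination threshold are assumptions; the point is that a destination suddenly receiving far more outbound bytes than usual, or one never seen before, is only visible if someone first established what "normal" looks like.

```python
"""Flag destinations whose outbound byte volume departs from a baseline.
Record layout (day, dst_ip, bytes_out) and thresholds are assumptions."""
from collections import defaultdict

# Constructed sample flows: days 1-3 form the baseline, day 4 is under review.
FLOWS = [
    (1, "203.0.113.10", 1_200_000), (2, "203.0.113.10", 1_100_000),
    (3, "203.0.113.10", 1_300_000),
    (1, "198.51.100.7", 50_000), (2, "198.51.100.7", 48_000),
    (3, "198.51.100.7", 52_000),
    (4, "203.0.113.10", 1_250_000),  # normal partner traffic
    (4, "198.51.100.7", 2_400_000),  # about 48x its usual daily volume
    (4, "192.0.2.99", 900_000),      # destination never seen before
]

def daily_bytes(flows):
    """Sum outbound bytes per (day, dst_ip)."""
    totals = defaultdict(int)
    for day, dst, nbytes in flows:
        totals[(day, dst)] += nbytes
    return totals

def baseline_by_dst(flows, review_day):
    """Mean daily outbound bytes per destination over days before review_day."""
    per_dst = defaultdict(list)
    for (day, dst), nbytes in daily_bytes(flows).items():
        if day < review_day:
            per_dst[dst].append(nbytes)
    return {dst: sum(v) / len(v) for dst, v in per_dst.items()}

def find_anomalies(flows, review_day, ratio=5.0, new_dst_min=100_000):
    """Return {dst: reason} for destinations that merit an analyst's attention."""
    base = baseline_by_dst(flows, review_day)
    out = {}
    for (day, dst), nbytes in daily_bytes(flows).items():
        if day != review_day:
            continue
        if dst not in base:          # no history at all for this destination
            if nbytes >= new_dst_min:
                out[dst] = f"new destination, {nbytes} bytes"
        elif nbytes >= ratio * base[dst]:  # known destination, unusual volume
            out[dst] = f"{nbytes / base[dst]:.0f}x baseline ({base[dst]:.0f} bytes/day)"
    return out

if __name__ == "__main__":
    for dst, why in find_anomalies(FLOWS, review_day=4).items():
        print(f"ALERT {dst}: {why}")
```

Real deployments would build the baseline from weeks of flow or proxy logs and key on more than destination address, but the closed-loop idea is the same: measure normal first, then alert on departures from it.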

Unfortunately, that's where we are today. Being secure requires constant vigilance and genuine skill. Simply checking the boxes of a single risk assessment is nowhere near enough.

As Perakslis notes in NEJM, HIPAA privacy rules have "raised awareness of the importance of protecting personal health information and have provided a regulatory framework to encourage compliance – but compliance does not necessarily translate into security."

"HIPAA requires you to do ongoing risk management," says Gallagher. "That's the core of the HIPAA security rule."

That's the right approach, she says. "Trying to set any minimal standards for security control would just be disastrous and not helpful."

So what does risk management mean? Gallagher likens it to a loop that needs to be closed: "Once you deal with the current breach and remediation, then you really need to go back and understand the threat and the threat motivator, and you need to factor those things into the adjustments you make to your controls. That would include contingency plans and resiliency as well."

"HIPAA does address the need for contingency plans, in case things go wrong," says Kim. "But it really doesn't spell out the whole complement of what I think most folks in the information security industry would generally think of to do when they try to plan."

When it comes to cybersecurity, "it's unfortunately a matter of time whether you have an incident," she says. "As to whether it breaches your system, that's another thing. That's why you need to keep on your toes."

All the compliance in the world "does not mean that at some point you won't have an attack and not have a breach," says Gallagher. "That's just the situation we're in with cybersecurity. It has nothing to do with HIPAA. It has to do with the changing threat factor."
