Andy Herman discusses the gap in the current healthcare cybersecurity approach – that there is no mandatory risk management framework for healthcare organizations. The author suggests introducing a mandatory implementation of a full cybersecurity framework with monitoring systems before receiving the incentives guaranteed by the meaningful use clause associated with electronic health records.