Effective security programs require structure to understand what should be protected and the value of the asset to the organization to determine how protection should be implemented. No matter the methodology healthcare organizations choose, the framework needs to define measurable outcomes that allows IT teams to defend against attacks and recover quickly if an attack is successful.