I don't think the rule would be better with more detailed vulnerability scanning requirements! All these things inexorably become races to the bottom.
replyYes, exactly, the rules are intentionally broad and vague. You can wave paper at most of them and technically succeed. And then when you release accidentally PHI for the first time and your bullshit comes to light, your chickens will come home to roost. Doing a good job on compliance is less about security and more about staying out of jail.
replyThe ideal flow here is:
reply1. Do good security and operations.
2. Overlap the minimum subset of your existing good security and operations as evidence for whatever compliance regimes help you get paid.
3. Get paid.
Nobody is suggesting that you bullshit the auditors. They’re suggesting not letting the auditors accidentally trick you into letting step 2 get in front of step 1.