The HIPAA Security Rule is due for an overhaul.
You must log in or register to comment.
What such a ruling needs are hard punishments for those responsible for data “losses”. Those who have unsecured servers, those who use weak passwords, or leave backdoors in their software need to be sanctioned as well as the actual hackers.
Definitely. Once the company reach certain level of annual turnover it must implement A-Z security measures or be fined out of existence would be great. I even go as far as making it personal liability for upper management if they deliberately try to circumvent those requirements.
I even go as far as making it personal liability for upper management
This needs to be a thing for SO many things across the board, from personal data to ecological damage and unsafe working conditions. Not just upper management, everyone down the chain. If Bob the (qualified)intern did it, Anna the manager checked it and Charlie the CEO approved it, they ALL need to get punished.
Punishing the lower level employees should only really be implemented once all the anti-whistleblower legislation and people in government have been purged though otherwise you just put the employees who are asked to do questionable things between a rock and a hard place with no way not to get punished.
HIPAA is a super vague standard on the tech side. PCI is much more specific and frankly better even though its meant for a different purpose and both were written by different types of entities. It may have changed since I worked with it, but one example I remember is HIPAA standards say to use a firewall. PCI standards say to use a firewall, document rules, review them quarterly with a formal process and separation of duties, and conduct external third party scans to look for vulnerabilities. I’m glad HIPAA is getting an update, but it could really use an overhaul.
One can avoid all rules when greedy enough
