I reside in Michigan, U.S.A., and just recently took over the IT of a small medical practice. There is no real security in place, and I am still undoing the horrific damage and lockouts put in place by the previous company. I have noticed horrible browsing/security practices by the employees, and the owner doesn't understand the seriousness of the situation. I don't know the specific regulations on medical security, but I know the fines could be massive if there is a data breach. I want to make a presentation for him so that I can get him to understand, but he will not believe me without sources I can cite and information I can present to him, like specific fine amounts and how we can avoid them by things like being able to remotely wipe phones used for work.
So my question is: where can I find information on the type of fines we would look at for a breach, how easy it is to get into an unsecured system, how we can secure ourselves, and where I can learn about specific regulations like account and screen lockout, etc.?