I reside in Michigan, U.S.A and just recently took over the IT of a small medical practice. There is no real security in place and I am still undoing the horrific damage and lockouts put in place by the previous company. I have noticed horrible browsing/security practices by the employees and the owner doesn't understand the seriousness of the situation. I don't know the specific regulations on medical security but I know the fines could be massive if there is a data breach. I want to make a presentation for him so that I can get him to understand, but he will not believe me without sources I can cite and information I can present to him like specific fine amounts and how we can avoid them by things like being able to remotely wipe phones used for work.

So my question is where can I find information on the type of fines we would look at for a breach, how easy it is to get into an unsecured system, how we can secure ourselves, and where I can learn about specific regulations like account and screen lockout, etc.?

Taxes45
    Show him how WannaCry crippled the UK National Health Service. Ask him to think what will happen when your place gets hit. Because it will. – ThoriumBR Sep 03 '18 at 18:25
  • 5
    You tagged HIPAA, and in the US, that's where your regulations will come from. – schroeder Sep 03 '18 at 18:33

1 Answer

6

I had a similar issue in the past. Security is a rapidly-changing field, and it's easy for small companies to convince themselves they don't need to worry about security breaches. (And well... if you don't stay up to date with security information, it's easy to remain ignorant!)

As an American company, HIPAA is a great source for information on security and privacy standards in the healthcare industry. You can find their actual policies on their website, but they also have summaries available for their privacy rule and their security rule. (I personally tried reading their full 50-page documents, but they're very dense. Definitely try the summaries first.) Definitely check it out, you might find some good information.

For more information on hacking, data breaches, and malware, you can check out Bruce Schneier's blog. He's been writing this blog for a really long time, and has some truly excellent posts. He also has links to other helpful sources. Here are the links for posts tagged with data breaches, malware, and health care.

While fines can be dependent on states, you can find instances of people suing healthcare corporations over data breaches. Here's an instance of the Arc of Erie County being fined $200k for a security breach. (That instance was an example of HIPAA non-compliance.) You can probably find other instances of hospitals and medical companies being sued over poor security practices here if you want some more examples.

Your situation is a tough one to be in. In my experience with employers with poor security practices, I wrote a report on the security flaws and gave it to my boss when I left the job. I'm fairly certain nothing will come of it, but at least I tried. Good luck.

Brooke
    You can also throw in PCI fines, which can be massive. Also, SOX might be useful to be aware of and to cite fines from, etc. – bashCypher Sep 04 '18 at 20:36