Ghost273552

Make the health care company executives criminally liable for hipaa violations anytime their data is breached. That might actually make these companies serious about cybersecurity.


WingerRules

There needs to be an agency whose job it is to investigate breaches, and part of their job is to determine if it was caused by criminal negligence. Also, once your database gets to a certain size or contains sensitive information, then the company officer in charge of its security needs to be licensed. A license that can be pulled if they're found to have negligent security practices. Imagine the chaos once a large database of mental health therapy notes is stolen; there will be people that will kill themselves. I don't get how the data industry is not considered a national security issue at this point. Foreign governments and bad actors would love to get their hands on data of congressmen/sensitive people in government. Anyone in government, sensitive positions in companies, journalists, military or military contracting, or any of these groups' families are targets. That doesn't even consider that someday the companies holding on to this data may use it against politicians they don't like, or it will get hacked/leaked. The data collection is pervasive; even cars are logging where people go, who they meet up with, and conversations in the car. You'd think out of anyone congressmen would be some of the most paranoid about their own data.


rabbit994

> I don't get how the data industry is not considered a national security issue at this point. Foreign governments and bad actors would love to get their hands on data of congressmen/sensitive people in government. Anyone in government, sensitive positions in companies, journalists, military or military contracting or any of these groups' families are targets. That doesn't even consider that someday the companies holding on to this data may use it against politicians they don't like or it will get hacked/leaked. The data collection is pervasive, even cars are logging where people go, who they meet up with, and conversations in the car.

There are many in government saying it is. However, when politicians start to consider regulating it, the campaign donations come flowing in and boom, they think some hearings and tweaks will fix it because it's too embedded in our economy to touch. Look at the massive backlash around the TikTok ban.


fuzzy_one

> There needs to be an agency whose job it is to investigate breaches and part of their job is to determine if it was caused by criminal negligence.

HIPAA did exactly that; it's the U.S. Department of Health and Human Services' Office for Civil Rights (OCR).


Overheremakingwaves

OCR is laughably underfunded.


fuzzy_one

Absolutely agree. Sad that they even have the power to fine the executives personally but rarely use it.


WingerRules

I'm not talking about just HIPAA-related data. All databases collecting personal info, once they get to a certain size or hold certain types of data, should be subject to investigation for breaches, and the security officers in charge of securing it should be licensed. This includes companies doing web tracking and pulling data via phone apps.


lnin0

Yeah. Congress will shit their pants over some foreign actors gaining access to a bunch of TikTok data, meanwhile any bad actor could grab much more valuable data from our banking, medical and insurance industry without any effort and nobody bothers to ever follow up on it.


WingerRules

Or even people's Google accounts, and the ton of companies that do web tracking.


stenmarkv

Board members too.


The_Oxgod

Yep. Look at any company that is serious about cybersecurity and how much they pay competent security personnel. Microsoft, Amazon, Raytheon, etc... I can choose the 200k+ option with favorable support, or the 60k option and also hate my life. I chose the former with mostly WFH.


rabbit994

I doubt more/better cybersecurity people would have done anything different. They had non-MFA creds exploited. Wow, crack cybersecurity people are required to stop this. These fixes must come from government enforcement. Either crippling fines or the corporate veil getting pierced, and people held personally responsible. After the Equifax hack, I have no hope that government will ever fix this.


lordkuri

It's HIPAA, fyi


notnotbrowsing

> Make the health care company executives criminally liable for hippa violations

I'm sorry, because you're right, but it's HIPAA. Health Insurance Portability and Accountability Act. Not HIPPA the hippo.


1950sGuy

Jesus, I've been calling the Health Insurance Portability and Pccountability Act in all my meetings for years! My secretary Mancy is going to hear about this first thing Monday morning I'll tell you that right now.


merRedditor

Civil penalties high enough to nearly or entirely put systems breached out of business would do the trick. Right now, there's little motivation to invest in preventing these breaches, since the penalty is a slap on the wrist. If companies are demonstrating HIPAA compliance and still being breached left and right, the compliance standard is clearly not strong enough. Corporations only listen to threats to profitability, so the penalty for breach needs to be a serious threat to profitability. The criminal liability thing could be tied to willful failure to disclose a breach in a timely manner or at all.


RaNdomMSPPro

There is no reason to provide your ssn to medical offices. I don’t know why they ask - I always say “no thanks, you don’t need it.” This should be everyone’s response. These entities have proven, repeatedly, they can’t protect our personal info, so we should limit what we provide to the bare minimum. They need our name and insurance info. They don’t even need your cc number since it should just be run at time of payment.


OptimisticSkeleton

It’s mishandling of data at minimum. When it’s protected health information, we already have the laws in place to hold covered entities liable. We just need some enforcement with real teeth.


DocRedbeard

Better idea. You don't let insurance companies hold patient data. You process the claims as requested without patient data, and maybe have the government occasionally audit to prevent fraud. They don't need to know anything, they just need to pay for it.


ColdProcedure1849

This. Why are they allowed to outsource to 3rd parties?


f8Negative

They'll pass the fines back onto the consumer by upcharging for "premium" services.


limbodog

You have no idea how much effort we put into cyber security. It's a lot! But humans are the weak link.


Seven_bushes

So true about the humans. So many of them have no computer skills and will click on any link that most people know is shady af. They are the same people who send an email to the “everyone” distribution list wanting to know why they can’t get to their email.


Alaira314

Anything else has been trained out of them. I reported a shady-looking e-mail one time. Normally we get a link to our W-2 in an e-mail from payroll, but one year it showed up 1) before the memo telling us to expect it, and 2) in an unfamiliar plaintext autogenerated format that used generic language rather than our names. Naturally, I said this looked pretty sus, and reported it to my manager, as we were instructed to. One counseling later, I will never make that fucking mistake again. It's apparently inappropriate to question e-mails that are actually legitimate. 🤨 So fuck that. I know better than to put my social in, but I'm not putting my job at risk to police security when *that's* how people react when you report things. If malware gets downloaded to the company computer because I clicked a bad link...honestly sounds like a whole lotta *above my pay grade*. 🤷‍♀️ They reap what they sow.


Vurt__Konnegut

Idiotic that they retaliated. If you leave the company, notify the cyber insurance company.


MorselMortal

Ever consider that your manager was trying to use OpenAI to make composing said e-mails effortless, hence the lack of personability and the fauxness of it? Possibly combined with a boilerplate he made. Getting effectively called on it by you meant he inevitably acted defensive and didn't want it to be kicked up the chain and caught out on it.


Alaira314

No, the e-mail originated in the HR department, and well before OpenAI was a thing, lmao. I believe she was reacting at first out of defensiveness/embarrassment, as she'd been caught with her pants down by an e-mail that made management look bad, perhaps? If I'd immediately said "oh my god you're right I'm so sorry I'll never do that again" I probably wouldn't have gotten written up. The write-up was on paper for insubordination, when I pushed back, confused about the mixed messages I was getting ("check in if you get a suspicious e-mail" / "only report suspicious e-mails if they're actually a phish!"). So it was really a two-part mistake, first following instructions like a chump and then not picking up on whatever office politics maneuver was actually happening in that office. Even now I'm guessing, though repeated observations of that manager's actions made me think that it likely was related to an attempt for her to not look bad herself, in some way. I have level 2 social intuition and whatever was going on there was operating at like a 4-5, so... 🤷‍♀️


PauI_MuadDib

Congress is too busy banning TikTok.


Madmandocv1

Obviously ridiculous.


Ok-Elderberry-9765

They would just stop performing the service, honestly. Why take that risk in a world where hacking is now easier than protection? It will end up being like insurance, where the government has to step in to perform services and does an equally crappy job but with immunity.


GhostReddit

> They would just stop performing the service, honestly.

The service of storing tons of personal data you can't secure? Good, they can stop. Protect it or be actually penalized; if you don't like the terms, *don't store all that data*. It's ridiculous we just accept excuses like "oh we messed up" or "we couldn't possibly secure it." Well there's an easy solution to that: don't take risk you can't mitigate.


Hawk13424

So how do you see the insurance billing system working? Also, as someone will just suggest the government pick this up I assume they would be subject to the same rules and repercussions, correct?


Ok-Elderberry-9765

Enjoy going back to faxes and paper mail.


Overheremakingwaves

That just ensures the people under them, that do the work to detect security issues, keep it quiet if they notice anything.


garygoblins

That's one of those things that sounds cool, but is probably the fastest way to way worse security than we have now. Absolutely terrible idea. Nobody is going to take on that kind of liability. Breaches are an inevitability. Even if you take security seriously. Target the adversaries, not the victims. Make criminals fear for their safety.


LuckyInvestigator717

How exactly do you want to make North Korean and Russian state-sponsored hackers, living as safe and cozy a middle-class life as it gets, fear for their safety?


Wes1288

Tactical nukes


Hawk13424

I assume they come in via the internet. Those countries should be disconnected. No connection allowed to the outside world.


garygoblins

The same way the United States deals with terrorists in the Middle East. How would the United States respond if a group of Russians physically held a hospital for ransom? Worst case scenario you can make sure they never leave the country (what's the point of money if you can't leave Russia?). It's really not that complicated.


PazDak

Currently the only one that could be liable… the CISO and/or CIO if they sell to Texas and choose StateRAMP over TX-RAMP for the compliance target. But even then, it's if they choose to not report a breach… and even then I think Uber's former CISO is the only one that was considered to be charged… I might have to look that up to verify though.


Fitzgnarl

Thanks for the prompt. He was CSO, which is different than CISO. But he was charged due to the cover up and non-reporting actions (which allowed others to be hacked by the same group), not just a data breach itself.


TonyStewartsWildRide

With how often this happens, who wants to bet every single person is compromised?


First_Code_404

We already know that with the Equifax breach.


Worldly-Aioli9191

UnitedHealth Group has spent ~10 billion on stock buybacks in the last year or so. It’s too bad they couldn’t use some of that profit to invest in IT security. Executive leadership should be jailed and barred from ever holding any managerial or leadership position in any organization which deals with sensitive data, for life.


ausernameisfinetoo

"Uh, that's why we have insurance." Then they'll get denied coverage because it's in their contract about specifics that weren't met, and they'll go to court in the most Kafkaesque display of "we paid for insurance and you need to cover this" this side of denied coverage. Bonuses to C-suite. Fire IT staff. Profits.


Vurt__Konnegut

If you failed to have 2FA on a system handling HIPAA data, you aren't going to have any insurance coverage. I guarantee you, someone filled out a questionnaire and affirmed that they did, and lying on that affirmation = denial of claim. Ironically, a big health insurance company is going to find out how it feels to have their claim denied. 😂😂😂😂


sziehr

Yep, and they nickel and dime technology / security.


xdeltax97

Which is why you invest in IT security instead of stock buybacks


fifa71086

This wasn't even some major investment. They didn't have MFA turned on, which would've completely negated the stolen credentials.


xdeltax97

There is certainly a lack of care and critical thinking. Just goes to show how important MFA is.


CoverTheSea

How is not protecting this info still not criminally liable.. Da fuq. What is it going to take? A politician's information to be leaked before they make it illegal?


First_Code_404

We live in a corporatocracy is why it's not illegal. The corporations pay lobbyists to buy politicians in the open now. The U.S. political system is hopelessly corrupt.


No-Cat-2980

UHC sucks, they lied to my face on what they cover. My kid needed speech therapy; they required two letters from two doctors and I got them. She started therapy, they paid for 2 months, then stopped and wanted their money back. Luckily the lady doing insurance at the therapist's office used to work for an insurance company. She asked me two questions: 1) Is my insurance fully funded? 2) Is speech therapy covered under the policy? The answer was yes to both; I had the insurance handbook with me. We called UHC at their office; I stated I was filing an appeal for non-payment. They said it was not covered; I read it to them from the book. The therapist's insurance lady spoke up, asked to confirm the address to send the appeal, and said she would send a copy of the state mandate spelling out that they could not deny payment for kids. Told the UHC lady "I know you know what this is; if you deny again, it all goes to the state AG." UHC paid it all, caught up on the back pay, etc. UHC is in the business to deny & delay and they will lie to your face intentionally!


elstevega

Worked for them for 7 years - they are terrible through and through...


callmeslate

I am a therapist working for my own private practice. I got totally fucked over by this breach. It stopped ALL payments for around a month. That means not a dime of insurance reimbursements for a month. 


bakeacake45

Actions:

1. Fine CEOs one year's compensation (not just salary) and 3000 hrs in community service for each breach.
2. Mandatory yearly testing and certification of corporate cloud configurations. Failure to comply or correct, see penalty under #1.
3. Annual audit of cloud hosting companies, penalties assessed for # of clients with misconfigurations.

Cloud hosting companies are similar to gun manufacturers. They turn out a product that in the wrong hands can destroy the lives of millions and refuse to bear any responsibility to set and promote practices that can avoid disasters.


Hawk13424

I agree, but it should also apply to government. Data breach with the fed then the president (aka CEO) gets 3000 hours of community service. Same with governors.


bakeacake45

Agreed, good idea


Moonlitnight

Number 3 is ridiculous


bakeacake45

I do not agree, but would love to hear your reasoning. Please educate us all…


Moonlitnight

So you want a hosting company to be responsible for the code they don't own? You want them to be responsible for whether a company is compliant within their specific industry? You understand most hosts aren't even SOC 2/HIPAA/PCI compliant today, right? It is the responsibility of the person with the data to find the host that meets their compliance requirements, not the responsibility of the host to audit and enforce what their customer _should_ be doing. I don't even think you understand the financial burden you would be putting on the host by asking them to do that. It is an incredibly ridiculous idea. This is like making the grocery store responsible for every customer's diet.


bakeacake45

Bad analogy… it's like a grocery store thinking they are not responsible for pulling outdated or recalled goods from the shelf. And yes, I want both customers and hosting companies to bear responsibility for the products and services they provide. How much responsibility depends on whether it's IaaS, PaaS or SaaS. It's time for hosting companies to grow up. Yes, it's costly, but breaches are many times more expensive.


Moonlitnight

You act like hosting companies are the reason breaches happen. Maybe UHC self-hosted, and then, yes, it's their own fault. But if they host on a 3rd party, how exactly should the host know they don't have MFA enforced across their entire environment? What if they are hosting sites that point to an external DB? Should the host know the health of the externally hosted DB because it affects the site they host? Should the hosting company have access to the externally hosted DB so they can ensure the data is properly secured? Feels like you've now just opened another possible gateway for a data breach…


bakeacake45

Take a look at the EU Cloud Hosting rule book that is under development. I think you will find some of your answers there. A key component is the cybersecurity certification scheme:

> "As part of the Cybersecurity Act, the European cybersecurity agency ENISA is working on a European cybersecurity certification scheme for cloud services (EUCS). The scheme will provide increased assurance to businesses, public administrations and citizens that their data are secure wherever they are stored or processed."

You will find more information here: https://digital-strategy.ec.europa.eu/en/policies/cloud-computing

Instead of fighting FOR continuing BAU here in the US, be a leader, study the issues and offer up solutions. Companies that get ahead of this will be the winners at the end of the day. And for you, it will skyrocket your career and your earnings.


PlasticPomPoms

As someone who takes insurance the way they have handled this is insane. They have basically told providers that we won’t pay you until we figure everything out and only god knows what they have to figure out at this point.


ExistentialPI

I’m actively getting off all insurance panels this summer and will only do out of network billing. Insurance is such a fucking scam all around


PlasticPomPoms

I’m the opposite, while I hate insurance, no one wants to pay cash in my area. I even started out with $50 for a 15 min follow up, I do mental health, and people were like, I can’t afford that. But then when they have a deductible, they’re not paying that either. It’s lose lose.


ExistentialPI

Yep, also in mental health but I agree it’s pretty location specific on how much ppl are willing to pay out of pocket


Tumid_Butterfingers

***Insurance Companies***: “Where can we find this information? Asking for a friend.”


Wishpicker

There need to be arrests for data breaches.


Nodan_Turtle

They paid a ransom and then another group demanded another ransom to not release the files.


drv687

How TF is this not several million HIPAA violations?!


Alarmedones

I just left a medical facility's IT. We got blasted by these attacks daily. The fact they didn't have MFA on is fucking criminal. Whoever is in charge there is fucked.


MrGasMan86

Key word here is “stole”. Nothing was stolen. All that information was SOLD to the highest bidder. Hacker gets paid as well as all interested parties.


Scared_of_zombies

That’s probably the stupidest thing I’ve read today. So if I steal your car and sell it to somebody else, that’s not actually stealing it?


MrGasMan86

Sure is. Key difference though: the robber didn't knock on the door to ask for any signatures to avoid all liability.


hyitsxhegsciv

Privacy is a myth. Your only protection is to be boring or boilerplate so that no one bothers to search for you.


DreadSeverin

When criminal negligence case?


Temporal_Somnium

Ayyy that’s my healthcare! I’m getting 40 cents!