• idlethreat
    +4

    Might be a good time to mention that the Verizon DBIR was recently released. I'll add that to the related links.

    Sadly, all the interaction that I have had with healthcare companies leaves a lot to be desired. None of their environments were set up with security in mind. Shared accounts, VPNs unmonitored, zero auditing or evidence of ongoing review.

    A lot of the blame goes to HIPAA. If you hold up the HIPAA technical requirements next to the PCI requirements, you immediately see the difference. HIPAA is labyrinthine, confusing, and hard to read for mortals. PCI is straightforward bullet points: "You will have a firewall. The firewall will be configured like so. You will review on a quarterly basis. You will document the review... etc., etc." Very straightforward to handle.

    I fear it will get worse before it gets better.