Securosis Blog | What No One is Saying About that Big HIPAA Fine.

Rich Mogull at Securosis is claiming that security vendors should not use the HHS HIPAA fine to Cignet Health for $4.3 million as a motivator to improve information security.

While I agree that this HHS fine and the $1 million Mass General fine had nothing to do with IT security, it seems to me that HHS is signaling that it is serious about enforcing HIPAA security and privacy rules. After all, HIPAA was passed in 1996 and these are the first ever fines issued.

You certainly can take Rich’s approach that the Cignet fine is just about “big boxes of paper and a bad attitude.” But I would not want to be the organization that suffers an information security breach due to lax controls.

For example, if you had decided to use the SANS 20 Critical Security Controls as your prescriptive information security guide and had implemented all of the Quick Wins and Visibility/Attribution sub-controls, some/most of the Config/Hygiene sub-controls, with a plan for the rest and the appropriate Advanced sub-controls, and still suffered a breach, you surely could not be tagged with “willful negligence.”

We will see what if any fine HHS levies against the New York City hospital system which admitted to a breach affecting 1.7 million hospital staff, patients, vendors, and contractors.