Healthcare Organizations Under Siege From Cyberattacks, Study Says

BigVig209 sends this report from the Chicago Tribune: "A new study set to be officially released Wednesday found that networks and Internet-connected devices in places such as hospitals, insurance companies and pharmaceutical companies are under siege and in many cases have been infiltrated without their knowledge. ... In the report, the groups found from September 2012 to October 2013 that 375 healthcare organizations in the U.S. had been compromised, and in many cases are still compromised because they have not yet detected the attacks. ... 'What's concerning to us is the sheer lack of basic blocking and tackling within these organizations,' said Sam Glines, chief executive of Norse. 'Firewalls were on default settings. They used very simple passwords for devices. In some cases, an organization used the same password for everything.'"

Re:So much for HIPAA...

[rhsanborn]

Not surprising, really. The only time companies get punished for non-compliance is when they are the ones accessing protected health information. No threat of punishment == no compliance.

That's not the case at all. HIPAA makes a distinction between covered entities (usually hospitals, doctors, insurance companies), business associates (people providing services for covered entities such as medical coding, transcription, IT services, etc.) that require access to protected health information, and everyone else who isn't allowed to access protected health information. If a covered entity loses or discloses protected health information, or is breached, that entity is responsible for fines under HIPAA, which are being levied regularly. e.g. http://www.healthcareitnews.co... [healthcareitnews.com]