If the CTO says it's OK, what could go wrong?

By Sharky | Date: Wed, 02 Jan 2019 03:00:00 -0800

A medical rehab facility is facing a compliance deadline for the HIPAA privacy regulations, and that could be a problem, says a cybersecurity pilot fish working there.

“The HIPAA regulations are strewn with potential issues,” fish says. “When some aspect isn’t followed and a patient’s data privacy is compromised, the fines can be substantial.”

And that’s the headache fish faces because of his facility’s use of Gmail. As the site’s cybersecurity engineer, fish knows that ordinary Gmail, used as-is, isn’t HIPAA compliant.

Fortunately, there’s a fix, one that involves additional paperwork and agreements with the provider (the business associate agreement HIPAA requires, among others), along with some added security verification. That’s still easier and less disruptive than moving everyone off Gmail.

So fish works to make sure all HIPAA requirements and industry standards are met. After a thorough search of the available documentation, he creates a to-do list as the roadmap for getting the facility everything it needs to comply with HIPAA.

And fish has the CTO’s repeated assurances that all the necessary steps have been taken and followed per HIPAA.

There’s just one problem: “After asking for required Document A four times and required Document B three times — and given past issues with the CTO — it became increasingly apparent that none of the work had actually been done,” sighs fish.

“And without that documentation, if anything bad were to happen, everyone would be pointing at me…”

Document your true tale of IT life for Sharky. Send your story to me at sharky@computerworld.com. You can also comment on today’s tale at Sharky’s Google+ community, and read thousands of great old tales in the Sharkives.