• redsand@infosec.pub
    22 hours ago

    HIPAA is so strange in how much and how little it matters at the same time. Often in the same email.

    • fruitycoder@sh.itjust.works
      18 hours ago

      HIPAA honestly falls into the data protection pillar of zero trust to me, and my experience in that space was people just got overwhelmed by it. Like old school IP/port security people can wrap their heads around, but try to introduce the concept that data should be accessed just in time of use by authorized people that need to use it and otherwise it should be made technically infeasible (i.e. encryption), and bam, they lost all concept.

      Like it's hard, for sure, but even a little closer to the goal is better than nothing, people!

      From an org too the incentives are just wack, they almost want enough effort to appear they are doing something to get accredited or pass audit but the consequences for the people affected are just way higher than any org has to deal with.

      • redsand@infosec.pub
        17 hours ago

        And there’s so much low-hanging fruit from end users or whole departments that have their IT managed separately by a 3rd party (occasionally doctors)