HIPAA does require a lot of security. Having been a HIPAA architect, in reality no one in the industry cares since few are ever even accused of anything much less convicted. It's a toothless gums law.
Well, there are plenty of provisions under the security chapter. Funnily enough, now that I look at it again (it's been a long time), it seems both 'accountability' (tracking every media in and out) and 'protection from malicious software' are not listed as required. Duh.
The emergency mode operation plan is however listed as required, and this place was basically shut for a week.
I remembered it being more stringent than what it really is.
Yes, I'd love for HIPAA to say: if we're talking about a medical centre, you've got to be able to snapshot and reimage within X hours with data loss of less than Y hours. One can dream...
Totally agree, but in 2016 that doesn't take much: spin up two instances in different AWS datacenters and fail between them and you have Disaster Recovery. Regularly operate in each datacenter and you have Sustained Resiliency. A small business probably won't have staff to maintain such a solution but surely this is a space for a nice niche startup?
That won't work; you'd need the whole datacenter to comply with the security restrictions. You can't just have the data in a place where you don't know who can access it.
Assuming it's CryptoLocker style malware, they're probably one of the few hospitals fully satisfying the encryption requirements of HIPAA at the moment.