by MisterTea 2724 days ago
> First off, the field is heavily regulated (in the US anyway) and the penalties for violating regulations like HIPAA are incredibly high.

This is why heavy-handed regulation is bad. The people on the end of the regulation have to deal with a ton of BS to the point where it becomes security theater. These systems need their own departments, experts, and even legal teams. The overhead is massive. You think a company is going to roll over and eat the costs without trying everything in their power to sidestep it? Loopholes to outright lies will be used. Anything to trim the fat.

Happened to a place I worked at. New regulations meant more overhead. During my tenure I watched the quality department grow from the side job of the head engineer to a department of three people (manager, assistant, engineer) and an outside contractor. I then watched the employee quality drop proportionately as they put more money into putting lipstick on a pig than actually fixing problems and improving quality. As long as you satisfy the auditor or customer you look like a well-oiled machine. Just don't look under the rug.