I’m sure you won't be surprised to learn that, despite our most valiant efforts as an IT consulting practice, not everyone follows our advice on regulatory compliance. Read on for our cautionary tale on the perils of a small healthcare clinic ignoring security basics.
In certain industries, such as healthcare and finance, there are very stringent rules around the protection of customer data, and regulatory compliance is a very big deal. The cost of non-compliance can be huge.
But be aware that ALL public and many private companies fall under compliance requirements when it comes to the protection of sensitive or private data!
Local Health Care Practice Grows Fast, Ignores Regulatory Compliance Needs
A local health care practice was on a high growth path, acquiring other private practices and integrating them into its environment.
As they continued to add organizations, people and computers, it was becoming clear to us that their cyber security and data protection risk was increasing, and that they were risking non-compliance with industry requirements.
We recommended that basic data encryption software be installed across all laptops and workstations to protect data from compromise in the event of theft or loss.
In this case, we recommended Microsoft BitLocker, which is included in Windows Enterprise.
The price point would have been about $60 per device for 300 devices.
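The recommendation above boils down to one verifiable condition per device: the system drive is fully encrypted, protection is on, and the key is bound to the TPM with a recovery password that can be escrowed. The following PowerShell script is an added example (it is not the consultancy's tooling and not part of the original post) that audits a Windows device against exactly those conditions using the built-in BitLocker and TrustedPlatformModule cmdlets. The function name, the finding strings and the assumption that the system drive is the volume of interest are ours.

```powershell
# Added example: report whether a Windows device meets a basic full-disk encryption baseline.
# Assumptions: Windows 8 / Server 2012 or later with the BitLocker and TrustedPlatformModule
# modules, run from an elevated session. Only the volume given by $MountPoint is checked.
#Requires -RunAsAdministrator
param(
    [string]$MountPoint = $env:SystemDrive   # e.g. "C:"
)

function Get-BitLockerCompliance {
    param([string]$MountPoint)

    $findings = [System.Collections.Generic.List[string]]::new()

    # TPM state: without a ready TPM, BitLocker falls back to a startup password or USB key.
    $tpm = Get-Tpm -ErrorAction SilentlyContinue
    if (-not $tpm -or -not $tpm.TpmReady) {
        $findings.Add("TPM not present or not ready; key cannot be sealed to the platform")
    }

    # Volume state as reported by BitLocker itself.
    $vol = Get-BitLockerVolume -MountPoint $MountPoint -ErrorAction Stop
    $protectorTypes = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })

    if ($vol.ProtectionStatus -ne 'On') {
        $findings.Add("Protection is '$($vol.ProtectionStatus)': data at rest is not protected")
    }
    if ($vol.VolumeStatus -ne 'FullyEncrypted') {
        $findings.Add("Volume is '$($vol.VolumeStatus)' ($($vol.EncryptionPercentage)% encrypted)")
    }
    if ($vol.EncryptionMethod -eq 'None') {
        $findings.Add("No encryption method set on $MountPoint")
    }
    # A TPM-bound protector (with or without PIN) ties the key to this machine.
    if (-not ($protectorTypes | Where-Object { $_ -like 'Tpm*' })) {
        $findings.Add("No TPM-bound key protector found (protectors: $($protectorTypes -join ', '))")
    }
    # A recovery password is what gets escrowed to AD / Entra ID so a lost PIN is recoverable.
    if ($protectorTypes -notcontains 'RecoveryPassword') {
        $findings.Add("No recovery password protector; nothing to escrow for key recovery")
    }

    [pscustomobject]@{
        ComputerName     = $env:COMPUTERNAME
        MountPoint       = $MountPoint
        ProtectionStatus = $vol.ProtectionStatus
        VolumeStatus     = $vol.VolumeStatus
        EncryptionMethod = $vol.EncryptionMethod
        KeyProtectors    = ($protectorTypes -join ', ')
        Compliant        = ($findings.Count -eq 0)
        Findings         = ($findings -join '; ')
    }
}

Get-BitLockerCompliance -MountPoint $MountPoint | Format-List
```

For a fleet the size described above, run the function on each device through PowerShell Remoting (for example `Invoke-Command -ComputerName $Computers -FilePath .\Get-BitLockerCompliance.ps1`) and pipe the objects to `Export-Csv`; the `Compliant` column is the evidence an auditor or insurer would ask for, and the `Findings` column tells you which devices still need a TPM protector or an escrowed recovery password.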
They had a hard time justifying this expense, as it didn't directly add to their bottom line.
They also looked at their industry requirements, and nowhere did it specifically say that they needed to encrypt devices such as workstations and laptops.
Sadly, our recommendation was turned down - and shortly thereafter, one of their laptops was stolen.
And because there was a possibility that customer data was on it, they were legally required to report the incident to both the governing body and their entire customer base.
The costs mounted up, from the PR campaign to legal fees, and of course a fine was levied.
The company tried to file an insurance claim to recoup these costs, but it was rejected.
The insurer deemed that neglecting to implement the recommended protection was not commercially reasonable.
Moral of the story - Regulatory Compliance Matters!
The roughly $18k investment in data encryption software that was declined ended up costing the company hundreds of thousands of dollars.
And of course, we ended up installing the software anyway.
Not sure if you’re meeting industry requirements?
Contact us if you're looking to find out how you can ensure your company is protected!