Did you know that, in addition to the civil penalties HHS imposes, there are criminal penalties as well? Civil penalties are imposed when an incident happens unknowingly, whereas criminal penalties typically apply when there is willful intent. HHS-imposed fines are not cheap. In the past few weeks (April 2017), violations resulted in a $2.5 million settlement between CardioNet and HHS. CardioNet notes on their website that they provide “next-generation ambulatory cardiac monitoring service with beat-to-beat, real time analysis, automatic arrhythmia detection and wireless ECG transmission”. HHS states that “OCR’s investigation into the impermissible disclosure revealed that CardioNet had an insufficient risk analysis and risk management processes in place at the time of the theft” (HHS, 2017). Though CardioNet provides services that truly seek to help others, unfortunately they are facing a large consequence.
A vulnerability assessment reveals the vulnerabilities that exist in your network, while a risk analysis estimates the likelihood that those vulnerabilities will be exploited and the impact if they are. With insight into your network’s potential threats, necessary patching and other mitigations can take place to better secure your infrastructure and help your business:
- Protect existing interests
- Prevent violations & penalties
- Prevent bad press
Though there are upfront costs, risk analyses and vulnerability assessments arm you with the information that gives your business the best chance of running smoothly without violations. This matters because penalties can put good companies out of business (or severely impact them).
The upfront costs of a risk analysis and vulnerability assessment are minimal in comparison to the loss of a business or costly penalties.