And do you have something interesting to say as well, Eg, or did you just want to show everybody that you wanted to give Steve antipoints but couldn't? :)
Hi Neg,
As you are well aware, my interest in this is only in its ethical implications and consequences... I am staying out of the legal aspects entirely... but I am enjoying the discussion... and Steve's point did have ethical implications that I wanted to comment my approval on.
I'll gladly leave the legal debate to you guys and just enjoy the read.
Besides, there's nothing I could add to the legal debate that you guys haven't very well covered already. I've been starving for a good read for a while... so... please continue :D
Eg ;)
EDIT : as for ' greening ' I should probably green almost everyone for providing possibly the most interesting thread in a month. :D
2A or 2B is responsible, however it's the doctor who's going to get sacked, and the hospital who's going to get sued, because there's no reason to rely only on a database.
Hospitals liable, this is a pure HIPAA case; the patients' records must be accessible and secure as per compliance standards... they were not secure. Any hospital that has its internal data on the same network as web-facing boxes is playing with fire; I doubt seriously the HIPAA auditors would allow that to exist.
HIPAA is very clear, this information should have been kept accessible (quickly accessible to anyone who has rights to view it) and secure (no unauthorized access). Both of these bits of compliance were violated; regardless of how they were violated, the law says the hospital is at fault here. My guess is the doctor would be looking at malpractice, and so would the hospital. The worm writer would be looking at jail time. If the antivirus IDS/IPS systems in the hospital were not working, whoever signed off on them would be looking at fines and possibly jail time. Blowing a regulatory compliance issue like this is not taken lightly and, well, in this country if a worm does damage the writer tends to go to jail.
Oh, and Neg, unless it was shown that the doctor knew about the allergies and gave the person medication with the intent to harm them, there is no criminal act on the doctor's part... malpractice yes, jail time no... but depending on how many other issues like this he has had he may lose his license.
From a legal perspective, yes. Bottom line is, if the 'worm' would have never been written and released this man would still be alive to this day. I bet his family sues big time.
Quote:
The worm writer also released the worm. Are they responsible for the death, legally?
Negative... I have no doubt the doctor would be hit with a malpractice suit... but those really don't mean anything. Why do you think they pay half their salary in malpractice insurance? Why do you think most states have capped malpractice suits?
I stand behind the fact that the doctor would not be held criminally responsible and would most likely settle a malpractice suit because it would be cheaper than fighting it, and besides, insurance pays for it anyhow.
Hospital administration, on the other hand, IS criminally responsible.
cheers,
catch
Whether the doctor would be prosecuted by the state is up to the state: if the DA reasons the same way you do, then the doctor would indeed not be held responsible.
And doesn't HIPAA specify that one single person must be responsible for HIPAA compliance (so the "hospital administration" cannot be held responsible)? Criminally prosecuting someone under HIPAA is a possibility, but the burden of proof (i.e. the state must prove that the person responsible for HIPAA had knowledge of the violation...) is with the state.
Most doctors are also lawyers as well. ;)
No DA in the country would pursue criminal charges against an individual who acted within the best practices of their profession. You have no case; there was no action through malice, indifference, or neglect.
Quote:
Whether the doctor would be prosecuted by the state is up to the state: if the DA reasons the same way you do, then the doctor would indeed not be held responsible.
No, HIPAA doesn't state that. One person must be accountable for each violation... considering the number of violations in this instance, it is likely that several people will be held accountable, unless, as I stated previously, one particular exec suggested cutting a corner that resulted in the bad configuration. Then that individual would be accountable. Without the specifics of the organization's model or why the network was exposed it is not possible to lay guilt on any single individual, but suffice to say that the individual(s) responsible fall within the Administration unit.
Quote:
And doesn't HIPAA specify that one single person must be responsible for HIPAA compliance (so the "hospital administration" cannot be held responsible)? Criminally prosecuting someone under HIPAA is a possibility, but the burden of proof (i.e. the state must prove that the person responsible for HIPAA had knowledge of the violation...) is with the state.
In this case HIPAA would not be the sole point of prosecution; the individuals responsible for the exposed network, which led to the loss of files, which led to the death, may also be charged with a homicide on the basis of indifference or neglect, depending on the specifics of the situation.
cheers,
catch
And do you really believe that a sysadmin can be charged with homicide because (s)he didn't properly secure his/her network? A violation of HIPAA and possibly the CFAA, sure... but homicide?
Quote:
http://www.cms.hhs.gov/hipaa/hipaa2/...ty/03-3877.pdf
The assigned security responsibility standard adopted in this final rule specifies that final security responsibility must rest with one individual to ensure accountability within each covered entity. More than one individual may be given specific security responsibilities, especially within a large organization, but a single individual must be designated as having the overall final responsibility for the security of the entity's electronic protected health information.