The Ford Pinto was a subcompact manufactured by Ford (introduced on 9/11/70 — another infamous coincidence?). It became a focus of a major scandal when it was alleged that the car’s design allowed its fuel tank to be easily damaged in the event of a rear-end collision, which sometimes resulted in deadly fires and explosions. Ford was aware of this design flaw but allegedly refused to pay what was characterized as the minimal expense of a redesign. Instead, it was argued, Ford decided it would be cheaper to pay off possible lawsuits for resulting deaths. The resulting liability case produced a judicial opinion that is a staple of remedy courses in American law schools.
What brought this on? Well, a recent conversation with a healthcare institution went something like this:
Us: Are you required to comply with HIPAA?
Them: Well, I suppose…yes
Us: So how do you demonstrate compliance?
Them: Well, we’ve never been audited and don’t know anyone that has
Us: So you don’t have a solution in place for this?
Them: Not really…but if they ever come knocking, I’ll pull some reports and wiggle out of it
Us: But there is a better, much better way with all sorts of upside
Them: Yeah, yeah whatever…how much did you say this “better” way costs?
Us: Paltry sum
Them: Well why should I bother? A) I don’t know anyone that has been audited. B) I’ve got better uses for the money in these tough times. C) If they come knocking, I’ll plead ignorance and ask for “reasonable time” to demonstrate compliance. D) In any case, if I wait long enough Microsoft and Cisco will probably solve this for me in the next release.
Us: Heavy sigh
Sadly, none of this is true, and there is overwhelming evidence of that.
Regulations are not intended to be punitive, of course, and in reality implementing log management provides positive ROI.
Read the memo…compliance is not merely about “checking the boxes”…but if you are reading this, you probably already knew that.