60 Journal of Regulatory Compliance Vol. I
The SANS report conducted a case study of three of the organizations observed which had the highest amount of malicious traffic during the reporting period. One of these organizations was identified as a “worldwide medical conglomerate, headquartered in the Northeast, with tens of thousands of employees recording more than 8,000 malicious events.”97 The report noted that “large does not necessarily mean compliant or secure,” despite a substantial budget for both compliance and security, as this organization clearly “had no idea of possible infection in its midst…”98 The data shows that the organization was experiencing malicious attacks for approximately five months straight without detection, sometimes up to 600 events per week.99 Among other things, the personal health record system owned and operated by one of the conglomerate’s affiliates was compromised,100 which clearly implicates HIPAA and its mandates to protect
Additionally, the foregoing case study is notable because it was found that many of the conglomerate’s compromised IP addresses were supported by Amazon’s EC2 cloud storage service.101 Like other large-scale patient information data management products offered by business associates of providers, Amazon EC2 is a product designed to store and transmit vast amounts of health data in a HIPAA-compliant secure environment.102 The vulnerabilities of these remote technology solutions raise new concerns given recent health insurance reforms as outlined by SANS:

    The health care industry faces a whole new paradigm. Participating state health insurance exchanges will connect with government agencies, such as the Treasury Department, the Internal Revenue Service and other state agencies, to verify enrollees’ eligibility for insurance and subsidies. If cloud-based services are sources of additional exposure, the implementation of these exchanges can unwittingly increase the ability of criminals to harvest richer datasets of [personally identifiable information] for profitable sale and
97. FILKINS, supra note 84, at 17.
100. Id. at 18.
102. Healthcare Providers and Insurers, AMAZON.COM, http://aws.amazon.com/health/providers-and-insurers/ (last visited Mar. 22, 2015).
103. FILKINS, supra note 84, at 18.