
I've done work in the medical industry, both for hospitals and private software companies developing medical software. In my experience, security, stability and compliance with HIPAA and other regulations are taken very seriously.


In my experience HIPAA is taken very seriously in the sense that people are willing to have meetings about HIPAA, with furrowed brows and serious expressions and a lot of signatures. Are the actual end products more secure? No, probably not. Of course this probably varies drastically from place to place.


Like you said, it may vary place to place, but you are definitely more secure when complying with HIPAA than without. The very act of discussing security within an organization in a structured way is a good start.

edit: missing word


There are plenty of reports of hospitals using out-of-support Windows versions (95-XP) with known vulnerabilities on _network-connected_ devices. ( https://nakedsecurity.sophos.com/2020/02/20/nearly-half-of-h... )

On the parent comment: I am not saying that hospitals aren't HIPAA compliant, but rather that the security expectations for credit card data are higher than for medical data.


That's the UK, no HIPAA per se. Funnily enough, the infamous GDPR applies, and data leaks are quite punishable.

The Hospital Group is in quite a bad position: 1) the blackmail, which by no definition is ransom; 2) the data leak has to be reported, and potentially they will get fined by the state.

As for taking regulation seriously, I guess it does depend on the industry. Where I work GDPR and regulatory breaches are treated more seriously than downtime.


I assume UK business won’t have to worry about GDPR for clients in the UK going forward due to Brexit?


Not really. The UK has its own[0].

[0]: https://www.gov.uk/data-protection


Same. And we have external audits and experts checking what we do.
