
Nothing is safe, sadly. HIPAA does almost nothing; in reality, very few companies actually get the full-fat $1000-per-patient fine. Even the regulation itself is now hilariously outdated: "encrypted at rest and in transit" is absolutely the lowest bar for security.

There are way too many fast-and-loose players in the mental health space; they do not care to actually have security. They do not have separate roles for security and engineering.

These startups only have to pretend to have security to appease their VCs. In Series B they MAY get a small security audit, but they already lie on their SOC2 or ISO27000... so what's some more lies?

The idea of having a rigorous process that ensures security is completely unacceptable if it adds any time to market.

This is why we see numerous hacks in the health tech space.
