Compliance isn't everything

Managing security risks matters, too.
By Erin McCann
07:58 AM

There's been a lot of talk about compliance lately. Federal and state regulations. HIPAA regulations. But, if you're in charge of healthcare security, compliance is far from sufficient, says Jim Routh, chief information security officer for Aetna, one of the nation’s leading diversified healthcare benefits companies.

"The focus of the information security capabilities and controls has less to do with the regulatory requirements and more to do with the shift in tactics and trends for cybersecurity threats," he explains. 

Routh is slated to kick off the HIMSS Media and Healthcare IT News Privacy and Security Forum in Boston Sept. 8, with his keynote, "Climate Change: It’s About Managing Risk, Not Just Compliance."

If you think about it, he says, the cycle time for regulatory requirements is measured in years. They’re typically years out of date at best, as it takes time to figure out what the rules should be and what the best way to enforce the rules is.

Compare that with the cycle time on the threat side, which proves fundamentally different. "Back in the good ol' days," Routh says, "we'd go four or five years before there was a major shift in tactics used by cybersecurity criminals."

Fast forward to present day, and that four- or five-year time frame has been condensed to about 30 days, "meaning that every 30 days or so, we see a shift in tactics on the threat side that causes us to make some adjustments on our side."

Indeed, according to a 2014 Verizon breach report, attackers were able to compromise an asset in days or less in nearly 100 percent of breaches examined.

Thus, the cycle time for threats is measured in days, versus the years it takes for regulations to change, "so there's a fundamental disconnect," Routh adds. "If you have an information security program that satisfies all the regulatory requirements, that's like the first level of maturity you want to achieve, but it's not at all effective from a risk management standpoint to support the needs of protecting customers' information."

Routh, who comes most recently from the financial industry – he was formerly global head of applications and mobile security at JP Morgan Chase – is first to admit that the number of cyberattacks on the healthcare industry is far less than what he observed in the financial industry.

Don't breathe any sighs of relief yet, however. As banks have gotten a handle on security, he explains, cybercriminals are increasingly looking to other sectors. Combine that with the consumerization of the industry, and the healthcare sector has made itself one attractive target for cybercriminals. 

As Routh notes, just in the last 12 months, he's seen an uptick in the number of attacks. "Even though it's much less significant on a comparative basis with a bank, the number of attacks is creeping up. It's escalating," says Routh.

Accompanying this escalation is the need to escalate risk management efforts as well, and to better protect the data of its 46 million members, Aetna is doing just that.

In terms of security projects Routh and his security team of 100 are working on right now? "There's only 38 of them," he says, chuckling.

One of those projects, which he worked on back at JP Morgan Chase, involves addressing the issue of phishing.

Aetna now authenticates all of its outbound email to consumers and prospects and publishes a DMARC record, which lets the ISPs that deliver mail to consumers’ mailboxes drop any message that doesn’t originate from Aetna’s authenticated email servers. Aetna is the first healthcare company to do this, Routh points out.
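To make the mechanism concrete, here is an added example (not Aetna's record or code) of the decision a receiving mail provider makes under DMARC: it parses a constructed DMARC TXT record and returns the disposition for a message based on whether SPF or DKIM passed for a domain aligned with the visible From: domain. The record contents, the example.com domain names and the simplified organizational-domain rule are assumptions for illustration.

```python
from typing import Dict, Optional

# Constructed sample record, of the kind a sender publishes in DNS at
# _dmarc.<domain>. p=reject asks receivers to drop unaligned, unauthenticated mail.
SAMPLE_DMARC_RECORD = "v=DMARC1; p=reject; adkim=s; aspf=r; rua=mailto:dmarc-reports@example.com"


def parse_dmarc(record: str) -> Dict[str, str]:
    """Parse a DMARC TXT record into lowercase tag -> value pairs, applying defaults."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        part = part.strip()
        if part:
            key, _, value = part.partition("=")
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        raise ValueError("not a DMARC1 record")
    tags.setdefault("p", "none")      # policy for the domain itself
    tags.setdefault("adkim", "r")     # DKIM alignment: r(elaxed) or s(trict)
    tags.setdefault("aspf", "r")      # SPF alignment: r(elaxed) or s(trict)
    return tags


def org_domain(domain: str) -> str:
    # Simplification (assumption): organizational domain = last two labels.
    # Real receivers consult the Public Suffix List instead.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain: Optional[str], from_domain: str, mode: str) -> bool:
    """An authenticated domain aligns with From: exactly (strict) or by org domain (relaxed)."""
    if not auth_domain:
        return False
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def dmarc_disposition(record: str, from_domain: str,
                      spf_pass_domain: Optional[str] = None,
                      dkim_pass_domain: Optional[str] = None) -> str:
    """Return 'pass', or the record's policy ('none', 'quarantine', 'reject') to apply.

    spf_pass_domain / dkim_pass_domain are the domains for which SPF / DKIM
    verification succeeded (None if it failed or was absent).
    """
    tags = parse_dmarc(record)
    if aligned(spf_pass_domain, from_domain, tags["aspf"]) or \
       aligned(dkim_pass_domain, from_domain, tags["adkim"]):
        return "pass"
    return tags["p"] if tags["p"] in ("none", "quarantine", "reject") else "none"
```

A spoofed message whose From: claims example.com but that only passes SPF for the phisher's own domain falls through to the published policy and is rejected, which is what stops the lookalike mail from reaching the mailbox.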

"The only email message (consumers) get from Aetna is a legitimate email message," he says. "It reduces the risk to the consumer of getting phished and getting credentials stolen, and it lowers our operating costs because we don't have to deal with consumers that experience that."

It’s one project out of 38 for now, but Routh anticipates the number will grow as threats continue to materialize. Regulatory laws are "not enough," he adds. "We have to constantly consume cybersecurity intelligence through information sharing capability."
