Privacy & Security

Compliance isn't everything

Managing security risks matters, too.
By Erin McCann
August 06, 2014
07:58 AM

There's been a lot of talk about compliance lately. Federal and state regulations. HIPAA regulations. But, if you're in charge of healthcare security, compliance is far from sufficient, says Jim Routh, chief information security officer for Aetna, one of the nation’s leading diversified healthcare benefits companies.

"The focus of the information security capabilities and controls has less to do with the regulatory requirements and more to do with the shift in tactics and trends for cybersecurity threats," he explains. 

Routh is slated to kick off the HIMSS Media and Healthcare IT News Privacy and Security Forum in Boston Sept. 8, with his keynote, "Climate Change: It’s About Managing Risk, Not Just Compliance."

If you think about it, he says, the cycle time for regulatory requirements is measured in years. They’re typically years out of date at best, as it takes time to figure out what the rules should be and what the best way to enforce the rules is.

Compare that with the cycle time on the threat side, which proves fundamentally different. "Back in the good ol' days,” Routh says, "we'd go four or five years before there was a major shift in tactics used by cybersecurity criminals."

Fast forward to present day, and that four- or five-year time frame has been condensed to about 30 days, "meaning that every 30 days or so, we see a shift in tactics on the threat side that causes us to make some adjustments on our side."

Indeed, according to a 2014 Verizon breach report, attackers were able to compromise an asset in days or less in nearly 100 percent of breaches examined.

Thus, the cycle time for threats is measured in days, versus the years it takes for regulations to change, "so there's a fundamental disconnect," Routh adds. "If you have an information security program that satisfies all the regulatory requirements, that's like the first level of maturity you want to achieve, but it's not at all effective from a risk management standpoint to support the needs of protecting customers' information."

Routh, who comes most recently from the financial industry – he was formerly global head of applications and mobile security at JP Morgan Chase – is first to admit that the number of cyberattacks on the healthcare industry is far less than what he observed in the financial industry.

Don't breathe any sighs of relief yet, however. As banks have gotten a handle on security, he explains, cybercriminals are increasingly looking to other sectors. Combine that with the consumerization of the industry, and the healthcare sector has made itself one attractive target for cybercriminals. 

As Routh notes, just in the last 12 months, he's seen an uptick in the number of attacks. "Even though it's much less significant on a comparative basis with a bank, the number of attacks is creeping up. It's escalating," says Routh.

Accompanying this escalation is the necessity also to escalate risk management efforts – and to better protect the data of its 46 million members Aetna is doing just that.

In terms of security projects Routh and his security team of 100 are working on right now? "There's only 38 of them," he says, chuckling.

One of those projects, which he worked on back at JP Morgan Chase, involves addressing the issue of phishing.

Aetna now authenticates all of its outbound emails to consumers and prospects, and publishes the DMARC record, which allows the ISPs that deliver mail to the consumers’ mailbox to drop any mail that doesn’t originate from Aetna’s authenticated email servers. Aetna is the first healthcare company to do this, Routh points out. 

"The only email message (consumers) get from Aetna is a legitimate email message," he says. "It reduces the risk to the consumer of getting phished and getting credentials stolen, and it lowers our operating costs because we don't have to deal with consumers that experience that."

It’s one project out of 38 for now, but Routh anticipates the number will grow as threats continue to materialize. Regulatory laws are "not enough," he adds. "We have to constantly consume cybersecurity intelligence through information sharing capability."

Topics: 
Privacy & Security, Compliance & Legal

More regional news

Capitol rotunda at sunset

Congress releases AI policy blueprint

By
Andrea Fox
December 20, 2024
Epic booth at HIMSS global conference

Epic files to dismiss antitrust lawsuit

By
Andrea Fox
December 20, 2024
Representatives of NUS Medicine, Kailuan General Hospital, Tianjin Medical University, and Tianjin Medical University General Hospital pose after signing their MOU

Chinese hospitals join NUS Medicine's big health data project

By
Adam Ang
December 19, 2024
Want to get more stories like this one? Get daily news updates from Healthcare IT News.
Your subscription has been saved.
Something went wrong. Please try again.

Top Story

Capitol rotunda at sunset
Congress releases AI policy blueprint

Most Read

Epic asks court to throw out 'baseless' Particle Health lawsuit
FDA releases its stance on regulating AI in healthcare
CHAI: Look for healthcare AI model 'nutrition labels' soon
New DiMe platform validates digital health software
Aidoc, NVIDIA intro new plan to speed AI adoption in healthcare
Winning cybersecurity warfare is the ultimate millstone for CISOs

Research

White Papers

More Whitepapers

Patient Engagement
Patient Engagement
Financial/Revenue Cycle Management

Webinars

More Webinars

Imaging
Interoperability
Artificial Intelligence

Video

John Saran at Holland & Knight_Modern office buildings in London Photo by Tim Grist Photography/Moment/Getty Images
PE and healthcare investment: What's next for 2025
Sponsored by
Healthcare worker talking to patient
New infusion pumps may help lighten nurses’ workload
Dr Chien-Tzung Chen 4t Linkou Chang Gung Memorial Hospital_HIMSS24 APAC
Linkou Chang Gung Memorial Hospital eyes remote patient monitoring at home
Dan Torrens at eHealth Technologies_Blockchain in healthcare concept Photo by ArtemisDiana/iStock/Getty Images Plus
Getting providers from point A to B

More Stories

Dr. Eric Liederman, CEO of CybersolutionsMD
Q&A: CybersolutionsMD CEO on preventing cyberattacks
Change healthcare booth
Nebraska sues Change Healthcare over ransomware attack
Vijayashree Natarajan of Omega Healthcare on AI
Three for 2025: data security, cancer informatics and agentic AI
Capitol Hill
Congress looks set to extend telehealth and hospital-at-home flexibilities
Josh Di Frances at LG NOVA_Top down view of startup team Photo by NanoStockk/iStock/Getty Images Plus
What a startup pitch competition shows about IT innovation
Ravi Teja Karri of Froedtert Health on AI
Using AI and ML in predictive analytics for bed demand forecasting
Abstract image of AI brain and technology
ASTP updates HHS AI Use Case Inventory for 2024
Female doctor on laptop smiles at patient in foreground who is taking notes
Report shows overwhelming doctor support for virtual care