Health-Care Industry Starts to Pay Attention to Cyber Risks [Cihan News Agency (Turkey)]
[November 11, 2014]

(Cihan News Agency (Turkey) Via Acquire Media NewsEdge) The health-care industry is grappling with how to protect personal health information from increasing cyber threats. In addition to meeting security and privacy regulations, companies can do more to prevent breaches by assessing and prioritizing cybersecurity risks, said Jim Routh, chief information security officer at health insurer Aetna Inc. The message has already caught on at some health-care companies, which are starting to look for technology executives with risk experience.
Since 1996, the industry's regulations under the Health Insurance Portability and Accountability Act have required the security and privacy of individually identifiable patient health information. While HIPAA sets out clear expectations for protecting personal health information, it doesn't address the fast-paced world of cybercriminals and their increasing sophistication in targeting health-care companies.

"Cybersecurity threats change every 30 days," Mr. Routh told CIO Journal. Yet, the regulatory frameworks the industry uses have taken 17 years to create. "They're not designed to be responsive to the changes in the threat landscape," he said.


A September global state of information security report from PricewaterhouseCoopers LLP found that detected incidents reported by health-care providers and payers in a two-month period in 2014 were 60% higher than for a similar period in 2013. Financial losses increased 282% over 2013.

Cybercriminals have begun to use electronic health-care information to perpetrate identity theft and account fraud in the last couple of years, said John Pescatore, director of emerging security trends at SANS Institute, a cybersecurity research and education organization. "There's been near zero reaction from the health-care industry," he said.

Regulatory compliance, while important, isn't enough on its own to prevent breaches. Instead, it's important to also take a risk-based approach by "prioritizing the allocation of resources so we're focused on the risks with the biggest impact," said Mr. Routh, who previously served as head of application security at J.P. Morgan Chase & Co. This approach has been used by the largest banks, but it is only now making its way to the health-care industry, he said.

Aetna, for example, has met HIPAA requirements for the protection of health data, but it has also gone one step beyond and created an even higher level of control for certain types of data, including credit card information, social security numbers and security credentials such as user names and passwords. The higher level of control uses techniques such as multi-vector authentication and encryption of data at rest and in motion, said Mr. Routh. "This is not mandated by any regulatory requirement but mandated by risk," he said.

To be sure, a risk-based cybersecurity approach is a good starting point, but it's not necessarily bulletproof. J.P. Morgan, for example, said that about 76 million households were affected by a data breach this summer in which cybercriminals stole customer contact information, the Journal's Emily Glazer and Danny Yadron reported in October. At the time, the bank said it had not seen an unusual amount of fraud resulting from the breach.

Still, some health-care companies are beginning to consider a risk-based approach when hiring technology executives, said Katherine Graham Shannon, global practice managing partner of the information and technology officers practice at executive search firm Heidrick & Struggles. Ms. Shannon said she recently met with a health-care company and about a quarter of the conversation was about risk-based information security.

(c) 2014 Cihan News Agency. All rights reserved. Provided by SyndiGate Media Inc. (Syndigate.info).