For organizations in highly regulated sectors such as health care, compliance with regulatory standards is not just a good idea; it’s the law. Moreover, there is a broad consensus that the regulatory standards are soundly based on security principles. Complaints about excessive or misguided regulations are not often heard.

But the flip side of this regulatory soundness cannot be taken for granted. Being in compliance with regulatory standards does not, in itself, ensure adequate security. This is for two different reasons, though both are rooted in technological complexity.

The first is the rapid evolution of technology, in particular the explosive growth in the number and variety of network connections. The second is the human factor in security, meaning that it is ultimately as much a state of mind as a matter of specific technical measures.

Listen to the podcast: The Biggest Security Risks in Health Care IT Systems

Compliance Is a Moving Target

According to a Level 3 report, “cyberthreats and the security landscape evolve rapidly, and industry standards cannot keep pace.” Compliance standards can only reflect best practices as of the time when the draft standards were approved. But because of the rapid evolution of the technology environment, best practices are a fast moving target.

Today’s networks are liable to have far more endpoints than what was typical even a few years ago. Indeed, the contemporary focus of security thinking is shifting from primarily endpoint protection to an emphasis on trust of specific users and devices. The current compliance framework only imperfectly reflects this very recent development.

In health care, we are now moving from mere mobile connectivity to the Internet of Things (IoT) and connected devices. This can mean that critical devices such as dialysis machines may now be potentially vulnerable to malware. In other industries with compliance rules, from finance to utilities, the IoT poses comparable evolving threats that the current compliance framework is not fully designed to handle.

Social Engineering and the Human Factor

Connected devices are one of the three leading threats for the health care sector — the others being distributed denial-of-service (DDoS) attacks and phishing attacks, according to the Level 3 report. DDoS attacks can paralyze networks, which in health care can be literally life-threatening.

But the challenge of phishing, as with other types of social engineering, is that it attacks systems through their human users. A particular insidious version, called spear phishing, goes even further by leveraging personal social information to trick users.

Health care is uniquely exposed to social engineering threats because of its large and varied workforce. But the hazards of social engineering attacks extend across industries, and there is no purely technical solution to the challenge of human error. Not even a fully updated set of compliance standards could automatically protect against social engineering attacks. User education is more important than ever, and security will ultimately depend on this human factor.

Compliance Is Not a Cure-All

Meeting compliance standards remains essential to security, not just in health care, but in all industries subject to compliance rules. But compliance should be regarded as a framework that helps make security possible, not a magic wand that automatically makes your organization secure.

Read the IBM X-Force Research Report: Security Trends in the Health care industry

More from Data Protection

Data Privacy: How the Growing Field of Regulations Impacts Businesses

The proposed rules over artificial intelligence (AI) in the European Union (EU) are a harbinger of things to come. Data privacy laws are becoming more complex and growing in number and relevance. So, businesses that seek to become — and stay — compliant must find a solution that can do more than just respond to current challenges. Take a look at upcoming trends when it comes to data privacy regulations and how to follow them. Today's AI Solutions On April…

Defensive Driving: The Need for EV Cybersecurity Roadmaps

As the U.S. looks to bolster electric vehicle (EV) adoption, a new challenge is on the horizon: cybersecurity. Given the interconnected nature of these vehicles and their reliance on local power grids, they’re not just an alternative option for getting from Point A to Point B. They also offer a new path for network compromise that could put drivers, companies and infrastructure at risk. To help address this issue, the Office of the National Cyber Director (ONCD) recently hosted a…

Why Quantum Computing Capabilities Are Creating Security Vulnerabilities Today

Quantum computing capabilities are already impacting your organization. While data encryption and operational disruption have long troubled Chief Information Security Officers (CISOs), the threat posed by emerging quantum computing capabilities is far more profound and immediate. Indeed, quantum computing poses an existential risk to the classical encryption protocols that enable virtually all digital transactions. Over the next several years, widespread data encryption mechanisms, such as public-key cryptography (PKC), could become vulnerable. Any classically encrypted communication could be wiretapped and is…

How the CCPA is Shaping Other State’s Data Privacy

Privacy laws are nothing new when it comes to modern-day business. However, since the global digitization of data and the sharing economy took off, companies have struggled to keep up with an ever-changing legal landscape while still fulfilling their obligations to protect user data. The challenge is that there is no one-size-fits-all solution regarding data privacy's legal requirements. Depending on the location and jurisdiction, data privacy laws can vary significantly in terms of scope and enforcement. But while the laws…