For organizations in highly regulated sectors such as health care, compliance with regulatory standards is not just a good idea; it’s the law. Moreover, there is a broad consensus that the regulatory standards are soundly based on security principles. Complaints about excessive or misguided regulations are not often heard.

But the flip side of this regulatory soundness cannot be taken for granted. Being in compliance with regulatory standards does not, in itself, ensure adequate security. This is for two different reasons, though both are rooted in technological complexity.

The first is the rapid evolution of technology, in particular the explosive growth in the number and variety of network connections. The second is the human factor in security: security is ultimately as much a state of mind as a matter of specific technical measures.


Compliance Is a Moving Target

According to a Level 3 report, “cyberthreats and the security landscape evolve rapidly, and industry standards cannot keep pace.” Compliance standards can only reflect best practices as of the time the draft standards were approved. But because of the rapid evolution of the technology environment, best practices are a fast-moving target.

Today’s networks are liable to have far more endpoints than was typical even a few years ago. Indeed, the contemporary focus of security thinking is shifting from primarily endpoint protection to an emphasis on trust of specific users and devices. The current compliance framework only imperfectly reflects this very recent development.

In health care, we are now moving from mere mobile connectivity to the Internet of Things (IoT) and connected devices. This means that critical devices such as dialysis machines may now be vulnerable to malware. In other industries with compliance rules, from finance to utilities, the IoT poses comparable evolving threats that the current compliance framework is not fully designed to handle.

Social Engineering and the Human Factor

Connected devices are one of the three leading threats for the health care sector — the others being distributed denial-of-service (DDoS) attacks and phishing attacks, according to the Level 3 report. DDoS attacks can paralyze networks, which in health care can be literally life-threatening.

But the challenge of phishing, as with other types of social engineering, is that it attacks systems through their human users. A particularly insidious version, called spear phishing, goes even further by leveraging personal social information to trick users.

Health care is uniquely exposed to social engineering threats because of its large and varied workforce. But the hazards of social engineering attacks extend across industries, and there is no purely technical solution to the challenge of human error. Not even a fully updated set of compliance standards could automatically protect against social engineering attacks. User education is more important than ever, and security will ultimately depend on this human factor.

Compliance Is Not a Cure-All

Meeting compliance standards remains essential to security, not just in health care, but in all industries subject to compliance rules. But compliance should be regarded as a framework that helps make security possible, not a magic wand that automatically makes your organization secure.

