For organizations in highly regulated sectors such as health care, compliance with regulatory standards is not just a good idea; it’s the law. Moreover, there is a broad consensus that the regulatory standards are soundly based on security principles. Complaints about excessive or misguided regulations are not often heard.

But the flip side of this regulatory soundness cannot be taken for granted. Being in compliance with regulatory standards does not, in itself, ensure adequate security. This is for two different reasons, though both are rooted in technological complexity.

The first is the rapid evolution of technology, in particular the explosive growth in the number and variety of network connections. The second is the human factor in security, meaning that it is ultimately as much a state of mind as a matter of specific technical measures.

Listen to the podcast: The Biggest Security Risks in Health Care IT Systems

Compliance Is a Moving Target

According to a Level 3 report, “cyberthreats and the security landscape evolve rapidly, and industry standards cannot keep pace.” Compliance standards can only reflect best practices as of the time when the draft standards were approved. But because of the rapid evolution of the technology environment, best practices are a fast moving target.

Today’s networks are liable to have far more endpoints than what was typical even a few years ago. Indeed, the contemporary focus of security thinking is shifting from primarily endpoint protection to an emphasis on trust of specific users and devices. The current compliance framework only imperfectly reflects this very recent development.

In health care, we are now moving from mere mobile connectivity to the Internet of Things (IoT) and connected devices. This can mean that critical devices such as dialysis machines may now be potentially vulnerable to malware. In other industries with compliance rules, from finance to utilities, the IoT poses comparable evolving threats that the current compliance framework is not fully designed to handle.

Social Engineering and the Human Factor

Connected devices are one of the three leading threats for the health care sector — the others being distributed denial-of-service (DDoS) attacks and phishing attacks, according to the Level 3 report. DDoS attacks can paralyze networks, which in health care can be literally life-threatening.

But the challenge of phishing, as with other types of social engineering, is that it attacks systems through their human users. A particular insidious version, called spear phishing, goes even further by leveraging personal social information to trick users.

Health care is uniquely exposed to social engineering threats because of its large and varied workforce. But the hazards of social engineering attacks extend across industries, and there is no purely technical solution to the challenge of human error. Not even a fully updated set of compliance standards could automatically protect against social engineering attacks. User education is more important than ever, and security will ultimately depend on this human factor.

Compliance Is Not a Cure-All

Meeting compliance standards remains essential to security, not just in health care, but in all industries subject to compliance rules. But compliance should be regarded as a framework that helps make security possible, not a magic wand that automatically makes your organization secure.

Read the IBM X-Force Research Report: Security Trends in the Health care industry

More from Data Protection

3 Strategies to overcome data security challenges in 2024

3 min read - There are over 17 billion internet-connected devices in the world — and experts expect that number will surge to almost 30 billion by 2030.This rapidly growing digital ecosystem makes it increasingly challenging to protect people’s privacy. Attackers only need to be right once to seize databases of personally identifiable information (PII), including payment card information, addresses, phone numbers and Social Security numbers.In addition to the ever-present cybersecurity threats, data security teams must consider the growing list of data compliance laws…

How data residency impacts security and compliance

3 min read - Every piece of your organization’s data is stored in a physical location. Even data stored in a cloud environment lives in a physical location on the virtual server. However, the data may not be in the location you expect, especially if your company uses multiple cloud providers. The data you are trying to protect may be stored literally across the world from where you sit right now or even in multiple locations at the same time. And if you don’t…

From federation to fabric: IAM’s evolution

15 min read - In the modern day, we’ve come to expect that our various applications can share our identity information with one another. Most of our core systems federate seamlessly and bi-directionally. This means that you can quite easily register and log in to a given service with the user account from another service or even invert that process (technically possible, not always advisable). But what is the next step in our evolution towards greater interoperability between our applications, services and systems?Identity and…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today