Aetna CISO: Mandate protection of health data by risk, not regulation

Healthcare companies increasingly are being targeted by cybercriminals, and as threats to consumers' private health information grow, the industry must do more to prevent breaches.

The regulatory framework in healthcare has taken 17 years to make and is "not designed to be responsive to the changes in the threat landscape," Jim Routh, chief information security officer at health insurance giant Aetna, told the Wall Street Journal.

As technology advances, so does the ability for hackers to find new ways to compromise systems, and regulatory compliance just isn't enough to prevent breaches, Routh said. Companies must take a risk-based approach, he said, and make allocation of resources a priority to put the focus on risks that could do the most harm.

For example, the federal health insurance exchange website is still facing security problems. A recent Government Accountability Office report found that the health exchange site may still have security holes. And in early September it was reported that a hacker broke into part of the insurance enrollment website in July and uploaded malicious software, according to federal officials.

At Aetna, the insurer has gone beyond just regulations like HIPAA to protect health data; it has added a higher level of control for information like credit card data and Social Security numbers, according to Routh. To protect that data, Aetna uses multi-vector authentication and encryption of data.

"This is not mandated by any regulatory requirement but mandated by risk," Routh said.

This comes at a time when the black market for medical identity information is thriving. Basic information, such as names, birth dates and health insurance contract numbers, fetches $20 on the black market, FierceHealthIT previously reported. And deluxe, ready-to-use identity theft kits can fetch nearly $1,500.

James Brady, chief information officer at Kaiser Permanente Orange County in California, also stressed the importance of a proactive response to data security in a recent HIMSS post.

According to Brady, steps employees at healthcare organizations can take to reduce the risk of hacks include encryption of all devices and systems, secure email and text messaging, good password practices, and caution when opening attachments or clicking on links to websites.

"As a clinician on the front lines of healthcare, you have an important role to play in advocating for the protection of patient and member information," Brady said. 

To learn more:
- read the WSJ article
- check out the HIMSS post