Saturday, November 3, 2012

Compliance and security in different verticals

I attended a very interesting healthcare round table last week organized by RSA. One of the things that we discussed was how different verticals handle their respective compliance legislation.

There was a lot of consensus around the fact that finance has a very mature security stance. This is probably partly due to the fact that the compliance legislation (SOX) is rather mature and well defined. The consequences of non-compliance can be very painful for very important people in the company, which usually results in a lot of attention. There have also been a number of very big events in finance where insiders have gained elevated privileges in order to hide trading losses.

If you move on to retail, you have PCI, which is very detailed and specifies exactly what you need to do and what happens if you don't. Again, there have also been a number of cases of insiders stealing credit card data where improved security systems clearly could have led to at least earlier detection and smaller losses.

In healthcare, on the other hand, we have HIPAA and HITECH. HIPAA is very high level and doesn't have any real teeth. There was some talk about HITECH fixing this, but thus far there have been very few cases where HITECH has really been brought to bear against healthcare or payer organizations.

Another aspect is that the information handled by healthcare organizations is harder to fence. Financial organizations tend to handle cash, which certainly is very easy to fence. Credit card data isn't pure cash, but thanks to organized crime there are essentially underground exchanges where credit card data can be sold in wholesale quantities.

Healthcare and healthcare insurance information is harder to capitalize on, as it is much easier to pose as a person with a credit card to a merchant than to pose as a healthcare provider to a healthcare payer. On the other hand, the potential payouts could be very substantial, so I wouldn't be surprised if we see a "TJ Maxx"-like case very soon in the healthcare sector. The PI aspect of the PHI is another potentially interesting attack target, as it is often possible to perform identity theft using the data in the insurance information.

The consensus in the meeting was that healthcare in general is relatively immature, but that there are a lot of things that point to a change in culture over the next few years. One clear possibility is that the enforcement of HITECH may be stepped up, and there may also be enough embarrassment generated by a couple of big data loss cases that actual change will happen in the industry.

BCBS Tennessee is one very famous example of what can be done if an organization decides to tackle a specific aspect of security (data at rest, in this case). It should be noted that the cost of just providing data-at-rest encryption for a mid-size payer organization is $6 million, so lifting the overall security posture of the industry clearly won't be cheap.
