Some healthcare CIOs are taking a lesson from the insurance sector for standards in cybersecurity.
The government'sefforts to set cybersecurity standards for healthcare have had limited success, and insurers have relatively more success, according to the Wall Street Journal. They have gathered large contingencies of lawyers and security experts and formed partnerships with security advisory firms, bringing a business risk perspective to cybersecurity, according to the report.
Companies such as Aetna treat cybersecurity like any other business risk and conduct security analyses every day. The HHS's Office of Civil Rights requirements on security analysis only require businesses to conduct security analyses "as needed," saying some covered entities may "conduct these processes annually or as needed (e.g. bi-annual or every 3 years)." The cyber attacks against Indianapolis-based Anthem and Mountlake Terrace, Wash.-based Premera, both of which compromised tens of millions of patient records, have spurred healthcare executives to double down on their security practices.