Why healthcare IT security is harder than the rest

Throughout the year, in such articles as " Medical identity theft a rising and significant threat" and " Healthcare security needs a booster shot," CSOonline has documented many of the challenges the healthcare industry faces in trying to keep its customers' records secure and to run its business-technology systems within regulatory mandates. This week we've turned to security expert Gunnar Peterson, managing principal at Arctec Group, a consultancy based in Minneapolis, MN. Peterson's specialty is on distributed systems security for large, mission-critical systems in the financial, healthcare, manufacturing, and insurance industries, as well as a number of start-ups. Peterson also blogs at 1raindrop and has a number of interesting thoughts on the special challenges of health care security.

Healthcare 'most breached industry in 2011'

CSO: How do you see healthcare data security as being different from securing other types of data and transactions from other industries?Gunnar Peterson: I think that the health care industry has a number of challenges that make the security architect's job, the CSO's job -- in all cases except for one -- much more difficult than in financial services and most other industries. The one thing that's more difficult in financial services is that they have ongoing determined attacks through fraud and other types of financial attacks. That's been with banks long before there were computers. I would argue that almost every other aspect of security is more difficult in healthcare.

It starts with the transaction. One of the nice things that security architects have in the financial world is a very black and white transaction model. The money is in my account, or it's in your account, or it's in the holding company's account. There is no gray area about who's got the money at any given period of time, or where the risk is at any given time. Relatively speaking these transaction models are brutally simple, because lots of players have to sign up for them and there's lots of standardization. And people have been tweaking these models for a long time. When you start a job as a CISO at a financial services firm you are given a transaction model manual, and it's fairly straightforward.

To continue reading, register here to become an Insider. You'll get free access to premium content from CIO, Computerworld, CSO, InfoWorld, and Network World. See more Insider content or sign in.

Throughout the year, in such articles as " Medical identity theft a rising and significant threat" and " Healthcare security needs a booster shot," CSOonline has documented many of the challenges the healthcare industry faces in trying to keep its customers' records secure and to run its business-technology systems within regulatory mandates. This week we've turned to security expert Gunnar Peterson, managing principal at Arctec Group, a consultancy based in Minneapolis, MN. Peterson's specialty is on distributed systems security for large, mission-critical systems in the financial, healthcare, manufacturing, and insurance industries, as well as a number of start-ups. Peterson also blogs at 1raindrop and has a number of interesting thoughts on the special challenges of health care security.

Healthcare 'most breached industry in 2011'

CSO: How do you see healthcare data security as being different from securing other types of data and transactions from other industries?Gunnar Peterson: I think that the health care industry has a number of challenges that make the security architect's job, the CSO's job -- in all cases except for one -- much more difficult than in financial services and most other industries. The one thing that's more difficult in financial services is that they have ongoing determined attacks through fraud and other types of financial attacks. That's been with banks long before there were computers. I would argue that almost every other aspect of security is more difficult in healthcare.