Information Security

Defending the digital infrastructure



Jon Moore: Build a Security Control Framework for Predictable Compliance

Health care provider Humana Inc., has developed a security controls framework that addresses all of the industry and federal regulations it must comply with.

The healthcare industry's increasing reliance on technology during this decade has been embraced by consumers, and this has created increased challenges for an already highly regulated industry. The need for superior information security is understandable; after all, consumers entrust us with their health and their wealth. By that, of course, I mean that Humana's subscribers and those of our peer companies are relying on us to help enable their quality of life securely and reliably.

Healthcare companies must comply with the myriad state and federal regulations (HIPAA, Sarbanes-Oxley, PCI, and now HITECH) that have emerged since 2000; each is intended to result in healthcare companies safeguarding customer information. Achieving compliance can mean significant cost and regulation-related expenses for healthcare companies. But the cost of doing nothing can have profoundly negative consequences. In fact, the financial impact of data breaches is skyrocketing. The average cost per incident is now reported to be in the $6 million range. Humana's challenge, like its competitors', is to achieve compliance with varying regulations cost-effectively and efficiently.

Complying with each security-focused regulation one by one is a natural compliance strategy, but it can easily push you into a never-ending chase after the next compliance target. Just analyzing the multitude of control requirements from each regulation can be costly and eat into the time a company needs to actually implement and achieve meaningful information protection measures.

Humana has responded with an integrated compliance strategy. Instead of focusing on distinct compliance measures for each regulation, we concentrated on building an integrated security control framework across our enterprise. Its building blocks (common security controls, best practices and policies) are positioned to predictably lead to a state of compliance with a host of unique regulations. Our comprehensive, integrated approach has paid off significantly.

We initially created a security control framework with ISO 27002 as its foundation. Building on this internationally recognized security standard enabled us to steadily mature our control framework. We have progressively adopted additional best practices, carefully aligning their common requirements so that one control satisfies multiple regulations. As a result, our framework provides clear guidelines we consistently follow in delivering an array of services across our enterprise, including consulting, control guidance, security assurance reviews, and security-focused risk analyses. Our primary objective is meeting all of our control framework standards, not simply conforming to individual regulations.

Our annual maturity assessment enables the continued viability of Humana's security control framework process. In 2004, we adopted the Capability Maturity Model Standard to assess the reliability of our program relative to the security framework. This domain-by-domain view of our maturity has been invaluable. It has enabled us to optimize our finite information protection resources by targeting them directly at areas with the greatest opportunities for improvement. As a result, we have consistently increased the overall maturity level of our program.

The progression of our framework maturity dovetailed with the formation of HITRUST, the Health Information Trust Alliance. Humana helped pioneer the healthcare industry's groundswell of support for HITRUST's development of a common security framework, a standard introduced earlier this year. As a HITRUST executive council member, I will continue to help oversee our industry's reliance on this unified, industry-driven set of security governance standards and controls, which offers valuable prescriptive implementation guidance. In addition, HITRUST's related services and certification initiatives are enabling an unprecedented level of consumer, vendor and regulator confidence and trust in all healthcare entities. Health care needs this now more than ever.

Today, Humana's security control framework aligns with HITRUST's common security framework. We continually refresh it to ensure ongoing alignment with, and inclusion of, the latest control objectives and prescriptive guidance from HITRUST. Of course, we also rely on technology's advantages to sustain our control framework's effectiveness. I recommend investing in governance, risk and compliance (GRC) technology that automates compliance maintenance and evaluation against your control framework. GRC tools typically result in a positive return on investment and allow you to automate many of the manual risk and compliance processes that eat up valuable time, time that can be better spent on implementing or improving your control environment.

Frameworks flanked by technology and people work. Achieving compliance is realistic if you develop and implement an integrated strategy. Build a security control framework that you believe in, continually enhance it, and in time compliance can be the expected result.


TITLE Chief information security officer
COMPANY Humana Inc.
INDUSTRY Healthcare

  • Executive Council member, Health Information Trust Alliance (HITRUST)
  • Humana's first CISO; runs the Enterprise Information Security Organization
  • Helps run Humana's global readiness and crisis management office
  • Counsels executives on information security
  • Oversees $6.92M budget and a team of 44
  • Developed policies and technology to secure Web-based customer-facing tools
  • HITRUST leader; helped develop a set of industry best practices around information protection and data integrity
  • Won HITRUST's Leadership Award for his work in developing the health care industry's Common Security Framework
  • Established consortium of HITRUST IT, risk, physical security and privacy professionals to develop third-party audit program

Healthcare is a national priority, and as it is elevated in our consciousness, the security and privacy of information will be paramount. Jon Moore's work at Humana and with HITRUST in establishing data protection and integrity standards is pioneering work that is laying the footing for future security professionals in the healthcare industry.


Article 10 of 12
