For the first time, according to a recent study, criminal and state-sponsored hacks have surpassed human error as the leading cause of health care data breaches, and it could be costing the industry as much as $6 billion. With an average organization cost of $2.1 million per breach, the results of the study give rise to a question: How do you define human error?
More than half of the respondents to the Ponemon Institute’s Fifth Annual Benchmark Study on Privacy & Security of Healthcare Data said their organization’s incident response team was underfunded or understaffed, and roughly one third had no incident response plan in place at all: zip, nada, zilch. That is hard to credit at a moment when breaches have become the third certainty in life, and it highlights how little of the “first do no harm” ethic applied to patients has carried over to the breach-prone operations side of the health care industry.
While it is disconcerting that there isn’t a more robust incident response culture out there, perhaps more worrisome is the seeming lack of best practices pointed at heading off the problem before it happens. That’s where a new term comes into play.
Wetware is a term of art hackers use for an approach that targets neither firmware, hardware nor software to get the information they want to pilfer. In other words, people. (The human body is more than 60% water.) A wetware intrusion happens when an attacker exploits employee trust, predictable behavior or a failure to follow security protocols. It can be a spearphishing email, a crooked employee on the take or a file found while Dumpster diving, and all stripes of things in between. Whatever form it takes, there is a human being involved.
The findings of the Ponemon Institute study point to the dire need for better wetware precautions when it comes to the security of health care records. Consider that 40% of the health organizations in the study reported more than five breaches in the past two years.
According to the study, since 2010 “the percentage of respondents who said their organization had multiple breaches increased from 60% to 79%.” Also by no means inconsequential is the fact that medical identity theft—where an imposter uses a victim’s credentials to obtain health care—nearly doubled in the past five years, from 1.4 million adult victims to more than 2.3 million in 2014.
Not all of the breaches behind these figures were the size or severity of Anthem or Premera, which together exposed extremely sensitive personally identifiable information (Social Security numbers, birth dates and bank account numbers) belonging to more than 91 million consumers. The $2.1 million average cost per health care organization is eye-catching, but it covers incidents averaging 2,700 lost or stolen records, a range that runs from Anthem and Premera down to breaches that were decidedly on the smaller side.
As Larry Ponemon rightly pointed out in an interview with Dark Reading, while many of the incidents involved the exposure of “less than 100 records,” that in no way trivializes those events. According to the study, “Many medical identity theft victims report they have spent an average of $13,500 to restore their credit, reimburse their health care provider for fraudulent claims and correct inaccuracies in their health records.”
With 91% of the health care organizations that responded to the study reporting at least one incident in the preceding two years, it is clear that whatever we are doing to address the health care breach problem is woefully inadequate. It is equally clear that the problem is wetware, and that better practices need to become part of the work culture in the health care industry.
When participating organizations in the study were asked what worried them the most (with three responses permitted), 70% said the biggest concern was a negligent or careless employee. Next came cyber attackers (40%) and the security of public cloud servers (33%). Respondents also cited insecure mobile apps (13%) and insecure medical devices (6%).
With 96% of respondents reporting a security incident involving lost or stolen devices, the fact that cyber attacks, state-backed and criminal, are now the leading cause of breaches should keep you up at night. The more terrifying takeaway, though, is that many of those attacks would doubtless not be possible without the human factor. There is enough overlap between the proactive criminal and the clumsy employee that these figures start to look like so much digital rain in a lost scene from “The Matrix.”
These days, smartphones and tablets are on the most-compromised or stolen list. Earlier on in the data breach pandemic, laptop computers and desktops were at the top of that list. While it is interesting on some level how the information gets compromised, at the end of the day, a breach is a breach is a breach. Health care industry: you’re all wet.
The bottom line here is that hackers of all stripes are having a field day because the wetware problem has gone largely unaddressed, and until people become the beginning and end of the process that leads to a zero-tolerance solution, data breaches will continue apace.