Better technology can improve security in the healthcare industry, but it won’t transform it. That would take a major upgrade to the human OS.
The biggest risk to increasingly digitized Personal Health Information (PHI) is not a cyber attack. It is human error.
[ Why healthcare providers need to take HIPAA risk assessments seriously ]
That is the conclusion of numerous studies and surveys:
According to Michael Bruemmer, vice president of Consumer Protection at the credit reporting and financial services firm Experian, of 3,100 incidents that Experian Data Breach Resolution serviced in 2014, “81% had a root cause in employee negligence. The most common issue was the loss of administrative credentials – user name and password – but also included lost media, firewall left open, lost laptop etc.,” he said.
Experian’s 2015 Second Annual Data Breach Industry Forecast also reported that, “employees and negligence are the leading cause of security incidents but remain the least reported issue.”
Identity Theft Resource Center program director Karen Barney said that of 333 publicly reported medical data breach incidents during 2014, 81.6 percent could be attributed to human error, although that includes both third-party breaches and malicious insiders intentionally stealing data.
Yo Delmar, vice president of GRC solutions at MetricStream, said, “human error is 15 times more likely to be traced to the misplacement of a device or data rather than an intentional theft by a malicious actor.”
She added that, “according to the 2013 Verizon Data Breach Investigations report, 46 percent of healthcare security incidents were the result of lost or stolen assets, most often in the office, not from personal vehicles or homes.”
The Ponemon Institute, in its Fourth Annual Benchmark Study on Patient Privacy & Data Security, released in March 2014, reported that even though criminal cyber attacks had increased 100 percent since 2010, “insider negligence continues to be at the root of most data breaches.”
The report said the primary cause of breaches were, “a lost or stolen computing device (49%), which can be attributed in many cases to employee carelessness. This is followed by employee mistakes or unintentional actions (46%), and third-party snafus (41%).”
The 2014 findings of the Privacy Rights Clearinghouse (PRC) were similar. Of 75 data breaches in the healthcare industry logged on the group’s website, 62, or 82.6 percent, were attributed to human error.
One caveat in the PRC statistics is that the large majority of the 4.9 million records compromised came from a single incident – 4.5 million records in the breach of Community Health Systems in Franklin, Tenn. – an intrusion attributed to a Chinese hacker.
So while there were many more breaches caused by human error, the greatest damage came from an outside attack.
Still, John Hawes, writing in the Sophos blog Naked Security, noted that while a single cyber attack can lead to the exposure of millions of records, smaller breaches due to human carelessness can add up as well.
He cited unencrypted CDs lost in the mail, a number of stolen laptops and even paper records stolen from a storage shed or falling off the back of a truck – incidents that left thousands of records exposed.
There are several reasons for PHI becoming an increasingly attractive target for cyber criminals. First, the number of them is growing by the millions. One of the requirements of the Affordable Care Act is the generation of Electronic Health Records (EHR), to allow medical professionals to share information about patients more easily.
They also contain very valuable data. “Personal health records are high-value targets to cybercriminals,” said Dan Berger, president and CEO of Redspin. “They can be exploited for identity theft, insurance fraud, stolen prescriptions, ransom, and dangerous hoaxes.”
Indeed, Dark Reading reported in October that, “credit cards can now go for a dollar or less on the black market, but stolen health credentials may sell for as high as $10 per patient.”
Danny Lieberman, CTO at Software Associates, said PHI can be valuable, “in personal disputes – imagine lawyers attempting to obtain the dirt on a spouse in a divorce case – and to an insurance investigator trying to disprove a claim of injury. And some data is intrinsically sensitive, like AIDS and cystic fibrosis, where it will influence an employer not to hire someone,” he said.
Delmar said the use of PHI for blackmail does happen but is relatively rare. The main motivation, she said, is profit – gathering information, “that can be used to build a folio to support some manner of fraud.”
Ulf Mattsson, CTO at Protegrity, added that another attraction of PHI is that its value does not degrade as rapidly as credit card data, which can be changed or updated quickly. “PHI is long-lived and will always be valuable to those wishing to exploit it,” he said.