Human error biggest risk to health IT

In the race to digitize the healthcare industry, providers, insurers and others in the multi-layered ecosystem have failed to take some of the most basic steps to protect consumers’ sensitive health information, a senior government official is warning.

Servio Medina, acting COO at the Defense Health Agency’s policy branch, cautioned during a recent presentation that too many healthcare breaches are the product of basic mistakes, ignorance or employee negligence.

“These are things that could be prevented,” Medina said. “Today’s training and awareness efforts that we provide currently are simply not effective. They are not enough. We have to do something radically more and different.”

Human element puts healthcare data at risk

Medina is arguing for a more concerted effort to address what he refers to as “the human element” of the healthcare data breach, citing a Defense Department memo issued last September that called attention to the need to improve what it called the “cybersecurity culture” at the Pentagon.

“Nearly all past successful network penetrations can be traced to one or more human errors that allowed the adversary to gain access to and, in some cases, exploit mission-critical information,” Defense Secretary Ash Carter and Martin Dempsey, then the chairman of the Joint Chiefs of Staff, wrote in the memo. “Raising the level of individual human performance in cybersecurity provides tremendous leverage in defending the [DoD’s networks].”

Medina’s agency, which sits at the intersection of the military and healthcare and arenas, presents a target-rich environment for cyber criminals and other groups of digital adversaries. But the health sector in general has become a favorite target of hackers for a rather logical reason.

“The healthcare record is an incredibly valuable source of information,” Medina said. “There’s so much information in the healthcare record. It’s not just a Social Security number. It’s not just a bank account. It’s not just PII like your home address or PHI like your diagnosis. It’s all of it rolled together.”

Medina cited a recent study by the Ponemon Institute that noted an alarming spike in attacks on healthcare organizations, finding that, for the first time, criminal activity accounted for more health-data breaches than any other cause.

Since 2010, the volume of criminal attacks on healthcare outfits has jumped by 125 percent, according to Ponemon, which also reported that 91 percent of all healthcare organizations have been hit by at least one data breach.

While criminal activity is now the leading cause of those attacks, “employee negligence and lost/stolen devices continue to be primary causes of data breaches,” Larry Ponemon, chairman and founder of the institute, said in a statement.

Better cyber hygiene

In his call for better cyber hygiene, Medina draws a very analog parallel. In 2007, Johns Hopkins Hospital launched an awareness campaign aimed at encouraging employees to regularly wash their hands, highlighting the degree to which proper hand hygiene can reduce infection rates and the spread of diseases.

Medina would like to see a similar campaign in cyber, one that would call attention to the risks of clicking on unfamiliar links or opening attachments, leaving physical devices lying around or accessing work documents through a personal email account.

“These are examples of things that are so simple not to do,” Medina said. “I’m certainly not saying that if we wash our hands we will prevent the spread of infection, nor am I saying that we can eliminate risk, but we certainly have the responsibility to reduce how much we contribute to the risk of information.”