Better technology can improve security in the healthcare industry, but it won't transform it. That would take a major upgrade to the human OS.
The biggest risk to increasingly digitized Personal Health Information (PHI) is not a cyber attack. It is human error.
That is the conclusion of numerous studies and surveys:
According to Michael Bruemmer, vice president of Consumer Protection at the credit reporting and financial services firm Experian, of 3,100 incidents that Experian Data Breach Resolution serviced in 2014, "81% had a root cause in employee negligence. The most common issue was the loss of administrative credentials -- user name and password -- but also included lost media, firewall left open, lost laptop etc.," he said.
Experian's 2015 Second Annual Data Breach Industry Forecast also reported that, "employees and negligence are the leading cause of security incidents but remain the least reported issue."
Identity Theft Resource Center program director Karen Barney said that of 333 publicly reported medical data breach incidents during 2014, 81.6 percent could be attributed to human error, although that includes both third-party breaches and malicious insiders intentionally stealing data.
Yo Delmar, vice president of GRC solutions at MetricStream, said, "human error is 15 times more likely to be traced to the misplacement of a device or data rather than an intentional theft by a malicious actor."
She added that, "according to the 2013 Verizon Data Breach Investigations report, 46 percent of healthcare security incidents were the result of lost or stolen assets, most often in the office, not from personal vehicles or homes."
The Ponemon Institute, in its Fourth Annual Benchmark Study on Patient Privacy & Data Security, released in March 2014, reported that even though criminal cyber attacks had increased 100 percent since 2010, "insider negligence continues to be at the root of most data breaches."
The report said the primary causes of breaches were, "a lost or stolen computing device (49%), which can be attributed in many cases to employee carelessness. This is followed by employee mistakes or unintentional actions (46%), and third-party snafus (41%)."
The 2014 findings of the Privacy Rights Clearinghouse (PRC) were similar. Of 75 data breaches in the healthcare industry logged on the group's website, 62, or 82.6 percent, were attributed to human error.
One caveat in the PRC statistics is that the large majority of the 4.9 million records compromised came from a single incident -- 4.5 million records in the breach of Community Health Systems in Franklin, Tenn. -- an intrusion attributed to a Chinese hacker.
So while there were many more breaches caused by human error, the greatest damage came from an outside attack.
Still, John Hawes, writing in the Sophos blog Naked Security, noted that while a single cyber attack can lead to the exposure of millions of records, smaller breaches due to human carelessness can add up as well.
He cited unencrypted CDs lost in the mail, a number of stolen laptops and even paper records stolen from a storage shed or falling off the back of a truck -- incidents that left thousands of records exposed.
There are several reasons for PHI becoming an increasingly attractive target for cyber criminals. First, the number of records is growing by the millions. One of the requirements of the Affordable Care Act is the generation of Electronic Health Records (EHR), to allow medical professionals to share information about patients more easily.
They also contain very valuable data. "Personal health records are high-value targets to cybercriminals," said Dan Berger, president and CEO of Redspin. "They can be exploited for identity theft, insurance fraud, stolen prescriptions, ransom, and dangerous hoaxes."
Indeed, Dark Reading reported in October that, "credit cards can now go for a dollar or less on the black market, but stolen health credentials may sell for as high as $10 per patient."
Danny Lieberman, CTO at Software Associates, said PHI can be valuable, "in personal disputes -- imagine lawyers attempting to obtain the dirt on a spouse in a divorce case -- and to an insurance investigator trying to disprove a claim of injury. And some data is intrinsically sensitive, like AIDS and cystic fibrosis, where it will influence an employer not to hire someone," he said.
Delmar said the use of PHI for blackmail does happen but is relatively rare. The main motivation, she said, is profit -- gathering information, "that can be used to build a folio to support some manner of fraud."
Ulf Mattsson, CTO at Protegrity, added that another attraction of PHI is that its value does not degrade as rapidly as credit card data, which can be changed or updated quickly. "PHI is long-lived and will always be valuable to those wishing to exploit it," he said.
And, as the statistics show, one of the most successful paths to stealing that data is to dupe employees.
"Hackers are generally efficient -- they look for the easiest path to exploit," Berger said. "Unfortunately today, the weakest link is the employee population and their lack of security awareness. Phishing attacks are disturbingly successful. And it only takes one employee to get duped for the hacker possibly to gain their credentials and pivot to exploiting a database of PHI."
Human weakness is not confined to the healthcare field, of course. But as Mattsson noted, "healthcare is unique in that there are a greater number of people who come in contact with sensitive information during the course of normal business operations than in other industries."
Those can include office staff, nurses, interns, doctors, specialists, lab technicians, pharmacists, billing staff, insurance processors and more. Beyond that, medical records come in multiple forms, from lab test results and X-rays to prescription labels.
"So, when you combine the number of people involved with handling multiple forms of PHI records, along with the immaturity of the data security systems and practices that are in place, there are so many opportunities for mistakes or intentional breaches to take place," Mattsson said.
Does that mean better training is the only path to better security?
Lieberman is dubious. "I'm not a big believer in security awareness training as an effective security countermeasure," he said. "But having clear, one-page policies and enforcing them with employees, starting with the CEO, is an important piece of privacy protection."
Berger said it comes down to the type of training. "We don't simply recommend cafeteria-style or even web-based training courses," he said. "Real situational training is far more effective. We recommend running mock phishing attacks, also known as social engineering testing. It is important to run them regularly over time, to establish benchmarks on which you can then measure improvements."
Delmar said she believes it requires both training and enforcement. "Improving human security really starts with policies and awareness training and ends with enforcement of appropriate risk-based controls," she said.
And experts agree that "control of the data" can help mitigate the human weakness risk.
"Understand who needs certain information, when, and under which circumstances," said Deena Coffman, CEO of IDT911 Consulting.
Mattsson offered a list of measures organizations can take, including:
- Fine-grained de-identification of both PII (Personally Identifiable Information) and PHI.
- Fine-grained tokenization of PHI, to alleviate the need for plain-text data and exposure in-memory across the entire data flow.
- Strong credentials, including password improvement and rotation, plus separation of duties to prevent privileged users, such as database administrators or system administrators, from accessing sensitive data.
- Secure the data to the point that it is useless to a potential thief. "Modern solutions such as tokenization provide better security than encryption, while retaining usability for analytics and monetization," he said.
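The first three measures on that list (de-identification, tokenization, and separation of duties so that administrators never see plaintext PHI) can be illustrated together in a short example. The code below is an added example written for this article; it is not Protegrity's product nor anything Mattsson described in detail. It assumes a constructed patient record, a hypothetical three-role matrix (dba, clinician, analyst) and an in-memory token vault; in a real deployment the vault would be a separately secured service, and the role check would come from the identity system rather than a dictionary.

```python
import secrets

# Constructed sample PHI record for this example; not real patient data.
SAMPLE_RECORD = {
    "patient_id": "MRN-000123",
    "name": "Jane Example",
    "ssn": "123-45-6789",
    "dob": "1980-04-12",
    "diagnosis_code": "E11.9",
    "visit_date": "2015-03-02",
}

# Direct identifiers that are replaced by tokens before the record is stored.
TOKENIZED_FIELDS = ("name", "ssn", "dob")

# Hypothetical role matrix (an assumption of this example, not a standard):
# which view of a record each role may obtain.
ROLE_VIEWS = {
    "dba": "tokenized",         # administers the store, never sees plaintext PHI
    "clinician": "plaintext",   # treating staff need the full record
    "analyst": "deidentified",  # analytics gets no direct identifiers
}


class TokenVault:
    """Holds the only mapping between PHI values and their random tokens.

    The application store never contains plaintext for the tokenized fields,
    so a dump of that store, or a lost laptop holding a copy of it, exposes
    tokens rather than identities.
    """

    def __init__(self):
        self._token_to_value = {}
        self._value_to_token = {}

    def tokenize(self, value):
        # Reuse an existing token so the same value always maps to the same
        # token; that keeps joins and counts possible without the plaintext.
        if value in self._value_to_token:
            return self._value_to_token[value]
        token = "tok_" + secrets.token_hex(8)  # random, not derived from value
        self._token_to_value[token] = value
        self._value_to_token[value] = token
        return token

    def detokenize(self, token):
        return self._token_to_value[token]


def tokenize_record(record, vault):
    """Return a copy of the record with every direct identifier tokenized."""
    out = dict(record)
    for name in TOKENIZED_FIELDS:
        if name in out:
            out[name] = vault.tokenize(out[name])
    return out


def detokenize_record(record, vault):
    """Inverse of tokenize_record; only callable inside the trusted path."""
    out = dict(record)
    for name in TOKENIZED_FIELDS:
        if name in out:
            out[name] = vault.detokenize(out[name])
    return out


def deidentify_record(plain_record):
    """Drop direct identifiers and the MRN; generalise date of birth to year."""
    out = {k: v for k, v in plain_record.items()
           if k not in TOKENIZED_FIELDS and k != "patient_id"}
    if "dob" in plain_record:
        out["birth_year"] = plain_record["dob"][:4]
    return out


def view_record(tokenized_record, vault, role):
    """Separation of duties: the view a caller gets depends only on its role."""
    view = ROLE_VIEWS.get(role)
    if view is None:
        raise PermissionError("unknown role: " + role)
    if view == "tokenized":
        return dict(tokenized_record)  # no vault access on this path
    plain = detokenize_record(tokenized_record, vault)
    if view == "plaintext":
        return plain
    return deidentify_record(plain)


def contains_plaintext_phi(view, original):
    """Check helper: does a view leak any tokenized field's original value?"""
    return any(original[name] in view.values() for name in TOKENIZED_FIELDS)


if __name__ == "__main__":
    vault = TokenVault()
    stored = tokenize_record(SAMPLE_RECORD, vault)
    for role in ROLE_VIEWS:
        print(role, view_record(stored, vault, role))
```

The point of the split is that the database administrator role in `ROLE_VIEWS` never reaches `detokenize_record`, so a compromised or careless admin account, the most common root cause in the statistics above, yields tokens rather than names and Social Security numbers; the analyst path goes through the vault but hands back only generalised, non-identifying fields.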
However it is done, better security is crucial because the stakes are high. Besides potential fines for violations of the Health Insurance Portability and Accountability Act (HIPAA), Berger notes that the costs of a breach can include, "remediation, legal fees, reputational harm, and potential class-action liability."
There is general support among experts for strict regulatory oversight -- Lieberman said he thinks it ought to be, "enforced with random pop site visits with zero tolerance for infringement."
And Delmar said stiff penalties for noncompliance, "can help get the attention of executives to see the value of making investments in security and risk management programs and monitoring systems."
But Morris Panner, CEO of DICOM Grid, contends that HIPAA's mixed messages leave organizations, "paralyzed for fear of committing an unwitting violation.
"On the one hand, we are encouraged to digitize health information, which makes it easier to share. On the other, we are penalized if we make errors in how we share information."
Panner argued that regulators, "need to create appropriate safe harbors for sharing information." The balance between sharing and securing information is hard, he acknowledged, "but right now we aren't even trying."