[BreachExchange] Human error biggest risk to health IT

Audrey McNeil audrey at riskbasedsecurity.com
Tue Jun 7 19:38:12 EDT 2016


http://www.cio.com/article/3078572/security/human-error-biggest-risk-to-health-it.html

In the race to digitize the healthcare industry, providers, insurers and
others in the multi-layered ecosystem have failed to take some of the most
basic steps to protect consumers' sensitive health information, a senior
government official is warning.

Servio Medina, acting COO at the Defense Health Agency's policy branch,
cautioned during a recent presentation that too many healthcare breaches
are the product of basic mistakes, ignorance or employee negligence.

"These are things that could be prevented," Medina said. "Today's training
and awareness efforts that we provide currently are simply not effective.
They are not enough. We have to do something radically more and different."

Human element puts healthcare data at risk

Medina is arguing for a more concerted effort to address what he refers to
as "the human element" of the healthcare data breach, citing a Defense
Department memo issued last September that called attention to the need to
improve what it called the "cybersecurity culture" at the Pentagon.

"Nearly all past successful network penetrations can be traced to one or
more human errors that allowed the adversary to gain access to and, in some
cases, exploit mission-critical information," Defense Secretary Ash Carter
and Martin Dempsey, then the chairman of the Joint Chiefs of Staff, wrote
in the memo. "Raising the level of individual human performance in
cybersecurity provides tremendous leverage in defending the [DoD's
networks]."

Medina's agency, which sits at the intersection of the military and
healthcare arenas, presents a target-rich environment for cyber
criminals and other groups of digital adversaries. But the health sector in
general has become a favorite target of hackers for a rather logical reason.

"The healthcare record is an incredibly valuable source of information,"
Medina said. "There's so much information in the healthcare record. It's
not just a Social Security number. It's not just a bank account. It's not
just PII like your home address or PHI like your diagnosis. It's all of it
rolled together."

Medina cited a recent study by the Ponemon Institute that noted an alarming
spike in attacks on healthcare organizations, finding that, for the first
time, criminal activity accounted for more health-data breaches than any
other cause.

Since 2010, the volume of criminal attacks on healthcare outfits has jumped
by 125 percent, according to Ponemon, which also reported that 91 percent
of all healthcare organizations have been hit by at least one data breach.

While criminal activity is now the leading cause of those attacks,
"employee negligence and lost/stolen devices continue to be primary causes
of data breaches," Larry Ponemon, chairman and founder of the institute,
said in a statement.

Better cyber hygiene

In his call for better cyber hygiene, Medina draws a very analog parallel.
In 2007, Johns Hopkins Hospital launched an awareness campaign aimed at
encouraging employees to regularly wash their hands, highlighting the
degree to which proper hand hygiene can reduce infection rates and the
spread of diseases.

Medina would like to see a similar campaign in cyber, one that would call
attention to the risks of clicking on unfamiliar links or opening
attachments, leaving physical devices lying around or accessing work
documents through a personal email account.

"These are examples of things that are so simple not to do," Medina said.
"I'm certainly not saying that if we wash our hands we will prevent the
spread of infection, nor am I saying that we can eliminate risk, but we
certainly have the responsibility to reduce how much we contribute to the
risk of information."