healthcaredatabreachts100664318orig
Security

Human error biggest risk to health IT

In the race to digitize the healthcare industry, providers, insurers and others in the multi-layered ecosystem have failed to take some of the most basic steps to protect consumers' sensitive health information, a senior government official is warning.

Servio Medina, acting COO at the Defense Health Agency's policy branch, cautioned during a recent presentation that too many healthcare breaches are the product of basic mistakes, ignorance or employee negligence.

"These are things that could be prevented," Medina said. "Today's training and awareness efforts that we provide currently are simply not effective. They are not enough. We have to do something radically more and different."

Human element puts healthcare data at risk

Medina is arguing for a more concerted effort to address what he refers to as "the human element" of the healthcare data breach, citing a Defense Department memo issued last September that called attention to the need to improve what it called the "cybersecurity culture" at the Pentagon.

[ Related: Security threats, hackers and shadow IT still plague health IT ]

"Nearly all past successful network penetrations can be traced to one or more human errors that allowed the adversary to gain access to and, in some cases, exploit mission-critical information," Defense Secretary Ash Carter and Martin Dempsey, then the chairman of the Joint Chiefs of Staff, wrote in the memo. "Raising the level of individual human performance in cybersecurity provides tremendous leverage in defending the [DoD's networks]."

Medina's agency, which sits at the intersection of the military and healthcare and arenas, presents a target-rich environment for cyber criminals and other groups of digital adversaries. But the health sector in general has become a favorite target of hackers for a rather logical reason.

"The healthcare record is an incredibly valuable source of information," Medina said. "There's so much information in the healthcare record. It's not just a Social Security number. It's not just a bank account. It's not just PII like your home address or PHI like your diagnosis. It's all of it rolled together."

[ Related: Big data essential to cancer moonshot ]

Medina cited a recent study by the Ponemon Institute that noted an alarming spike in attacks on healthcare organizations, finding that, for the first time, criminal activity accounted for more health-data breaches than any other cause.

Since 2010, the volume of criminal attacks on healthcare outfits has jumped by 125 percent, according to Ponemon, which also reported that 91 percent of all healthcare organizations have been hit by at least one data breach.

[ Related: Healthcare’s biggest public confidence challenge, security and privacy ]

While criminal activity is now the leading cause of those attacks, "employee negligence and lost/stolen devices continue to be primary causes of data breaches," Larry Ponemon, chairman and founder of the institute, said in a statement.

Better cyber hygiene

In his call for better cyber hygiene, Medina draws a very analog parallel. In 2007, Johns Hopkins Hospital launched an awareness campaign aimed at encouraging employees to regularly wash their hands, highlighting the degree to which proper hand hygiene can reduce infection rates and the spread of diseases.

Medina would like to see a similar campaign in cyber, one that would call attention to the risks of clicking on unfamiliar links or opening attachments, leaving physical devices lying around or accessing work documents through a personal email account.

"These are examples of things that are so simple not to do," Medina said. "I'm certainly not saying that if we wash our hands we will prevent the spread of infection, nor am I saying that we can eliminate risk, but we certainly have the responsibility to reduce how much we contribute to the risk of information."

IDG Insider

PREVIOUS ARTICLE

« Top Raspberry Pi news of the week: Magic mirror; Micro:Bit gets real; more on Android

NEXT ARTICLE

Why PCs roared back to life at Computex 2016 »
author_image
IDG Connect

IDG Connect tackles the tech stories that matter to you

  • Mail

Recommended for You

Tech Cynic: VR, the never-popular technology

Tech Cynic – IT without the rose-tinted spectacles

Five months on, GDPR doubts remain for this lawyer

Martin Veitch's inside track on today’s tech trends

How can smart solutions help address Southeast Asia's urban challenges?

Keri Allan looks at the latest trends and technologies

Poll

Is your organization fully GDPR compliant?