Human error biggest risk to health IT

Military health official warns that cyber hygiene falls short in health IT. Healthcare data breaches have hit more than nine out of 10 organizations in the field.

In the race to digitize the healthcare industry, providers, insurers and others in the multi-layered ecosystem have failed to take some of the most basic steps to protect consumers' sensitive health information, a senior government official is warning.

Servio Medina, acting COO at the Defense Health Agency's policy branch, cautioned during a recent presentation that too many healthcare breaches are the product of basic mistakes, ignorance or employee negligence.

"These are things that could be prevented," Medina said. "Today's training and awareness efforts that we provide currently are simply not effective. They are not enough. We have to do something radically more and different."

Human element puts healthcare data at risk

Medina is arguing for a more concerted effort to address what he refers to as "the human element" of the healthcare data breach, citing a Defense Department memo issued last September that called attention to the need to improve what it called the "cybersecurity culture" at the Pentagon.


"Nearly all past successful network penetrations can be traced to one or more human errors that allowed the adversary to gain access to and, in some cases, exploit mission-critical information," Defense Secretary Ash Carter and Martin Dempsey, then the chairman of the Joint Chiefs of Staff, wrote in the memo. "Raising the level of individual human performance in cybersecurity provides tremendous leverage in defending the [DoD's networks]."

Medina's agency, which sits at the intersection of the military and healthcare arenas, presents a target-rich environment for cyber criminals and other groups of digital adversaries. But the health sector in general has become a favorite target of hackers for a rather logical reason.

"The healthcare record is an incredibly valuable source of information," Medina said. "There's so much information in the healthcare record. It's not just a Social Security number. It's not just a bank account. It's not just PII like your home address or PHI like your diagnosis. It's all of it rolled together."


Medina cited a recent study by the Ponemon Institute that noted an alarming spike in attacks on healthcare organizations, finding that, for the first time, criminal activity accounted for more health-data breaches than any other cause.

Since 2010, the volume of criminal attacks on healthcare outfits has jumped by 125 percent, according to Ponemon, which also reported that 91 percent of all healthcare organizations have been hit by at least one data breach.


While criminal activity is now the leading cause of those attacks, "employee negligence and lost/stolen devices continue to be primary causes of data breaches," Larry Ponemon, chairman and founder of the institute, said in a statement.

Better cyber hygiene

In his call for better cyber hygiene, Medina draws a very analog parallel. In 2007, Johns Hopkins Hospital launched an awareness campaign aimed at encouraging employees to regularly wash their hands, highlighting the degree to which proper hand hygiene can reduce infection rates and the spread of diseases.

Medina would like to see a similar campaign in cyber, one that would call attention to the risks of clicking on unfamiliar links or opening attachments, leaving physical devices lying around or accessing work documents through a personal email account.

"These are examples of things that are so simple not to do," Medina said. "I'm certainly not saying that if we wash our hands we will prevent the spread of infection, nor am I saying that we can eliminate risk, but we certainly have the responsibility to reduce how much we contribute to the risk of information."
