Daily Management Review

A detailed insight into causes for health care data breaches


Fundamental and ethical hacking have been the primary go-to methods in order to attain personal data and information. With a stage of advanced learning perfectly set up, the ordeal seems to have gotten easier.

For the first time, according to recent studies it has been found that criminal and state sponsored hacks have surpassed human error as the leading cause for health-care data breaches. It has been also found that it could be costing the industry as much as $6 billion.

With an average organization cost spiking up to $2.1 million per breach, the results of the study raises the question: How do you define human error?

More than half of the respondents at the Ponemom Institutes Fifth Annual Benchmark Study on Privacy & Security of Healthcare Data had to say that their organization’s incident response team was underfunded or rather understaffed.
According to them roughly one third of respondents had no incident response plan in place at all, a fact that seems to beggar the imagination at the moment when breaches seem to have become the third certainty of life. It also highlights the seeming no show of the “first do no harm” patients on the data-breach prone operations.
While the ordeal is disconcerting as there isn’t a more robust incident response culture out there, perhaps a more concerning aspect is the lack of best practices pointed at heading off the problem before it happens. That is indeed where a new term comes into play.

Wetware can be defined as a term of art that is used by hackers to describe a non-firmware, hardware or software approach for getting the information that they want to pilfer, in other words, people. (As the human body is 60% water.)

Wetware intrusions take place when a potential hacker exploits employee trust, predictable behavior or in case of failure to follow security protocols. It could be a crooked employee on the take or it could also be a file found in the Dumpster diving.

The findings of the Ponemon Institute’s study point towards the definite need of a better wetware precaution when it comes to the issue of a better security for healthcare records. Amazingly nearly 40% of the health organizations in the study reported more than 5 breaches in the past two years.

According to detailed analysis, since the beginning of 2010, “the percentage of respondents who said their organization had multiple breaches increased from 60% to 79%.” Also by no means inconsequential is the fact that medical identity theft (an imposter uses a victim’s credentials to obtain health care) nearly doubled in the past 5 years from 1.4 million to more than 2.3 million in 2014.

The breaches comprising these figures were not all the size or severity of Anthem or Premera which combined seems to have leaked extremely sensitive and personally identifiable information which includes the likes of Social Security Number, birth dates and bank account numbers of more than 91 million consumers.

While the $2.1 million average cost incurred to health care organizations is eye-catching, it is reported to have also included incidents with an average of 2700 lost or stolen records, a figure that seemingly runs the gamut from Anthem and Premera to breaches presumably on the smaller side. 
As Larry Ponemon rightly pointed out in an interview with Dark Reading, while many of the incidents involved the exposure of “less than 100 records,” that in no way trivializes those events.
He also stated “Many medical identity theft victims report they have spent an average of $13,500 to restore their credit, reimburse their health care provider for fraudulent claims and correct inaccuracies in their health records.” This was exclusively framed after a detailed study on the former topic.
With 91% of the health companies responding to the study’s questions reported at least one incident in the preceding two years. However it is clear that whatever we have been doing to address the health care breach problem is woefully inadequate and at the same time insufficient as well. In addition to that it is also clear that the problem is wetware.
When the practicing organizations in the study were asked about what was worrying them the most (with three responses permitted), astoundingly 70% said that the biggest concern was a negligent or rather a careless employee.

In addition to that this figure was followed by nearly 40% of respondents who thought that cyber attackers were the larger reason for concern and that nearly 33% were worried about the security of the public cloud servers. The respondents were also found citing insecure mobile apps (13%) and insecure medical devices (6%).

Reports suggest that nearly 96% of respondents said that they had a security incident involving lost or stolen devices. The fact that cyber attacks are the leading cause of breaches should keep you up at night, but an even more terrifying fact here is that many of these attacks would not have been possible were it not for the human factor.

It can be assumed that there is plenty of overlap between the proactive criminal and the clumsy employee in order to make these figures start to seem like much of digital rain much like in “The Matrix”.
Nowadays smartphones and tablets seem to be on the list of most compromised or stolen assets. Earlier on the data breach seemed to be pandemic and the ordeal was limited to the then sophisticated gadgets like laptop, computer and desktop which were on top of the list back then.

While it may seem interesting on some level as to how the information seems to get relatively compromised, one needs to accept the fact that at the end of the day a breach is a breach.

The bottom line here is that hackers of all genres are having a field day because of the fact that the wetware problem has been largely unaddressed. One can certainly speculate that this scenario of data breaching is likely to be persistent until people become the alpha and omega of the peocess leading to zero tolerance solution.