Better technology can improve security in the healthcare industry, but it won't transform it. That would take a major upgrade to the human OS.
The biggest risk to increasingly digitized Personal Health Information (PHI) is not a cyber attack. It is human error.
That is the conclusion of numerous studies and surveys:
According to Michael Bruemmer, vice president of Consumer Protection at the credit reporting and financial services firm Experian, of 3,100 incidents that Experian Data Breach Resolution serviced in 2014, "81% had a root cause in employee negligence. The most common issue was the loss of administrative credentials — user name and password — but also included lost media, firewall left open, lost laptop etc.," he said.
Experian's 2015 Second Annual Data Breach Industry Forecast also reported that, "employees and negligence are the leading cause of security incidents but remain the least reported issue."
Identity Theft Resource Center program director Karen Barney said that of 333 publicly reported medical data breach incidents during 2014, 81.6 percent could be attributed to human error, although that includes both third-party breaches and malicious insiders intentionally stealing data.
Yo Delmar, vice president of GRC solutions at MetricStream, said, "human error is 15 times more likely to be traced to the misplacement of a device or data rather than an intentional theft by a malicious actor."
She added that, "according to the 2013 Verizon Data Breach Investigations report, 46 percent of healthcare security incidents were the result of lost or stolen assets, most often in the office, not from personal vehicles or homes."
The Ponemon Institute, in its Fourth Annual Benchmark Study on Patient Privacy & Data Security, released in March 2014, reported that even though criminal cyber attacks had increased 100 percent since 2010, "insider negligence continues to be at the root of most data breaches."
The report said the primary causes of breaches were, "a lost or stolen computing device (49%), which can be attributed in many cases to employee carelessness. This is followed by employee mistakes or unintentional actions (46%), and third-party snafus (41%)."
The 2014 findings of the Privacy Rights Clearinghouse (PRC) were similar. Of 75 data breaches in the healthcare industry logged on the group's website, 62, or 82.6 percent, were attributed to human error.
One caveat in the PRC statistics is that the large majority of the 4.9 million records compromised came from a single incident — 4.5 million records in the breach of Community Health Systems in Franklin, Tenn. — an intrusion attributed to a Chinese hacker.
So while there were many more breaches caused by human error, the greatest damage came from an outside attack.