The Human Errors Behind Data Breaches
By Julie Knudson
For The Record
Vol. 30 No. 2 P. 24
Poor habits and a lack of awareness contribute to PHI exposures.
A Protenus review of 2016 health care security incidents—those reported directly to Health and Human Services plus breaches revealed through media reports or other sources—shows that more than 27.3 million patient records were impacted. But health care isn't the only vulnerable sector; data exposures are a scourge in nearly every industry. From Equifax to Anthem, Target to Chipotle, hackers don't discriminate.
With every breach comes new insight about threats and how to eliminate them. There are lessons from across the security spectrum that HIT and leadership teams can use to reduce their risk of a compromise. While fingers often point to weaknesses in technology, human error is at the heart of many data breaches.
As health care organizations work to boost their defensive measures against these unauthorized disclosures, they should also consider where people-based mistakes can compromise their efforts.
One of the most common points of entry for hackers is the end user. After all, end users are plentiful, and security is rarely their strong suit.
"We all know phishing is a primary form of attack," says Robert Brzezinski, CHPS, CISA, CISM, principal at information security risk management consulting firm Bizwit, referring to legitimate-looking e-mails that actually contain malicious links or attachments with sender addresses spoofed to appear as though they're from a partner organization or trusted colleague.
Phishing victims face various consequences. "It could be just a malware infection that's easy to deal with or it could be ransomware that spreads through the network and becomes a big cost and a big problem for the entire organization," Brzezinski says, adding that end users who aren't mindful of the risks can provide an easy gateway into the rest of the network.
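The spoofed sender addresses Brzezinski describes leave traces in message headers that a mail gateway or a help-desk triage script can check. The following is an added example, not code from the article or from any of the people quoted in it: it scores a message on a few header and attachment heuristics. The domain hospital.example, the assumption that the inbound gateway stamps an Authentication-Results header on every message, the list of risky attachment types, and all three sample messages are constructed for the example.

```python
"""Added example (not from the article): flag common phishing indicators in
an e-mail's headers and attachments. Heuristics only; every message below is
a constructed sample and 'hospital.example' is an assumed trusted domain."""
import email
import re
from email.utils import parseaddr

# Attachment types that commonly carry macros or executables (assumed policy).
RISKY_EXTENSIONS = (".exe", ".js", ".vbs", ".hta", ".scr", ".lnk", ".iso", ".docm", ".xlsm")


def _domain(header_value):
    """Lower-case domain of the first address in a header value ('' if none)."""
    _, address = parseaddr(header_value or "")
    return address.rpartition("@")[2].lower()


def _looks_like(candidate, trusted):
    """Crude look-alike test: equal once dots and hyphens are dropped and the
    digit substitutions 0->o and 1->l are undone (catches 'h0spital.example')."""
    def norm(d):
        return d.replace(".", "").replace("-", "").replace("0", "o").replace("1", "l")
    return candidate != trusted and norm(candidate) == norm(trusted)


def phishing_indicators(raw_message, trusted_domains):
    """Return a list of findings for one RFC 822 message; [] means nothing flagged."""
    msg = email.message_from_string(raw_message)
    findings = []
    from_value = msg.get("From", "")
    display_name, _ = parseaddr(from_value)
    from_domain = _domain(from_value)
    reply_domain = _domain(msg.get("Reply-To", ""))

    # 1. Replies silently redirected to a domain other than the visible sender's.
    if reply_domain and reply_domain != from_domain:
        findings.append(f"Reply-To domain '{reply_domain}' differs from From domain '{from_domain}'")

    # 2. Display name that embeds an address at a different domain than the real one.
    claimed = re.search(r"@([\w.-]+)", display_name)
    if claimed and claimed.group(1).lower() != from_domain:
        findings.append(f"display name claims '{claimed.group(1)}' but address is at '{from_domain}'")

    if from_domain in trusted_domains:
        # 3. A trusted sender domain must carry passing SPF/DKIM/DMARC results
        #    (assumes the inbound gateway stamps Authentication-Results on every message).
        auth = msg.get("Authentication-Results", "")
        results = {k.lower(): v.lower() for k, v in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", auth, re.I)}
        for mech in ("spf", "dkim", "dmarc"):
            if results.get(mech) != "pass":
                findings.append(f"{mech} for trusted domain '{from_domain}' is '{results.get(mech, 'missing')}'")
    else:
        # 4. Untrusted sender whose domain imitates a trusted one.
        for trusted in trusted_domains:
            if _looks_like(from_domain, trusted):
                findings.append(f"sender domain '{from_domain}' imitates trusted domain '{trusted}'")

    # 5. Attachments of types that routinely deliver malware or ransomware droppers.
    for part in msg.walk():
        if part.get_content_disposition() == "attachment":
            name = (part.get_filename() or "").lower()
            if name.endswith(RISKY_EXTENSIONS):
                findings.append(f"risky attachment '{name}'")
    return findings


TRUSTED = {"hospital.example"}

# Constructed sample 1: legitimate internal mail, fully authenticated.
CLEAN = """\
From: Alice Lee <alee@hospital.example>
Subject: Shift swap
Authentication-Results: mx.hospital.example; spf=pass; dkim=pass; dmarc=pass

Can you cover Tuesday?
"""

# Constructed sample 2: external sender posing as the IT desk, replies diverted.
SPOOFED = """\
From: "it-support@hospital.example" <alerts@mail-notify.example>
Reply-To: helpdesk@reply-collector.example
Subject: Your password expires today
Authentication-Results: mx.hospital.example; spf=pass smtp.mailfrom=mail-notify.example

Sign in at the link below to keep your account.
"""

# Constructed sample 3: look-alike domain carrying a macro-enabled attachment.
LOOKALIKE = """\
From: Billing <billing@h0spital.example>
Subject: Updated forms
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

See attached.
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="forms.docm"
Content-Transfer-Encoding: base64

AAAA
--b1--
"""

if __name__ == "__main__":
    for label, sample in (("clean", CLEAN), ("spoofed", SPOOFED), ("look-alike", LOOKALIKE)):
        print(label, phishing_indicators(sample, TRUSTED))
```

Each heuristic on its own is weak; the value is in combining them and in routing anything with a finding to a quarantine or a human rather than the inbox. Note that the trusted-domain check deliberately treats a missing authentication result as a failure: a message claiming to come from inside the organization without SPF/DKIM/DMARC evidence is exactly the spoof the quote describes.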
Also lurking in the end user sphere is the very real problem of lost and stolen devices. A survey by security products provider Kensington found that the largest share of IT equipment thefts (25%) involved laptops taken from cars and other transportation. Just as worrisome, theft from within the office was a close second at 23%.
"People may leave a laptop or flash drive somewhere with protected health information [PHI] on it," says Lee Barrett, executive director of the Electronic Healthcare Network Accreditation Commission. "These devices are extremely easy to take and, in many cases, people don't encrypt their laptops or flash drives."
Barrett points out that simply forgetting to lock a laptop at work could lead to a breach, something end users may not consider. Even when the thief is after the hardware rather than the data, he notes, the PHI stored on it is still exposed. Without full-disk encryption, that data is readable by anyone who removes the drive and mounts it on another machine.
Mistakes at the Top
Security and privacy mistakes can also occur at an organization's highest levels. Rob Rhodes, CPHIMS, CHCIO, CISSP, HCISPP, vice president of product management and patient privacy solutions at Iatric Systems, a health care technology and privacy provider, says security, training, and an environment of awareness are critical, but those missions may be left by the wayside in favor of other issues if there's a lack of commitment from the C-suite.
"Even in organizations where senior-level folks support those types of activities, there are still cases where leaders don't do what they should," he says.
In their bid to maintain a focus on revenue and stretch lean resources, executives may fail to enforce crucial security policies or shortchange security budgets, Rhodes says, adding that both scenarios have the potential to create an environment of poor security hygiene.
As the role of chief information security officer (CISO) becomes more commonplace within large and small health care organizations, Barrett says some may nevertheless fall behind in ensuring the right expertise is in place to tackle security challenges. The individuals chosen to oversee strategic security and privacy functions need to have sufficient training, experience, and authority to carry out their responsibilities, something leadership teams don't always understand or support.
"It's a real risk and a real mistake," Barrett says. "It puts not only the individual in that role in a very vulnerable position, but also the organization."
In the event of a breach, the CISO's background and knowledge will come under intense scrutiny, something every C-suite should consider as it fills critical roles.
Even when executives and the board of directors agree on making security a priority, everyday operational mistakes remain. "The elephant in the room is how budgets are allocated," says Varun Badhwar, CEO and cofounder of cloud security firm RedLock. "That's where we have an inherent problem."
Instead of looking at security needs in detail and budgeting from the bottom up, Badhwar sees too many companies relying on the classic budgetary model that sets security spending at a percentage of the overall budget. "We're going through a fundamental disruption in technology," he says, noting that new systems are being implemented, data centers are shutting down, and services and storage are moving to the cloud. "It's uncharted territory."
As technology and processes are retooled, the dollar figures associated with maintaining security also need to be evaluated and updated, Badhwar says.
Even within the IT group itself, the potential for errors lurks. As systems and connection points proliferate—from patient portals to links with health information exchanges and payers—maintaining watch over this burgeoning infrastructure becomes more cumbersome.
"There's a real risk when an organization says they can do everything themselves and they don't need a third party to assist them," Barrett says. It's difficult for teams to identify their own issues and vulnerabilities, and there's a tendency for departments to overestimate their ability to deal with threats, he notes. "There are so many different political and other influences that impact their ability to do an objective review," Barrett says.
Good security relies on a strong chain. If IT doesn't take the steps necessary to put the right measures in place, then errors made at the end user level or by the executive team may be allowed to propagate throughout the network unchecked, Barrett says.
Dependence on the wrong sorts of technology can also leave IT's practices and procedures unprepared for newer classes of attack. In addition, risk assessments, which the HIPAA Security Rule requires of covered entities, aren't always conducted to confirm that the right safeguards are in place.
"I see it over and over. IT teams are overrelying on firewalls and antivirus protection," Brzezinski says. For example, IT may put stringent security around a central office only to realize that most of its workforce is outside that perimeter. Other strategies zero in on infrastructure risks but overlook the security needs of mobile device users.
"IT needs to create visibility into what's happening in their IT environment," Brzezinski says. The health of the network and its endpoints—as well as a better perspective on who's accessing the environment and whether they're using secure methods to connect—isn't always monitored as closely as it should be, allowing gaps to form that could be exploited, he says.
"Folks in IT have a great amount of opportunity to make mistakes," Rhodes says.
Why 'People' Mistakes Happen
Security gaps can also appear when employees aren't fully engaged in mitigation efforts. They rarely have visibility into risks, and they aren't always shown what they can do to help prevent them. "Security is a difficult job if end users don't understand the importance and the impact that security problems can have," Badhwar says.
Compounding the problem is the tendency of health care organizations to forgo the monitoring controls that can identify potentially risky user behavior. "Organizations need to follow a trust-but-verify model," Badhwar says.
Whether an employee's actions are accidental or on purpose, they could expose PHI or other confidential data. The right proactive measures can often prevent a security lapse from resulting in a breach, but providers have yet to fully embrace those tools, Badhwar says.
Unfortunately, real-world examples of what happens when an insider—whether an end user, the IT group, or an executive—makes a mistake are plentiful. Brzezinski says a number of incidents can be traced back to clerical errors.
For example, there have been instances when e-mails containing protected information destined for the patient were mistakenly routed to someone else. "This triggered the requirement to contact this individual who received the e-mail and its information in error, and ask them to delete it," Brzezinski says.
The organization needed to wait for confirmation that the errant message and its contents had been removed. A complete security incident report was also required, with notification provided to the person who should have received the information but didn't.
Through the years, Rhodes has witnessed several procedural errors made behind the scenes. On several occasions he has watched system administrators set up file shares intended to let specific users add information later. "[However], often they would create the share, but it was shared with everyone by default. They wouldn't take the time to properly adjust the permissions," he says.
Most systems come with a range of default settings. If IT doesn't work through each one, "it can leave them open to instances where information could easily be breached through that mistake," Rhodes says.
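Default share permissions are easy to audit mechanically, and that audit is the check Rhodes describes administrators skipping. The following is an added example, not code from the article or from Rhodes' organization: it reads a Samba smb.conf, applies Samba's documented defaults and [global] overrides the way Samba does, and reports shares that are reachable by everyone or writable by every authenticated account. Samba-style shares are an assumption (Windows file shares raise the same question through their share ACLs), and the configuration text is a constructed sample.

```python
"""Added example (not from the article): audit a Samba smb.conf for shares
that are open to everyone. Samba-style shares are an assumption here; the
config text is a constructed sample."""
import configparser
import io

# Samba defaults for the parameters checked (assumed from Samba's documented
# defaults); [global] and each share may override them.
SAMBA_DEFAULTS = {"guestok": "no", "readonly": "yes"}
SYNONYMS = {"public": "guestok", "writable": "readonly", "writeable": "readonly"}
INVERTED = {"writable", "writeable"}          # 'writable = yes' means 'read only = no'
TRUTHY = {"yes", "true", "1"}


def _normalise(section):
    """Lower-case keys, drop the spaces Samba ignores, fold synonyms onto one name."""
    out = {}
    for raw_key, value in section.items():
        key = raw_key.replace(" ", "").lower()
        value = value.strip().lower()
        if key in INVERTED:
            value = "no" if value in TRUTHY else "yes"
        out[SYNONYMS.get(key, key)] = value
    return out


def audit_shares(smb_conf):
    """Map each risky share name to its problems; shares with no problems are omitted."""
    parser = configparser.RawConfigParser(strict=False, delimiters=("=",))
    parser.read_file(io.StringIO(smb_conf))
    global_cfg = _normalise(parser["global"]) if parser.has_section("global") else {}
    findings = {}
    for name in parser.sections():
        if name in ("global", "printers"):
            continue
        # Precedence: Samba defaults < [global] < the share's own settings.
        cfg = {**SAMBA_DEFAULTS, **global_cfg, **_normalise(parser[name])}
        guest = cfg["guestok"] in TRUTHY
        writable = cfg["readonly"] not in TRUTHY
        restricted = bool(cfg.get("validusers"))
        problems = []
        if guest and writable:
            problems.append("anonymous write: anyone reaching the server can add or alter files")
        elif guest:
            problems.append("anonymous read: no credentials required")
        if writable and not restricted and not guest:
            problems.append("writable by every authenticated account ('valid users' not set)")
        if problems:
            findings[name] = problems
    return findings


# Constructed sample smb.conf: one share per mistake, plus two done correctly.
SAMPLE_SMB_CONF = """\
[global]
workgroup = CLINIC
security = user
map to guest = Bad User

[radiology]
comment = Imaging exports
path = /srv/radiology
public = yes
writable = yes

[scans]
path = /srv/scans
guest ok = yes

[dropbox]
path = /srv/dropbox
read only = no

[lab]
path = /srv/lab
read only = no
valid users = @labstaff

[policies]
path = /srv/policies
; browse-only reference copies
"""

if __name__ == "__main__":
    for share, problems in audit_shares(SAMPLE_SMB_CONF).items():
        print(f"[{share}]: " + "; ".join(problems))
```

Running it against the sample reports radiology (anonymous write), scans (anonymous read) and dropbox (writable by any account), while lab and policies pass. The script does not model every Samba setting that affects reachability (for instance, guest shares only answer anonymous requests when [global] maps failed logins to guest, as the sample's `map to guest` line does), so treat its output as a list of shares to look at, not a clean bill of health for the rest.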
An inability to break old habits also causes problems; the timing of software patch deployment is one example that could use a refresh. Looking back at patch management in an era when infrastructure wasn't easy to modify, Rhodes says, "In those early years, it wasn't unusual for a patch to break something."
The IT group often needed to conduct preliminary testing to ensure the changes wouldn't trigger new problems, but Rhodes says the entire process has improved significantly in the intervening years.
The massive breach at credit bureau Equifax, initially estimated to affect 143 million people (a figure the company later revised upward to about 147 million), resulted from inadequate policies and procedures for deploying system patches. "There was a patch out for the problem they got hit with, and that patch had been available for months but they hadn't yet applied it," Rhodes explains.
Because the Equifax breach stemmed from a failure to apply a patch in a timely manner, patching is something organizations must prioritize if they want to avoid similar problems. Testing and installing patches takes time, which is in short supply in many health care organizations, but every day between a fix's release and its deployment is a day in which attackers can use a vulnerability that is already public. "If management put more emphasis on it and said, 'Hey, you've got to do this,' I believe we'd have a lot fewer of these situations," Rhodes says.
Reducing the Risks
There's no one answer when it comes to addressing and avoiding human mistakes, but Brzezinski says many of the solutions involve a combination of training and technology. "Technology provides a lot of good tools," he explains.
Strong compliance and security platforms previously available only to large enterprises are now within reach for smaller organizations, thanks largely to cloud economics. "But we have to train users on these new technologies," Brzezinski cautions. "They need to know how to use them properly and how to benefit from them."
Rolling out an encryption tool or a more secure e-mail system will prove ineffective if employees don't know how to leverage them, he adds.
Rhodes says awareness programs have a lot to offer when it comes to reducing people-based security mistakes. Unfortunately, many organizations don't structure their efforts in a way that connects with users or that provides them with the kind of actionable information they need to adopt better habits. "You have to do it in such a way that you're changing the behaviors and attitudes people have," Rhodes says.
For example, frame security discussions in terms of patient well-being. Rhodes says security efforts have more traction when hospitals link unauthorized disclosure of PHI to an erosion of trust between patients and providers. "We don't know at any given point or with any individual what someone will find embarrassing," he says. "And if a patient doesn't trust their provider, they'll be much less likely to share information that's critical to their care."
Internally, organizations should be taking greater advantage of tools that can identify potentially suspicious activities, Badhwar says. For example, platforms can be added to help IT monitor user behavior. "These aren't just to trigger training and other programs, but also to build risk models and profiles of users," Badhwar says.
Should an employee deviate from his or her normal behavior, the software responds, whether it's sending an alert to IT or locking down the user's account to limit the damage. "For example, the software would raise an alert if it observes that a specific user normally logs in from Toronto and performs a set of actions, but now the user is logging in from Croatia and performing a different set of actions," Badhwar says.
IT can then review the activity to determine, for example, whether the account has been compromised or it's the work of a malicious insider.
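The Toronto-to-Croatia scenario Badhwar describes comes down to three checks: a location the user has never used, actions outside the user's usual set, and a move between two places faster than any traveller could manage. The following is an added example, not code from the article or from RedLock's product: it builds a per-user baseline from past events, scores new events on those three signals, and routes one weak signal to IT for review and two or more to an account lock. The user names, the events, the coordinates, and the 900 km/h travel threshold are constructed for the example, and the geo-IP lookup that attached a country and coordinates to each event is assumed to have already run.

```python
"""Added example (not from the article): a minimal per-user behaviour baseline
and anomaly scorer of the kind a user-behaviour monitoring platform applies.
Events are constructed samples; the geo-IP lookup that attached country and
coordinates to each event is assumed to have already run."""
from collections import defaultdict
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

MAX_PLAUSIBLE_KMH = 900.0   # roughly airliner speed; faster than this is "impossible travel"


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points, in kilometres."""
    dlat, dlon = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def build_baseline(events):
    """Countries and actions each user exhibited during the training window."""
    baseline = defaultdict(lambda: {"countries": set(), "actions": set()})
    for e in events:
        baseline[e["user"]]["countries"].add(e["country"])
        baseline[e["user"]]["actions"].add(e["action"])
    return baseline


def score_event(event, baseline, last_seen):
    """Return the reasons an event deviates from the user's baseline and from the
    user's previous event; last_seen (user -> previous event) is updated in place."""
    reasons = []
    profile = baseline.get(event["user"])
    if profile is None:
        reasons.append("no baseline for user")
    else:
        if event["country"] not in profile["countries"]:
            reasons.append(f"new country {event['country']}")
        if event["action"] not in profile["actions"]:
            reasons.append(f"new action {event['action']}")
    prev = last_seen.get(event["user"])
    if prev is not None:
        elapsed = datetime.fromisoformat(event["ts"]) - datetime.fromisoformat(prev["ts"])
        hours = elapsed.total_seconds() / 3600
        km = haversine_km(prev["lat"], prev["lon"], event["lat"], event["lon"])
        # Out-of-order or duplicate timestamps are skipped rather than divided by.
        if hours > 0 and km / hours > MAX_PLAUSIBLE_KMH:
            reasons.append(f"impossible travel: {km:.0f} km in {hours:.1f} h")
    last_seen[event["user"]] = event
    return reasons


def triage(training, new_events):
    """Score new events against a baseline built from training events (both lists
    chronological). One signal goes to IT for review; two or more lock the account."""
    baseline = build_baseline(training)
    last_seen = {e["user"]: e for e in training}   # keeps each user's last training event
    decisions = []
    for e in new_events:
        reasons = score_event(e, baseline, last_seen)
        if reasons:
            response = "lock" if len(reasons) >= 2 else "alert"
            decisions.append({"user": e["user"], "ts": e["ts"], "response": response, "reasons": reasons})
    return decisions


# Constructed sample data: (country, latitude, longitude) for three cities.
TORONTO = ("CA", 43.65, -79.38)
ZAGREB = ("HR", 45.81, 15.98)
VANCOUVER = ("CA", 49.28, -123.12)


def _ev(user, ts, place, action):
    country, lat, lon = place
    return {"user": user, "ts": ts, "country": country, "lat": lat, "lon": lon, "action": action}


TRAINING_EVENTS = [
    _ev("r.patel", "2024-03-04T08:05", TORONTO, "view_chart"),
    _ev("r.patel", "2024-03-04T17:00", TORONTO, "update_notes"),
    _ev("j.wu", "2024-03-04T16:00", TORONTO, "view_chart"),
]
NEW_EVENTS = [
    _ev("j.wu", "2024-03-05T08:00", TORONTO, "view_chart"),        # routine
    _ev("r.patel", "2024-03-05T09:00", TORONTO, "view_chart"),     # routine
    _ev("j.wu", "2024-03-05T11:00", VANCOUVER, "view_chart"),      # usual work, but ~3,400 km in 3 h
    _ev("r.patel", "2024-03-05T11:20", ZAGREB, "export_records"),  # new country, new action, impossible travel
]

if __name__ == "__main__":
    for d in triage(TRAINING_EVENTS, NEW_EVENTS):
        print(d["ts"], d["user"], d["response"], "; ".join(d["reasons"]))
```

On the sample, j.wu's Vancouver login trips only the travel check and produces an alert for IT to review (a VPN exit or a legitimate trip would explain it), while r.patel's Zagreb session hits all three signals and is locked. A real platform would weight signals and learn per-user schedules rather than count reasons, but the triage step, reviewing the one-signal cases and containing the multi-signal ones, is the same.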
In general, a philosophical shift may be in order within health care. Too often organizations assume they're immune to a breach either because they have yet to experience one—this assumes current measures are sufficient—or because they believe they're too small to be targeted. Both positions result in security being deprioritized, a huge mistake, according to experts.
How can this line of thinking be overcome? "It requires getting through to people the risks they have," Barrett says. "If their organization is impacted, the effects aren't limited to loss of revenue. They may also lose credibility."
Rejecting complacency begins at the top, not just with allocating resources more effectively but also in appointing the right people to important security positions and through support for ongoing training efforts. "Look at organizations like Equifax and Anthem. These are major organizations and they spend millions of dollars a year in relation to IT infrastructure, yet they still had attacks," Barrett says.
He encourages health care leaders to turn the tide and to bring their organizations into alignment under a unified commitment to security.
— Julie Knudson is a freelance writer based in Seattle.