Wetware: People are the problem in countless data breaches


By Adam Levin, ThirdCertainty

For the first time, according to a recent study, criminal and state-sponsored hacks have surpassed human error as the leading cause of health care data breaches, and it could be costing the industry as much as $6 billion. With an average organization cost of $2.1 million per breach, the results of the study give rise to a question: How do you define human error?

More than half of the respondents in the Ponemon Institute’s fifth annual Benchmark Study on Privacy & Security of Healthcare Data said their organization’s incident response team was underfunded or understaffed, and roughly one-third of respondents had no incident response plan in place at all—zip, nada, zilch. That fact beggars the imagination at a moment when breaches have become the third certainty in life, and it highlights the seeming no-show of the “first do no harm” approach to patients on the data breach-prone operations side of the health care industry.

While it is disconcerting that there isn’t a more robust incident response culture out there, perhaps more worrisome is the seeming lack of best practices pointed at heading off the problem before it happens. That’s where a new term comes into play.

Human factor helps hackers

Wetware is a term of art used by hackers to describe an approach to getting the information they want to pilfer that relies on neither firmware, hardware nor software. In other words, people. (The human body is more than 60 percent water.) Wetware intrusions happen when a hacker exploits employee trust, predictable behavior, or the failure to follow security protocols. It can be a spear phishing email, a crooked employee on the take, or a file found while Dumpster diving—and, of course, all stripes of things in between. Whatever it is, there’s a human being involved.

The findings of the Ponemon Institute study point to the dire need for better wetware precautions when it comes to the security of health care records. Consider that 40 percent of the health organizations in the study reported more than five breaches in the past two years.

According to the study, since 2010 “the percentage of respondents who said their organization had multiple breaches increased from 60 percent to 79 percent.” Also by no means inconsequential is the fact that medical identity theft—where an imposter uses a victim’s credentials to obtain health care—nearly doubled in the past five years, from 1.4 million adult victims to more than 2.3 million in 2014.

The breaches comprising these figures were not all the size or severity of Anthem or Premera, which combined leaked extremely sensitive personally identifiable information like Social Security numbers, birth dates and bank account numbers belonging to more than 91 million consumers. While the $2.1 million average cost to health care organizations is eye-catching, it involved incidents with an average of 2,700 lost or stolen records, a figure that runs the gamut from Anthem and Premera to breaches that were decidedly on the smaller side.

As Larry Ponemon rightly pointed out in an interview with Dark Reading, while many of the incidents involved the exposure of “less than 100 records,” that in no way trivializes those events. According to the study, “Many medical identity theft victims report they have spent an average of $13,500 to restore their credit, reimburse their health care provider for fraudulent claims and correct inaccuracies in their health records.”

Better security protocols needed

With 91 percent of the health care companies who responded to the study’s questions reporting at least one incident in the preceding two years, it’s clear that whatever we’re doing to address the health care breach problem is woefully inadequate. What’s more, it is clear that the problem is wetware. Better practices need to become part of the work culture in the health care industry.

When participating organizations in the study were asked what worried them the most (with three responses permitted), 70 percent said the biggest concern was a negligent or careless employee. That figure was followed by 40 percent of respondents who thought cyber attackers were the bigger worry and 33 percent who were worried about the security of public cloud servers. Respondents also cited insecure mobile apps (13 percent) and insecure medical devices (6 percent).

With 96 percent of respondents saying that they had a security incident involving lost or stolen devices, the fact that cyber attacks—state-backed and criminal—are the leading cause of breaches should keep you up at night, but the more terrifying takeaway here is that doubtless many of those attacks wouldn’t be possible were it not for the human factor. There is enough overlap between the proactive criminal and the clumsy employee to make these figures start to seem like so much digital rain in a lost scene from “The Matrix.”

These days, smartphones and tablets are on the most-compromised or stolen list. Earlier in the data breach pandemic, laptop computers and desktops were at the top of that list. While it is interesting on some level how the information gets compromised, at the end of the day, a breach is a breach is a breach. Health care industry: you’re all wet.

The bottom line here is that hackers of all stripes are having a field day because the wetware problem has been largely unaddressed, and until people become the alpha and omega of the process that leads to a zero tolerance solution, data breaches will continue apace.

Full disclosure: IDT911 sponsors ThirdCertainty. This story originated as an Op/Ed contribution to Credit.com and does not necessarily represent the views of the company or its partners.

Adam Levin is chairman and co-founder of Credit.com and IDT911. His experience as former director of the New Jersey Division of Consumer Affairs gives him unique insight into consumer privacy, legislation and financial advocacy. He is a nationally recognized expert on identity theft and credit.
