For the first time, according to a recent study, criminal and state-sponsored hacks have surpassed human error as the leading cause of health care data breaches, and it could be costing the industry as much as $6 billion. With an average organization cost of $2.1 million per breach, the results of the study give rise to a question: How do you define human error?
More than half of the respondents in the Ponemon Institute's Fifth Annual Benchmark Study on Privacy & Security of Healthcare Data said their organization's incident response team was underfunded or understaffed, and roughly one third of respondents had no incident response plan in place at all—zip, nada, zilch—a fact that beggars the imagination at a moment when breaches have become the third certainty in life, and one that highlights the seeming no-show of the "first do no harm" approach to patients on the data breach-prone operations side of the health care industry.
While it is disconcerting that there isn't a more robust incident response culture out there, perhaps more worrisome is the seeming lack of best practices pointed at heading off the problem before it happens. That's where a new term comes into play.
Wetware is a term of art used by hackers to describe an approach to getting the information they want to pilfer that relies on neither firmware, hardware nor software. In other words, people. (The human body is more than 60% water.) Wetware intrusions happen when a hacker exploits employee trust, predictable behavior or the failure to follow security protocols. It can be a spearphishing email, a crooked employee on the take or a file found while Dumpster diving—and, of course, all stripes of things in between. Whatever it is, there's a human being involved.
The findings of the Ponemon Institute study point to the dire need for better wetware precautions when it comes to the security of health care records. Consider that 40% of the health organizations in the study reported more than five breaches in the past two years.
According to the study, since 2010 "the percentage of respondents who said their organization had multiple breaches increased from 60% to 79%." Also by no means inconsequential is the fact that medical identity theft—where an imposter uses a victim's credentials to obtain health care—nearly doubled in the past five years, from 1.4 million adult victims to more than 2.3 million in 2014.
The breaches comprising these figures were not all the size or severity of Anthem or Premera, which combined leaked extremely sensitive personally identifiable information like Social Security numbers, birth dates and bank account numbers belonging to more than 91 million consumers. While the $2.1 million average cost to health care organizations is eye-catching, it involved incidents with an average of 2,700 lost or stolen records, a figure that runs the gamut from Anthem and Premera to breaches that were decidedly on the smaller side.