Sounds reasonable, until you look at the Silicon Valley experience. Silicon Valley grew like a weed precisely because employees could…
Readers Write: Why Healthcare Organizations Can’t Afford A Data Breach Caused by Human Error
Why Healthcare Organizations Can’t Afford A Data Breach Caused by Human Error
By Tim Sadler
Tim Sadler, MA, MSc, MEng is co-founder and CEO of Tessian of London, England.
$9.42 million. That’s how much a healthcare data breach now costs, a staggering $2 million more than it was a year ago. According to IBM’s 2021 Cost of Data Breach report, data breaches in the healthcare industry are the highest across all industries today.
While ransomware attacks have dominated the headlines in recent months, the leading cause of data breaches in the healthcare industry is actually miscellaneous errors, with the most common of these mistakes involving an email or file attachment being sent to the wrong person.
We’ve all been there. Faced with looming deadlines and overwhelming to-do lists, you think to yourself, “I’ll just quickly send that by email.” But with healthcare professionals now responsible for more data than ever before, the stakes are high.
Employees are the gatekeepers to highly sensitive and valuable information, such as people’s personal and medical records, intellectual property, and research and development. With many clinics sharing patients’ information among colleagues or with third-party partners via email, a simple typo could result in lost data, a serious cybersecurity incident, and significant reputational damage.
This was the case with a gender identity clinic in the UK. An employee accidentally exposed the personal details of nearly 2,000 people because they CC’d recipients instead of BCC’ing them. In addition to damaging patient trust, a mistake like this can cause major legal problems, like violating HIPAA and HITECH laws.
Many IT and security teams may not even realize the scale of the problem that human error poses to their organization. IT leaders surveyed by my company estimated that 480 misdirected emails were sent in their organizations each year. In reality, at least 800 emails are sent to the wrong person in companies with 1,000 employees each year. What’s more, one in five healthcare professionals say they’ve made a mistake that has compromised security while working remotely that no one will ever know about.
It’s not accidents causing problems. Security leaders know that the vast majority of employees are well intentioned, but there are some people who knowingly exfiltrate data from the organization. In fact, 35% of employees working in the healthcare industry admit to downloading, saving, or sending work-related documents to personal accounts before leaving or after being dismissed from a job. Our platform indicates that at least 27,500 non-compliant, unauthorized emails are sent every year in organizations with 1,000 employees. Security leaders estimated just 720.
Visibility into the threat is sorely needed. You can’t defend against what you can’t see.
To prevent security incidents caused by human error and avoid the eye-watering costs associated with a data breach, healthcare organizations need to start putting people at the heart of their security strategies and consider how they can best support their riskiest and most at-risk employees.
Constantly reinforcing security awareness training is an important first step in improving people’s security behaviors. Training can’t be a one-size-fits all, tick-box exercise; it has to be contextual and relevant if it’s ever going to resonate with employees and enforce long-lasting behavioral change.
Then create and maintain a security culture that empowers employees to make the right cybersecurity decisions. Arm people with the tools and knowledge they need, in the moment they need it most, to avoid making risky mistakes that can compromise data security. This could mean alerting people to think twice before clicking, rewarding employees for spotting threats, and creating a safe space for people to admit when they’ve a mistake.
Businesses are digitally transforming and ways of working are changing, but one thing remains the same — people are in control of the data and systems. Their behaviors will make or break a company’s security posture. With the cost of a healthcare data breach continually rising year on year and with people being responsible for more data than ever before, IT leaders can’t no longer afford to neglect security at the human layer in their organization.
Oh boy! Regarding “Can’t Afford …”
Let me say, up front, that I’m a big booster of security systems, patching, privacy, all that. That’s to start.
But can’t afford? Ouch! They can afford, and do so every day. They don’t want to afford. It’s not desirable to afford. It results in Opportunity Costs, for sure.
Continuing, the “human error” component. We can’t limit it to just that, IMO. Data breaches happen for all sorts of reasons, and human factors is just one of many. It’s a bit short-sighted to address only that component. Unless we are saying that organizations “can afford” data breaches caused solely by technical issues? No, that doesn’t sound right.
And how exactly do we remove human psychology from our systems? You can’t. It’s a fool’s errand to think you can.
This always comes back to training. OK, training is good, right? Sure it is! I won’t speak a word against it. But… the studies I’ve seen? Even the best training programmes, with lots of testing, follow-up, non-punitive learning opportunities, realistic penetration & phishing efforts, White Hat hacker engagements?
You get a 30-50% reduction in your people doing the wrong thing. Consistently. So there is improvement, but it isn’t a security silver bullet either. Thus you need to do the training, but limit your expectations of what you can actually achieve.