Why Human Error is Just as Risky As Ransomware for Healthcare Cybersecurity

The following is a guest article by Tim Sadler, CEO of Tessian.

Ransomware attacks continue to plague the healthcare industry. In all, cyberattacks on healthcare more than doubled last year, with ransomware making up 28% of those attacks. But healthcare IT leaders have another cybersecurity challenge to overcome: human error. According to Verizon’s 2021 Data Breach Report, miscellaneous errors are the number one cause of data breaches in healthcare today, with the most common of these mistakes involving an email or file attachment being sent to the wrong person.

While these errors are not maliciously motivated, they can result in lost data and significant reputational damage. When you consider how much valuable and sensitive information healthcare employees are responsible for, a simple slip-up on email could cause a serious cybersecurity incident.

In fact, I would argue that human error can be just as damaging as ransomware attacks — and in some cases, more damaging given that healthcare IT leaders often lack visibility into employees’ mistakes and risky behaviors. A deeper look at employee behavior patterns can help organizations prevent a simple mistake from turning into a major breach.

The Gap in IT Leaders’ Assumptions vs Reality

Healthcare employees, partners and vendors access large amounts of sensitive data. Personal and medical information, research and development, and intellectual property that once resided in physical filing cabinets are now stored on databases and spreadsheets. This data can be shared from person to person in just one simple click. This makes the industry especially vulnerable to data breaches caused by human error.

One unfortunate example of this happened when a staff member at a gender identity clinic in the UK exposed the personal details of nearly 2,000 people because they CC’d recipients instead of BCC’ing them. In addition to damaging patient trust, a mistake like this can cause major legal problems like violating HIPAA and HITECH laws.

One major contributor to this risk is that many IT leaders don’t actually realize the scale of the problem. In a report from Tessian, for example, IT leaders estimated that 480 misdirected emails are sent in their organizations each year. But our platform data shows that at least 800 emails are sent to the wrong person in companies with 1,000 employees each year. Within healthcare, nearly half (46%) of employees surveyed said they had made this mistake before. It’s clear that organizations need greater visibility into this threat.
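The CC-instead-of-BCC exposure and the misdirected email described above are both catchable before the message leaves the organization. The following pre-send check is an added example, not Tessian's product or any code from the article: it parses an outbound message, flags a large number of external addresses visible in To/Cc, and flags recipient domains that are a near-miss of a known internal or partner domain (a typo that would route patient data to the wrong organization). The domain names, the threshold of 20 visible external recipients and the similarity cutoff are assumptions chosen for illustration, and the sample messages are constructed.

```python
"""Outbound-mail pre-send checks for two human-error patterns:
(1) many external recipients visible in To/Cc (the CC-instead-of-BCC mistake)
(2) a recipient domain that nearly matches a known internal or partner domain
    (a typo that sends the message to the wrong organisation).
Domain names and thresholds below are assumptions for illustration.
"""
import difflib
from email import message_from_string
from email.utils import getaddresses

INTERNAL_DOMAIN = "clinic.example"                            # assumed organisation domain
PARTNER_DOMAINS = {"partner-lab.example", "insurer.example"}  # assumed trusted partners
BULK_VISIBLE_THRESHOLD = 20  # assumed policy: this many external To/Cc addresses should be Bcc


def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower()


def parse_recipients(raw_message: str) -> dict:
    """Return lower-cased addresses grouped by header (To, Cc, Bcc)."""
    msg = message_from_string(raw_message)
    return {
        header: [addr.lower() for _, addr in getaddresses(msg.get_all(header, [])) if addr]
        for header in ("To", "Cc", "Bcc")
    }


def check_bulk_visible_recipients(recipients: dict, threshold: int = BULK_VISIBLE_THRESHOLD):
    """Flag a message whose To/Cc expose many external addresses to each other."""
    visible = recipients["To"] + recipients["Cc"]
    external = [a for a in visible if domain_of(a) != INTERNAL_DOMAIN]
    if len(external) >= threshold:
        return (f"{len(external)} external addresses are visible in To/Cc; "
                f"move them to Bcc so recipients cannot see each other")
    return None


def check_lookalike_domains(recipients: dict, known_domains, cutoff: float = 0.8):
    """Return (address, intended_domain) pairs whose domain nearly matches a known one."""
    findings = []
    for addr in recipients["To"] + recipients["Cc"] + recipients["Bcc"]:
        domain = domain_of(addr)
        if domain in known_domains:
            continue  # exact match with a trusted domain: nothing to flag
        close = difflib.get_close_matches(domain, sorted(known_domains), n=1, cutoff=cutoff)
        if close:
            findings.append((addr, close[0]))
    return findings


def run_presend_checks(raw_message: str) -> list:
    """Aggregate findings; an empty list means the sender sees no warning."""
    recipients = parse_recipients(raw_message)
    findings = []
    bulk = check_bulk_visible_recipients(recipients)
    if bulk:
        findings.append(("bulk-visible-recipients", bulk))
    known = PARTNER_DOMAINS | {INTERNAL_DOMAIN}
    for addr, intended in check_lookalike_domains(recipients, known):
        findings.append(("lookalike-domain", f"{addr} looks like a typo of @{intended}"))
    return findings


# Constructed sample messages (not real mail).
MASS_CC_MESSAGE = (
    "From: reception@clinic.example\r\n"
    "To: reception@clinic.example\r\n"
    "Cc: " + ", ".join(f"patient{i}@webmail.example" for i in range(25)) + "\r\n"
    "Subject: Appointment reminder\r\n\r\nPlease confirm your slot.\r\n"
)
TYPO_MESSAGE = (
    "From: dr.smith@clinic.example\r\n"
    "To: records@clinc.example\r\n"  # 'clinc' is a constructed typo of clinic.example
    "Subject: Referral letter attached\r\n\r\nSee attachment.\r\n"
)

if __name__ == "__main__":
    for name, raw in (("mass-cc", MASS_CC_MESSAGE), ("typo", TYPO_MESSAGE)):
        print(name, run_presend_checks(raw))
```

In a mail gateway or client plug-in the findings would be shown to the sender as a warning before the message is released, which is the visibility gap the article describes: the sender gets a chance to fix the mistake, and the security team gets a count of near-misses instead of an assumption.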

The Impact of Hybrid and Remote Work

The rise of telehealth and virtual medicine means that the hybrid work transition is happening rapidly within healthcare. While the transition to remote work brought new security challenges, the “next normal” of hybrid work could prove to be even more disruptive. In fact, 59% of healthcare security leaders are concerned about employees’ unsafe data practices in a hybrid-remote environment.

Their concerns are valid. More than one-third of employees say they have picked up bad security behaviors and found security “workarounds” while working from home. Equally concerning is that one in four employees say they made security mistakes while working from home that no one will ever know about.

In addition to making mistakes like sending emails to the wrong person, falling for phishing emails is another case of human error that can put organizations at risk. More than two-thirds of IT leaders (67%) predict an uptick in phishing emails that take advantage of the transition back to working in the office. One example, spotted by Cofense, saw attackers impersonating a CIO who welcomed staff back to the office and asked them to provide login credentials.

With employees reporting that they make more mistakes due to stress, fatigue, and distraction, security incidents caused by human error could be exacerbated by the transition to hybrid work as staff switch between various locations and devices.

Whether employees work remotely, in the office, or in a hybrid setting, they are the gatekeepers to healthcare organizations’ data and systems. Their behavior will make or break security. Businesses, then, need to put people at the heart of security strategies and make employees part of the solution.

Human Error Must Be a Healthcare Priority

In order to mitigate these risks, healthcare organizations must work toward building a strong security culture that empowers employees to work both securely and productively.

Ongoing, tailored training is an important first step. The training should be contextual and relevant to a specific employee’s tenure, location, and role, if it’s going to stick. Another important factor involves creating a security culture that educates employees and builds a level of self-efficacy by arming people with the tools and knowledge they need to spot threats and avoid making risky moves that could compromise security. This culture should also never shame employees for making mistakes; employees should feel safe admitting when something goes wrong. Otherwise, healthcare IT leaders cannot have visibility into this risk and will continue to make assumptions that don’t reflect reality.

Threats like ransomware will continue to be a problem for healthcare organizations, and they need to be prepared for this. But that doesn’t mean employee behavior and mistakes should be deprioritized. In fact, securing the “human layer” of an organization can help defend against many cybersecurity risks. Protecting against human error must be part of an organization’s holistic security strategy in today’s threat landscape.
