BreachExchange mailing list archives

Wetware: The Major Data Security Threat You’ve Never Heard Of


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Fri, 15 May 2015 13:19:08 -0600

http://blog.credit.com/2015/05/wetware-the-major-data-security-threat-youve-never-heard-of-116451/

For the first time, according to a recent study, criminal and
state-sponsored hacks have surpassed human error as the leading cause of
health care data breaches, and it could be costing the industry as much as
$6 billion. With an average organization cost of $2.1 million per breach,
the results of the study give rise to a question: How do you define human
error?

More than half of the respondents in the Ponemon Institute’s Fifth Annual
Benchmark Study on Privacy & Security of Healthcare Data said their
organization’s incident response team was underfunded or understaffed and
roughly one-third of respondents had no incident response plan in place at
all—zip, nada, zilch—a fact that beggars the imagination at a moment when
breaches have become the third certainty in life, and one that highlights
the seeming no-show of the “first do no harm” approach to patients on the
data breach-prone operations side of the health care industry.

While it is disconcerting that there isn’t a more robust incident response
culture out there, perhaps more worrisome is the seeming lack of best
practices pointed at heading off the problem before it happens. That’s
where a new term comes into play.

Wetware is a term of art used by hackers to describe a non-firmware,
non-hardware, non-software approach to getting the information they want to
pilfer. In other words, people. (The human body is more than 60% water.)
Wetware intrusions happen when a hacker exploits employee trust,
predictable behavior or the failure to follow security protocols. It can be
a spearphishing email, a crooked employee on the take or a file found while
Dumpster diving—and, of course, all stripes of things in between. Whatever
it is, there’s a human being involved.

The findings of the Ponemon Institute study point to the dire need for
better wetware precautions when it comes to the security of health care
records. Consider that 40% of the health organizations in the study
reported more than five breaches in the past two years.

According to the study, since 2010 “the percentage of respondents who said
their organization had multiple breaches increased from 60% to 79%.” Also
by no means inconsequential is the fact that medical identity theft—where
an imposter uses a victim’s credentials to obtain health care—nearly
doubled in the past five years, from 1.4 million adult victims to more than
2.3 million in 2014.

The breaches comprising these figures were not all the size or severity of
Anthem or Premera, which combined leaked extremely sensitive personally
identifiable information like Social Security numbers, birth dates and bank
account numbers belonging to more than 91 million consumers. While the $2.1
million average cost to health care organizations is eye-catching, it
involved incidents with an average of 2,700 lost or stolen records, a
figure that runs the gamut from Anthem and Premera to breaches that were
decidedly on the smaller side.

As Larry Ponemon rightly pointed out in an interview with Dark Reading,
while many of the incidents involved the exposure of “less than 100
records,” that in no way trivializes those events. According to the study,
“Many medical identity theft victims report they have spent an average of
$13,500 to restore their credit, reimburse their health care provider for
fraudulent claims and correct inaccuracies in their health records.”

With 91% of the health care companies who responded to the study’s
questions reporting at least one incident in the preceding two years, it’s
clear that whatever we’re doing to address the health care breach problem
is woefully inadequate. What’s more, it is clear that the problem is
wetware. Better practices need to become part of the work culture in the
health care industry.

When participating organizations in the study were asked what worried them
the most (with three responses permitted), 70% said the biggest concern was
a negligent or careless employee. That figure was followed by 40% of
respondents who thought cyber attackers were the bigger worry and 33% who
were worried about the security of public cloud servers. Respondents also
cited insecure mobile apps (13%) and insecure medical devices (6%).

With 96% of respondents saying that they had a security incident involving
lost or stolen devices, the fact that cyber attacks—state-backed and
criminal—are the leading cause of breaches should keep you up at night, but
the more terrifying take-away here is that doubtless many of those attacks
wouldn’t be possible were it not for the human factor. There is plenty of
overlap between the proactive criminal and the clumsy employee to make
these figures start to seem like so much digital rain in a lost scene from
“The Matrix.”

These days, smartphones and tablets are on the most-compromised or stolen
list. Earlier on in the data breach pandemic, laptop computers and desktops
were at the top of that list. While it is interesting on some level how the
information gets compromised, at the end of the day, a breach is a breach
is a breach. Health care industry: you’re all wet.

The bottom line here is that hackers of all stripes are having a field day
because the wetware problem has been largely unaddressed, and until people
become the alpha and omega of the process that leads to a zero tolerance
solution, data breaches will continue apace.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss