Technology glitches have been a predominant source of news headlines for health information exchanges (HIEs). These glitches have raised a breadth of concerns ranging from usability to the protection of patient privacy. What has received less news coverage is the risk that human vulnerabilities pose to HIEs.
Health care organizations that use HIEs face a broader array of “soft” risks such as human error or phishing attacks. Unfortunately, human vulnerabilities are addressed less frequently in the context of information security and incident response programs. The result is an open door to a potential data breach.

CASE: Human Error leads to HIE Breach

A September 2013 data breach of Minnesota’s online health exchange, MNsure, demonstrates the impact of human error. The data breach occurred when an employee mistakenly emailed the personal information of 2,400 insurance agents to an insurance broker. An investigation conducted by Minnesota’s Office of the Legislative Auditor confirmed the breach was not intentional and resulted from poor internal procedures and human error. (LINK: http://www.startribune.com/business/231039781.html)

MNsure’s breach event is consistent with findings reported in the 2013 Cost of Data Breach Study: Global Analysis, a report from Symantec and the Ponemon Institute. According to this study of 277 data breach incidents from companies around the globe, 35% of data breaches resulted from human error. As HIEs mature, human error may be the most significant source of security vulnerabilities.

Problems with mis-addressed emails are further exacerbated by technology supposedly designed to make our lives easier – for example, the Outlook setting that auto-completes email addresses. This has led to cases where emails containing PHI have been sent to the wrong “John Smith” from the sender’s address book. It is worth noting that in Europe, national privacy regulators have specifically stated that certain types of communications (e.g., faxes) are inherently insecure because of the unreasonably high possibility of user error without any safety device to catch errors (e.g., a one-digit mistake while typing in a fax number can send the data to a complete stranger).

The full article can be read at ID Experts’ Blog.