To prevent cyber-attacks, assume well-meaning people will make mistakes

Human Factors Engineering is dedicated to the idea that if it is possible to make a mistake in a process or task, a human being somewhere will make that possibility a reality.

It accepts that even smart, well-trained people will make mistakes. It's a complex discipline, but a big part of the job is to figure out what mistakes humans can make and create failsafes to prevent harm when they do.

For example, when cars were relatively new, you could start the car while it was in gear, causing it to lurch forward. This wasn't the recommended way to do it, obviously, but even smart people do dumb things, and there were many injuries and several deaths from people doing exactly this. Then a smart engineer created a failsafe mechanism that prevented the car from starting unless it was in neutral. Later iterations produced the brake/ignition interlock, so the car won't start unless your foot is on the brake. This is human factors engineering in action: assuming people will try to start the car in the wrong gear and making it impossible for them to do so.

I was thinking about this as I read the NTT DATA 2018 Global Threat Intelligence Report. There are some interesting details in the report, covering a variety of industries across the globe, and some good advice about what to do to improve your security posture. What struck me, though, is a common thread through most breaches, and it isn’t a new factor: they occur because someone in the organization does something unwise that they should not have done.

The dumb things people do are all over the map: using weak passwords or passwords that are easy to guess based on their social media data; responding to phishing emails or vishing phone calls; sharing passwords with colleagues; downloading files from unvetted web sites; neglecting to install security patches on their laptops or even on servers; storing sensitive files on mobile devices; failing to encrypt mobile devices; and leaving unlocked mobile devices in public locations. If there is a way that your organization can be exposed to a breach, some hapless person will find it and do it.

There are reasons why smart people do dumb things. They are distracted by too many tasks and not enough time. They get tired or sick or have a sleepless night. They rush because they are running late. They get impatient with all the security rigmarole we IT people put them through and they create easier workarounds. On rare occasions employee malice may be involved, but more often, well-meaning people do the wrong thing. And IT people in far too many organizations still operate under the premise that they can train users (and their own staff) to do the right thing every time. There are decades of examples to disprove that premise.

A better way is to assume everyone is occasionally an idiot (because, really, don’t we all have our idiotic moments?) and create systems that prevent them from causing breaches. From this perspective you begin to see ways to limit the damage people inadvertently cause and design systems to help people do it right.

This is especially important in healthcare, because you are dealing with supersensitive data and a workforce that is often overloaded, focused on saving lives, and impatient with technology if it slows them down. If we don’t help them get it right, a breach is inevitable.

Saving people (and the organization) from themselves
So how do you create failsafe mechanisms to prevent breaches? A thorough risk assessment of your critical systems is step one, paying close attention to your password protocols as well as every other security risk. Since more than 80% of breaches involve stolen or compromised passwords, that is a good place to start.

Make it easy for users to do the right thing. Limit access by role and strictly enforce password protocols. If you have multiple systems that require user sign-on, as many healthcare organizations do, wrap those systems in a single sign-on system that requires only one password. Most people can create and remember one strong password, which reduces the chance that they will keep a written copy somewhere vulnerable. The trade-off is that this one credential now unlocks everything, so it must be protected accordingly.

Multi-factor authentication, combined with single sign-on and strong passwords, helps prevent breaches by ensuring that a compromised password alone will not grant access. Since brute-force attempts to guess passwords continue to be an issue, this also stops breaches that have nothing to do with careless users.
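As an added illustration of enforcing a password protocol instead of hoping users choose well (this is example code, not from the article or the NTT DATA report), the following Python checks a proposed password for the mistakes listed earlier: too short, on a breached-password list, or derived from details anyone could harvest from the user's public profile. The minimum length, the small denylist, the profile fields and the sample user are all assumptions.

```python
"""Password-policy failsafe: reject weak choices when they are set instead of
trusting users to pick well. Added example; helper names, the denylist, the
profile fields and the sample user are assumptions."""
from __future__ import annotations

import re
import unicodedata

MIN_LENGTH = 12

# Constructed denylist. A real deployment loads a large breached-password
# corpus here instead of a handful of strings.
COMMON_PASSWORDS = {
    "password", "123456", "qwerty", "letmein", "welcome", "welcome1",
    "iloveyou", "admin", "admin123", "summer2018", "changeme",
}

# Common substitutions, applied in reverse: 'P@ssw0rd' -> 'password'.
_LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                       "7": "t", "@": "a", "$": "s", "!": "i"})

# Constructed sample user: the kind of data a public profile leaks.
SAMPLE_PROFILE = {
    "name": "Jane Doe",
    "email": "jane.doe@mercygeneral.org",
    "employer": "Mercy General",
    "pet": "Rover",
    "birth_year": 1987,
}


def _normalize(s: str) -> str:
    """Lowercase and strip accents so 'Pässword' compares as 'password'."""
    nfkd = unicodedata.normalize("NFKD", s)
    return "".join(c for c in nfkd if not unicodedata.combining(c)).lower()


def _profile_tokens(profile: dict) -> set[str]:
    """Words of four or more characters an attacker could pull from the profile."""
    tokens: set[str] = set()
    for key, value in profile.items():
        value = str(value)
        if key == "email":
            value = value.split("@", 1)[0]  # local part only; the domain is shared by everyone
        for tok in re.split(r"[\s@._-]+", _normalize(value)):
            if len(tok) >= 4:
                tokens.add(tok)
    return tokens


def check_password(password: str, profile: dict) -> list[str]:
    """Return the list of policy violations; an empty list means acceptable."""
    problems: list[str] = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")

    norm = _normalize(password)
    base = re.sub(r"[\d!?.]+$", "", norm)  # 'Welcome2018!' -> 'welcome'
    variants = {norm, base, norm.translate(_LEET), base.translate(_LEET)}
    if variants & COMMON_PASSWORDS:
        problems.append("appears on the breached-password list")

    for tok in sorted(_profile_tokens(profile)):
        if any(tok in v for v in variants):
            problems.append(f"contains profile-derived token '{tok}'")

    if len(set(password)) < 5:
        problems.append("too few distinct characters")
    return problems


if __name__ == "__main__":
    for candidate in ("Rover1987!", "P@ssw0rd2018", "ChartRounds!Tuesday-Coffee7"):
        print(candidate, "->", check_password(candidate, SAMPLE_PROFILE) or "ok")
```

The same check belongs at password reset time and on the single sign-on provider itself, because once SSO is in place that one credential is the key to every wrapped system; in production the denylist is a full breached-password corpus rather than the handful of strings shown here.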

During the assessment, pay attention to your process for applying security patches. One infamous breach last year was the result of a delayed patch, so establish a cadence and verify that patches are applied promptly. That may mean using a non-production environment to test patches, having dedicated IT staff responsible for getting those patches applied on time, and pushing automatic security updates out to users. Don't make patching optional, because well-meaning people will find reasons to procrastinate, leaving systems and data unprotected.

Proactively stop potential security incidents through monitoring and alerting, vulnerability testing, and threat intelligence. Assume the bad guys are trying to get in every second of every day. As part of that effort, identify and quarantine suspect emails to keep phishing attempts out of users’ inboxes, because no amount of training will keep all users from responding to these fraudulent emails.

But that doesn’t mean you shouldn’t train users to recognize phishing and other fraudulent messages. Provide interactive exercises that present users with a variety of phishing and vishing attempts, and have them react in real time. If your quarantine systems miss a phishing email, you want your users to recognize it and alert you.
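A mail gateway can be the failsafe described above, catching the fraudulent message before a tired or hurried user ever sees it. The following is an added example, not code from the article: it parses a raw message with Python's standard `email` module, scores the header and link inconsistencies typical of phishing, and quarantines anything over a threshold. The organization domain, the weights, the threshold and both sample messages are constructed assumptions.

```python
"""Inbound-mail triage: score header and link inconsistencies and quarantine
the message before it reaches an inbox. Added example; the organization
domain, weights, threshold and both sample messages are assumptions."""
from __future__ import annotations

import re
from email import message_from_string
from email.message import Message
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

ORG_DOMAIN = "mercygeneral.org"  # assumed: the hospital's own mail domain
QUARANTINE_THRESHOLD = 3

# Constructed phishing message: looks like the help desk, fails SPF and DKIM,
# replies go elsewhere, and the link text hides the real destination.
PHISH = """\
Authentication-Results: mx.mercygeneral.org; spf=fail smtp.mailfrom=mercygeneral-support.com; dkim=fail; dmarc=none
From: "Mercy General IT Helpdesk" <helpdesk@mercygeneral-support.com>
Reply-To: <helpdesk@mail-handler.example.net>
To: jane.doe@mercygeneral.org
Subject: Action required: password expires today
Content-Type: text/html; charset=utf-8

<p>Your password expires in 2 hours. Reset it at
<a href="http://login-mercygeneral.example.net/reset">https://portal.mercygeneral.org/reset</a></p>
"""

# Constructed legitimate message for comparison.
LEGIT = """\
Authentication-Results: mx.mercygeneral.org; spf=pass smtp.mailfrom=mercygeneral.org; dkim=pass header.d=mercygeneral.org; dmarc=pass
From: "Mercy General IT" <it@mercygeneral.org>
To: jane.doe@mercygeneral.org
Subject: Scheduled maintenance Saturday
Content-Type: text/html; charset=utf-8

<p>The portal is down Saturday 02:00-04:00. Status page:
<a href="https://status.mercygeneral.org/">https://status.mercygeneral.org/</a></p>
"""


def _domain(addr: str) -> str:
    """Domain part of an address header, lowercased ('' if absent)."""
    return parseaddr(addr)[1].rsplit("@", 1)[-1].lower()


class _LinkCollector(HTMLParser):
    """Collect (visible text, href) pairs from an HTML body."""

    def __init__(self) -> None:
        super().__init__()
        self.links: list[tuple[str, str]] = []
        self._href: str | None = None
        self._text: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def _body_text(msg: Message) -> str:
    """Concatenate the decoded text/plain and text/html parts."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    chunks = []
    for part in parts:
        if part.get_content_type() in ("text/plain", "text/html"):
            raw = part.get_payload(decode=True) or b""
            chunks.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return "".join(chunks)


def score_message(raw: str) -> tuple[int, list[str]]:
    """Score a raw RFC 822 message; higher means more likely phishing."""
    msg = message_from_string(raw)
    score, reasons = 0, []
    from_domain = _domain(msg.get("From", ""))
    display_name = parseaddr(msg.get("From", ""))[0].lower()

    # 1. Sender authentication failed at our own gateway. (Only trust this
    #    header if the gateway strips any inbound copy of it first.)
    auth = msg.get("Authentication-Results", "").lower()
    for mech in ("spf", "dkim", "dmarc"):
        if re.search(rf"\b{mech}=fail\b", auth):
            score += 2
            reasons.append(f"{mech} failed")

    # 2. Display name claims to be us, but the sending domain is not ours.
    if from_domain != ORG_DOMAIN and ORG_DOMAIN.split(".")[0] in display_name.replace(" ", ""):
        score += 2
        reasons.append(f"display name impersonates {ORG_DOMAIN}, sender is {from_domain}")

    # 3. Replies are steered to a different domain than the visible sender.
    reply_domain = _domain(msg.get("Reply-To", ""))
    if reply_domain and reply_domain != from_domain:
        score += 1
        reasons.append(f"Reply-To domain {reply_domain} differs from {from_domain}")

    # 4. Link text shows one host while the href goes somewhere else.
    collector = _LinkCollector()
    collector.feed(_body_text(msg))
    for text, href in collector.links:
        shown = urlparse(text if "://" in text else "https://" + text).hostname or ""
        actual = urlparse(href).hostname or ""
        if "." in shown and actual and shown != actual:
            score += 2
            reasons.append(f"link text shows {shown} but href goes to {actual}")
    return score, reasons


def should_quarantine(raw: str) -> bool:
    """Gateway decision: hold the message for review instead of delivering it."""
    return score_message(raw)[0] >= QUARANTINE_THRESHOLD


if __name__ == "__main__":
    for label, raw in (("phish", PHISH), ("legit", LEGIT)):
        print(label, should_quarantine(raw), score_message(raw))
```

The weights are deliberately simple; what matters is that a failed SPF or DKIM check, a look-alike display name, or a link whose visible text disagrees with its target each count against the message, so a user who would have clicked never gets the chance, and the reasons list gives the analyst reviewing the quarantine something concrete to act on.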

And keep looking for ways to help your staff and users do the right thing. If it’s easy to do it right, they are less likely to do it wrong. And you are less likely to have a breach.

Copyright © 2024 Becker's Healthcare. All Rights Reserved.