The Ponemon Papers: Healthcare Data Privacy 2016

The Ponemon Institute’s annual benchmark study on the privacy and security of healthcare data was released in May 2016. The study offers a lens into the challenges faced by healthcare security and privacy professionals.

Two specific survey results were compelling:

1. The root cause of medical identity theft.

[Figure: Ponemon graph of the root cause of medical identity theft]

The top two most common root causes for medical identity theft were:

  1. Unintentional employee actions (48%)
  2. Intentional non-malicious employee actions (15%)


What does this mean for covered entities?

In short, people who have access to patient data for their jobs have inappropriately used that data. This result signifies that privacy and security training needs to be enhanced, and better access controls need to be put in place.

2. The types of patient data targeted by attacks.

[Figure: Ponemon graph of the types of patient data targeted by cyberattacks]

It comes as no surprise that patient medical files and billing/insurance information were the most successfully targeted PHI at healthcare providers. Because these records can be used to commit fraud, healthcare data is extremely valuable. Moreover, we do not expect these attacks to decrease: there was a 9% increase in the number of successfully targeted medical files compared to the previous year.


What conclusions can we draw from these two results?

It’s obvious that electronic medical record (EMR) systems contain highly valuable data that are at risk due to employee negligence and blatant snooping activities.

Therefore, healthcare providers must put in place more sophisticated processes to control access to patient data. These controls range from enhanced training to network monitoring and audit logging throughout the healthcare system. Moreover, if current employee negligence and snooping can be effectively detected, that detection serves as a deterrent for future inappropriate activity.
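As an added illustration of the audit-logging control described above (not code from the original post or from any SecureLink product), the script below runs a simple treatment-relationship check over a constructed EMR access log: a chart access is flagged when the user's role does not cover that action, or when a clinical chart is opened for a patient the user has no care-team assignment for. The log format, care-team table and role rules are all assumptions made for the example.

```python
"""Flag EMR chart accesses that lack a documented treatment relationship."""
from collections import namedtuple
import csv
import io

# Constructed sample audit log (assumed format, not from the Ponemon study).
# Fields: timestamp, user_id, role, patient_id, action
AUDIT_LOG = """\
2016-05-02T08:15:00,nurse17,nurse,P1001,view_chart
2016-05-02T08:20:00,nurse17,nurse,P1002,view_chart
2016-05-02T12:05:00,clerk03,billing,P1001,view_billing
2016-05-02T12:07:00,clerk03,billing,P1001,view_chart
2016-05-02T13:40:00,nurse17,nurse,P1001,view_chart
2016-05-02T13:41:00,nurse17,nurse,P9001,view_chart
2016-05-02T13:42:00,nurse17,nurse,P9002,view_chart
"""

# Constructed care-team assignments: which users have a treatment
# relationship with which patients during this shift.
CARE_TEAM = {
    "nurse17": {"P1001", "P1002"},
}

# Actions each role may perform as part of its duties (assumed policy):
# billing staff need billing data, not the clinical chart.
ROLE_ALLOWED_ACTIONS = {
    "billing": {"view_billing"},
    "nurse": {"view_chart"},
}

Access = namedtuple("Access", "ts user role patient action")


def parse_log(text):
    """Parse the CSV audit log into Access records, skipping blank lines."""
    return [Access(*row) for row in csv.reader(io.StringIO(text)) if row]


def is_suspicious(a, care_team=CARE_TEAM, allowed=ROLE_ALLOWED_ACTIONS):
    """True when the action is outside the role's duties, or when a clinical
    chart is opened for a patient the user is not assigned to."""
    if a.action not in allowed.get(a.role, set()):
        return True
    return a.action == "view_chart" and a.patient not in care_team.get(a.user, set())


def find_suspicious(text):
    """Return every access in the log that should be reviewed."""
    return [a for a in parse_log(text) if is_suspicious(a)]


if __name__ == "__main__":
    for a in find_suspicious(AUDIT_LOG):
        print(f"{a.ts} {a.user} ({a.role}) {a.action} on {a.patient}")
```

On the sample log this flags the billing clerk opening a clinical chart and the nurse's two accesses to patients outside her assignment, while routine care-team access passes.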

Healthcare employees must access medical records in order to treat patients, so health systems cannot simply block access to that information to prevent employee-caused breaches. Learn more about how to balance the competing priorities of patient treatment and data privacy with SecureLink’s Patient Privacy Monitoring solution.