The Ponemon Papers: Healthcare Data Privacy 2016

June 22, 2021//Dan Fabbri

Last Updated: June 25, 2021

The Ponemon Institute’s annual benchmark study on the privacy and security of healthcare data was released in May 2016. This study provides a lens into the challenges of healthcare security and privacy professionals.

Two specific survey results were compelling:

1. The root causes of medical identity theft.

The top two most common root causes for medical identity theft were:

a. Unintentional employee actions (48%)
b. Intentional non-malicious employee actions (15%).

What does this mean for covered entities?

In short, people who are granted access to patient data for their jobs have used that data inappropriately. This result signifies that privacy and security training needs to be enhanced and that better controls, in particular monitoring of how authorized users actually use their access, need to be put in place.

2. The types of patient data targeted by attacks.

It comes as no surprise that patient medical files and billing/insurance information were the most successfully targeted PHI at healthcare providers. Because these records allow individuals to commit fraud, the data are extremely valuable. Moreover, we do not expect these attacks to decrease: the study reports a 9% increase in the number of successfully targeted medical files compared to the previous year.

What conclusions can we draw from these two results?

It’s obvious that electronic medical record systems contain highly valuable data that are at risk due to employee negligence and blatant snooping activities.

Therefore healthcare providers must put in place more sophisticated processes to control access to patient data. These controls range from enhanced training to network monitoring and audit logging throughout the health system. Moreover, if current employee negligence and snooping can be effectively detected, detection itself serves as a deterrent for future inappropriate activity.
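To make the audit-logging point concrete, here is an added example of the kind of detection logic that can be run over EHR access-audit logs. It is not code from the original post or from the author; the log format, the treatment-relationship table and the three heuristics (access with no documented care relationship, same-surname access, and bulk chart access by one user in a short window) are assumptions chosen for illustration, and the log lines are constructed sample data.

```python
import csv
from collections import defaultdict, namedtuple
from datetime import datetime, timedelta
from io import StringIO

# Constructed sample EHR access-audit log (not real data). Field layout is an
# assumption for this example, not any vendor's actual format.
ACCESS_LOG = """\
time,user,user_last_name,patient,patient_last_name,action
2016-05-02T08:01:00,u100,Smith,p1,Jones,view_chart
2016-05-02T08:05:00,u100,Smith,p2,Lee,view_chart
2016-05-02T08:09:00,u100,Smith,p3,Smith,view_chart
2016-05-02T09:00:00,u200,Brown,p1,Jones,view_chart
2016-05-02T09:01:00,u200,Brown,p4,Kim,view_chart
2016-05-02T09:02:00,u200,Brown,p5,Diaz,view_chart
2016-05-02T09:03:00,u200,Brown,p6,Ng,view_chart
2016-05-02T09:04:00,u200,Brown,p7,Ali,view_chart
2016-05-02T09:05:00,u200,Brown,p8,Chen,view_chart
"""

# Constructed treatment-relationship table: (user, patient) pairs for which the
# EHR holds an encounter, order or care-team assignment that explains the access.
TREATMENT_RELATIONSHIPS = {("u100", "p1"), ("u100", "p2"), ("u200", "p1")}

Finding = namedtuple("Finding", "reason user patient time")


def parse_log(text):
    """Parse the CSV audit log into dicts, converting 'time' to a datetime."""
    events = []
    for row in csv.DictReader(StringIO(text)):
        row["time"] = datetime.fromisoformat(row["time"])
        events.append(row)
    return sorted(events, key=lambda e: e["time"])


def audit(events, relationships, bulk_threshold=5, window=timedelta(minutes=10)):
    """Flag accesses that no treatment relationship explains, plus two snooping
    heuristics (assumed for this example, not prescribed by the study):
    same-surname access and bulk chart access by one user inside `window`."""
    findings = []
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)
        if (e["user"], e["patient"]) in relationships:
            continue  # explained by a documented care relationship
        findings.append(Finding("no_relationship", e["user"], e["patient"], e["time"]))
        # Family-member snooping heuristic: unexplained access to a patient
        # sharing the user's surname.
        if e["user_last_name"].lower() == e["patient_last_name"].lower():
            findings.append(Finding("same_last_name", e["user"], e["patient"], e["time"]))

    # Bulk access: more than bulk_threshold distinct patients within `window`.
    for user, evs in by_user.items():
        for i, start in enumerate(evs):
            patients = {x["patient"] for x in evs[i:] if x["time"] - start["time"] <= window}
            if len(patients) > bulk_threshold:
                findings.append(Finding("bulk_access", user, None, start["time"]))
                break  # one finding per user is enough for triage
    return findings


def run_demo():
    """Run the audit over the constructed log; returns the list of findings."""
    return audit(parse_log(ACCESS_LOG), TREATMENT_RELATIONSHIPS)


if __name__ == "__main__":
    for f in run_demo():
        print(f"{f.time.isoformat()} {f.reason:16} user={f.user} patient={f.patient}")
```

On the constructed log this flags u100's access to the patient sharing the nurse's surname (no relationship plus same-surname heuristic) and u200's six-patient burst with only one documented relationship. In practice the relationship table is the hard part: it has to be derived from encounters, orders, referrals and scheduling data, and every heuristic needs a threshold tuned per role so that legitimate high-volume users such as billing staff are not drowned in false positives.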

Healthcare employees must access medical records in order to treat patients; therefore health systems cannot simply block access to that information to prevent employee-caused breaches. Balancing the competing priorities of patient treatment and data privacy is an ongoing challenge for modern health care systems.
