Latest Ponemon Study Reveals Key Threats

Rick Kam Headshot_0Study Shows “Leaky Bucket” Approach to Managing New Threats

By Rick Kam, President & Co-Founder of ID Experts

It’s been a year since the HIPAA Omnibus Final Rule was issued. Kudos to the healthcare organizations that have made strides toward compliance. But shifting threats and risks, as revealed in the newly released Fourth Annual Benchmark Study on Patient Privacy and Data Security by Ponemon Institute, are forcing organizations to be reactive, not proactive. It’s like a bucket filled with water and holes. The water keeps spurting out. Every time you patch a hole, a new one forms. The whole process of patching old and new holes is overwhelming and never-ending

It’s no surprise, then, that 90 percent of healthcare organizations are still experiencing breaches, and 38 percent report that they have had more than five incidents in the last two years.

Some of the key threats the Ponemon study found are:

Employee negligence: 75 percent reported employee negligence as their biggest worry, and insider negligence was the root of most data breaches reported in the study.

Unsecured mobile devices: It’s a lot more convenient to use your personal mobile device for work—a major security risk to the 88 percent of healthcare organizations that permit employees and medical staff to use their own mobile devices to connect to the organization’s networks or enterprise systems.

Security gaps with business associates: In light of the Target data breach, which may have been caused by a fourth-party—essentially a subcontractor of a subcontractor—this, is a real concern. Only 30 percent of organizations surveyed are confident that their business associates are appropriately safeguarding patient data as required under the HIPAA Final Rule.

Evolving criminal threats: “The latest trend we are seeing is the uptick in criminal attacks on hospitals, which have increased a staggering 100 percent since the first study four years ago,” Dr. Larry Ponemon says. “As millions of new patients enter the U.S. healthcare system under the Affordable Care Act, patient records have become a smorgasbord for criminals.”

New vulnerabilities under the Affordable Care Act: Survey participants had strong reservations about the security of Health Information Exchanges (HIEs): a third said they don’t plan to participate in HIEs because they are not confident enough in the security and privacy of patient data shared on the exchanges.

PHI Protection Network Conference—A Proactive Approach to New Threats

It’s time to get a new bucket—and the best way to do that is to join us at the second annual PHI Protection Network Conference, Thursday, April 10, 2014 in Anaheim, California. Senior privacy, compliance, and security officers will share best practices and insights, giving you tangible and actionable takeaways that you can implement right away. To register for Adopting Best Practices and Protecting Patients, visit or visit the PPN LinkedIn Group here.

Free Webinar on the Ponemon Study

In addition, if you would like more information on the Ponemon findings, join Dr. Ponemon and me for a free webinar, ACA Impacts on Patient Data Security, on Tuesday, April 8, 2014 at 2:00 p.m. ET. To register, visit here.

About the Author:  Rick Kam, CIPP, is founder and president of ID Experts. He is an expert in privacy and information security. His experience includes leading organizations in policy and solutions to address protecting PHI/PII and resolving privacy incidents and identity theft. He is the chair of the ANSI PHI Project, Identity Management Standards Panel and the Santa Fe Group Vendor Council ID Management working group.  This article was originally published on ID Experts and is republished here with permission.