The Secure Times

An online forum of the ABA Section of Antitrust Law's Privacy and Information Security Committee

PHI Whack-a-Mole

Leave a comment

Well, the newest Ponemon Study confirms what the news keeps reporting:  health care organizations continue to be plagued by PHI security incidents.  In fact, 90 percent of healthcare organizations surveyed reported experiencing breaches.  And 45 percent agree that they have inadequate policies and procedures in place to effectively detect or prevent PHI security incidents.  


So what’s causing these breaches?  According to the Ponemon Institute’s fourth annual Patient Privacy & Data Security Study, patient data security and privacy threats are new and expanding.  For the health care organizations, it is a bit like playing whack-a-mole. First place for types of actual PHI breach goes to lost or stolen computing devices (49 percent), followed by employee error (46 percent), and third-party mishap (41 percent). The rate of data breaches caused by a malicious insider or hacker has doubled from 20 percent of all incidents to 40 percent since the first Ponemon Institute study four years ago.  This last statistic is of special concern to Dr. Ponemon:  “The latest trend we are seeing is the uptick in criminal attacks on hospitals…. With millions of new patients entering the U.S. healthcare system under the Affordable Care Act, patient records have become a smorgasbord for criminals.”  The problem, of course, is that the cybercriminals are becoming more and more sophisticated with their malicious tactics and this is a huge challenge to address for the often financially strapped healthcare organizations.


What’s keeping the healthcare executives up at night?  75 percent worry the most about employee negligence; in particular, BYOD.  While 88 percent of the organization allow employees and medical staff to use their own devices, more than half are not confident that the BYOD are secure and 38 percent have no procedures to secure the devices or prevent them from accessing sensitive information. 


Business associates (BA) are worrying these executives as well.  As the healthcare environment expands with more healthcare organizations reliant on BA’s for services such as IT, claims processing and benefits management, greater risks emerge.  Less than one-third of those surveyed expressed confidence that their BAs are protecting patient data in ways mandated by the HIPAA Final Rule.


So, is there any good news?  Are any moles actually getting whacked?  Fortunately, more than half of the health care organizations surveyed (55 percent) believe they do have effective policies and procedures in place to prevent or quickly detect unauthorized patient data access, loss or theft.  This is not unfounded as the actual number and cost of data breaches has slightly declined from prior study results.  Further, while the 2013 Report noted that 45 percent of the healthcare organizations state they have had more than five incidents in the last two years, this year that percentage declined to 38 percent.  So, slow but steady progress. The challenge, according to Ponemon, is that organizations need to imbed a culture of compliance to stem the security risks.  Healthcare organizations must implement tools, processes and software that automate and streamline the practice of protecting PHI—these are the mallets health care organizations need to whack those data security moles. 

Author: eblumenfeld

Elizabeth Blumenfeld is a counsel in Crowell & Moring's Washington, D.C. office and a member of the Advertising and Product Risk Management Practice Group and Privacy & Cybersecurity Group. Her practice is focused on privacy and data compliance counseling.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s