New Privacy and Security of Healthcare Data Study Released by Ponemon

The Sixth Annual Benchmark Study on Privacy and Security of Healthcare Data has been released this week by the Ponemon Institute. This year’s study has highlighted some worrying data breach trends and the new report clearly shows that healthcare organizations – and their business associates – need to do more to improve data security in order to prevent breaches of protected health information.

Many healthcare organizations lacked the resources and knowledge to adequately protect electronic protected health information when they first transitioned from paper to electronic records under the Meaningful Use scheme.

Today, knowledge of cybersecurity protections has improved and investment in cybersecurity defenses has increased, yet data breaches continue to be experienced by healthcare organizations. The Ponemon Institute has been conducting its healthcare industry data security benchmark study for six years and during that time healthcare data breaches have increased in frequency, volume, and severity.

The average cost of mitigating risk and dealing with the repercussions of a healthcare data breach is $2.2 million per incident. The Ponemon Institute estimates that data breaches are now costing the healthcare industry $6.2 billion every year; money that could be put to much more beneficial uses.

Key Findings of the Ponemon Institute’s Privacy and Security of Healthcare Data Study

Some of the key findings from this year’s study on the privacy and security of healthcare data are detailed below:

  • 89% of healthcare organizations have experienced a data breach
  • 79% of healthcare organizations have experienced two or more data breaches in the past 24 months
  • 45% of healthcare organizations have had more than 5 data breaches
  • Criminal attacks have caused 50% of healthcare organization data breaches and 41% of business associate data breaches
  • 36% of healthcare data breaches are caused by unintentional errors made by employees
  • 13% of healthcare data breaches are caused by malicious insiders
  • 56% of organizations do not think their breach response process has sufficient funding
  • 69% of healthcare organizations think they are more vulnerable to attack than other industries
  • 59% of healthcare organizations believe their cybersecurity budget is insufficient to prevent data breaches
  • 38% of healthcare organizations are aware that their patients have suffered identity theft following the exposure of their PHI
  • When data has been exposed, 64% of healthcare organizations have not offered identity theft protection services

Main Healthcare Data Security Risks

Healthcare organizations and their business associates are most concerned about employee negligence. 69% of healthcare organizations rated this as their biggest data security concern. Business associates also rated employee negligence as the biggest concern.

Concern over employee-owned mobile devices has fallen, although mobile device security is still a major concern. 35% of business associates and 30% of healthcare providers rated mobile device insecurity as one of their top three worries. Cyberattacks were rated second by healthcare providers and third by business associates. The use of public cloud services and malicious insiders were also rated as major security threats to the privacy and security of healthcare data.

The past 12 months have seen a number of high profile ransomware attacks on healthcare providers. Ransomware has now risen to the second highest cyberattack concern, behind only denial of service attacks. Malware was rated as the third highest concern, followed by phishing, APTs, rogue software, and password attacks.

Healthcare organizations remain a favorite target for hackers, and cyberattacks are likely to continue as long as they remain profitable for attackers. Healthcare organizations must therefore invest more heavily in defenses to repel these attacks if data breaches are to be prevented. However, with 50% of data breaches resulting from employee mistakes, third-party errors, and the loss and theft of unencrypted devices, it is clear that greater care must also be taken to ensure that ePHI is not accidentally exposed.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of