2014 Ponemon Institute Fourth Annual Benchmark Study on Patient Privacy and Data Security

Date of Publication: March 2014

Some 75 percent of healthcare professionals put their own employees atop the list of security concerns. Is anyone else surprised by how small that number is?

“We know from prior studies that – and this is consistent – despite cybercriminals and a thriving black market, the real risk is negligent employees,” said Larry Ponemon, chairman and founder of the Ponemon Institute.

That is perhaps most striking because cybercrime is on the rise, and sharply. When Ponemon conducted its inaugural Benchmark Study on Patient Privacy and Data Security in 2010, 20 percent of all attacks were criminal, while the remaining 80 percent were due to incompetence, negligence, system glitches and other issues. In the report Ponemon released on Wednesday, 40 percent of attacks are criminal in nature.

“Criminal attacks have increased by about 100 percent since 2010,” Ponemon said.

Rick Kam, co-founder and president of ID Experts, which sponsored the study, added that “crooks are essentially following the money.”

Ponemon is careful to lay down the distinction between cybercriminals and the sort of negligent employees who lose laptops, smartphones, tablets or thumb drives housing PHI, losses that lead to data breaches. Then there are the employees, Kam added, who perhaps just take a piece of hardware without paying any mind to the protected health information it houses, which can still constitute a breach.

Last year’s study found 94 percent of the participating hospitals had some sort of breach within the previous two years; the results Ponemon circulated this week pointed to 90 percent having experienced a breach in the same time period.

“We are reporting some positive results,” Ponemon said, “but the percentage of breaches is still very high.”

And the prevalence of unsecured smartphones and tablets on the crest of Bring Your Own Device is not exactly helping matters.

“There’s been a tidal wave of BYOD and a lot of folks who fought the battle saying ‘we can’t use unsecured devices’ are giving up,” Ponemon explained.

Indeed, Ponemon found that 88 percent of respondents already permit employees, including medical staff with immediate access to patients' health records, to connect to the network using their own devices.

That alone might even signify technological progress, if not for the 38 percent who neither secure those devices nor prevent them from accessing patient data.

Wait, it gets worse. More than half of those respondents lack confidence that personally owned mobile devices are secure. And like the aforementioned 75 percent of health IT professionals who view insiders as their top security threat, that stat is not new.

Given those findings, the question: Who are the other half of respondents who have confidence that BYO devices are secure? And what of the 25 percent who don’t actually view internal employees as their biggest security threat?

“In my experience should it be 100 percent?” Ponemon asked rhetorically. “Yes.”