Q&A: It's crucial for organizations to value their data, says Larry Ponemon

Healthcare records "substantially more valuable than other types of records"
By Tom Sullivan
09:18 AM

Three out of five healthcare organizations are not allocating enough resources to protect patient data – and among the reasons is a simple fact that the industry has no way to place a value on that information.

That’s according to Rick Kam, president and co-founder of ID Experts, which sponsored the Ponemon Institute’s third annual benchmark "Study on Patient Privacy and Data Security," published on Dec.6. 

Prior to the report’s release, Government Health IT Editor Tom Sullivan spoke with Kam and Ponemon Institute Chairman Larry Ponemon about the survey's alarming statistics, the potential dangers of criminal social-engineering and why healthcare as an industry is so far behind in terms of safeguarding data.

Those reasons, it turns out, go back even further than most health IT professionals might imagine.

Q: The staggering figure in this report is that 94 percent of healthcare providers have had at least one breach in the last two years — given how difficult it can be to tell whether breaches result in medical identities actually falling into the wrong hands, do you have a sense for what percentage of breaches actually expose personal health information (PHI) to criminals?

Ponemon: If you look at our data, we try to understand as best we can the root cause of the data breach. The majority of the events involved a negligent insider, an employee for instance, so ultimately the probability of a lost laptop ending up in the hands of a cyber-criminal is remote. It could happen but it’s not a high-probability event.

We also have root causes that are connected to malicious or criminal activity, and we believe those are the types of activities that would result in actual data and medical identity theft. In terms of the percentage, we report about a third of all cases fall into the category of criminal but even in those cases it’s not exactly clear whether that information will result in a medical identity theft. We can make the case that there’s probably some of these – why make an attack if there’s not value in the information? – but you can’t assume that everybody is a victim. That’s true of data breaches across the board.

[See also: Healthcare data breaches on the rise, with potential $7B price tag.]

Q: Earlier this week, ADP put the word out that it was breached by an employee who illegally accessed health data, then exposed it to a theft ring suspected of tax fraud. Is this something you expect to see more of? Will these crimes be smaller or bigger?

Kam (pictured at right): In many of the cases that we work on it's somebody who has trusted access to the system either gets human-engineered by a criminal to give them the data or access keys, or some variation on that theme. It’s very unfortunate. Just like in the financial services industry, the reason why it’s illegal for employees to publish their work email addresses on social networks is because they’re targeted by criminal social engineers because they want to find them and compromise them somehow.

Q: So why aren't health organizations allocating enough resources, IT, expertise to data security? I’ve heard more than one seasoned health IT veteran make the argument that the industry is two decades behind others when it comes to basic data encryption.