The document summarizes the findings of a study on patient privacy and data security in healthcare organizations:
- Nearly all healthcare organizations surveyed had experienced at least one data breach in the past two years, though the number of breaches decreased slightly from the previous year. However, criminal attacks on healthcare organizations have risen 100% since 2010.
- The Affordable Care Act is seen as increasing risks to patient privacy and security due to insecure health information exchanges and databases. Most organizations believe the ACA significantly or somewhat increases these risks.
- The average cost of data breaches for organizations over a two-year period was nearly $2 million, a 17% decrease from the previous year's study. However, risks
MANAGING THE INFORMATION SECURITY ISSUES OF ELECTRONIC MEDICAL RECORDS (ijsptm)
All healthcare providers should have enough knowledge and sufficient information to understand the potential risks that can lead to a breach in the Jordanian health information system (Hakeem program). This study aims to emphasise the importance of sharing sensitive health information among healthcare providers, to create laws and regulations that keep electronic medical records secure, and to increase awareness of health information security among healthcare providers. The study conducted seven interviews with medical staff and an information technology technician. The results showed that sharing sensitive information in a secure environment, creating laws and regulations, and increasing awareness of health information security render patients' electronic medical records more secure and safe.
The Security of Electronic Health Information Survey (loglogic)
A new study reveals that the push for Electronic Medical Records puts patient privacy at risk. The Ponemon Institute and LogLogic surveyed hospital security professionals and found that 70% say their senior management fails to prioritize privacy and data security.
Enhance Healthcare Analytics with Consumer Data (Ray Pun)
To succeed in the new value-based care landscape, healthcare providers must expand beyond traditional data sources for healthcare analytics. Leading providers are using consumer data, available at the individual and household level, to supplement clinical and claims data. By integrating consumer insights into models for understanding and predicting patient health, providers can improve the health of Americans and achieve these outcomes:
• Improve community health needs assessments
• Drive patient retention and engagement with personalized wellness programs
• Reduce patient readmission rates
HCOs need to consider a more holistic and efficient approach to information management based on a strategic data classification program that discovers and controls PHI wherever it is stored.
Intralinks Ponemon Research Report | Breaking Bad: The Risk of Unsecure File... (Melissa Luongo)
Data leakage and loss from negligent file sharing and information collaboration practices is becoming just as significant a risk as data theft.
Just like malicious threats from hackers and others, data leakage through the routine and insecure sharing of information is a major threat to many organizations. Being able to securely share valuable corporate data is a critical requirement for all organizations, but especially regulated companies like financial services and life sciences firms.
Many companies have few provisions in place – process, governance, and technology – to adequately protect data. Yet, more and more sensitive information is being shared outside the organization, often without the knowledge or approval of CIOs or GRC professionals who are arguably losing control. Employees are ‘behaving badly’ – they acknowledge risky behavior and in turn experience the consequences of risky behavior regularly.
For the first time, the study Breaking Bad: The Risk of Unsecure File Sharing explores the link between organizational and individual behavior when using increasingly popular file sync-and-share solutions. As shown in this research, organizations are not responding to the risk of ungoverned file-sharing practices among employees and with external parties, such as business partners, contractors, vendors and other stakeholders.
Consumer-grade file-sharing cloud applications are popular with both employees and organizations because they make it possible for busy professionals to work efficiently together. However, the findings in this report identify holes in document- and file-level security caused in part by their expanded use. The goal is to provide solutions that reduce the risk created by employees' document and file sharing practices.
More than 1,000 IT and IT security practitioners were surveyed in the United States, United Kingdom and Germany. The majority of respondents are at the supervisor level or above with expertise and understanding of their organization’s use of file-sharing solutions and overall information security and data privacy policies and strategies.
This white paper discusses the various cyber threats targeting healthcare organizations and the challenges security professionals face in securing access to protected health information.
2017 Consumer Survey: Healthcare Cybersecurity and Digital Trust (accenture)
Accenture’s 2017 Consumer Survey on Healthcare Cybersecurity and Digital Trust identifies consumers’ experiences with healthcare data breaches and their attitudes toward healthcare data, digital trust, roles and responsibilities, data sharing and breaches.
Capstone Project Yaima Ortiz IDS-4934.docx (karlhennesey)
Capstone Project
Yaima Ortiz
IDS-4934
March 1st, 2020
Abstract
Topic:
Privacy: What medical information should be confidential? Who, if anybody, should have access to medical records?
Thesis Statement
In healthcare centers and overall, privacy is the right of every US citizen and should be protected in all its forms by the healthcare organization.
Rationale
1. The purpose of this paper is to identify why security measures are necessary to protect one’s privacy in the medical industry.
2. There are numerous laws, policies, healthcare organizational rules and regulations, and statistics that would be helpful for conducting this research.
3. Privacy of a person, whether this is me or you, is more important than everything. I want to talk about this topic because I think most of us do not know what is happening to us.
4. I have selected textual analysis of books and available internet sources. The reason for this limited research methodology is that I cannot perform a field study because of shortage of time.
Rough Draft Ideas
Identity theft in the healthcare industry has become a common practice and leads to information leakage that may destroy someone's life. We can eliminate this human rights violation by enforcing effective and practical laws. Healthcare organizations should understand their responsibilities and tighten security to protect patients' information.
Table of Contents
Introduction 3
Overview of Privacy Protections with Respect to Medical Records 4
Data Breaches in the Healthcare Industry 5
Healthcare is the biggest Target for Cyber Attack 7
Penalties and Punishments for Hacking Personal Information 9
Penalties 9
Devastating Consequences of Healthcare Data Breaches 10
Conclusion 10
Recommendations 11
Bibliography 12
Introduction
While operating, healthcare organizations need to gather patients' information, most of which is personal. It is the moral and legal responsibility of healthcare organizations to protect their patients' information and not share it with people outside the organization without the patient's consent. Protecting patients' information is a crucial element of respect and is essential for patients' autonomy and trust in the organization. The US healthcare industry currently faces patient mistrust. When patients lack confidence, they do not share their information with healthcare professionals, which leads to ineffective treatment. In a 2018 study, Levy, Scherer, Zikmund-Fisher, Larkin, Barnes, & Fagerlin concluded that approximately 81.1% of people withheld medically relevant information from their healthcare providers. Patients who fail to disclose medically relevant information to their clinicians undermine their own health and cause patient harm (Levy, 2018).
There are numerous components of patient privacy in healthcare, such as personal space, religious and cultural affiliations, physical privacy ...
Survey Shows the Role of Technology in the Progress of Patient Safety (Health Catalyst)
A lack of effective technology is impeding the progress of patient safety, according to a 2018 survey of healthcare professionals. Even though most healthcare organizations claim safety as a priority, serious challenges remain to making a significant impact on patient safety outcomes.
Survey respondents said ineffective information technology and the related lack of real-time warnings for possible harm events were the top barriers to improving patient safety. They cited a number of key obstacles:
• Lack of resources.
• Organization structure.
• Lack of reimbursement for safety measures.
• Changes in patient population.
This survey of more than 400 healthcare professionals tackles a big question many hospital leaders are asking: Why aren’t we seeing improvements in patient safety despite our efforts?
ONE Featherfall Medical Center The 1920s Featherwall Consulting.docx (mccormicknadine86)
ONE: Featherfall Medical Center
In the 1920s (Featherwall Consulting), physicians began to realize that documentation not only helped their patients but also helped their own practice. The downfall of documenting everything on paper was that it was limited to the facility in which it was created, and over time the legibility of procedures and results could deteriorate. Flipping through paper charts is not only time consuming but potentially dangerous, as papers could easily go missing and a patient could receive incorrect treatment. Medical records are now available electronically at all times, saving healthcare personnel countless hours of going through paper charts. Time can be allocated to treating patients effectively, as lab results are available for viewing moments after they have been verified (UIC, 2017).
The concept of patient-centered care is one of the recent developments in healthcare that has received increased attention. It has played a vital role in creating a new framework for improving systems and defining healthcare quality. Information is critical to evidence-based practice and patient-centered care. The field has evolved recently to focus on the acquisition of data, its storage, and its use in the healthcare setting, with more emphasis on the use of technology. For instance, the information on previous admissions, diagnoses, treatments, and prescriptions is required to address health issues later on. Another essential function of health informatics is coordinating care within and across systems, besides making relevant information available (Parvanta, C. F., 2015). In other words, we cannot talk of quality care without factoring the criticality of high-quality information into the equation.
The first one is credible excellence. It provides one with the robustness they need to arrive at and deliver on reliable solutions. Patient sovereignty is another factor that should inform the use of technology in the healthcare setting. The independence of the patients in terms of expressing themselves and providing information on their will without coercion provides all the motives to consider the effort to foster patient-centered care. The other parameter is that which regards privacy. Privacy of information is of the utmost importance when it comes to healthcare management (Wang, J., 2018).
Electronic Health Records are one of the standard technologies used in the healthcare setting; they contain information regarding the diagnosis, immunization, and treatment of patients. Mobile Access is another technology used in the field of health information management. It is mainly used for storing a patient's information remotely in the cloud so that it can be accessed anywhere. Unified Communications have also been vital in information sharing and are especially useful for consulting outside help. Unified communications are assisti.
Information security principles to the private versus public sector.pdf (info401595)
Information security principles to the private versus public sector
Keeping their own information secure was mentioned by 60 percent of public sector organizations, compared with only 48 percent of private sector ones. An even more alarming split is found in awareness of the ICO's existence: 42% of private firms have not heard of it at all, a percentage that has essentially improved on previous years. This is not the case for the public sector, where only 3 percent are unaware of the UK's independent authority set up to uphold information rights in the public interest. A lack of awareness, though, does not prevent the majority of private sector firms from having more staff members dedicated to information security related duties, compared with an average of two in public sector organizations. Quantity is not directly proportional to quality, it seems.
Private organizations that hold sensitive and confidential data, such as banks and law firms, ought to take these results as a wake-up call and a chance to learn from the public sector. They are, in reality, the most at risk of suffering major penalties in case of a breach of the DPA. It is therefore important to know the steps for improving information security. First, it is crucial that organizations be aware of their information assets and the associated risks. They can do this by conducting an assessment of their information security system, in particular the controls around the organization's information assets. Once these have been identified, it is possible to plan corrective work that covers policies, procedures and technology, employee training and awareness, and to implement it on a continuous cycle. It is essential to note that documents and technology alone are not enough to guarantee an improvement. They can, though, minimize information security risk. Staff commitment, from senior management to the most junior staff, is key to making the controls and procedures work. If staff are not made fully aware of new policies and procedures, or are not willing to cooperate, then no amount of technology can keep an organization in line with the applicable standards and regulations. Information security is not a final destination. Instead, it is an endless journey in which everyone, from senior management to help desk engineers, commits to a culture that protects personal information from loss, leakage and theft in a way that is proportionate to the identified risks.
Sharing knowledge is a vital component in the growth and advancement of our society in a sustainable and responsible way. Through Open Access, AIU and other leading institutions throughout the world are tearing down the barriers to accessing and using research literature. Our association is interested in the dissemination of advances in scientific research fundamental to the proper operation of a modern society, in terms of community awareness, empowerment, health and wellness, sustainable growth, financial progress and the best performance of health, education and other essential services.
This listing includes laws, regulations plus manufacturing r.
Page 1 Executive Summary Policy makers are looking.docx (smile790243)
Executive Summary
Policy makers are looking carefully at the best ways to improve our healthcare system with much emphasis being placed on the need for electronic health records for every American. This effort also includes creating an infrastructure to allow the exchange of these records at the regional, state and national levels. With the passing of the American Recovery and Reinvestment Act of 2009 (ARRA), the federal government is poised to invest over $19 billion in healthcare information technology (HITECH Act).[1] This investment will provide significant incentives for healthcare providers to implement electronic medical record (EMR) systems over the next five years. This action has the potential to dramatically change the landscape of modern medicine and is generally seen as a tremendous step forward; however, we must ensure that this course achieves the ultimate goals of this initiative.
If we are to improve healthcare information management, we must start with the accurate identification of each person receiving or providing healthcare services, and anyone accessing or using this information. As we move away from paper-based medical records that are controlled by physical access to buildings, rooms, and files, we need to have an infrastructure that supports strong identity and security controls. The issues with establishing identity are compounded as electronic medical records are used by many different organizations at the regional, state, and national levels. There must be a way to uniquely and securely authenticate each person across the healthcare infrastructure, whether that interaction is in person or over the Internet.
Until now, there has been a slow and uncoordinated transition toward electronic medical records. There are a myriad of systems on the market today, each with its own methods for handling patient and record identification and each with varying levels of security and privacy controls. Many systems rely on simple usernames and passwords to identify and control access. Far fewer implement strong multi-factor authentication (such as smart cards). It is critical that a set of standards be established for identifying the patient, the medical provider, and all others handling electronic records so that information across different locations can be shared easily and securely and so that patient privacy is maintained. Accurate identification and authentication seem like capabilities that should already exist in healthcare; however, identification and authentication are currently uncontrolled and not standardized among medical systems, locations, and organizations within the healthcare community.
This paper introduces the current challenges and explains why identity management in healthcare is an essential and foundational element that must be made a priority by policy makers in order to achieve the goals of widespread use of electronic health records to support t.
This white paper discusses the various cyber threats targeting healthcare organizations and the challenges security professionals face in securing access to protected health information.
Running head Information security threats 1Information secur.docxwlynn1
Running head: Information security threats 1
Information security threats
Khaleem Pasha Mohammad
Campbellsville University
Introduction
The development of technology has been greatly embraced in hospitals, has saved innumerable lives, and has improved the quality of care provision. Not only has technology changed what patients and their families know, but it has also had a significant impact on the strategy and practices of practitioners. One of the areas that has greatly embraced technology is healthcare data. Technology has helped in the handling of healthcare records through the introduction of electronic health records, which replace paper records. With the availability of electronic health record (EHR) systems, a nurse can simply check a patient’s allergies, case history, weight, age, and prescriptions at the press of a button. However, as much as institutions are embracing technology to keep their health records, there is a series of risks associated with these technologies. Since the introduction of technology in the upkeep of healthcare records, the healthcare industry has been a primary target for cybercrime. The motives behind cyber-attacks on healthcare are clear, as insurance firms, hospitals, healthcare clinics, and other healthcare providers keep health records that contain valuable information. The U.S. Department of Health and Human Services Office for Civil Rights has acknowledged that over 100 million people are affected by healthcare data security breaches. In 2015, one of the largest hacks on healthcare records, on Anthem Blue Cross, resulted in over seventy-eight million patients’ health data being stolen. The cyber-attack stole sensitive data that contained social security numbers, names, and residential addresses of people. The same year, Premera Blue Cross reported that a cyber-attack had exposed the medical information of over eleven million customers. Back in 2011, over 4.9 million health records were stolen electronically from Science Applications International Corporation.
These are a few cases of healthcare data breaches in which sensitive data fell into the hands of third parties. To ensure privacy and security in healthcare records, the Health Insurance Portability and Accountability Act (HIPAA) provides legislation that hospitals and other institutions handling patients’ data must adopt to ensure that various security measures are enforced to protect data.
HIPAA and Security Compliance
As much as institutions are embracing technology to store healthcare data, it is vital for frameworks like HIPAA to regulate these bodies to ensure that consumer rights are protected. The HIPAA Security Rule provides that patients’ electronic records must be protected at all times from any unauthorized access, whether the information is at rest or in transit.
Big Data in Drug Safety: Making post-marketing surveillance in pharmacovigila...Arete-Zoe, LLC
The paper makes a case for change in the way data on the safety of medicines is collected, structured, analyzed, visualized, and shared. Post-market surveillance shall move away from active reporting of individual case reports into national and international databases toward the collection and analysis of anonymous structured summary data from health care providers. The objective is to enable an analysis of total numbers of treated patients and treatment outcomes, including adverse drug reactions and off-label drug use, to provide meaningful, population-based, statistically valid, bias-free, real-time information on safety and efficacy of products on the market without endangering patients' privacy. Such approach would significantly reduce privacy concerns and add value for stakeholders who are interested in timely and accurate information on benefit:risk profile of medicinal products.
1)Health data is sensitive and confidential; hence, it should .docxteresehearn
1)
Health data is sensitive and confidential; hence, it should be kept safe. Data security is one of the critical activities which has become challenging for many organizations (Frith, 2019). Due to technology advancements, people can save their health data online. Similarly, people are also able to share data with close friends or any other person of interest. Using online platforms to store the data has brought a lot of benefits. The primary benefit is the fact that individuals can share data with medical experts easily. By this, the medical experts will be able to assist the sick people if possible. The data is always accessible as long as one is authorized.
I read different articles that shared information concerning health data breaches. Various health organizations have been affected by data breaches (Garner, 2017). A good example is the University of Washington Medicine. This organization reported that 974,000 patients' data was affected. The attack was noticed by a patient who found some files containing personal information on public sites. The patient then notified the organization, which claimed that some employees made some errors, which led to the leakage. The files were accessible through Google, so the organization had to ask Google to remove the data. Fortunately, the files were removed from the search list, and this occurred in January 2019.
It was risky to leave the files containing personal information available on the website (Ronquillo, Erik Winterholler, Cwikla, Szymanski & Levy, 2018). The organization was lucky that the data breach was not significant, and hence, the patients were not significantly affected. It is good to ensure that files containing health data are handled carefully to avoid some problems. In keeping the health data secure, it is good to ensure that the systems are well-protected. The systems can be protected by making use of firewalls, which prevent unauthorized people from accessing them. During the data sharing process, a health organization should ensure that the information is encrypted. Encryption prevents unauthorized people from understanding the message that is being shared using different channels. Users should make sure that they use strong passwords.
2)
Protection of patients’ information is the topmost priority of health care providers and professionals. Patients’ health information contains personal data and their health conditions; hence, federal laws require maintaining security and privacy to safeguard health information. Privacy, as distinct from confidentiality, is viewed as the right of the individual client or patient to be let alone and to make decisions about how personal information is shared (Brodnik, 2012). Health data is usually stored on paper or electronically; in both of these forms it is important to respect the privacy of the patients and hence follow policies to maintain security and privacy rules.
The Health Insurance Portability and Accountabili.
Similar to Fourth Annual Benchmark Study on Patient Privacy & Data Security (20)
This report solely belongs to Symantec. Credit is due to all original authors and no financial gain was made from the report, Simply sharing for educational purposes,
The FBI is the lead federal agency for investigating malicious cyber activity by criminals, nation-state adversaries, and terrorists. To fulfill this mission, the FBI often develops resources to enhance operations and collaboration. One such resource is the FBI’s Internet Crime Complaint Center (IC3) which provides the public with a trustworthy and convenient mechanism for reporting information concerning suspected Internet-facilitated criminal activity. At the end of every year, the IC3 collates information collected into an annual report.
This guide aims to help journalists understand their rights at protests and avoid arrest when reporting on these events. It summarizes the legal landscape and provides strategies and tools to help journalists avoid incidents with police and navigate them successfully should they arise. Credit RCFP.Org
Verizon Publishes 2020 Data Breach Investigation Report (DBIR) With Insights From Thousands of Confirmed Breaches. Verizon's 2020 Data Breach Investigations Report (DBIR) is the most extensive yet, with 81 contributing organizations, and more than 32,000 incidents analyzed (of which 3,950 were confirmed breaches). Credit: Verizon
A Resource Guide to the U.S. Foreign Corrupt Practices Act
The FTC takes in reports from consumers about problems they experience in the marketplace. The reports are stored in the Consumer Sentinel Network (Sentinel), a secure online database available only to law enforcement. While the FTC does not intervene in individual consumer disputes, its law enforcement partners – whether they are down the street, across the nation, or around the world – can use information in the database to spot trends, identify questionable business practices and targets, and enforce the law.
Below is a list of consumer reporting companies updated for 2019.1 Consumer reporting companies collect information and provide reports to other companies about you. These companies use these reports to inform decisions about providing you with credit, employment, residential rental housing, insurance, and in other decision making situations. The list below includes the three nationwide consumer reporting companies and several other reporting companies that focus on certain market areas and consumer segments. The list gives you tips so you can determine which of these companies may be important to you. It also makes it easier for you to take advantage of your legal rights to (1) obtain the information in your consumer reports, and (2) dispute suspected inaccuracies in your reports with companies as needed.
Advisory to Financial Institutions on Illicit Financial Schemes and Methods R...- Mark - Fullbright
Transnational criminal organizations (TCOs), foreign fentanyl suppliers, and Internet purchasers located in the United States engage in the trafficking of fentanyl, fentanyl analogues, and other synthetic opioids and the subsequent laundering of the proceeds from such illegal sales.
The mission of the IC3 is to provide the public with a reliable and convenient reporting mechanism to submit information to the FBI concerning suspected Internet-facilitated criminal activity, and to develop effective alliances with industry partners. Information is analyzed and disseminated for investigative and intelligence purposes, for law enforcement, and for public awareness.
This report is built upon analysis of 41,686 security incidents, of which 2,013 were confirmed data breaches. We will take a look at how results are changing (or not) over the years as well as digging into the overall threat landscape and the actors, actions, and assets that are present in breaches. Windows into the most common pairs of threat actions and affected assets also are provided.
The Federal Trade Commission (FTC or Commission) is an independent U.S. law enforcement agency charged with protecting consumers and enhancing competition across broad sectors of the economy. The FTC’s primary legal authority comes from Section 5 of the Federal Trade Commission Act, which prohibits unfair or deceptive practices in the marketplace. The FTC also has authority to enforce a variety of sector-specific laws, including the Truth in Lending Act, the CAN-SPAM Act, the Children’s Online Privacy Protection Act, the Equal Credit Opportunity Act, the Fair Credit Reporting Act, the Fair Debt Collection Practices Act, and the Telemarketing and Consumer Fraud and Abuse Prevention Act. This broad authority allows the Commission to address a wide array of practices affecting consumers, including those that emerge with the development of new technologies and business models.
Sentinel sorts consumer reports into 29 top categories. Appendices B1 – B3 describe the categories, providing details and three-year figures. To reflect marketplace changes, new categories or subcategories are created or deleted over time. The Consumer Sentinel Network Data Book excludes the National Do Not Call Registry. A separate report about these complaint statistics is available at: https://www.ftc.gov/reports/national-do-not-call-registry-data-book-fiscal-year-2018. The Sentinel Data Book also excludes reports about unsolicited commercial email. Consumers can report as much or as little detail as they wish when they file a report. For the Sentinel Data Book graphics, percentages are based on the total number of Sentinel fraud, identity theft, and other report types in 2018 in which consumers provided the information displayed on each chart. Reports to Sentinel sometimes indicate money was lost, and sometimes indicate no money was lost. Often, people make these reports after they experience something problematic in the marketplace, avoid losing any money, and wish to alert others. Except where otherwise stated, numbers are based on reports both from people who indicated a loss and people who did not. Calculations of dollar amounts lost are based on reports in which consumers indicated they lost between $1 and $999,999. Prior to 2017, reported “amount paid” included values of $0 to $999,999. States and Metropolitan Areas are ranked based on the number of reports per 100,000 population. State rankings are based on 2017 U.S. Census population estimates (Annual Estimates of the Resident Population: April 1, 2010 to July 1, 2017). Metropolitan Area rankings are based on 2016 U.S. Census population estimates (Annual Estimates of the Resident Population: April 1, 2010 to July 1, 2016). This Sentinel Data Book identifies Metropolitan Areas (Metropolitan and Micropolitan Statistical Areas) with a population of 100,000 or more except where otherwise noted.
Metropolitan areas are defined by Office of Management and Budget Bulletin No. 15-01, “Revised Delineations of Metropolitan Statistical Areas, Micropolitan Statistical Areas, and Combined Statistical Areas, and Guidance on Uses of the Delineations of These Areas” (July 15, 2015). Numbers change over time. The Sentinel Data Book sorts consumer reports by year, based on the date of the consumer’s report. Some data contributors transfer their complaints to Sentinel after the end of the calendar year, and new data providers often contribute reports from prior years. As a result, the total number of reports for 2018 will likely change during the next few months, and totals from previous years may differ from prior Consumer Sentinel Network Data Books. The most up-to-date information can be found online at ftc.gov/data
A credit score is a three-digit number that predicts how likely you are to pay back a loan on time, based on information from your credit reports.
Company names mentioned herein are the property of, and may be trademarks of, their respective owners and are for educational purposes only.
Medical identity theft has existed in various forms for decades, but it was in 2006 that World Privacy Forum published the first major report about the crime. The report called for medical data breach notification laws and more research about medical identity theft and its impacts. Since that time, medical data breach notification laws have been enacted, and other progress has been made, particularly in the quality of consumer complaint datasets gathered around identity theft, including medical forms of the crime. This report uses new data arising from consumer medical identity theft complaint reporting and medical data breach reporting to analyze and document the geography of medical identity theft and its growth patterns. The report also discusses new aspects of consumer harm resulting from the crime that the data has brought to light.
Since 1997, Sentinel has collected tens of millions of reports from consumers about fraud, identity theft, and other consumer protection topics. During 2017, Sentinel received nearly 2.7 million consumer reports, which the FTC has sorted into 30 top categories. The 2017 Consumer Sentinel Network Data Book (Sentinel Data Book) has a vibrant new look, and a lot more information about what consumers told us last year. You'll know more about how much money people lost in the aggregate, the median amount they paid, and what frauds were most costly. And you'll know much more about complaints of identity theft, fraud, and other types of problems in each state, too. The Sentinel Data Book is based on unverified reports filed by consumers. The data is not based on a consumer survey. Sentinel has a five-year data retention policy, with reports older than five years purged biannually.
This guide addresses the steps to take once a breach has occurred. For advice on implementing a plan to protect consumers’ personal information, to prevent breaches and unauthorized access, check out the FTC’s Protecting Personal Information: A Guide for Business and Start with Security: A Guide for Business.
Consumer Sentinel Network Data Book for January 2016 - December 2016 - Mark - Fullbright
FTC Consumer Sentinel Network Law enforcement's source for consumer complaints.
All information, data, and material contained, presented, or provided on is for educational purposes only.
It is not to be construed or intended as providing legal advice.
Ponemon Institute: Private & Confidential Report 2
Fourth Annual Benchmark Study on Patient Privacy & Data Security
Presented by Ponemon Institute
March 2014
Part 1. Introduction
The Fourth Annual Study on Patient Privacy & Data Security reveals new and expanded threats
to the security and privacy of patient information in the U.S. healthcare system. The Affordable
Care Act (ACA) is seen as a contributing factor because of the documented insecure websites,
databases and health information exchanges that are highly vulnerable to insider and outsider
threats. While the total number of data breaches has declined slightly over previous years, almost
every healthcare organization represented in this research had a data breach. The study also
found that healthcare organizations continue to struggle to comply with increasingly complex
federal and state privacy and security regulations.
Criminal attacks on healthcare systems have risen a startling 100 percent since we first
conducted this study four years ago in 2010. Healthcare employees are fueling breach risks by
increased use of their personal unsecured devices (smartphones, laptops and tablets). Business
Associates—those that have access to PHI and work with healthcare organizations—are not yet
in compliance with the HIPAA Final Rule.
Data breaches continue to cost some healthcare organizations millions of dollars every year.
While the cost can range from less than $10,000 to more than $1 million, we calculate that the
average cost for the organizations represented in this year’s benchmark study is approximately
$2 million over a two-year period. This is down from $2.4 million in last year’s report as well as
from the $2.2 million reported in 2011 and $2.1 million in 2010. Based on the experience of the
healthcare organizations in this benchmark study, we believe the potential cost to the healthcare
industry could be as much as $5.6 billion annually.[1]
The types of healthcare organizations participating in the study are hospitals or clinics that are
part of a healthcare network (49 percent), integrated delivery systems (34 percent) and
standalone hospital or clinic (17 percent). This year 91 healthcare organizations participated in
this benchmark research and 388 interviews were conducted.[2] All organizations in this research
are subject to HIPAA as a covered entity. Most respondents interviewed work in compliance, IT,
patient services and privacy.
Key Research Findings:
The number of data breaches decreases slightly. Ninety percent of healthcare organizations in
this study have had at least one data breach in the past two years. However, 38 percent report
that they have had more than five incidents. This is a decline from last year’s report, when 45
percent of organizations had more than five. This, coupled with an increase in organizations’ level of
confidence in data breach detection, suggests that modest improvements have been made in
reducing threats to patient data.
Healthcare organizations improve their ability to control data breach costs. The economic impact
of one or more data breaches for healthcare organizations in this study ranges from less than
$10,000 to more than $1 million over a two-year period. Based on the ranges reported by
respondents, we calculated that the average economic impact of data breaches over the past two
years for the healthcare organizations represented in this study is $2.0 million. This is a decrease
of almost $400,000 or 17 percent since last year.
1
This is based on multiplying $986,948 (50% of the average two year cost of a data breach experienced by the 91
healthcare organizations in this research) x 5,723 (the total number of registered US hospitals per the AHA).
2
Benchmark research differs from survey research. The unit of analysis in benchmark research is the organization and in
survey research it is the individual.
Ponemon Institute: Private & Confidential Report 3
ACA increases risk to patient privacy and information security. Respondents in 69 percent
of organizations represented believe the ACA significantly increases (36 percent) or increases
(33 percent) risk to patient privacy and security. The primary concerns are insecure exchange of
patient information between healthcare providers and government (75 percent of organizations),
patient data on insecure databases (65 percent) and patient registration on insecure websites (63
percent of organizations).
ACO participation increases data breach risks. Fifty-one percent of organizations say they are
part of an Accountable Care Organization (ACO) and 66 percent say the risks to patient privacy
and security due to the exchange of patient health information among participants have increased.
When asked if their organization experienced changes in the number of unauthorized disclosures
of PHI, 41 percent say it is too early to tell. Twenty-three percent say they noticed an increase.
Confidence in the security of Health Information Exchanges (HIEs) remains low. An HIE is
defined as the mobilization of healthcare information electronically across organizations within a
region, community or hospital system. The percentage of organizations joining HIEs increased
only slightly. This year, 32 percent say they are members and this is up slightly from 28 percent
last year. One-third of organizations say they do not plan to become a member. The primary
reason could be that 72 percent of respondents say they are only somewhat confident (32
percent) or not confident (40 percent) in the security and privacy of patient data shared on HIEs.
Criminal attacks on healthcare organizations increase 100 percent since 2010. Insider
negligence continues to be at the root of most data breaches reported in this study but a major
challenge for healthcare organizations is addressing the criminal threat. These types of attacks
on sensitive data have increased 100 percent since the study was conducted in 2010 from 20
percent of organizations reporting criminal attacks to 40 percent of organizations in this year’s
study.
Employee negligence is considered the biggest security risk. Seventy-five percent of
organizations say employee negligence is their biggest worry followed by use of public cloud
services (41 percent), mobile device insecurity (40 percent) and cyber attackers (39 percent).
BYOD usage continues to rise. Despite the concerns about employee negligence and the use
of insecure mobile devices, 88 percent of organizations permit employees and medical staff to
use their own mobile devices such as smart phones or tablets to connect to their organization’s
networks or enterprise systems such as email. Similar to last year, more than half of
organizations are not confident that the personally-owned mobile devices or BYOD are secure.
Heavy use of cloud services increases. As discussed above, healthcare organizations view the
use of public cloud services as a serious threat. In fact, only one-third are very confident or
confident that information in a public cloud environment is secure. Despite the risk, 40 percent of
organizations say they use the cloud heavily, an increase from 32 percent last year. The
applications or services most used are backup and storage, file-sharing applications, business
applications and document sharing and collaboration.
Half of healthcare organizations are compliant with the post-incident risk assessment
requirement in the Final Rule. Fifty-one percent of respondents said they are in full compliance
while 49 percent report they are not compliant or are only partially compliant. Thirty-nine percent
say their incident assessment process is not effective and cite a lack of consistency and inability
to scale their process as the primary reasons.
Healthcare organizations don’t trust their third parties or business associates with
sensitive patient information. Seventy-three percent of organizations are either somewhat
confident (33 percent) or not confident (40 percent) that their business associates would be able
to detect, perform an incident risk assessment and notify their organization in the event of a data
breach incident as required under the business associate agreement. The business associates
they worry most about are IT service providers, claims processor and benefits management. Only
30 percent are very confident or confident that their business associates are appropriately
safeguarding patient data as required under the Final Rule.
Organizations rely on policies and procedures to achieve compliance and secure sensitive
information. Fifty-five percent of organizations agree they have the policies and procedures that
effectively prevent or quickly detect unauthorized patient data access, loss or theft. Unfortunately,
the budget, technologies and resources needed to safeguard patient information from a data
breach are not as available. Further, less than half (46 percent) of organizations have personnel
who are knowledgeable about HITECH and states’ data breach notification laws.
Majority of organizations say the HIPAA Final Rule has either not affected patient data
privacy and security programs or it’s too early to tell. The HIPAA Final Omnibus Rule seeks
to better protect patients by removing the harm threshold. Covered entities and their business
associates must still conduct an incident risk assessment, for every data security incident that
involves PHI. Rather than determine the risk of harm, the risk assessment determines the
probability that PHI has been compromised. While 44 percent of organizations say it has affected
their programs, 41 percent say it has not and 15 percent say it is too early to tell. The biggest
change has been to require policies and procedures to be updated.
Most healthcare organizations are not in compliance with AOD requirements. Less than half
of the organizations in this study report they are in full compliance (25 percent) or nearly in full
compliance (23 percent) with the Accounting of Disclosures (AOD) requirement. These
organizations say they achieve compliance mostly by an ad-hoc process (31 percent), a paper-
based process or tool that was developed internally (27 percent), a software-based process or
tool that was developed internally (27 percent) or a software-based process or tool that was
developed by a third party (15 percent).
Part 2. Key findings
In this section, we provide a more detailed analysis of the research findings. Whenever possible,
we show trends in the findings since the study was first conducted in 2010. The complete audited
results are presented in the appendix of this report. The findings are organized according to the
following issues:
• Data breaches decline but are still pervasive
• ACA puts patient data at risk
• Insider-outsider threats to sensitive data are on the rise
• Healthcare organizations struggle to comply with the HIPAA Final Rule
Data breaches decline but are still pervasive
The number of data breaches decreases slightly. Ninety percent of healthcare organizations in
this study have had at least one data breach in the past two years. As shown in Figure 1, 38
percent report they have had more than five incidents. This is a decline from last year’s report
when 45 percent of organizations had more than five but greater than what was first reported in
2010. This coupled with an increase in organizations’ level of confidence in data breach
detections suggests that modest improvements have been made in reducing threats to patient
data.
Figure 1. Experienced a data breach involving the loss of patient data in the past two years
                               FY 2013   FY 2012   FY 2011   FY 2010
No                                 10%        6%        4%       14%
Yes, 1 incident                    16%       16%       17%       26%
Yes, 2 to 5 incidents              36%       33%       33%       31%
Yes, more than 5 incidents         38%       45%       46%       29%
Consistent with the previous three annual studies, the data breaches are most likely to involve
healthcare records with the most sensitive and valuable information for identity thieves. According
to Figure 2, billing and insurance records and medical files are the most likely to be lost or stolen.
Figure 2. Type of patient data lost or stolen
More than one choice permitted
                                 FY 2013   FY 2012   FY 2011
Billing and insurance record        49%       48%       49%
Medical file                        46%       48%       47%
Payment details                     22%       24%       17%
Scheduling details                  20%       19%       25%
Monthly statements                  18%       15%       20%
Prescription details                18%       20%       19%
Other                                2%        2%        3%
Healthcare organizations improve ability to control data breach costs. The economic impact
of one or more data breaches for healthcare organizations in this study ranges from less than
$10,000 to more than $1 million over a two-year period. Based on the ranges reported by
respondents, we calculated that the average economic impact of data breaches over the past two
years for the healthcare organizations represented in this study is $1,973,895, as shown in Figure
3. This is a decrease of 17 percent or almost $400,000 since last year.
Figure 3. Economic impact of data breach incidents experienced over the past two years
Average economic impact of data breaches over the past two years is $1,973,895
                               FY 2013   FY 2012   FY 2011   FY 2010
More than $1 million               25%       31%       30%       29%
$500,001 to $1 million             22%       26%       21%       19%
$200,001 to $500,000               26%       23%       26%       25%
$100,001 to $200,000               10%        8%        8%       11%
$50,001 to $100,000                 4%        3%        3%        4%
$10,001 to $50,000                  3%        1%        2%        1%
Less than $10,000                   5%        3%        5%        4%
Cannot determine                    5%        5%        5%        7%
Contributing to the cost reduction is the fact that the size of the breaches decreased. According to
Figure 4, the average number of lost or stolen records per breach was 2,150. Last year the
average number was almost 3,000 records. Based on other research conducted by Ponemon
Institute, the average cost per one lost or stolen record is $188. This suggests that it could take
only one data breach to have an economic impact of $404,200.[3]
[3] See 2013 Cost of Data Breach Study, conducted by Ponemon Institute, May 2013.
Figure 4. Number of compromised records
Extrapolated average is 2,150
                               FY 2013   FY 2012   FY 2011   FY 2010
10 to 100                          49%       38%       42%       61%
101 to 1,000                       25%       28%       25%       20%
1,001 to 5,000                     16%       21%       19%       12%
5,001 to 10,000                     8%       11%       12%        5%
10,001 to 100,000                   2%        3%        2%        2%
More than 100,000                   0%        0%        0%        1%
ACA puts patient data at risk
ACA increases risk to patient privacy and information security. Respondents in 69 percent
of organizations represented believe the ACA significantly increases or increases the risk to
patient privacy and security. As shown in Figure 5, the primary concerns are insecure exchange
of patient information between healthcare providers and government (75 percent of
organizations), patient data on insecure databases (65 percent) and patient registration on
insecure websites (63 percent of organizations).
Figure 5. Primary concerns regarding the risks to patient information
More than one choice permitted
Insecure exchange of patient information between healthcare providers and government    75%
Patient data on insecure databases                                                       65%
Patient registration on insecure websites                                                63%
Other                                                                                     2%
ACO participation increases data breach risks. Fifty-one percent of organizations say they are
part of an Accountable Care Organization (ACO) and 66 percent say the risks to patient privacy
and security due to the exchange of patient health information among participants have increased.
According to Figure 6, when asked if their organization experienced changes in the number of
unauthorized disclosures of PHI, 41 percent say it is too early to tell. Twenty-three percent say
they noticed an increase.
Figure 6. Changes in the number of unauthorized disclosures of PHI
Yes, an increase       23%
Yes, a decrease         3%
No changes             33%
Too early to tell      41%
Confidence in the security of Health Information Exchanges (HIEs) remains low. An HIE is
defined as the mobilization of healthcare information electronically across organizations within a
region, community or hospital system. The percentage of organizations joining HIEs increases
only slightly. This year, 32 percent say they are members and this is up slightly from 28 percent
last year. One-third of organizations say they do not plan to become a member.
Figure 7 shows that the primary reason could be that 72 percent of respondents say they are only
somewhat confident (32 percent) or not confident (40 percent) in the security and privacy of
patient data shared on HIEs.
Figure 7. Confidence in the security and privacy of patient data shared on HIEs
                          FY 2013   FY 2012
Very confident                13%       17%
Confident                     15%       17%
Somewhat confident            32%       30%
Not confident                 40%       36%
Insider-outsider threats to sensitive data are on the rise
Criminal attacks on healthcare organizations increase 100 percent since 2010. Insider
negligence continues to be at the root of most data breaches reported in this study but a major
challenge for healthcare organizations is addressing the criminal threat as shown in Figure 8.
These types of attacks on sensitive data have increased 100 percent since the study was
conducted in 2010 from 20 percent of organizations reporting criminal attacks to 40 percent of
organizations in this year’s study.
Consistent with previous studies, the primary cause of breaches is a lost or stolen computing
device (49 percent), which can be attributed in many cases to employee carelessness. This is
followed by employee mistakes or unintentional actions (46 percent), and third-party snafus (41
percent).
Figure 8. Nature of the incident
More than one choice permitted
                                               FY 2013   FY 2012   FY 2011   FY 2010
Lost or stolen computing device                    49%       46%       49%       41%
Unintentional employee action                      46%       42%       41%       45%
Third-party snafu                                  41%       42%       46%       34%
Criminal attack                                    40%       33%       30%       20%
Technical systems glitch                           32%       31%       33%       31%
Malicious insider                                  12%       14%       14%       15%
Intentional non-malicious employee action           8%        8%        9%       10%
It is interesting that audit and assessment as the reason for discovering a data breach has
increased significantly from 41 percent of respondents in 2010 to 58 percent of respondents this
year while patient complaints declined since 2010. Finding out about the data breach from a legal
complaint also declined, as shown in Figure 9.
Figure 9. How the data breach was discovered
More than one choice permitted
                          FY 2013   FY 2012   FY 2011   FY 2010
Audit/assessment              58%       52%       43%       41%
Employee detected             46%       47%       51%       47%
Patient complaint             35%       36%       35%       41%
Accidental                    26%       26%       28%       21%
Legal complaint               19%       26%       20%       19%
Loss prevention               12%       10%       14%        9%
Law enforcement                7%        5%        7%        8%
Employee negligence is considered the biggest security risk. Figure 10 reveals that 75
percent of organizations say employee negligence is their biggest worry followed by use of public
cloud services (41 percent), mobile device insecurity (40 percent) and cyber attackers (39
percent).
Figure 10. Security threats of most concern
Three choices permitted
Employee negligence               75%
Use of public cloud services      41%
Mobile device insecurity          40%
Cyber attackers                   39%
Employee-owned mobile devices     34%
Insecure mobile apps              23%
System failures                   16%
Malicious insiders                13%
Identity thieves                  12%
Insecure medical devices           5%
Other                              2%
BYOD usage continues to rise. As shown in Figure 11, despite the concerns about employee
negligence and the use of insecure mobile devices, 88 percent of organizations permit employees
and medical staff to use their own mobile devices such as smart phones or tablets to connect to
their organization’s networks or enterprise systems such as email. More than half of organizations
are not confident that the personally-owned mobile devices or BYOD are secure.
Very few organizations require their employees to take such security precautions as requiring
anti-virus/anti-malware software to reside on the mobile device prior to connection (23 percent),
scanning devices for viruses and malware prior to connection (22 percent) and scanning devices
and removing all mobile apps that present a security threat prior to connection (14 percent).
Figure 11. Employees permitted to use personal mobile devices to connect to networks
         FY 2013   FY 2012
Yes          88%       81%
No           12%       19%
Since last year, more organizations are taking steps to secure devices. These steps to protect
their organization’s network or enterprise systems from the insecurity of BYOD include limiting
access from devices to critical systems including those that connect to PHI, requiring users to
read and sign an acceptable use policy prior to connection and limiting or restricting the download
of PHI onto these devices, according to Figure 12.
Figure 12. Measures to ensure devices are secure enough to connect to the network
More than one response permitted
                                                                      FY 2013   FY 2012
Limit access from devices to critical systems                             56%       51%
Require user to read and sign an acceptable use policy                    53%       45%
Limit or restrict the download of PHI                                     44%       38%
Scan devices for viruses and malware while they are connected             36%       40%
Require anti-virus/anti-malware software to reside on the mobile device   23%       23%
Scan devices for viruses and malware prior to connection                  22%       21%
Scan devices and remove apps that present a security threat               14%       16%
None of the above steps are done                                          38%       46%
Other                                                                      3%        2%
Heavy use of cloud services increases. As discussed above, healthcare organizations view the
use of public cloud services as a serious threat. In fact, only one-third are very confident or
confident that information in a public cloud environment is secure. Despite the risk, 40 percent of
organizations say they use the cloud heavily, an increase from 32 percent last year. The
applications or services most used are backup and storage, file-sharing applications, business
applications and document sharing and collaboration.
According to Figure 13, the types of information most often processed or stored in the cloud are
email applications, productivity applications, accounting information and employee information
such as payroll data. This is largely consistent with previous years. Also processed or stored
in the cloud, but not as often, are patient medical records and billing information. The majority of
organizations believe patient medical records and billing information are too sensitive to be
processed and/or stored in a public cloud environment.
Figure 13. Types of information processed and/or stored in the cloud
More than one choice permitted
                                                   FY 2013   FY 2012
Email applications                                     53%       49%
Productivity applications                              49%       46%
Accounting and financial information                   49%       46%
Employee information including payroll data            44%       41%
Administrative and scheduling information              31%       28%
Patient billing information                            31%       30%
Patient medical records                                28%       26%
Clinical trial and other research information           4%        5%
None of the above                                      34%       37%
Other                                                   3%        2%
Healthcare organizations struggle to comply with the HIPAA Final Rule
Half of healthcare organizations are compliant with the post-incident risk assessment
requirement in the Final Rule. Fifty-one percent of respondents said they are in full compliance
while 49 percent report they are not compliant or are only partially compliant. Thirty-nine percent
say their incident assessment process is not effective and cite a lack of consistency and inability
to scale their process as the primary reasons.
As shown in Figure 14, the process most often used to conduct and document post incident risk
assessment is a manual process that was developed internally (34 percent) followed by an ad-
hoc process (23 percent). Only 15 percent use an automated tool or process developed internally
or one that was developed by a third party (20 percent).
Figure 14. Post incident risk assessment process
Manual process or tool that was developed internally       34%
Ad-hoc process                                             23%
Automated process that was developed by a third party      20%
Automated process that was developed internally            15%
Free tool that was developed by an external entity          8%
Other                                                       0%
Healthcare organizations don’t trust their third parties or business associates[4] with
sensitive patient information. Seventy-three percent of organizations are either somewhat
confident (33 percent) or not confident (40 percent) that their business associates would be able
to detect, perform an incident risk assessment and notify their organization in the event of a data
breach incident as required under the business associate agreement.
The business associates they worry most about are IT service providers, claims processors and
benefits management, as shown in Figure 15. Only 30 percent are very confident or confident
that their business associates are appropriately safeguarding patient data as required under the
Final Rule.
Figure 15. Business associates that present the greatest risk to privacy and security
Two choices permitted
IT service provider            75%
Claims processor               47%
Benefits management            33%
Pharmacy benefits manager      19%
Data analysts                   8%
Consulting services             6%
Accounting services             4%
Legal services                  3%
Other                           5%
[4] A business associate conducts activities on behalf of healthcare organizations that involve the use or disclosure of
individually identifiable health information. Such activities can include claims processing or administration, data analysis,
billing and other services. According to the HIPAA Final Omnibus Rule, new rules expand the obligations of physicians
and other healthcare providers to protect patients’ protected health information (PHI), extend these obligations to other
individuals and companies who, as business associates, have access to PHI, and increase the penalties for violations of
any of these obligations.
Organizations rely on policies and procedures to achieve compliance and secure sensitive
information. According to Figure 16, fifty-five percent of organizations agree they have the
policies and procedures that effectively prevent or quickly detect unauthorized patient data
access, loss or theft. This has increased significantly since 2010 when 41 percent said this was
the case. Technical expertise has increased as well since 2010 (from 42 percent of respondents
to 49 percent).
Unfortunately, the budget, technologies and resources needed to safeguard patient information
from a data breach are not as available. Further, less than half (46 percent) of organizations have
personnel who are knowledgeable about HITECH and states’ data breach notification laws.
Figure 16. Attributions about patient data security
Strongly agree and agree responses combined
                                                                                          FY 2013   FY 2012   FY 2011   FY 2010
Sufficient policies and procedures to prevent or quickly detect unauthorized patient data access, loss or theft   55%   52%   47%   41%
Technical expertise to prevent or quickly detect unauthorized patient data access             49%       45%       45%       42%
Personnel are knowledgeable about HITECH and data breach notification laws *                  46%       44%       n/a       n/a
Security budget is sufficient to curtail or minimize data breach incidents *                  33%       34%       n/a       n/a
Sufficient resources to prevent or quickly detect unauthorized patient data access, loss or theft   28%   27%   27%   29%
* This choice was not available for FY 2011 & FY 2010
Majority of organizations say the HIPAA Final Rule has either not affected patient data
privacy and security programs or it’s too early to tell. The HIPAA Final Omnibus Rule seeks
to better protect patients by removing the harm threshold. Covered entities and their business
associates must still conduct an incident risk assessment, for every data security incident that
involves PHI. Rather than determine the risk of harm, the risk assessment determines the
probability that PHI has been compromised. While 44 percent of organizations say it has affected
their programs, 41 percent say it has not and 15 percent say it is too early to tell.
According to Figure 17, the biggest change has been to require policies and procedures to be
updated, followed by conducting a risk assessment or risk analysis.
Figure 17. How the Final Rule changed patient data privacy and security programs
More than one choice permitted
Required an update to our policies and procedures                                          36%
Conducted a risk assessment/risk analyses                                                  31%
Conducted employee training and awareness                                                  29%
Changed relationships with certain third parties                                           28%
Require certain third parties to strengthen their data privacy and security procedures     21%
Purchased cyber insurance                                                                  15%
None of the above                                                                          40%
Most healthcare organizations are not in compliance with AOD requirements. Less than half
of the organizations in this study report they are in full compliance (25 percent) or nearly in full
compliance (23 percent) with the Accounting of Disclosures (AOD) requirement.
Figure 18 reveals that these organizations say they achieve compliance mostly by an ad-hoc
process (31 percent), a paper-based process or tool that was developed internally (27 percent), a
software-based process or tool that was developed internally (27 percent) or a software-based
process or tool that was developed by a third party (15 percent).
Figure 18. How is compliance with the Accounting of Disclosures achieved?
Ad-hoc process                                                         31%
Paper-based process or tool that was developed internally              27%
Software-based process or tool that was developed internally           27%
Software-based process or tool that was developed by a third party     15%
Part 3. Conclusion
The more things change the more they stay the same. Four years of conducting this research
reveals that healthcare organizations continue to have data breaches due to the human factor.
These include employees’ carelessness with their computing devices and other unintended but
negligent acts that put patient data in jeopardy. For the first time, we asked what is the greatest
risk to the security and privacy of patient information. The vast majority (75 percent) of
organizations say it is employee negligence.
A major change in the delivery of healthcare services is also having an impact on the risks to
patient information. The ACA has healthcare organizations worried about insecure websites,
databases and health information exchanges that are highly vulnerable to insider and outsider
threats.
Healthcare security professionals need to address both internal and external threats. The
research reveals that many organizations are relying on policies and procedures to achieve
compliance and secure sensitive information. In addition to policies, organizations should be
focused on technologies that secure mobile devices and protect sensitive data that is stored in
the cloud. Training and awareness programs should be conducted at every level of the
organization to reduce the negligent employee risk. Finally, the growth in criminal attacks against
healthcare organizations calls for assessments of areas vulnerable to attack and investment in
technologies that protect organizations from malicious outsiders. Implementing these measures
is a huge challenge but critical to the future of the industry.
Part 4. Benchmark Methods
Table 1 summarizes the responses completed over a three-month period concluding in January
2014. A total of 505 health care organizations were selected for participation and contacted by
the researcher. One hundred and eleven organizations agreed to complete the benchmark
survey; however, 93 completed the benchmark instrument. Two benchmarked organizations were
deemed incomplete and, hence, removed from the sample. A final sample of 91 organizations
was used in our analysis, which is a net increase of 11 organizations from our 2012 study.
Table 1. Benchmark sampling response
                                                                FY 2013   FY 2012   FY 2011   FY 2010
Total healthcare organizations contacts made                        505       499       511       457
Total healthcare organizations recruited                            111        92        98        99
Total healthcare organizations participating                         93        81        75        67
Total healthcare organizations providing incomplete responses         2         1         3         2
Final benchmark sample                                               91        80        72        65
Pie Chart 1 reports the type of healthcare providers that participated in this research, with 59
percent representing private organizations. Pie Chart 2 shows the size of organizations with
respect to the number of patient beds. Forty-two percent of participating healthcare providers
have a 301 to 600-bed capacity, while 35 percent have 101 to 300 beds.
Pie Chart 1. Type of health care provider
Private     59%
Public      36%
Other        5%
Pie Chart 2. The number of patient beds (size)
Fewer than 100     17%
101 to 300         35%
301 to 600         42%
More than 600       6%
According to Pie Chart 3, the primary roles of respondents or their supervisors interviewed in this
study are HIPAA compliance leader (12 percent), chief information security officer (11 percent), chief
information officer (11 percent), chief compliance officer (10 percent) and billing & administrative
leader (10 percent).
Pie Chart 3. What best describes your role or the role of your supervisor?
HIPAA compliance leader                12%
Chief information security officer     11%
Chief information officer              11%
Chief compliance officer               10%
Billing & administrative leader        10%
Medical records management leader       9%
Chief security officer                  6%
General counsel                         6%
Chief privacy officer                   5%
Chief finance officer                   5%
Human resources leader                  4%
Chief medical officer                   3%
Chief medical information officer *     3%
Clinician                               3%
Chief development officer               2%
* This response was not available for all fiscal years
Part 5. Limitations
The presented findings are based on self-reported benchmark survey returns. Usable returns
from 91 organizations – or about 18 percent of those organizations initially contacted – were
collected and used in the above-mentioned analysis. It is always possible those organizations
that chose not to participate are substantially different in terms of data protection and compliance
activities.
Because our sampling frame is a proprietary list of organizations known to the researcher, the
quality of our results is influenced by the accuracy of contact information and the degree to which
the list is representative of the population of all covered entities and business associates in the
United States. While it is our belief that our sample is representative, we do acknowledge that
results may be biased in two important respects:
• Survey results are skewed to larger-sized healthcare organizations, excluding the plethora
of very small provider organizations including local clinics and medical practitioners.
• Our contact methods targeted individuals who are presently in the data protection, security,
privacy or compliance fields. Hence, it is possible that contacting other individuals in these
same organizations would have resulted in different findings.
To keep the survey concise and focused, we omitted other normatively important variables from
the analyses. Omitted variables might explain survey findings, especially differences between
covered entities and business associates as well as organizational size.
The quality of survey research is based on the integrity of confidential responses received from
respondents. While certain checks and balances have been incorporated into our survey
methods, there is always the possibility that certain respondents did not provide accurate or
complete responses to our benchmark instrument.
We fully acknowledge that our sample size is small and, hence, the ability to generalize findings
about organizational size, organizational type, and program maturity is limited. Great care should
be exercised before attempting to generalize these findings to the population of all health care
providers.
Finally, we compare the 2013 results to benchmark studies completed in 2012, 2011 and 2010.
While these four samples were approximately matched based on organizational size, type and
regional location, we can only infer trends from between-sample differences.
Appendix: Detailed Results
The following tables provide the frequency and percentage frequency of all benchmark survey
questions completed by 91 participating companies. All field research was completed over a
three-month period concluding in January 2014.

Benchmark sampling response | FY 2013 | FY 2012 | FY 2011 | FY 2010
Total healthcare organizations contacts made | 505 | 499 | 511 | 457
Total healthcare organizations recruited | 111 | 92 | 98 | 99
Total healthcare organizations participating | 93 | 81 | 75 | 67
Total healthcare organizations providing incomplete responses | 2 | 1 | 3 | 2
Final benchmark sample | 91 | 80 | 72 | 65

Screening Question
S1. Is your organization a healthcare provider subject to HIPAA as a covered entity? | FY 2013 | FY 2012 | FY 2011 | FY 2010
Yes | 91 | | |
No | 0 | | |
Part 1: Organizational characteristics

Q1a. What best describes your organization? | FY 2013 | FY 2012 | FY 2011 | FY 2010
Public healthcare provider | 36% | 35% | 32% | 35%
Private healthcare provider | 59% | 58% | 57% | 54%
Other | 5% | 8% | 11% | 11%
Total | 100% | 100% | 100% | 100%

Q1b. How many patient beds (capacity) does your organization have? | FY 2013 | FY 2012 | FY 2011 | FY 2010
Less than 100 | 17% | 16% | 17% | 18%
101 to 300 | 35% | 36% | 35% | 32%
301 to 600 | 42% | 40% | 42% | 45%
More than 600 | 6% | 8% | 7% | 5%
Total | 100% | 100% | 100% | 100%

Q1c. What best describes your organization's operating structure? | FY 2013 | FY 2012 | FY 2011 | FY 2010
Integrated Delivery System | 34% | 36% | 36% | 35%
Hospital or clinic that is part of a healthcare network | 49% | 46% | 47% | 46%
Standalone hospital | 13% | 14% | 17% | 17%
Standalone Clinic | 4% | 4% | |
Other | 0% | 0% | 0% | 2%
Total | 100% | 100% | 100% | 100%

Q1d. Please indicate the region of the United States where you are located. | FY 2013 | FY 2012 | FY 2011 | FY 2010
Northeast | 20% | 21% | 22% | 23%
Mid-Atlantic | 20% | 20% | 21% | 20%
Midwest | 15% | 16% | 15% | 15%
Southeast | 12% | 11% | 13% | 12%
Southwest | 14% | 13% | 13% | 14%
Pacific-West | 19% | 19% | 17% | 15%
Total | 100% | 100% | 100% | 100%
Q1e. What best describes your role or the role of your supervisor? | FY 2013 | FY 2012 | FY 2011 | FY 2010
Chief security officer | 6% | 5% | 5% | 7%
Chief information security officer | 11% | 9% | 10% | 9%
Chief information officer | 11% | 12% | 11% | 6%
Chief privacy officer | 5% | 5% | 6% | 4%
Chief compliance officer | 10% | 11% | 11% | 11%
Chief medical officer | 3% | 2% | 3% | 1%
Chief clinical officer | 0% | 1% | 1% | 0%
Chief risk officer (2012) | 0% | 2% | |
Chief medical information officer (2012) | 3% | 2% | |
Chief finance officer | 5% | 4% | 4% | 6%
Chief development officer | 2% | 1% | 2% | 2%
General counsel | 6% | 6% | 5% | 6%
HIPAA compliance leader | 12% | 11% | 11% | 12%
Clinician | 3% | 4% | 3% | 1%
Billing & administrative leader | 10% | 10% | 12% | 15%
Medical records management leader | 9% | 8% | 11% | 13%
Human resources leader | 4% | 5% | 5% | 5%
Other | 0% | 2% | 1% | 1%
Total | 100% | 100% | 100% | 100%
Total number of individual interviews | 388 | 324 | 300 | 211
Average number of interviews per HC organization | 4.26 | 4.05 | 4.17 | 3.25

Q1f. What best describes your department or function? | FY 2013 | FY 2012 | FY 2011 | FY 2010
Compliance | 100% | 94% | 100% | 91%
Privacy | 42% | 34% | 39% | 48%
Information technology (IT) | 81% | 79% | 76% | 45%
Legal | 23% | 21% | 21% | 20%
Finance | 19% | 16% | 15% | 20%
Marketing | 4% | 6% | 8% | 6%
Medical informatics | 26% | 24% | 24% | 17%
Medical staff | 21% | 19% | 18% | 15%
Patient services | 52% | 48% | 47% | 38%
Records management | 20% | 23% | 14% | 9%
Risk management | 9% | 6% | 15% | 9%
Development (foundation) | 4% | 6% | 11% | 8%
Planning | 6% | 10% | 4% | 6%
Human resources | 13% | 14% | 19% | 20%
Other | 6% | 6% | 4% | 0%
Total | 426% | 405% | 417% | 352%
Part 2. Attributions. Please rate your opinion about the statements contained in Q2 to Q7 using the scale provided below each item. (Strongly agree and Agree responses combined) | FY 2013 | FY 2012 | FY 2011 | FY 2010
Q2. My organization has sufficient policies and procedures that effectively prevent or quickly detect unauthorized patient data access, loss or theft. | 55% | 52% | 47% | 41%
Q3. My organization has sufficient technologies that effectively prevent or quickly detect unauthorized patient data access, loss or theft. | 44% | 40% | 38% | 37%
Q4. My organization has sufficient resources to prevent or quickly detect unauthorized patient data access, loss or theft. | 28% | 27% | 27% | 29%
Q5. My organization has personnel who have sufficient technical expertise to be able to identify and resolve data breaches involving the unauthorized access, loss or theft of patient data. | 49% | 45% | 45% | 42%
Q6. Our organization's security budget is sufficient to curtail or minimize data breach incidents. | 33% | 34% | |
Q7. My organization has personnel who are knowledgeable about HITECH and states' data breach notification laws. | 46% | 44% | |

Part 3: Data Breach

Q8. Has your department suffered a data breach involving the loss or theft of patient data in the past two years as defined above? | 2013 Pct% | 2012 Pct% | 2011 Pct% | 2010 Pct%
No | 10% | 6% | 4% | 14%
Yes, 1 incident | 16% | 16% | 17% | 26%
Yes, 2 to 5 incidents | 36% | 33% | 33% | 31%
Yes, more than 5 incidents | 38% | 45% | 46% | 29%
Total | 100% | 100% | 100% | 100%
Extrapolated average number of data breaches for the sample | 3.70 | 4.00 | 4.08 | 3.09
Extrapolated total number of data breaches for the sample | 337 | 320 | 294 | 201

Q9. How confident are you that your organization has the ability to detect all patient data loss or theft? | 2013 Pct% | 2012 Pct% | 2011 Pct% | 2010 Pct%
Very confident | 15% | 13% | 12% | 11%
Confident | 38% | 33% | 31% | 31%
Little confidence | 29% | 31% | 33% | 35%
No confidence | 18% | 23% | 24% | 23%
Total | 100% | 100% | 100% | 100%

Q10. Two separate data breach incidents over the past two years. | FY 2013 | FY 2012 | FY 2011 | FY 2010
Number of incidents reported | 337 | 320 | 294 | 201
Number of observed incidents used in the analysis of Q10 | 169 | 156 | 138 | 157
Q10a. Approximate number of compromised records | FY 2013 | FY 2012 | FY 2011 | FY 2010
< 10 | 0% | | |
10 to 100 | 49% | 38% | 42% | 61%
101 to 1,000 | 25% | 28% | 25% | 20%
1,001 to 5,000 | 16% | 21% | 19% | 12%
5,001 to 10,000 | 8% | 11% | 12% | 5%
10,001 to 100,000 | 2% | 3% | 2% | 2%
> 100,000 | 0% | 0% | 0% | 1%
Total | 100% | 100% | 100% | 100%
Extrapolated average number of lost or stolen records over two years | 2,150 | 2,769 | 2,575 | 1,769

Q10b. Nature of the incident | FY 2013 | FY 2012 | FY 2011 | FY 2010
Unintentional employee action | 46% | 42% | 41% | 45%
Intentional non-malicious employee action | 8% | 8% | 9% | 10%
Technical systems glitch | 32% | 31% | 33% | 31%
Criminal attack | 40% | 33% | 30% | 20%
Malicious insider | 12% | 14% | 14% | 15%
Third-party snafu | 41% | 42% | 46% | 34%
Lost or stolen computing device | 49% | 46% | 49% | 41%
Total | 228% | 216% | 220% | 197%
*More than one selection is permitted

Q10c. Type of device compromised or stolen | FY 2013 | FY 2012 | FY 2011 | FY 2010
Desktop or laptop | 30% | 38% | 43% |
Smartphone | 28% | 24% | 21% |
Tablet | 27% | 18% | 7% |
Notebook | 1% | 2% | 4% |
Server | 3% | 5% | 7% |
USB drive | 11% | 13% | 16% |
Total | 100% | 100% | 100% |

Q10d. Type of patient data lost or stolen | FY 2013 | FY 2012 | FY 2011 | FY 2010
Medical file | 46% | 48% | 47% |
Billing and insurance record | 49% | 48% | 49% |
Scheduling details | 20% | 19% | 25% |
Prescription details | 18% | 20% | 19% |
Payment details | 22% | 24% | 17% |
Monthly statements | 18% | 15% | 20% |
Other | 2% | 2% | 3% |
Total | 175% | 176% | 180% |
*More than one selection is permitted

Q10e. How the data breach was discovered | FY 2013 | FY 2012 | FY 2011 | FY 2010
Accidental | 26% | 26% | 28% | 21%
Loss prevention | 12% | 10% | 14% | 9%
Patient complaint | 35% | 36% | 35% | 41%
Law enforcement | 7% | 5% | 7% | 8%
Legal complaint | 19% | 26% | 20% | 19%
Employee detected | 46% | 47% | 51% | 47%
Audit/assessment | 58% | 52% | 43% | 41%
Total | 203% | 202% | 198% | 187%
*More than one selection is permitted
Q10f. Offer of protection services | FY 2013 | FY 2012 | FY 2011 | FY 2010
None offered | 70% | 65% | 65% |
Credit monitoring | 20% | 22% | 19% |
Other identity monitoring | 6% | 4% | 6% |
Insurance | 0% | 1% | 1% |
Identity restoration | 4% | 7% | 9% |
Financial incentives (i.e., gift cards) | 0% | | |
Other | 0% | 0% | 0% |
Total | 100% | 100% | 100% |
*More than one selection is permitted

Q11. What best describes the process for preventing and detecting data breach incidents in your organization today? Please select only one. | FY 2013 | FY 2012 | FY 2011 | FY 2010
An "ad hoc" process | 19% | 23% | 27% | 35%
Mostly a process that relies on policies and procedures | 29% | 28% | 29% | 23%
Mostly a process that relies on security technologies | 20% | 20% | 21% | 16%
A combination of manual procedures and security technologies | 29% | 24% | 19% | 20%
None of the above | 3% | 5% | 4% | 6%
Total | 100% | 100% | 100% | 100%

Q12. How confident are you that your organization has the ability to prevent or quickly detect patient data loss or theft? | FY 2013 | FY 2012* | FY 2011* | FY 2010*
Very confident | 13% | 13% | 12% | 11%
Confident | 32% | 33% | 31% | 31%
Somewhat confident | 34% | 31% | 33% | 35%
Not confident | 21% | 23% | 24% | 23%
Total | 100% | 100% | 100% | 100%
*Question was worded differently in prior studies

Q13. In your opinion (best guess), what best describes the lifetime economic value, on average, of one patient or customer to your organization? | FY 2013 | FY 2012 | FY 2011 | FY 2010
Less than $10,000 | 11% | 9% | 10% | 12%
$10,001 to $50,000 | 35% | 32% | 31% | 29%
$50,001 to $100,000 | 21% | 24% | 23% | 21%
$100,001 to $200,000 | 11% | 12% | 10% | 13%
$200,001 to $500,000 | 6% | 7% | 4% | 5%
$500,001 to $1 million | 2% | 3% | 3% | 3%
More than $1 million | 2% | 2% | 3% | 2%
Cannot determine | 12% | 11% | 16% | 15%
Total | 100% | 100% | 100% | 100%
Average lifetime value of one lost patient (customer) | $97,990 | $111,810 | $113,400 | $107,580
Q14. In your opinion (best guess), what best describes the economic impact of data breach incidents experienced by your organization over the past two years? | FY 2013 | FY 2012 | FY 2011 | FY 2010
Less than $10,000 | 5% | 3% | 5% | 4%
$10,001 to $50,000 | 3% | 1% | 2% | 1%
$50,001 to $100,000 | 4% | 3% | 3% | 4%
$100,001 to $200,000 | 10% | 8% | 8% | 11%
$200,001 to $500,000 | 26% | 23% | 26% | 25%
$500,001 to $1 million | 22% | 26% | 21% | 19%
More than $1 million | 25% | 31% | 30% | 29%
Cannot determine | 5% | 5% | 5% | 7%
Total | 100% | 100% | 100% | 100%
Average economic impact of data breach over the past two years | $1,973,895 | $2,390,270 | $2,243,700 | $2,060,174

Q15. In your opinion, what harms do patients actually suffer if their records are lost or stolen? | FY 2013 | FY 2012 | FY 2011 | FY 2010
Increased risk of financial identity theft | 60% | 61% | 59% | 56%
Increased risk of medical identity theft | 55% | 59% | 51% | 45%
Increased risk that personal health facts will be disclosed | 72% | 70% | 73% | 61%
None | 8% | 9% | 10% | 8%
Total | 195% | 199% | 193% | 170%

Q16a. Does your organization consult with third parties to determine if a data exposure incident requires notification under applicable federal and state regulations? | FY 2013 | FY 2012 | FY 2011 | FY 2010
Yes, we consult with outside legal counsel | 53% | | |
Yes, we consult with our cyber insurance carrier | 12% | | |
Yes, we consult with auditors | 15% | | |
Yes, we consult with privacy & data protection experts | 13% | | |
No, we determine this ourselves (internally) | 36% | | |
Total | 129% | | |

Q16b. If yes, how have these third parties changed the frequency of your organization's data breach notifications? | FY 2013 | FY 2012 | FY 2011 | FY 2010
We now report more breaches | 17% | | |
We now report fewer breaches | 12% | | |
We report about the same number of breaches | 71% | | |
Total | 100% | | |
Q17. Does your organization perform the following activities (Please check all that apply)? | FY 2013 | FY 2012 | FY 2011 | FY 2010
Annual or periodic privacy risk assessments | 18% | 16% | |
Annual or periodic security risk assessments | 51% | 48% | |
Incident response plan development and or test | 31% | 26% | |
Updated policies and procedures in response to regulatory changes | 46% | 47% | |
Annual or periodic HIPAA privacy and security awareness training of all staff | 63% | 56% | |
Vetting and monitoring of third parties, including business associates | 55% | 49% | |
Updating of agreements with business associates | 53% | 48% | |
Total | 317% | 290% | |

Q18. Is your EHR system in compliance with the HHS mandated requirements to protect patient privacy? | FY 2013 | FY 2012 | FY 2011 | FY 2010
Yes, fully | 28% | 22% | |
Partially | 33% | 29% | |
No | 14% | 19% | |
We don't use EHRs | 25% | 30% | |
Total | 100% | 100% | |

Q19. Is your organization a member of a Health Information Exchange (HIE)? | FY 2013 | FY 2012 | FY 2011 | FY 2010
Yes | 32% | 28% | |
We will become a member | 20% | 17% | |
We are considering membership | 15% | 20% | |
No, we do not plan to become a member of HIE | 33% | 35% | |
Total | 100% | 100% | |

Q20. What is your level of confidence as to the security and privacy of patient data shared on Health Information Exchanges? | FY 2013 | FY 2012 | FY 2011 | FY 2010
Very confident | 13% | 17% | |
Confident | 15% | 17% | |
Somewhat confident | 32% | 30% | |
Not confident | 40% | 36% | |
Total | 100% | 100% | |

Q21a. Has the HIPAA Final Omnibus Rule affected your organization’s patient data privacy and security programs? | FY 2013 | FY 2012 | FY 2011 | FY 2010
Yes | 44% | | |
No | 41% | | |
Too early to tell | 15% | | |
Total | 100% | | |
Q21b. If yes, how has the Final Rule changed your organization’s patient data privacy and security programs? Please select all that apply. | FY 2013 | FY 2012 | FY 2011 | FY 2010
Required an update to our policies and procedures | 36% | | |
Required certain third parties to strengthen their data privacy and security procedures | 21% | | |
Changed relationships with certain third parties | 28% | | |
Conducted employee training and awareness | 29% | | |
Conducted a risk assessment/risk analyses | 31% | | |
Purchased cyber insurance | 15% | | |
None of the above | 40% | | |
Total | 200% | | |

Q22. How confident are you that your organization’s business associates are appropriately safeguarding patient data as required under the Final Rule? | FY 2013 | FY 2012 | FY 2011 | FY 2010
Very confident | 13% | | |
Confident | 17% | | |
Somewhat confident | 31% | | |
Not confident | 39% | | |
Total | 100% | | |

Q23. How confident are you that your organization’s business associates would be able to detect, perform an incident risk assessment and notify your organization in the event of a data breach incident as required under your business associate agreement? | FY 2013 | FY 2012 | FY 2011 | FY 2010
Very confident | 11% | | |
Confident | 16% | | |
Somewhat confident | 33% | | |
Not confident | 40% | | |
Total | 100% | | |

Q24. In your opinion, which of the following business associates present the greatest risk to the privacy and security of patient data? Please select the top two. | FY 2013 | FY 2012 | FY 2011 | FY 2010
IT service provider | 75% | | |
Claims processor | 47% | | |
Data analysts | 8% | | |
Accounting services | 4% | | |
Legal services | 3% | | |
Consulting services | 6% | | |
Benefits management | 33% | | |
Pharmacy benefits manager (PBM) | 19% | | |
Other (please specify) | 5% | | |
Total | 200% | | |
Q25a. Does your organization conduct and document post incident risk assessments as required in the Final Rule? | FY 2013 | FY 2012 | FY 2011 | FY 2010
Yes, full compliance | 51% | | |
Yes, partial compliance (in-process) | 33% | | |
No | 16% | | |
Total | 100% | | |

Q25b. If yes, which one of the following choices best describes your process? | FY 2013 | FY 2012 | FY 2011 | FY 2010
An ad-hoc process | 23% | | |
A manual process or tool that was developed internally | 34% | | |
An automated process or software tool that was developed internally | 15% | | |
An automated process or software tool that was developed by a third party | 20% | | |
A free tool that was developed by an external entity or association | 8% | | |
Other (please specify) | 0% | | |
Total | 100% | | |

Q26a. How effective is your organization’s incident risk assessment process? | FY 2013 | FY 2012 | FY 2011 | FY 2010
Very effective | 21% | | |
Effective | 40% | | |
Not effective | 39% | | |
Total | 100% | | |

Q26b. If you selected not effective, what are your primary concerns? Please select all that apply. | FY 2013 | FY 2012 | FY 2011 | FY 2010
Lack of consistency in the outcomes of the incident risk assessment process | 79% | | |
Difficulty in using applications and tools | 23% | | |
Lack of scalability of the process | 48% | | |
Other (please specify) | 6% | | |
Total | 156% | | |

Q27a. How does the Affordable Care Act affect the privacy and security of patient information? | FY 2013 | FY 2012 | FY 2011 | FY 2010
Significantly increases risk | 36% | | |
Increases risk | 33% | | |
No impact on risk | 13% | | |
Decreases risk | 6% | | |
Significantly decreases risk | 7% | | |
Cannot determine | 5% | | |
Total | 100% | | |
Q27b. If you believe the risk to patient information increases, what are your primary concerns? Please select all that apply. | FY 2013 | FY 2012 | FY 2011 | FY 2010
Patient registration on insecure websites | 63% | | |
Patient data on insecure databases | 65% | | |
Insecure exchange of patient information between healthcare providers and government | 75% | | |
Other (please specify) | 2% | | |
Total | 205% | | |

Q28a. Is your organization part of an Accountable Care Organization (ACO)? | FY 2013 | FY 2012 | FY 2011 | FY 2010
Yes | 51% | | |
No | 49% | | |
Total | 100% | | |

Q28b. If yes, are you finding increased patient privacy and security risks with the exchange of patient health information among participants? | FY 2013 | FY 2012 | FY 2011 | FY 2010
Yes | 66% | | |
No | 34% | | |
Total | 100% | | |

Q28c. If yes, has your organization experienced changes in the number of unauthorized disclosures of PHI? | FY 2013 | FY 2012 | FY 2011 | FY 2010
Yes, we noticed an increase | 23% | | |
Yes, we noticed a decrease | 3% | | |
No, we have not noticed any changes | 33% | | |
Too early to tell | 41% | | |
Total | 100% | | |

Q29a. What best describes your organization’s state of compliance with the Accounting of Disclosures requirement? Please select only one. | FY 2013 | FY 2012 | FY 2011 | FY 2010
We are in full compliance | 25% | | |
We are nearly in full compliance | 23% | | |
We are not near full compliance | 38% | | |
We are not taking steps to be in compliance | 7% | | |
Unsure | 7% | | |
Total | 100% | | |

Q29b. If your organization is in full or near full compliance with the Accounting of Disclosures requirement, how is this achieved? Please select only one. | FY 2013 | FY 2012 | FY 2011 | FY 2010
An ad-hoc process | 31% | | |
A paper-based process or tool that was developed internally | 27% | | |
A software-based process or tool that was developed internally | 27% | | |
A software-based process or tool that was developed by a third party | 15% | | |
Total | 100% | | |
Q30a. Does your organization permit employees and medical staff to use their own mobile devices such as smart phones or tablets to connect to your organization’s networks or enterprise systems (such as email)? | FY 2013 | FY 2012 | FY 2011 | FY 2010
Yes | 88% | 81% | |
No | 12% | 19% | |
Total | 100% | 100% | |

Q30b. If yes, approximately what percentage of your organization’s employees (including part-time and contract employees) use their personally owned mobile device such as a smartphone or tablet? | FY 2013 | FY 2012 | FY 2011 | FY 2010
Less than 10% | 5% | 5% | |
10 to 25% | 9% | 11% | |
26 to 50% | 26% | 35% | |
51 to 75% | 30% | 21% | |
More than 75% | 30% | 28% | |
Total | 100% | 100% | |
Extrapolated percentage use rate | 57% | 53% | |

Q30c. If yes, how does your organization ensure these personally owned mobile devices are secure enough to connect to your organization’s network or enterprise systems? Please select all that apply. | FY 2013 | FY 2012 | FY 2011 | FY 2010
Scan devices for viruses and malware prior to connection | 22% | 21% | |
Scan devices and remove all mobile apps that present a security threat prior to connection | 14% | 16% | |
Scan devices for viruses and malware while they are connected | 36% | 40% | |
Require anti-virus/anti-malware software to reside on the mobile device prior to connection | 23% | 23% | |
Require user to read and sign an acceptable use policy prior to connection | 53% | 45% | |
Limit access from devices to critical systems including those that connect to PHI | 56% | 51% | |
Limit or restrict the download of PHI onto these devices | 44% | 38% | |
None of the above steps are done | 38% | 46% | |
Other (please specify) | 3% | 2% | |
Total | 289% | 282% | |

Q30d. If yes, how confident are you that the personally-owned mobile devices used in your organization are secure? | FY 2013 | FY 2012 | FY 2011 | FY 2010
Very confident | 9% | 9% | |
Confident | 17% | 16% | |
Somewhat confident | 23% | 21% | |
Not confident | 51% | 54% | |
Total | 100% | 100% | |
Q31. Does the scope of your organization’s IT security and/or data protection activities include the security of FDA-approved medical devices such as those attached or not attached to the patient (such as insulin pumps or medical imaging equipment)? | FY 2013 | FY 2012 | FY 2011 | FY 2010
Yes | 30% | 31% | |
No | 70% | 69% | |
Total | 100% | 100% | |

Q32. What best describes your organization’s use of cloud services? | FY 2013 | FY 2012 | FY 2011 | FY 2010
No use of cloud services (skip to Q37) | 8% | 9% | |
Light use of cloud services | 23% | 29% | |
Moderate use of cloud services | 29% | 30% | |
Heavy use of cloud services | 40% | 32% | |
Total | 100% | 100% | |

Q33. What cloud applications or services does your organization presently use? Please select all that apply. | FY 2013 | FY 2012 | FY 2011 | FY 2010
Peer-to-peer communications (such as Skype) | 39% | 35% | |
Social media applications (such as Facebook, LinkedIn, Twitter, etc.) | 25% | 26% | |
Business applications (such as SalesForce.com, webmail, HR, etc.) | 43% | 39% | |
Document sharing and collaboration (such as Dropbox, etc.) | 42% | 35% | |
Infrastructure applications (online backup, security, archiving, etc.) | 33% | 33% | |
Services such as identity management, payments, search and others | 29% | 28% | |
Solution stacks such as Java, PHP, Python, ColdFusion and others | 18% | 19% | |
Backup & storage | 45% | 41% | |
Other (please specify) | 3% | 2% | |
Total | 277% | 258% | |

Q34. What types of information does your organization process and/or store in a public cloud environment? Please select all that apply. | FY 2013 | FY 2012 | FY 2011 | FY 2010
Patient medical records | 28% | 26% | |
Patient billing information | 31% | 30% | |
Clinical trial and other research information | 4% | 5% | |
Employee information including payroll data | 44% | 41% | |
Administrative and scheduling information | 31% | 28% | |
Accounting and financial information | 49% | 46% | |
Email applications | 53% | 49% | |
Productivity applications | 49% | 46% | |
None of the above | 34% | 37% | |
Other (please specify) | 3% | 2% | |
Total | 326% | 310% | |
Q35. What types of information does your organization consider too sensitive to be processed and/or stored in a public cloud environment? Please select all that apply. | FY 2013 | FY 2012 | FY 2011 | FY 2010
Patient medical records | 52% | 56% | |
Patient billing information | 50% | 51% | |
Clinical trial and other research information | 44% | 37% | |
Employee information including payroll data | 31% | 34% | |
Administrative and scheduling information | 25% | 29% | |
Accounting and financial information | 32% | 33% | |
Email applications | 12% | 15% | |
Productivity applications | 13% | 18% | |
None of the above | 34% | 35% | |
Other (please specify) | 2% | 2% | |
Total | 295% | 310% | |

Q36. How confident are you that information in a public cloud environment is secure? | FY 2013 | FY 2012 | FY 2011 | FY 2010
Very confident | 12% | 11% | |
Confident | 21% | 19% | |
Somewhat confident | 21% | 23% | |
Not confident | 46% | 47% | |
Total | 100% | 100% | |

Q37. What best describes your organization’s privacy and security functions? Please select only one. | FY 2013 | FY 2012 | FY 2011 | FY 2010
Privacy and security functions are completely separate | 30% | | |
Privacy and security functions overlap in some places (hybrid) | 51% | | |
Privacy and security functions are combined | 19% | | |
Total | 100% | | |

Q38. What security threats is your organization most concerned about? Select the top three. | FY 2013 | FY 2012 | FY 2011 | FY 2010
Employee-owned mobile devices or BYOD | 34% | | |
Mobile device insecurity | 40% | | |
Use of public cloud services | 41% | | |
Insecure medical devices | 5% | | |
Employee negligence | 75% | | |
Malicious insiders | 13% | | |
Cyber attackers | 39% | | |
Identity thieves | 12% | | |
Insecure mobile apps (eHealth) | 23% | | |
System failures | 16% | | |
Other (please specify) | 2% | | |
Total | 300% | | |
For more information about this study, please contact Ponemon Institute by sending an
email to research@ponemon.org or calling our toll free line at 1.800.887.3118.
Ponemon Institute
Advancing Responsible Information Management
Ponemon Institute is dedicated to independent research and education that advances responsible
information and privacy management practices within business and government. Our mission is to conduct
high quality, empirical studies on critical issues affecting the management and security of sensitive
information about people and organizations.
As a member of the Council of American Survey Research Organizations (CASRO), we uphold strict
data confidentiality, privacy and ethical research standards. We do not collect any personally identifiable
information from individuals (or company identifiable information in our business research). Furthermore, we
have strict quality standards to ensure that subjects are not asked extraneous, irrelevant or improper
questions.