Over the past few years, we’ve seen increased use of online platforms and mobile applications that allow us to engage directly with doctors and healthcare providers in a way consumers never have before, whether researching a medical condition, accessing test results or making an appointment with a doctor online. Unfortunately, as healthcare organizations rush to keep pace with the latest online technologies and services (eHealth), an array of vulnerabilities can be exposed, leaving consumers’ personal information susceptible to fraudulent activity if not addressed immediately.

While advances in online and mobile health services technology offer numerous benefits, including the potential for improved care and easier, more efficient patient management, they also bring heightened concerns regarding privacy and security. Medical and healthcare records contain a plethora of sensitive and private information that attackers can use to steal a patient’s identity or abuse medical prescriptions, or that they can sell on the black market at a going rate of $20 per record, a big jump compared to the $1 to $2 value of U.S. credit card numbers and CVV codes. Consumers are now taking notice of these threats and are understandably concerned about the security of their health records. Specifically, 56 percent report concerns about the theft of their health-related personal information or insurance credentials when using online services.

With healthcare data breaches on the rise—43 percent of breaches in 2013 were healthcare-related—it’s essential that privacy professionals within the industry understand the perceived risks of eHealth services and the security and privacy measures patients expect. Judging by the recent number of healthcare-related breaches, I don’t believe these concerns are going to be dismissed any time soon.

Already we’ve seen recent prominent healthcare breaches affect consumer and patient confidence in the industry. In fact, Internet-savvy users consider eHealth services riskier than other online activities—including email and, surprisingly, making financial transactions. These concerns translate directly into consumers’ hesitance to adopt new technologies: 64 percent cited privacy issues with accessing patient records online as a key eHealth concern. Equally concerning is an organization’s loss of customers’ trust and business after a security incident. As some of this year’s high-profile data breaches have shown, a security incident can have very real financial and reputational consequences for companies in every sector.

The question is, how can healthcare providers and organizations overcome these growing security and privacy concerns and put consumers at ease? From my experience, I believe there are three risk categories every privacy and security professional should focus on to address eHealth concerns and maintain consumer trust:

  • Third-Party Vulnerabilities

It can be difficult for healthcare organizations and their staff to protect themselves against breaches and privacy violations, because they collect and store a large amount of sensitive data. Add the increasingly complex data flows that often run through third-party vendors, and privacy professionals face another layer of complexity in their protective planning. While the use of third-party vendors can provide organizations significant cost savings, the rise of external support for healthcare organizations and their technology implementations creates a larger exposure window for potential security and privacy threats. To that end, a recent report from the Ponemon Institute found that two-thirds of healthcare breaches during the past 24 months originated with a third party or business associate.

To address this issue, prior to establishing a relationship with a third-party vendor, be sure to audit its security and privacy practices to determine whether the vendor is up to snuff. Providers should also repeat these audits on a semi-annual basis with all third-party vendors that have access to patient data. These audit protocols, and vendor adherence to them, will remain important as more healthcare organizations contract with third-party vendors to provide platforms for eHealth services, such as mobile phone and web applications. It’s worth highlighting that 69 percent of patients note the importance of adequate security safeguards for online health services, according to a recent Ponemon Institute study.

  • Employee Errors

Surprisingly, 93 percent of breaches exposing protected health information are caused by human error, with only seven percent caused by external IT incidents or hacking. Employees are on the front line of protecting patient data and should be equipped with the skills and knowledge they need to implement best practices. Similar to the audit function discussed above, healthcare organizations should conduct regular training sessions to review security and privacy procedures with employees and provide annual updates on industry regulations. In addition, providers should evaluate professional training programs for employees who handle patient data, for example by having employees trained through the IAPP’s privacy certification programs.

  • Insufficient Data Breach Response Plans

Unfortunately, today’s online ecosystem means the likelihood of a data breach is now higher than ever before. As with any crisis plan, companies can avoid customer churn after a breach by preparing a response plan in advance. It’s important that organizations have a formal data breach response plan in place to address an incident as it arises. This step is essential for the healthcare industry: organizations that experience a data breach are also at risk of violating hard-hitting consumer protection laws, including the Health Insurance Portability and Accountability Act (HIPAA), the HIPAA Omnibus Rule and the Health Information Technology for Economic and Clinical Health Act.

The biggest surprise, however, may be that last year, 39 percent of companies indicated they still had not developed a formal data breach plan even after experiencing a breach, according to the Ponemon Institute. In my experience, those same companies are not only spending more money to respond to data breaches, but they’re also losing customers, which in turn affects revenue. The Ponemon Institute found that more than 83 percent of patients indicated they would discontinue their relationship with a mobile health application or online health resource if that service experienced a data breach. By proactively creating an incident plan, conducting live exercises to rehearse response measures and updating the plan’s content and strategy as necessary, organizations can better manage data breach incidents and hope to maintain or regain patient and customer trust. In addition, proactive measures may help reduce the cost of a security incident, which EMC found to cost providers more than $1.6 billion a year.

Nowhere else in the information-security world does the cumulative impact of cyber-crime reach levels as potentially disastrous as in the healthcare field—especially with the increased use of eHealth services. While these technologies are valuable, consumer concern about the threat of identity theft is at an all-time high, meaning healthcare organizations need to up their game to maintain consumer confidence and put privacy concerns to rest. By addressing and communicating third-party vulnerabilities, running frequent internal education programs and having a data breach response plan in place, organizations can begin to diagnose and overcome the barriers to adopting and embracing eHealth services.

Written By

Michael Bruemmer, CIPP/US
