The following was originally posted to PHIprivacy.net. The carousel image for this post reflects 2011 statistics from DataLossDB and is used with permission. Note that healthcare sector breaches account for a smaller percentage of total breaches reported in 2011 compared to 2010 while business sector breaches account for a larger percentage of total breaches compared to last year – despite the fact that we have fewer resources for reports on business sector breaches this year. The following is a more detailed analysis.
To his credit, Dave Kennedy tried to analyze breaches based on Privacy Rights Clearinghouse data. PRC’s database begins with 2005 breaches and allows interested individuals to sort by year, breach type, and sector.
After pulling out the numbers for 2010 and 2011 to compare to previous years, Kennedy reports that healthcare was/is the most breached industry in 2011, a conclusion that Bill Brenner then cites in his column. Kennedy’s analysis, however, appears seriously flawed with respect to the reported healthcare sector breaches, so let’s dissect this a bit, starting where he writes:
Doing some analysis of breaches this year, the healthcare industry has experienced 170 breaches out of the total 480 for 2011. This is over double of any other industry that is listed within the privacyrights.org database. … Below is a bit of trending analysis on a per instance breach each year for the healthcare industry.
In the picture depicted above, there is a clear increase in healthcare related breaches in 2010 and 2011. (emphasis added by me)
While there is a clear increase in healthcare incidents that Privacy Rights Clearinghouse (PRC) learned about and included, Kennedy’s statement and mine are not equivalent.
Consider two possible explanations for the apparent increases in 2010 and 2011 for the healthcare sector that have nothing to do with an actual increase in breaches:
1. HITECH regulations now provide us with a publicly available listing of breaches in the healthcare sector for breaches affecting over 500 individuals. Since September 2009 when that went into effect, there have been 364 breaches reported on the government’s data breach tool. In reviewing the breaches reported on HHS’s breach tool, I have often found breaches that we otherwise would not have known about. Hence, reported breaches would be predictably higher in 2010 and 2011 than previous years.
2. In 2010, PRC began using my blogs as their primary source for updating their chronology. I had always reported many more breaches than PRC had reported for each of the preceding years and my special interest in healthcare sector breaches meant that for every year from 2006 forward, I was reporting more healthcare sector breaches than PRC or DataLossDB, (PRC’s main source until 2010). Hence, increases in 2010 and 2011 over earlier years are explainable, in part, to due to PRC now using PHIprivacy.net to fuel its chronology on healthcare sector.
The bottom line is that there is simply no way to directly compare healthcare breaches for 2010 and 2011 to previous years based on PRC’s chronology because of the difference in available resources. It’s also important to note that a subset of breaches coded as “Medical” sector are medical entity breaches that do not involve patient information or protected health information but involve employee data. The security of databases involving employee data are likely different than those involving patient data.
As a second concern, I disagree with any suggestion that healthcare sector breaches are “over double of any other industry,” even though Kennedy qualifies it by pointing to PRC’s database. That finding is inconsistent with other databases (e.g., DataLossDB.org) that suggest that the business sector is responsible for over 47% of reported breaches this year. Apart from the newly added resources increasing PRC’s healthcare sector numbers for 2010 and 2011, there has been a parallel decrease in resources for business sector breaches. Towards the end of 2010, the Maryland Attorney General’s Office stopped publicly posting breaches, as did the NYS Consumer Protection Board. Breaches reported to those entities were heavily from the business sector, and without their reports, all we have are significant underestimates of business sector breaches for 2010 and 2011 relative to previous years. So as healthcare sector reports have been more readily available, business sector reports became less available to us.
So folks, as I’ve repeatedly cautioned everyone for the past five years, we need to continue to be very cautious in any trend statements because from year to year, we’ve got apples and pears for each sector. That said, Kennedy offers some good advice on security that professionals should consider. The confounds in Kennedy’s analysis notwithstanding, George V. Hulme also provides a thoughtful interview with security pro Gunnar Peterson of Arctec Group on the complexity of security challenges facing the healthcare industry. I’d encourage everyone to read both articles for their advice.