What sense can we make of some statistics?

Here’s a useful example of why my eyes glaze over at times when trying to make sense of breach statistics.  Tim Smith of the Greenville News recently reported:

South Carolina state agencies and businesses over a three-year period reported dozens of computer security breaches that potentially could affect at least 410,000 people, a report obtained by GreenvilleOnline.com shows.

Much of that, according to a report by the state Department Consumer Affairs, came from healthcare organizations last year, which reported breaches affecting a possible 325,000 people.

The report does not include the most recent fiscal year, or the database theft earlier this year of almost 230,000 records from the Department of Health and Human Services, said Juliana Harris, spokeswoman for the agency.

So my first impression was that healthcare sector clearly accounts for the greatest percentage of records/individuals affected by reported breaches in South Carolina for the past three years.   But does it also represent the largest percentage of breaches? So I read on:

Of the 56 disclosures, the healthcare industry, such as hospitals, submitted nine notices affecting 340,000 residents. Government agencies submitted six breaches affecting 35,000 residents; financial organizations turned in 12 breach notices affecting almost 19,000 consumers; and other industries submitted 29 notices affecting about 17,000 residents, according to the data from Consumer Affairs.

Healthcare organizations alone reported 325,000 people impacted from three security breaches in 2011, according to the data.

Using the three-year timeframe, 9 out of 56 = 16% of reported breaches were from the healthcare sector, a statistic that is considerably higher than the 7% statistic reported in Verizon’s 2012 breach report. Verizon, however, notes that their cases from this sector may be under-represented as many healthcare sector entities would not turn to Verizon to investigate a breach.  SC’s 16% statistic is consistent, however, with the 15% all-time statistic for the healthcare sector from DataLossDB.org.

For 2011, however, healthcare sector breaches constituted 50% of all reported SC breaches (3 out of 6), while for DataLossDB.org, healthcare sector breaches constituted 18% of all 2011 breaches in that database. Frankly, I’m surprised South Carolina only got six breach reports in 2011 considering it was somewhat a “banner year” for breaches. Even though South Carolina does not require reporting to the state for breaches affecting fewer than 1,000, their report still seems surprisingly low to me.

But as importantly, we can’t really interpret SC’s statistics without knowing what percent of all entities the healthcare sector represents in South Carolina. If they represent 10% of all entities that might have to report breaches, then the 16% might indicate unusual trouble in the healthcare sector with respect to breaches. If, on the other hand, they represent 25% of all entities, then a 16% statistic reflects favorably on the sector.

Without additional information or context, interpreting statistics is often a puzzlement and is definitely not a task for the faint-hearted.

What seems clear, though, is that a lot of South Carolina consumers had their personal and/or health information compromised or put at risk  over the past three years and that healthcare entities that maintain huge databases may make desirable targets for corrupt insiders or hackers.  Verizon offers some suggestions for the healthcare sector. Their advice strikes me as sound.

And now if you’ll excuse me, I’m going to go put a cool towel over my eyes and forehead until the urge to make sense of statistics passes – for now, anyway.

 

About the author: Dissent