IBM Healthcare Could Have Done Better Today

Today @IBMHealthcare tweeted this …

@IBMHealthcare Beyond the basics: Crafting an in-depth #healthcare #security strategy

… which linked to IBM’s Security Thought Leadership White Paper Healthcare Securing the healthcare enterprise: Taking action to strengthen cybersecurity in the healthcare industry (March 2015).

While I can’t comment on IBM’s business solutions “to strengthen cybersecurity in the healthcare industry,” I am surprised at the quality of information that IBM relies on to describe “the nature of today’s cyber attackers” to its potential customers.

For example, IBM presents a figure (reproduced below) and references a CNN Money report, Hospital network hacked, 4.5 million records stolen (August 18, 2014).

Figure 1. IBM’s leading source of data leaks in healthcare institutions

In fact, CNN is not the source for Figure 1. Another IBM publication, MSS Industry overview – Healthcare: Research and intelligence report (October 7, 2014) presents the same figure, and references “Chronology of Data Breaches Security Breaches 2005-Present, Privacy Rights Clearinghouse.” IBM seems to have generated Figure 1 by querying an API on the Privacy Rights Clearinghouse website.

I wonder why IBM does not use authoritative, readily available data on breaches of protected health information to make its business case and to educate the public.

For instance, a research letter (Liu, Musen & Chou, 2015) published recently in the Journal of the American Medical Association [1] described breaches of protected health information that had been reported from 2010 through 2013 by entities covered by the Health Insurance Portability and Accountability Act in the United States. Under the Health Information Technology for Economic and Clinical Health Act (2009), breaches involving the acquisition, access, use, or disclosure of protected health information, and thus posing a significant risk to affected individuals, must be reported.

Recently, we extended the original dataset of Liu et al. to include breaches of health information up to the present. Table 1 summarizes the number of incidents and victims of breaches of health information in the United States from January 2010 to August 2015, inclusive.

Table 1. Number of incidents and victims of breaches of health information, US 2010-2015. † 2015 data are for January – August inclusive only.

Notice the tremendous spike in the number of victims in 2015 – a dramatic development that IBM took no note of today.

Figure 2 depicts the distribution of victims/breach of health information as a series of boxplots.

Figure 2. Distribution of victims/incident (log scale) of breach of health information, U.S. 2010-2015. † 2015 data are for January – August inclusive only.

We see that in seventy-five percent of all incidents, the number of victims/breach in each year has fallen consistently below 10⁴ (10,000). A small number of incidents have involved 100,000 – 1,000,000 victims/breach, and an even smaller number have involved 1,000,000 – 10,000,000 victims/breach. Incidents involving more than 10,000,000 victims/breach made their first appearance in 2015.
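To make the summaries behind Table 1 and Figure 2 concrete, here is an added Python illustration (not code from the original post, and not the extended Liu et al. dataset) that takes a list of (year, victims) breach records, produces the per-year incident and victim counts of Table 1, and computes the quartiles of log10(victims) that a log-scale boxplot such as Figure 2 draws. The breach records below are constructed sample values chosen only to exercise the functions.

```python
"""Per-year breach summaries: incident counts, total victims, and the
quartiles of log10(victims) behind a log-scale boxplot.
Added illustration; the records below are constructed, not real reports."""
from collections import defaultdict
from math import log10
from statistics import quantiles

# Constructed sample of (year, victims) pairs; not actual breach reports.
SAMPLE_BREACHES = [
    (2010, 500), (2010, 2_300), (2010, 12_000), (2010, 850_000),
    (2011, 700), (2011, 4_900), (2011, 9_800), (2011, 1_900_000),
    (2012, 600), (2012, 3_100), (2012, 25_000), (2012, 300_000),
    (2013, 520), (2013, 1_100), (2013, 8_000), (2013, 4_000_000),
    (2014, 900), (2014, 6_500), (2014, 60_000), (2014, 4_500_000),
    (2015, 1_200), (2015, 7_000), (2015, 11_000_000), (2015, 78_000_000),
]


def summarise_by_year(records):
    """Return {year: {"incidents": n, "victims": total}} (Table 1 analogue)."""
    out = defaultdict(lambda: {"incidents": 0, "victims": 0})
    for year, victims in records:
        out[year]["incidents"] += 1
        out[year]["victims"] += victims
    return dict(out)


def boxplot_stats(records, year):
    """Quartiles of log10(victims) for one year: the Q1/median/Q3 box and
    the top whisker that a log-scale boxplot (Figure 2 analogue) draws."""
    values = sorted(log10(v) for y, v in records if y == year)
    q1, median, q3 = quantiles(values, n=4, method="inclusive")
    return {"q1": q1, "median": median, "q3": q3, "max": values[-1]}


def count_over(records, year, threshold):
    """Number of incidents in `year` with more than `threshold` victims,
    e.g. how many exceeded 10,000,000 victims/breach."""
    return sum(1 for y, v in records if y == year and v > threshold)


if __name__ == "__main__":
    for year, row in sorted(summarise_by_year(SAMPLE_BREACHES).items()):
        stats = boxplot_stats(SAMPLE_BREACHES, year)
        print(f"{year}: {row['incidents']} incidents, {row['victims']:,} victims, "
              f"Q3 = 10^{stats['q3']:.2f}, "
              f">10M: {count_over(SAMPLE_BREACHES, year, 10_000_000)}")
```

Reading Q3 on the log scale is the check the text makes: a Q3 below 4 means three quarters of that year's incidents stayed under 10⁴ victims, while `count_over` picks out the handful of incidents in the 10⁷-plus band.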


In light of these dramatic developments, it’s a shame that IBM is relying on outdated information when it comes to educating the public and identifying potential solutions “to strengthen cybersecurity in the healthcare industry.”


1. Liu V, Musen MA, Chou T. Data Breaches of Protected Health Information in the United States. JAMA. 2015;313(14):1471-1473. doi:10.1001/jama.2015.2252.