Today @IBMHealthcare tweeted this …
… which linked to IBM’s Security Thought Leadership White Paper Healthcare Securing the healthcare enterprise: Taking action to strengthen cybersecurity in the healthcare industry (March 2015).
While I can’t comment on IBM’s business solutions “to strengthen cybersecurity in the healthcare industry,” I am surprised at the quality of information that IBM relies on to describe “the nature of today’s cyber attackers” to its potential customers.
For example, IBM presents a figure (reproduced below) and references a CNN Money report, Hospital network hacked, 4.5 million records stolen (August 18, 2014).
In fact, CNN is not the source for Figure 1. Another IBM publication, MSS Industry overview – Healthcare: Research and intelligence report (October 7, 2014) presents the same figure, and references “Chronology of Data Breaches Security Breaches 2005-Present, Privacy Rights Clearinghouse.” IBM seems to have generated Figure 1 by querying an API on the Privacy Rights Clearinghouse website.
I wonder why IBM does not use authoritative, readily available data on breaches of protected health information to make its business case and to educate the public.
For instance, a research letter (Liu, Musen & Chou, 2015) published recently in the Journal of the American Medical Association [1] described breaches of protected health information that had been reported from 2010 through 2013 by entities covered by the Health Insurance Portability and Accountability Act in the United States. Under the Health Information Technology for Economic and Clinical Health Act (2009), breaches involving the acquisition, access, use, or disclosure of protected health information and thus posing a significant risk to affected individuals must be reported.
Recently, we extended the original dataset of Liu et al. to include breaches of health information up to the present. Table 1 summarizes the number of incidents and victims of breaches of health information in the United States from January 2010 to August 2015, inclusive.
Notice the tremendous spike in the number of victims in 2015 – a dramatic development that IBM took no note of today.
Figure 2 depicts the distribution of victims/breach of health information as a series of boxplots.
We see that in seventy-five percent of all incidents, the number of victims/breach over the year has fallen consistently below 10^4 (10,000). A small number of incidents have involved 100,000 – 1,000,000 victims/breach, and an even smaller number have involved 1,000,000 – 10,000,000 victims/breach. Incidents involving more than 10,000,000 victims/breach made their first appearance in 2015.
In light of these dramatic developments, it’s a shame that IBM is relying on outdated information when it comes to educating the public and identifying potential solutions “to strengthen cybersecurity in the healthcare industry.”
1. Liu V, Musen MA, Chou T. Data Breaches of Protected Health Information in the United States. JAMA. 2015;313(14):1471-1473. doi:10.1001/jama.2015.2252.