The Ponemon Institute just released their third annual "Benchmark Study on Patient Privacy & Data Security." Sponsored by IDexperts, the survey and report look at data breaches in the healthcare industry. As in years past, the report rings up some pretty impressive statistics. For instance, 94% of healthcare organizations had a data breach in the last year, and 45% had more than five data breaches.
Thinking about those numbers is pretty eye-opening. It should be noted that this report is not talking about small single practitioners; the study is made up of hospitals or clinics that are part of a healthcare network (46%), integrated delivery systems (36%) and standalone hospitals or clinics (18%). Whether smaller healthcare organizations would raise or lower the breach number is open to debate, I guess.
But even taking those numbers as true, the real number I have a problem with is Ponemon's estimate of $7 billion in losses that these data breaches cause. That's right, $7 billion. How does Ponemon arrive at this number? Best as I can tell, this number is reached by taking the average number of records lost in a breach (2,769) x a per-record cost (from other research conducted by the Ponemon Institute) of $194 x 5,754 total hospitals.
On top of that, I think promoting numbers like this, beyond the initial shock value of such a large number, hurts the security industry. At a time when CSOs and CISOs are fighting to take their place at the C-level discussion tables, promoting numbers that, while large, are hard to defend does us more harm than good. They wind up being viewed as justification for more toys and the latest gadgets that the security team wants budgeted.
Why don't I believe the $7 billion number? We are talking about health records here. PHI, or protected health information, is not exactly financial data or credit card info. I think for the most part, stolen MRI films or diabetic records are far less valuable than someone's bank account info. While medical records for the odd celebrity or sports pro might have a higher value, does anyone really put a high value on my stress test results? Yet 50% of all the breached data represents just that kind of information.
So while HIPAA and other regulations put fines in place for failing to maintain data security standards, convincing hospitals and other healthcare providers that stolen medical records are really a $7 billion problem becomes hard to defend. On top of this, the lack of widespread fines for data breaches from the authorities that enforce HIPAA doesn't help.
I was talking to my friend Tom Stamulis of Verizon Security just yesterday about this issue. First of all, Tom, as well as many other security pros, feels that HIPAA has become a regulation with no teeth. Without more enforcement (read that as fines and penalties imposed), it is hard to get organizations to take it more seriously. But more than that, Tom also feels that sitting at the C-level table with indefensible numbers is really counter-productive. Instead of the old FUD, security is at a mature-enough point where we should not have to rely on shock value to justify our existence.
I agree with Tom that we need better numbers. While $7 billion may catch some attention, trying to defend these numbers doesn't work long-term. At some level it almost desensitizes people when we keep throwing around such numbers.
I should also mention that the Ponemon Institute is not alone in such projections. In fact, Ponemon is pretty respected throughout the industry for some of the great research it has done. This time of year we will be seeing lots of year-end, state-of-security and data breach reports. Most of them will float out some pretty big numbers for the cost of breaches. But as an industry we would be wise to concentrate on the high frequency of breaches, while putting out costs of these breaches that are, if anything, conservative.
In fact, for me the big news in this report is that 94% of healthcare organizations reported breaches. The report rounds up some of the usual suspects like the cloud, BYOD and lost devices. I would like to see us go a level deeper. I don't believe the cloud is the reason for these breaches. With lost devices being such a big problem, where is the encryption? But all of this is fodder for another blog post.
We have a big problem with data breaches and I think most IT folks recognize this. We need to put more realistic numbers behind these breaches to give security folks more credibility when fighting for hard-won budget money.
As co-founder and Managing Partner at The CISO Group, Alan Shimel is responsible for driving the vision and mission of the company. The CISO Group offers security consulting and PCI compliance management for the payment card industry. Prior to The CISO Group, Alan was the Chief Strategy Officer at StillSecure. Shimel was the public persona of StillSecure as it grew from start up to helping defend some of the largest and most sensitive networks in the world.
Shimel is an often-cited personality in the technology community and is a sought-after speaker at industry and government conferences and events. His commentary about the state of security, open source and life is followed closely by many industry insiders via his blog and podcast, "Ashimmy, After All These Years" (www.ashimmy.com). Alan is now also a regular contributor to The CISO Group's security.exe blog and podcast.
Alan has helped build several successful technology companies by combining a strong business background with a deep knowledge of technology. His legal background, long experience in the field, and New York street smarts combine to form a unique personality.
Disclosure: The CISO Group sells a software-as-a-service PCI compliance application called SAQPro. The company is independent and does not represent any other vendor's products as a reseller.