Ordinarily, disputes over whose data security is better are a bit of a snoozer for me. After all, if you’re not a security expert, much of it will fly right over your head, and that “non-expert” group definitely includes me. But in this case, I think the story is worth a closer look, as the study in question seems to include some questionable assumptions.
In this case, the flap began in June, when a group of researchers published a study in JAMA Internal Medicine which laid out analysis of HHS statistics on data breaches reported between late 2009 to 2016. In short, the analysis concluded that teaching hospitals and facilities with high bed counts were most at risk for breaches.
Not surprisingly, the study’s conclusions didn’t please everyone, particularly the teaching-and high-bed-count hospitals falling into its most risky category. In fact, one teaching hospitals’ researchers decided to strike back with a letter questioning the study’s methods.
In a letter to the journal editor, a group from Nashville-based Vanderbilt University suggested that the study methods might hold “inherent biases” against larger institutions. Since HHS only requires healthcare facilities to notify the agency after detecting a PHI breach affecting 500 or more patients, smaller, targeted attacks might fall under its radar, they argued.
In response, the authors behind the original study admitted that the with the reporting level for PHI intrusions starting at 500 patients, larger hospitals were likely to show up in the analysis more often. That being said, the researchers suggested, large hospitals could easily be a more appealing target for cybercriminals because they possess “a significant amount of protected health information.”
Now, I want to repeat that I’m an analyst, not a cybersecurity expert. Still, even given my limited knowledge of data security research, the JAMA study raises some questions for me, and the researchers’ response to Vanderbilt’s challenge even more so.
Okay, sure, the researchers behind the original JAMA piece admitted that the HHS 500-patient threshold for reporting PHI intrusions skewed the data. Fair enough. But then they started to, in my view at least, wander off the reservation.
Simply saying that teaching hospitals and hospitals with more beds were more susceptible to data breaches simply because they offer big targets strikes me as irresponsible. You can’t always predict who is going get robbed by how valuable the property is, and that includes when data is the property. (On a related note, did you know that older Toyotas are far more likely to get stolen than BMWs because it’s easier to resell the parts? When I read about that trend in Consumer Reports it blew my mind.)
Actually, the anecdotes I’ve heard suggests that the car analogy holds true for data assets — that your average, everyday cyber thief would rather steal data from a smaller, poorly-guarded healthcare organization then go up against the big guns that might be part of large hospitals’ security armament.
If nothing else, this little dispute strongly suggests that HHS should collect more detailed data breach information. (Yes, smaller health organizations aren’t going to like this, but let’s deal with those concerns in a different article.) Bottom line, if we’re going to look for data breach trends, we need to know a lot more than we do right now.