Tag Archives: lessons

Breakdowns of Healthcare Data Breaches

On the side, I’m working on a data-breach project with a specific focus on IT-related problems. A major part of any analysis I do is separating truth from hype, and hype is a major part of the reporting done on data breaches, particularly when the breaches are due to hacking or security issues. Using HHS data on healthcare-related breaches, the hype (OMG, when hackers strike!) is quickly separated from reality: how frequent hacking/IT security-related breaches are and what percentage of data breaches they make up. I use this as a starting point, because it allows the various parties to understand the issue at hand and develop a properly balanced risk-mitigation strategy (i.e., spend money where it counts).

At first glance, it is striking how consistent data breaches of healthcare data are (see below). One might think that data breaches are increasing, perhaps non-linearly due to reporting and how we magnify reports with our fears.



Furthermore, this consistency is found in cyber/IT/hacking-related breaches, an area where we might suspect an increasing number of incidents due to the rebirth of major hacking groups, cloud computing, and increasingly shared medical records. As the graphic below makes clear, a feared increase in cyber-related breaches is not the case.

Last, if we look at the breaches by type (and, here, it is useful to have the data in front of you and to manage the data to make proper analysis more insightful), we learn that improving record-handling procedures would lead to significant improvements, as it’s a combination of lost records and managing access to said records that leads to the most breaches. A more helpful analysis, which I’ve done, shows which attacks lead to the most records being breached (this is important for notification purposes and cost calculations, but not for how to prevent breaches from occurring), etc.

Deeper analysis of this data allows companies to properly insure data breaches, allocate rational/reasonable resources to mitigate the different types of breaches, and evolve their data handling and breach response policies over time.
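A sketch of the two views described above, incident frequency by breach type versus records exposed by breach type, plus the yearly share of hacking/IT reports. This is an added example, not the author's analysis or tooling; the column names and every row are constructed for illustration and say nothing about the real HHS figures.

```python
import csv
import io
from collections import Counter, defaultdict

# Constructed sample; the column names are assumptions modeled on a breach-report export.
SAMPLE = """Breach Submission Date,Type of Breach,Individuals Affected
03/14/2010,Theft,1200
07/02/2010,"Theft, Unauthorized Access/Disclosure",800
11/20/2010,Hacking/IT Incident,50000
02/09/2011,Loss,3000
05/30/2011,Theft,600
09/12/2011,Unauthorized Access/Disclosure,
10/01/2011,Improper Disposal,1500
12/05/2011,Hacking/IT Incident,20000
"""

HACKING = "Hacking/IT Incident"

def summarize(csv_text):
    by_year = defaultdict(Counter)  # year -> breach type -> number of reports
    records = Counter()             # breach type -> individuals affected
    totals = Counter()              # year -> number of reports
    for row in csv.DictReader(io.StringIO(csv_text)):
        year = int(row["Breach Submission Date"].rsplit("/", 1)[1])
        # One report can list several types; it is counted under each of them,
        # so per-type sums overlap and must not be added up into a grand total.
        types = [t.strip() for t in row["Type of Breach"].split(",") if t.strip()]
        affected = int(row["Individuals Affected"] or 0)  # blank means not reported
        totals[year] += 1
        for t in types:
            by_year[year][t] += 1
            records[t] += affected
    return by_year, records, totals

def incident_counts(by_year):
    """Reports per breach type across all years (the prevention view)."""
    return sum(by_year.values(), Counter())

def hacking_share(by_year, totals):
    """Percentage of each year's reports that list a hacking/IT incident."""
    return {y: round(100 * by_year[y][HACKING] / totals[y], 1) for y in sorted(totals)}

if __name__ == "__main__":
    by_year, records, totals = summarize(SAMPLE)
    print("by frequency:", incident_counts(by_year).most_common())
    print("by records:  ", records.most_common())  # the notification/cost view
    print("hacking % per year:", hacking_share(by_year, totals))
```

The two rankings can disagree, which is why the frequency view drives prevention spending while the records view drives notification and cost estimates.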

A couple notes:
* Data is courtesy of HHS. This does not include unreported breaches. Due to state-reporting requirements, reporting may be biased or of varying quality. The data could be normalized/adjusted/tweaked to provide a clearer picture, but the untouched data is useful in a few ways.

* Graphics and data handling are courtesy of Palantir Government software.

* If you or your company would like more detailed analysis, with this or other similar data, reach out to me (jasonkoepke a gmail . com).

Things I Learned this Week

Among the things I learned this week:
* My Mom does not know my Dad’s email address. (Courtesy: Mom)

* Justice Thomas’ pro-anonymous free-speech position. (Courtesy: NYer)

* Twin Cities Review of Political Philosophy, a student-run political philosophy journal, made its debut. (Courtesy: SD)

* The Welcome to Detroit project has re-started, and it could be very good. (Courtesy: Ursprung Collective)

Things I Learned this Week

Among the things I learned this week:

* Shakespeare became popular after a publisher disregarded copyright agreements and moved to sell his works for dirt cheap. (Courtesy: Harper’s)

* The tremendous drop in labor share–how much labor is needed to cover the labor costs of doing business–during the past few years and its longer decline. (Courtesy: The Big Picture)

* What it’s like to be in an earthquake. (Courtesy: Personal experience)

* Once you’ve been in a demolition derby, you never watch one the same way. (Courtesy: Personal experience)