Saturday, February 22, 2014

HHS Info for 2013

The human health services (HHS) publishes on its website the list of breaches that affected at least 500 people. This is a trove of information concerning the Health breaches.

For the year 2013, there are 217 breaches that either started or ended, totalling 7,636,544 records, an average of 35,191.45 records per breach. The minimum is 500 (the minimum to be publicly reported), the maximum 4,029,530 records. The first quartile is 1,127 records and the third 6,332 records.

The breach that resulted in 4,029,530 records compromised affected Advocate Health and Hospitals Corporation, d/b/a Advocate Medical Group and was due to the theft of a desktop machine.

The following graph shows the geographical distribution of these breaches, with green being the least and red the most. The "white" states reported no breach affecting more than 500 records for 2013, which doesn't mean there was none: either each breach affected less than 500 users or the breaches were not reported to the authorities, which would be a clear violation of HIPAA.

The five states with the highest number of breaches are California (23), Texas (17),  Florida (15), North Carolina (14) and Illinois (13). These five states represent 37.78% of all breaches.

In terms of number of records compromised, the map becomes

The five states with the most affected records are Illinois (4,112,982), California (940,541), New Jersey (852,953), Texas (781,771) and Indiana (218,084). These five states represent 90% of all compromised records. It is to be noted that Illinois inherits the title of "highest number of records compromised state" due to the "Advocate Health & Hospitals Corporation" breach.

The most cited cause for a breach is "Theft" and related, with 92 breaches or 42% of all breaches, totalling 5,923,705 records. Interestingly enough, all the "Hacking/IT Incidents" represents only 17 breaches, or a bit short of 8%, for a total of 532,230 records. The average number of records compromised through thievery is 64,388 and through IT Hacking 31,308.

There is already an interesting trend there: a breach is more likely to happen through a stolen device than through hacking and with more severe consequences. However, it is also important to keep in mind that the gigantic breach that affected more than 4 millions users drags that number way up. If it is removed, the average goes down to 20,815 records per breach on average, below the average for a breach resulting through IT Hacking.

Out of the 92 incidents that involved theft in a form of another, 52 of them mention that the location of the information was on a laptop, more than 56%. If we add to that the category "Other portable devices", the number rises to 57 (62%). On average, an incident involving the theft of a laptop resulted in the disclosure of 33,827 records. The maximum reported is 839,711 compromised records for such an event.

It is interesting to notice that these 52 incidents represents the vast majority of all the breaches involving laptops. The following graph shows the type of breach for all the events concerning a laptop.

Geographically, a breach through thievery happened 12 times in California (52% of all CA breaches), 8 times in Florida (53% of all FL breaches), 7 times in Texas (41% of all TX breaches), 6 times both in Ohio (55% of all OH breaches) and Georgia (55% of all GA breaches). It is interesting to notice that the proportion of breaches through theft amounts to half of the reported breaches, at least for the top 5.

But laptops and mobile devices are not the only ones susceptible to be stolen. These devices represent 57% of the stolen containers. The following graph shows the distribution for the non-laptop stolen devices/containers that led to a breach.

"Desktop Computer" and "Paper"represent the top two categories. There is no explanation on how these were stolen, but one could safely assume this resulted from a burglary or break-in.

But thievery is not the only cause of data breaches. The second most cited cause is "Unauthorized Access" with 58 occurences (27% of all breaches). All together, "Theft" and "Unauthorized Access" represent 69% of all breaches. From a number of records perspective, 435,880 records were breached due to improper access.

The location of the breached information changes dramatically: if the laptops were the main location in the thievery scenario, in the unauthorized access the most cited location is paper with 16 occurrences (28%), then E-mail and "Network Server",tied, with 11 occurrences (19%). A note: some reasons include multiple reasons, I counted them for each category.

'Unauthorized Access' happened predominantly in Florida (8 incidents), Montana and North Carolina (5 incidents each), in California (4 incidents) and in Texas, Puerto Rico, Oregon, North Carolina and Illinois with 3 incidents each. These 9 states are responsible for about 60% of this type of breach.

The "unauthorized access" on paper information accounts for 32% of all breaches involving paper documents. Unfortunately, the main reason is often described as "Other", which means that the details are not available in the HHS database.

The "type of breach" represents the issue that permitted the breach. Several rows include multiple reasons, such as "Theft, Other". It is possible to extract seven "major themes":

  • Improper Disposal
  • Theft 
  • Loss
  • Other 
  • Hacking/IT Incident 
  • Unauthorized Access/Disclosure
  • Unknown 
The following figure presents the number of occurrences of  each reason. A reason that includes multiple "simple" reasons will be counted for each category.

Clearly and as already described, "Theft" is biggest issue, then "Unauthorized Access/Disclosure." Unfortunately, the third one is "Other", which is not self explanatory. The "Hacking/IT Incident" comes fifth, between "Loss" and "Improper Disposal."

What can we conclude of this?

The Health industry ("HI") is still struggling with breaches, and more importantly, with "stupid" breaches such as theft and unauthorized access. Unfortunately, every time one happens, people's lives can be ruined. It is then of the uttermost importance that the HI gives the patient information the highest priority in terms of protection.

Almost a quarter of all breaches (in count or in number of affected individuals) results from the theft of a laptop. This is a lot! This points to the fact that some data is simply not meant to be carried on portable devices. However, it seems that the HI is still having difficulties with this concept. And this is not looking very promising in the light of the current BYOD craze...

This could be solved by adopting a number of simple rules, such as "if it touches the network of an hospital, it is encrypted. If it works for an hospital, it is encrypted. If it has an hospital in its client, it is encrypted." Yes, that means that lots of companies will have to invest in disk encryption technologies; I don't think this is a huge problem in 2014. This is more a no-brainer.