Shostack + Friends Blog Archive


Fair Warning: I haven't read this report, but…

@pogowasright pointed to “HOW many patient privacy breaches per month?”:

As regular readers know, I tend to avoid blogging about commercial products and am leery about reporting results from studies that might be self-serving, but a new paper from FairWarning has some data that I think are worth mentioning here. In their report, they provide some baseline data on how many patient privacy breaches their clients were experiencing each month. Keeping in mind that many places already had some security and privacy protocols in place and that higher rates are more likely to create customers for them, here’s what they report for four clients that they say are representative cases from their client database of 300 clients:

I haven’t read the report yet, but what really excites me is that they tell us the population they’re monitoring. We can test two hypotheses:

  1. FairWarning customers buy because they know they’re more likely to make a mistake. (This would give us an interesting approximation of an upper bound for their customers, if their customers are capable of accurate self-assessment.)
  2. FairWarning customers are representative. This would be the case if people are unable to accurately assess their risk of a breach, which I think is the case.

Either way, knowing about the population allows us to learn a lot more than we otherwise could, and I commend FairWarning for including the number.

Update: I did give you fair warning. They say they have “over 300 customers.” That ‘over’ makes a big difference. The report also seems to define ‘privacy breach’ narrowly to be unauthorized peeking, and has a remarkably breathless style of promotion. The key message is that monitoring employee access to patient records and ensuring your employees know that they’re being monitored cuts down on peeking.
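The key message above (monitor employee access to patient records, and count the unauthorized peeks against the monitored population so the number has a denominator) is straightforward to demonstrate. The following is an added example written for this archive page; it is not code from the post, from FairWarning, or from their product. It assumes a hypothetical audit-log format (timestamp, client, user_id, patient_id, action), a hypothetical care-team table that records which staff have a legitimate treatment relationship with which patient, and constructed sample rows; an access with no such relationship is flagged as a candidate privacy breach and rolled up per client per month alongside the total number of accesses, which is the denominator the post is asking for.

```python
"""Peeking detector over EHR access-audit lines (added example, not the post's
or FairWarning's code). Log format and care-team table are assumptions."""
from collections import defaultdict
import csv
import io

# Constructed sample audit log (hypothetical format, not real data).
AUDIT_LOG = """\
timestamp,client,user_id,patient_id,action
2011-03-02T09:15:00,hospital_a,nurse_17,pt_1001,view
2011-03-02T09:20:00,hospital_a,nurse_17,pt_2002,view
2011-03-05T14:02:00,hospital_a,clerk_04,pt_3003,view
2011-03-07T08:45:00,hospital_b,dr_88,pt_4004,view
2011-04-01T11:30:00,hospital_a,nurse_17,pt_2002,view
2011-04-09T16:10:00,hospital_b,dr_88,pt_5005,view
"""

# Constructed care-team assignments: (client, user_id) -> patients the user
# has a legitimate treatment relationship with. Anything else is a peek.
CARE_TEAM = {
    ("hospital_a", "nurse_17"): {"pt_1001"},
    ("hospital_a", "clerk_04"): set(),
    ("hospital_b", "dr_88"): {"pt_4004", "pt_5005"},
}


def parse_audit_log(text):
    """Parse CSV audit lines into dicts keyed by the header row."""
    return list(csv.DictReader(io.StringIO(text)))


def is_authorized(row, care_team):
    """An access is authorized only if the user is on the patient's care team.
    Unknown users have no relationships at all, so they are never authorized."""
    allowed = care_team.get((row["client"], row["user_id"]), set())
    return row["patient_id"] in allowed


def flag_peeking(rows, care_team):
    """Return every access row that has no treatment relationship behind it."""
    return [r for r in rows if not is_authorized(r, care_team)]


def breaches_per_client_month(rows, care_team):
    """Roll up to (client, YYYY-MM) -> (flagged_accesses, total_accesses).

    Every client-month that appears in the log is reported, including those
    with zero flagged accesses, so rates can be computed against the whole
    monitored population rather than only against the clients that had peeks.
    """
    totals = defaultdict(lambda: [0, 0])
    for r in rows:
        key = (r["client"], r["timestamp"][:7])
        totals[key][1] += 1
        if not is_authorized(r, care_team):
            totals[key][0] += 1
    return {k: tuple(v) for k, v in totals.items()}


if __name__ == "__main__":
    rows = parse_audit_log(AUDIT_LOG)
    for r in flag_peeking(rows, CARE_TEAM):
        print("PEEK", r["timestamp"], r["client"], r["user_id"], r["patient_id"])
    for (client, month), (flagged, total) in sorted(
        breaches_per_client_month(rows, CARE_TEAM).items()
    ):
        print(f"{client} {month}: {flagged}/{total} accesses flagged")
```

The rollup deliberately keeps client-months with zero flags: a report that lists only the four clients with the most peeks, as the post worries, tells you nothing about the rate across the 300-plus monitored customers. Real deployments also need an exception path (emergency "break-the-glass" access, billing and quality-review roles) so that those legitimate accesses are reviewed rather than counted as breaches.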