Over on Technology Liberation Front, Jim Harper responded to my post that asked what can we learn from the first year of HHS breach reports. He starts by taking me to task for seemingly glossing over what he sees as important considerations:
…. The post gives extremely light treatment to the possibility—indeed, the likelihood—of noncompliance with the regulations due to unawareness of breaches or judgments that reporting is more dangerous than not reporting.
I can forgive Jim for not being a regular reader of my blogs if he can forgive me for not repeating those possibilities in detail in every blog entry I write analyzing breach data. Unless someone has data suggesting that the healthcare sector is qualitatively different from other sectors when it comes to non-detection or willful non-reporting, simply acknowledging the issues should suffice when the purpose is a comparative analysis.
Jim also questions the value of conducting such analyses at all, suggesting that gross statistics do not help us understand the relationship between breaches and harm. He writes:
But one also must wonder . . . Why does this matter?
Data breach notification is the grown-up version of the schoolyard taunt: “Your epidermis is showing!”
This is the first year we’ve been able to start to gauge how much epidermis might be showing in the healthcare sector – even though we know it’s only the tip of the iceberg. Doesn’t it make sense to look at subtype patterns and consider whether they are comparable to what we’ve been seeing in other sectors for the past five years? And to the extent that we have learned anything from breach reports in other sectors, how does that compare to what we are learning in the healthcare sector?
I agree with Jim that “harm” is where the rubber meets the road. I think that breaches involving sensitive patient data are more likely to cause psychological harm and to potentially damage doctor-patient trust and relationships even when there may be no social or economic harm. We need to assess whether certain types of PHI-involved breaches are more damaging to trust than other types of breaches, and we need more data, not less, if we are to begin to understand the kinds of harm and risks of harm from healthcare sector breaches. Does more psychological harm accrue if dataset A is lost by the patient’s doctor than if it is lost by a pharmacy benefits management firm? I would guess that it does. Does more psychological harm accrue if the data are lost by a doctor because he left his laptop in the car than if the laptop was stolen from his locked office? I would guess that it does. Those are empirical questions that could start to be assessed via survey methodologies, but they do not diminish the need for breach notification analyses to assess the broader frequency and pattern of breaches in the healthcare sector.
Not analyzing data that you do have because you don’t yet have harm data to correlate with it is like saying that you won’t study the elephant in the room if you don’t already know which parts of the elephant are messing up your floor.