Is the Risk of Cyberattacks Really Increasing? Study Says No

The Department of Health and Human Services’ Office for Civil Rights breach portal lists all of the self-reported healthcare data breaches submitted by HIPAA covered entities, for all data-exposing security incidents, including hacks.

A look at the headlines would suggest hackers are gaining access to patient data with increasing regularity, as malicious attacks on healthcare networks are widely reported in the media. When hacking incidents do occur, they tend to be headline news as they often involve the exposure of vast quantities of data.  So far in 2015, multi-million-record data breaches have been suffered by a number of healthcare providers, health plans and Business Associates of covered entities, but is the risk of cyberattacks actually increasing?

A recent study conducted by the University of New Mexico’s Department of Computer Science suggests that despite a number of major healthcare cybersecurity breaches being reported in 2014 and 2015, the risk of cyberattacks occurring has actually changed very little over the past decade, and that we are perhaps not actually in as dire a situation as many would believe.

The study, recently published in Workshop on the Economics of Information Security, shows the risk of suffering a cyberattack has not actually changed much at all in the past decade. This is only one study of course. Others have been conducted that suggest there has actually been a rise in cyberattacks, although it does appear to depend on where the source data comes from, and the statistical method that is used to analyze data.

This study used a different data analysis technique known as Bayesian inference, which uses Bayes theorem. In short, probabilities are determined from posterior probability as a consequence of prior probability and a likelihood function; which is determined from a statistical analysis of observed data, in this case, data from Privacy Rights Clearinghouse, a Californian not-for-profit education and advocacy project. The researchers differentiated different types of data breaches: Those resulting from negligence, which were accidental, and those that were malicious and were caused with intent.

Using Bayesian inference, the researchers determined the risk of cyberattacks being suffered has changed little. Also, over the past decade, not only has the frequency of cyberattacks remained pretty much constant, the volume of records exposed in cyberattacks has similarly changed little across all industries.

The analysis showed that organizations are twice as likely to suffer data breaches caused by negligence as they are to suffer a deliberate cyberattack. According to the report, the risk of suffering a data breach due to the actions of a malicious outsider may not have changed much over the years, but the probability of such a data breach being suffered is actually very high. Organizations face a 98.2% chance that they will suffer such an attack that exposes the records of more than 5 million individuals in the next 3 years.

The take home message from the study, Hype and Heavy Tails: A Closer Look at Data Breaches, is therefore to put policies, procedures, and technology in place that limit the possibility of negligence resulting in a breach of data, and to implement physical, technical and administrative defenses to protect networks and data from hackers and other malicious outsiders. As it stands, the researchers determined that the cost of cyberattacks is likely to rise to $180 million over the next 3 years. Even if the probability of a cyberattack occurring hasn’t much changed over the past decade, the cost of dealing with those breaches when they do occur certainly has.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.