A study recently published in JAMA Internal Medicine examined recent healthcare data breach trends to determine which types of hospitals are the most susceptible to data breaches.
The researchers analyzed breach reports submitted to the Department of Health and Human Services’ Office for Civil Rights between October 21, 2009 and December 31, 2016. During that time, 216 hospitals reported 257 breaches of more than 500 patient records.
33 hospitals experienced more than one data breach during that time frame. Four hospitals – Brigham and Women’s Hospital, Cook County Health & Hospitals System, Mount Sinai Medical Center and St. Vincent Hospital and Healthcare Inc – experienced three data breaches. Two hospitals – Montefiore Medical Center and University of Rochester Medical Center & Affiliates – experienced four data breaches.
The researchers determined the size of the acute care hospitals by linking the facilities to their Medicare cost reports submitted to the Centers for Medicare and Medicaid Services in the 2014 fiscal year. 141 acute care hospitals were linked to CMS cost reports. Unlinked hospitals included those run by the Department of Veterans Affairs, military hospitals, and long-term care hospitals.
The study revealed that larger hospitals were statistically more likely to experience a data breach. More than one third of hospitals (37%) that had experienced a data breach are classed as major teaching hospitals.
Linked hospitals had a median of 262 beds, while the 2852 acute care hospitals that had not reported a data breach had a median of 134 beds. 265 (9%) of those unbreached hospitals were major teaching hospitals.
The researchers found that both the size of hospitals and their teaching status were positively associated with the risk of experiencing data breaches.
The researchers used multivariable and regression analyses to compare the 141 linked acute care hospitals with other hospitals to determine why they faced a higher risk of experiencing data breaches.
The researchers suggest that larger hospitals and teaching hospitals experience more data breaches because they have broader access to sensitive patient data. The more individuals who require access to data, the greater the risk of data breaches occurring. The report suggests, “There is a fundamental trade-off between data security and data access.” Making data available to a greater number of individuals for research and education purposes makes “zero breach” an extremely challenging objective.
While investment in information technology such as EHRs has certainly made hospitals more efficient and has improved the provision of care to patients, it has also made security and privacy breaches more likely.
While many hospitals have invested heavily in cybersecurity defenses to reduce the risk of data breaches, the breach reports submitted to the Department of Health and Human Services’ Office for Civil Rights clearly show that healthcare data breaches are increasing in frequency.
The fast-evolving threat landscape requires hospitals to invest in cybersecurity defenses to mitigate data breach risk. Hospitals must also continuously evaluate data security risks and apply best data security practices to prevent breaches from occurring. However, it is difficult for hospitals to determine which technologies and best practices are the most effective at preventing data breaches.
Lead author of the study, Ge Bai, an assistant professor at Johns Hopkins Business School, said, “More research is needed to identify effective and evidence-based data security practices to guide hospitals’ risk management efforts.”