Report Suggests Augmented Security Following a Data Breach Contributes to Increase in Patient Mortality Rate

Share this article on:

Healthcare data breaches lead to a reduction in the quality of care provided to patients, according to a study recently published in Health Services Research.

Researchers analyzed data from Medicare Compare which details quality measures at hospitals. Data from 2012-2016 was analyzed and compared with data from the HHS’ Office for Civil Rights on data breaches of more than 500 records over the same period. The researchers analyzed data on 3,025 Medicare-certified hospitals, 311 of which had experienced a data breach.

According to the study, the time it took from a patient arriving at the hospital to an electrocardiogram being performed increased by up to 2.7 minutes at hospitals that had experienced a data breach. A ransomware attack that prevents clinicians from accessing patient data will limit their ability to provide essential medical services to patients, so a delay in conducting tests and obtaining the results is to be expected. However, the delays were found to continue for months and years after an cyberattack was experienced.

The study showed that 3-4 years after a breach had occurred there were still delays in providing electrocardiograms to patients. The waiting time for an electrocardiograms to patients was found to be up to 2 minutes longer than before the breach occurred.

Hospitals that experienced a data breach also saw an increase in the 30‐day acute myocardial infarction mortality rate. The mortality rate at breached hospitals increased by as much as 0.36%.

The increase in mortality rate has not been attributed to the cyberattack itself, as recovery is usually possible without a few days to a few weeks after a cyberattack. The researchers suggest the delays in providing medical services following a cyberattack is due to the steps hospitals have taken to improve the security of their systems and better protect patient data, along with the increased HHS oversight that occurs after a data breach is experienced. These factors can result in a deterioration in the timeliness of care and patient outcomes.

Following a cyberattack, hospitals augment their security controls to prevent further cyberattacks from succeeding. Those measures include multi-factor authentication, stronger passwords, and other security enhancements. While these additional measures improve the security posture of hospitals and make breaches less likely to occur in the future, they can also impede clinicians.

“Over the past few years, overall improvements in AMI treatment have resulted in the 30‐day AMI mortality rate decreasing about 0.4 percentage points annually from 2012 to 2014,” wrote the researchers. “A 0.23‐0.36 percentage point increase in 30‐day AMI mortality rate after a breach effectively erases a year’s worth of improvement in the mortality rate.”

The researchers suggest hospitals should carefully evaluate the security measures they implement to prevent further breaches to ensure they do not unduly impede clinicians and negatively affect patient outcomes.

The study – Data breach remediation efforts and their implications for hospital quality – was published in the October edition of Health Services Research: DOI: 10.1111/1475-6773.13203.

Author: HIPAA Journal

Share This Post On