Which Hospitals Are Most at Risk of Data Breaches?
May 3rd, 2017
BALTIMORE — When it comes to data security for patient information, hospitals might need to heal themselves, a new study suggests.
A research letter posted online by JAMA Internal Medicine details how almost 1,800 large data breaches of patient information (those affecting 500 or more individuals) occurred over a seven-year period. Most at risk were teaching hospitals and larger medical centers, according to the study led by Johns Hopkins Carey Business School researchers.
In the worst instance, two breaches at Advocate Health and Hospitals Corporation in Illinois compromised the records of more than 4 million individuals, the study authors noted, adding that, overall, hundreds of hospitals reported some type of data breach.
“Data breaches negatively impact patients and cause damage to the victim hospital. To understand the risk of data breaches is the first step to manage it,” explained lead author Ge Bai, PhD, CPA, an assistant professor at the Johns Hopkins Carey Business School in Baltimore. For purposes of the study, “data breach” was defined as “an impermissible use or disclosure that compromises the security or privacy of the protected health information and is commonly caused by a malicious or criminal attack, system glitch, or human error” — whether with electronic or paper-based information.
For the study, researchers analyzed breach reports from October 2009 to December 2016 compiled by the Department of Health and Human Services (HHS). Under the HIPAA Breach Notification Rule, a covered entity must notify HHS no later than 60 days after discovering any breach of protected health information that affects 500 or more individuals; smaller breaches do not appear in this data set.
Results indicate that 257 breaches were reported by 216 hospitals, and 33 hospitals reported multiple instances. Overall, most of the data security issues — 1,225 of the 1,798 recorded breaches — were reported by healthcare providers, while business associates, health plans, and healthcare clearinghouses reported the rest.
The research letter describes how two New York hospitals — Montefiore Medical Center and the University of Rochester Medical Center and Affiliates — experienced four data breaches each. Another four U.S. medical centers reported three data incursions each, the report states.
Of the 216 hospitals reporting breaches, 24 had a breach affecting at least 20,000 individuals, and six had a breach affecting 60,000 or more.
Overall, the results suggest that hospitals with breaches tended to be larger (an average of 262 beds vs. 134 for hospitals with no reported breach) and were more likely to be major teaching facilities (37% vs. 9%).
"Our findings underscore the critical need for increased data protection in the healthcare industry," said co-author Xuefeng "John" Jiang, PhD, Michigan State University associate professor of accounting. "While the law requires healthcare professionals and systems to cross-share patient data, the more people who can access data, the less secure it is."