Almost every month, a new data breach hits another organization. Many of these involve sensitive patient data at hospitals and medical centers, highlighting the need for better security solutions within our healthcare systems.
A recent study provides insight into the type of data breaches hospitals face and which kinds of hospitals are most at risk.
Reported in the February issue of The American Journal of Managed Care, the study found that improper disposal or theft of paper records and patient films still happens more often than network attacks. However, much more data is exposed when a cyberattack or electronic data breach occurs.
"Even with sophisticated health information technology (IT) systems in place," the report noted, "security breaches continue to affect hundreds of hospitals and compromise thousands of patients' data."
The researchers, who analyzed data from a 7-year period from 2009 through 2016, pointed out that healthcare hackers no longer rely on just selling stolen data. Instead, many use "ransomware" tactics, shutting down systems until they are paid a ransom.
In May 2017, for example, a crippling ransomware hack hit the British Health System and many others. Dubbed WannaCry and WannaCrypt, the huge ransomware attack on May 12 hit hospitals, schools, government agencies, and organizations around the world, locking them out of their own systems and demanding ransom to be paid in Bitcoin.
Rare But Dangerous
Although this study found that healthcare network server breaches are relatively rare, their effects are vast when breaches do occur. Consider, for example, that the 10 breaches documented between 2009 and 2016 affected a whopping 4.6 million people.
Individual laptops also emerged in the study as a major source of data loss, "far outstripping electronic health records (EHRs) in terms of numbers of breaches. There were 51 incidents of lost or stolen laptops affecting 380,699 people. By comparison, there were 19 EHR breaches affecting 44,805 people."
Which Hospitals Are Most at Risk?
The researchers identified 215 breaches affecting 500 or more people over the 7-year study period.
Breaches occurred in 185 nonfederal acute care hospitals. Of those 185 hospitals, 30 suffered more than one breach, while one hospital experienced four separate breaches.
Teaching hospitals and pediatric hospitals were found to be more likely to experience breaches.
Large hospitals (with more than 400 beds) were found to be more likely to have breaches than small hospitals (with fewer than 100 beds) or medium hospitals (with 100 to 399 beds).
Investor-owned / for-profit hospitals proved less likely to have a data breach than nonprofit hospitals.
The authors noted that, during the 2009 to 2016 study period, hospitals spent considerable budgetary funds upgrading their IT systems to meet electronic health records (EHR) requirements. Much less was spent on security during that time, despite the fact that cybercrime has been growing more sophisticated over the past decade.
In conclusion, the researchers noted that the routine audits now required by cyber-insurance providers may help healthcare facilities recognize and repair their vulnerabilities before more breaches occur.
The research was led by Meghan Hufstader Gabriel, PhD, who is an assistant professor in the College of Health and Public Affairs at the University of Central Florida and a former economist at the Office of the National Coordinator for Health Information Technology.
Gabriel and her team systematically reviewed records from the Office of Civil Rights (OCR) in the US Department of Health and Human Services, including data collected at federal acute care hospitals between October 2009 and July 2016.
In addition to Dr. Gabriel, co-authors of the research included Alice Noblin, PhD, RHIA, CCS; Ashley Rutherford, PhD, MPH; Amanda Walden, MSHSA, RHIA, CHDA; and Kendall Cortelyou-Ward, PhD.