- Having greater access to healthcare data, which is common in larger hospitals and teaching-focused facilities, can create a higher data breach risk, according to a recent study published by JAMA Internal Medicine.
There is a “fundamental trade-off,” as broad health data access helps hospital quality improvement efforts, research needs, and education requirements, researchers noted. However, that increased data access can also make “zero breach” a more challenging task for those providers.
Researchers gathered information from HHS on reported data breaches from late 2009 to 2016. There were 257 reported data breaches in that time frame, occurring at 216 hospitals. Thirty-three of those hospitals were also breached at least twice, with more than one-third of the facilities classified as a major teaching hospital.
“Data breaches negatively impact patients and cause damage to the victim hospital,” lead author and assistant professor at the Johns Hopkins Carey Business School Ge Bai said in a statement. “To understand the risk of data breaches is the first step to manage it.”
As previously mentioned, facilities experiencing a data breach also tended to be larger. Specifically, the median number of beds at the breached facilities was 262, according to the study. For non-breached facilities, the median number of beds was 134.
Similarly, 37 percent of the breached organizations were major teaching facilities, while 9 percent of the non-breached hospitals were classified as the same.
“It is very challenging for hospitals to eliminate data breaches, since data access and sharing are crucial to improve the quality of care and advance research and education,” Bai explained. “More research is needed to identify effective and evidence-based data security practices to guide hospitals’ risk management efforts.”
HHS data also showed that Montefiore Medical Center and the University of Rochester Medical Center and Affiliates both had four reported data breaches between October 21, 2009 and December 25, 2016.
The Montefiore breaches were all classified as thefts, and potentially affected 53,715 individuals, according to the OCR data breach reporting tool.
The four reported incidents at the University of Rochester included two cases of lost portable electronic devices, one case of unauthorized access or disclosure, and one listed as “other.” A total of 7,425 individuals were possibly affected by those breaches, OCR stated.
The research published in JAMA stated that the violations exposed the information of at least 20,000 individuals at each of 24 of the 216 breached hospitals. Furthermore, more than 60,000 individuals were affected at each of six hospitals.
“The evolving landscape of breach activity, detection, management, and response requires hospitals to continuously evaluate their risks and apply best data security practices,” the research team concluded.
Healthcare data breaches have continued to increase in frequency, and can force covered entities to even suspend daily operations as they work to regain control over compromised networks.
The Workgroup for Electronic Data Interchange (WEDI) recently called for a culture change, saying that entities needed to utilize cybersecurity frameworks to better protect sensitive data.
Organizations must ensure that their healthcare cybersecurity measures appropriately match, WEDI explained in a paper, citing discussions from multi-stakeholder cybersecurity roundtables in November 2015 and April 2016.
“Despite heavy investment and implementation of health information technology (e.g. electronic health record systems, databases, registries, repositories, connected medical/personal devices and other software) organizations are increasingly vulnerable because they do not have sufficient cybersecurity resources, processes or encryption measures in place,” WEDI wrote.
Roundtable participants said that organizations must drive a cultural change in healthcare cybersecurity, starting with “raising awareness to educate stakeholders around the risk and cost of cyberattacks.”
Additionally, entities should “develop cybersecurity frameworks that provide a robust, forward‐facing roadmap to protect organizations in a changing environment.”
“Chronic underinvestment in cybersecurity has left many so exposed that they are unable to even detect cyberattacks when they occur,” the white paper explained. “While attackers may compromise an organization within a matter of seconds or minutes, it often takes many more weeks – if not months – before the breach is detected, damage is contained and defensive resources are deployed to prevent the same attack from happening again.”