Hospital data breaches accounted for approximately 30 percent of the large data security incidents reported to OCR from 2009 to 2016, according to a study published in the American Journal of Managed Care (AJMC).
Hospital breaches also affected the largest number of individuals, found the research team led by Meghan Hufstader Gabriel, PhD, University of Central Florida.
The study counted 215 breaches affecting 500 or more individuals during the research period, 185 of them at nonfederal acute care hospitals. Thirty hospitals had multiple breaches in that time: 24 hospitals had two breaches, five reported three, and one hospital had four.
“Even with sophisticated health information technology (IT) systems in place, security breaches continue to affect hundreds of hospitals and compromise thousands of patients’ data,” the researchers wrote. “This gives cause to believe that other hospital factors, such as area characteristics, region, bed size, health system membership, hospital type, hospital governance, and market concentration, may play a vital role in breach risk.”
Paper files and films were the most common location of the reported breaches. Network servers were the least common breach location, but server incidents affected the most patients overall, since a single compromised server can expose every record it holds.
The research team found significant differences between hospitals that had at least one breach during the review period and those that had none. Teaching hospitals and pediatric hospitals were overrepresented among breached hospitals.
Teaching hospitals made up 18 percent of the hospitals that reported a breach but only 3 percent of those that did not. Pediatric hospitals accounted for 6 percent of breached hospitals versus 2 percent of hospitals without a breach.
Investor-owned (for-profit) hospitals and other specialty hospitals were less likely to have had at least one breach, the study found.
Researchers explained that computers are a common source of breaches because generic, shared usernames and passwords make them easy to access: anyone who knows the unit's login can reach whatever is stored on the machine, and the shared account leaves no record of who did so.
“Hospital unit computers are easy targets because they contain patient and staff information, such as referral letters, nursing reports, patient charts, audits, handovers, and staff sick leave lists, directly on the desktop,” the research team said.
Two-factor authentication can be a good way to strengthen data security, the researchers suggested, for example by combining a username and password with a biometric factor (e.g., fingerprint, gesture, or voice recognition). A second factor only helps if it is tied to an individual, however: if a unit computer still runs under one generic account that every staff member unlocks, the biometric adds little to access control or accountability.
“Given that the most common location of breaches in a hospital is currently paper files/films, the addition of biometric technology is not likely to impact this number,” the researchers wrote. “However, as the diffusion of EHR technology continues in the United States and cyber threats become more prevalent, these hard-copy breaches will presumably continue to be minimized as long as necessary security policies are upheld and security audits are practiced.”
Access control must be a key consideration for hospitals as they design and implement IT security controls, the research team stressed. Citing a study on IT budgets, the researchers noted that organizations were spending nearly all of their IT budgets on complying with federal initiatives, with only about 5 percent going to security.
“Although there are more group/physician practices within the United States than hospitals, the overall number of individual patients treated, and who thus have data created and stored within the record system, is greater within hospitals,” researchers concluded.
“Routine audits required by cyber-insurance coverage may help healthcare facilities recognize, and repair, their vulnerabilities before a breach occurs. Accordingly, information security systems should be concurrently implemented alongside health information technologies.”
The AJMC study is very similar to one published in JAMA Internal Medicine in 2017. Researchers in that study also used OCR data and concluded that larger hospitals face a greater data breach risk.
Vanderbilt University researchers criticized that study, however, stressing the need for better health data breach statistics. Because data protection practices vary widely across organizations, they argued, claiming that larger facilities are at greater risk is not necessarily a fair or accurate conclusion.
“Though most organizations are capable of detecting lost devices (eg, laptops), other vulnerabilities (eg, snooping insiders, malware) can go unnoticed for long periods of time,” explained researchers Daniel Fabbri, PhD, Mark E. Frisse, MD, and Bradley Malin, PhD. “Moreover, the HHS data are biased because larger organizations inherently have a greater chance of reaching the 500 patient threshold than their smaller counterparts, and have more employees at risk for attacks.”
Healthcare organizations need better visibility into how breaches actually occur, the researchers said, because they cannot defend sensitive data against threats they cannot see.
The government, the healthcare industry, and the research community all need to account for a wider range of threats, including insider threats and outside cyber attacks, the researchers concluded. A more comprehensive approach to data security will help prevent future breaches.