Claiming that larger healthcare facilities have a higher risk of experiencing a health data breach “neglects inherent biases in data collection and reporting practices,” according to a letter published in the Journal of the American Medical Association (JAMA).
Vanderbilt University researchers Daniel Fabbri, PhD, Mark E. Frisse, MD, and Bradley Malin, PhD, wrote a letter to the editor in response to a study published earlier in 2017. That previous study used reported breach data from HHS and claimed that having greater access to healthcare data (common in larger hospitals and teaching-focused facilities) could lead to greater breach risk.
The first study found that there were 257 reported data breaches occurring at 216 hospitals from late 2009 to 2016. Thirty-three of those hospitals were also breached at least twice, with more than one-third of the facilities classified as a major teaching hospital.
The median number of beds at the breached facilities was 262, while the median number of beds was 134 for non-breached facilities. Additionally, 37 percent of the breached organizations were major teaching facilities, with 9 percent of the non-breached hospitals being classified as the same.
However, the Vanderbilt researchers argued that attributing greater risk to larger facilities is not necessarily fair or accurate, because data protection and breach detection practices vary widely across organizations.
“Though most organizations are capable of detecting lost devices (eg, laptops), other vulnerabilities (eg, snooping insiders, malware) can go unnoticed for long periods of time,” the letter explained. “Moreover, the HHS data are biased because larger organizations inherently have a greater chance of reaching the 500 patient threshold than their smaller counterparts, and have more employees at risk for attacks.”
The research team added that focusing on large-scale health data breaches ignores smaller incidents, which are potentially more targeted events. Judging breaches by their size rather than by their impact can also distort how privacy and security risks are perceived.
“The gap between unreported and detected breaches is concerning for many reasons,” the trio maintained. “First, patient data are at risk of misuse. Second, the health care community risks using an incomplete data set to construct privacy and security policies and prioritize risk mitigation measures.”
Better visibility is necessary because organizations can only defend against the incidents they are able to see, the researchers concluded. The government, healthcare industry, and the research community have to “look beyond lost laptops and seriously consider insider threats, as well as cyber attacks emanating from beyond their institutions.”
Researchers from the original study, led by Ge Bai, PhD, CPA, an assistant professor at the Johns Hopkins Carey Business School, responded in their own letter to the editor.
The HHS-established threshold of 500 affected individuals for public data breach reporting does make it more likely that data breaches in large hospitals are identified, the team said, and their paper had acknowledged this.
“However, large hospitals possess a significant amount of protected health information (PHI),” the response letter read. “Combined with teaching hospitals’ needs for broad data access, this creates significant targets for cyber criminals compared with smaller institutions that might be the main reason for their relatively high risks of data breaches.”
The HITECH Act also requires covered entities to report all PHI data breaches to HHS, the researchers added, but incidents affecting fewer than 500 individuals are submitted only in an annual log and do not appear on the public breach portal.
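The threshold bias both letters refer to, namely that a larger organization is more likely to cross 500 affected individuals even when its incidents are no more frequent, can be made concrete with a toy model. The following is an added example, not code from either research team: it assumes every organization suffers incidents at the same per-organization rate, that each incident exposes a uniformly random fraction of that organization's patient records, and that only incidents at or above the 500-individual threshold reach the public data set. The record counts used are hypothetical.

```python
"""Toy model of the HHS 500-individual reporting threshold bias.

Assumptions (not from the page): incidents occur at the same rate at every
organization, and each incident exposes a uniformly random fraction of the
organization's patient records. Only incidents exposing at least
REPORT_THRESHOLD individuals are counted as publicly visible.
"""
import random

REPORT_THRESHOLD = 500  # HHS public-reporting threshold (individuals affected)


def reportable_probability(record_count: int, threshold: int = REPORT_THRESHOLD) -> float:
    """Analytic probability that a single incident is publicly reportable.

    exposed = U * record_count with U ~ Uniform(0, 1), so
    P(exposed >= threshold) = max(0, 1 - threshold / record_count).
    """
    if record_count <= 0:
        return 0.0
    return max(0.0, 1.0 - threshold / record_count)


def simulate(record_count: int, incidents: int, seed: int = 0,
             threshold: int = REPORT_THRESHOLD) -> tuple[int, int]:
    """Monte Carlo version: return (total incidents, reportable incidents)."""
    rng = random.Random(seed)
    reportable = 0
    for _ in range(incidents):
        exposed = int(rng.random() * record_count)  # records touched by one incident
        if exposed >= threshold:
            reportable += 1
    return incidents, reportable


def visible_share_by_size(sizes, incidents_per_org: int = 10_000, seed: int = 0) -> dict:
    """Fraction of incidents that would appear in the public data, per org size.

    The same number of incidents is assumed at every organization, so any
    difference in the visible share comes purely from the threshold.
    """
    shares = {}
    for n in sizes:
        total, reportable = simulate(n, incidents_per_org, seed)
        shares[n] = reportable / total
    return shares


if __name__ == "__main__":
    # Hypothetical patient-record counts for a small clinic, a community
    # hospital and a large teaching hospital (constructed, not from the page).
    for n, share in visible_share_by_size([400, 1_000, 5_000]).items():
        print(f"{n:>6} records: {share:.1%} of incidents publicly visible "
              f"(analytic {reportable_probability(n):.1%})")
```

Under these assumptions the 400-record organization never appears in the public data at all, while the 5,000-record organization shows up for roughly nine in ten of its incidents, despite identical underlying incident rates. Any real-world difference in per-record risk between small and large hospitals has to be estimated after correcting for this censoring, which is the Vanderbilt team's point.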
While it remains to be seen whether a healthcare provider’s size affects its likelihood of being breached, one of the biggest health data breaches so far in 2017 did take place at a larger facility.
Kentucky-based Med Center Health, which is part of the Commonwealth Health Corporation, currently has 30 entities and continues to grow, according to its website. The facility announced in 2017 that a former employee had accessed certain patient billing information without authorization.
The OCR data breach reporting tool lists 697,800 individuals as potentially affected.
“The evidence we have gathered to date suggests that the former employee intended to use these records to assist in the development of a computer-based tool for an outside business interest which had never been disclosed to Med Center Health officials,” Med Center Health explained in its letter, signed by CEO Connie Smith.
Billing information involved included patient names, addresses, Social Security numbers, health insurance information, diagnoses and procedure codes, and charges for medical services. However, patient medical records were not accessed.
“We sincerely apologize for any concern and inconvenience this incident may cause you,” the letter stated. “We continue to review the incident and to take steps aimed at preventing similar actions in the future. Those actions include re-enforcing education with our staff regarding our strict policies and procedures in maintaining the confidentiality of patient information.”