Study in The American Journal of Managed Care® Takes a Closer Look at What Types of Hospitals Have Data Breaches
February 19 2018 - 11:47AM
Business Wire
As major healthcare cyberattacks grab headlines, researchers
report the common characteristics of US hospitals that experience
these attacks. A more common but less visible problem is poor
disposal of paper records and films, this study finds.
An estimated 16 million patient records were stolen in the
United States in 2016, and last summer the British Health System
was crippled by a ransomware attack. While we know these events are
on the rise, what do we know about the hospitals that are
vulnerable to these attacks?
A study in the new issue of The American Journal of Managed
Care® took on this question, and found that while the network
attacks in the headlines do affect millions of people, a more
mundane problem—improper disposal or theft of paper records and
patient films—happens more often, though fewer people are affected
in each case.
Researchers led by Meghan Hufstader Gabriel, PhD, an assistant
professor in the College of Health and Public Affairs at the
University of Central Florida, uncovered these findings by
systematically reviewing records from the Office of Civil Rights
(OCR) in the US Department of Health and Human Services.
Gabriel, a former economist at the Office of the National
Coordinator for Health Information Technology, and fellow
researchers examined the data collected between October 2009 and
July 2016. They studied nonfederal acute care hospitals.
While OCR tracks breaches affecting more than 500 people—and
fines health systems over violations—it took Gabriel’s team to pore
over the records and describe what kinds of hospitals are more (or
less) likely to experience a breach.
Laptops emerged as a major source of data loss during the study
period, far outstripping electronic health records (EHRs) in terms
of numbers of breaches. There were 51 incidents of lost or stolen
laptops affecting 380,699 people. By comparison, there were 19 EHR
breaches affecting 44,805 people.
Network server breaches rarely occur, but when they do the
effects are vast: 10 breaches in the study period affected 4.6
million people.
Among other findings:
- During the 7-year study period, 215
breaches affecting 500 or more people took place in 185 nonfederal
acute care hospitals; 30 hospitals had more than one breach, and
one hospital had four breaches.
- Teaching hospitals and pediatric
hospitals were more likely to experience breaches.
- Larger hospitals (more than 400 beds)
were more likely to have breaches than small (less than 100 beds)
or medium hospitals (100 to 399 beds).
- Investor-owned hospitals (for-profit)
were less likely to have a data breach.
The authors noted that hospitals were spending large amounts
during 2009-2016 upgrading their information technology systems to
meet EHR requirements, with less spent on security. The authors
noted the shifting threats to healthcare systems—hackers are no
longer interested in selling data, but threaten to shut down
systems unless they are paid a ransom.
“Routine audits required by cyber-insurance coverage may help
healthcare facilities recognize, and repair, their vulnerabilities
before a breach occurs,” the authors conclude.
About The American Journal of Managed
Care®:
The American Journal of Managed Care® (AJMC®) is a
peer-reviewed, MEDLINE-indexed journal that keeps readers on the
forefront of health policy by publishing research relevant to
industry decision makers as they work to promote the efficient
delivery of high-quality care. AJMC.com is the essential website
for managed care professionals, distributing industry updates daily
to leading stakeholders. Other titles in the AJMC® family
include The American Journal of Accountable Care®, and two
evidence-based series, Evidence-Based Oncology™
and Evidence-Based Diabetes Management™. These comprehensive
offerings bring together stakeholder views from payers, providers,
policymakers and other industry leaders in managed care. To order
reprints of articles appearing in AJMC® publications,
please contact Jeff Prescott at 609-716-7777, ext. 331.
View source
version on businesswire.com: http://www.businesswire.com/news/home/20180219005395/en/
AJMC® Media:Theresa Burek,
609-325-4811tburek@mjhassoc.comorSurabhi
Vermasverma@mjhassoc.com