Monday, August 13, 2018

It Appears that Healthcare Data Breaches are More Common in Larger Facilities

According to a recent study that appeared in JAMA Internal Medicine, larger medical facilities are more likely to suffer from data breaches.
This makes a certain degree of sense. Larger institutions certainly have more patient data stored in the EHR (Electronic Health Record) and, therefore, make a more practical target for attackers. By going after larger databases, hackers can get more info per intrusion. Obviously, even in the world of data theft, economies of scale exist. There is also the matter of simple computer security. Larger organizations will have more computers, connected devices, etc. that need to be patched and kept updated with the latest security enhancements. One small door is all that is needed, and in big hospitals there are more “electronic doors” and therefore greater odds of finding a device to exploit. Then there is the matter of employees and security protocols. The sheer number of people with access to data means more opportunities for a phishing attack or any of a myriad of other things that might leave data exposed.
While I agree with the odds increasing as the amount of patient data increases, it should be noted here that data breaches, hacking, and ransomware are an all too frequent occurrence in small practices as well. My good friends at DDS Rescue tell me that their help is frequently required by customers that have either been locked out of their data by ransomware or by some type of malicious hacking break-in. These situations can happen to anyone. You need to be prepared, and DDS Rescue can help you with hacking incidents.
Here is an abbreviated version of the article:

As the adoption of electronic record and health information technology rapidly expands, hospitals and other health providers increasingly suffer from data breaches.[1] A data breach is an impermissible use or disclosure that compromises the security or privacy of the protected health information and is commonly caused by a malicious or criminal attack, system glitch, or human error.[2,3] Policy makers, hospital administrators, and the public are highly interested in reducing the incidence of data breaches. In this retrospective data analysis, we use data from the Department of Health and Human Services (HHS) to examine what type of hospitals face a higher risk of data breaches.

Under the Health Information Technology for Economic and Clinical Health Act of 2009, all health care providers covered by the Health Insurance Portability and Accountability Act must notify HHS of any breach of protected health information affecting 500 or more individuals within 60 days from the discovery of the breach. The Department of Health and Human Services publishes the submitted data breach incidents on its website, with the earliest submission date as October 21, 2009. We were able to link 141 acute care hospitals to their 2014 fiscal year Medicare cost reports filed with the Centers for Medicare and Medicaid Services (CMS). The unlinked hospitals include long-term care hospitals, Veterans Affairs and military hospitals, hospital systems, and hospitals unidentifiable in the CMS data set. We applied multivariable and regression analyses to compare these 141 hospitals with other acute care hospitals to understand what type of hospitals face a higher risk of breaches.[4] Statistical analysis was performed with SAS 9.4 (SAS Institute Inc) and STATA 14 (StataCorp LLC). For statistical analysis, t tests were used, and P < .05 was considered significant.

Between October 21, 2009, and December 31, 2016, 1798 data breaches were reported.[5] Among them, 1225 breaches were reported by health care providers and the remaining by business associates, health plans, or health care clearing houses. There were 257 breaches reported by 216 hospitals in the data, with a median (interquartile range [IQR]) of 1847 (872-4859) affected individuals per breach; 33 hospitals had been breached at least twice, many of which are large major teaching hospitals (Table 1). Table 2 lists hospitals with more than 20 000 total affected individuals. For the 141 acute care victim hospitals linked to their 2014 CMS cost reports, the median (IQR) number of beds was 262 (137-461) and 52 (37%) were major teaching hospitals. In contrast, among 2852 acute care hospitals not identified as having breaching incidents, the median (IQR) number of hospital beds was 134 (64-254), and 265 (9%) were major teaching hospitals. Hospital size and major teaching status were positively associated with the risk of data breaches (P < .001).

A fundamental trade-off exists between data security and data access. Broad access to health information, essential for hospitals’ quality improvement efforts and research and education needs, inevitably increases risks for data breaches and makes “zero breach” an extremely challenging objective. The evolving landscape of breach activity, detection, management, and response requires hospitals to continuously evaluate their risks and apply best data security practices. Despite the call for good data hygiene,[6] little evidence exists of the effectiveness of specific practices in hospitals. Identification of evidence-based effective data security practices should be made a research priority.

This study has 3 important limitations. First, data breaches affecting fewer than 500 individuals were not examined. Second, since each victim hospital was matched to CMS cost report based on the name and state, the matching might be incomplete or inaccurate for some hospitals. Finally, our analysis is limited to the hospital industry. Future studies that examine the characteristics of other types of health care entities that experienced data breaches are warranted.
