Article

Study in the The American Journal of Managed Care® Takes a Closer Look at What Types of Hospitals Have Data Breaches

As major healthcare cyberattacks grab headlines, researchers report the common characteristics of US hospitals that experience these attacks. A more common but less visible problem is poor disposal of paper records and films, this study finds.

An estimated 16 million patient records were stolen in the United States in 2016, and last summer the British Health System was crippled by a ransomware attack. While we know these events are on the rise, what do we know about the hospitals that are vulnerable to these attacks?

A study in the new issue of The American Journal of Managed Care® took on this question, and found that while the network attacks in the headlines do affect millions of people, a more mundane problem—improper disposal or theft of paper records and patient films—happens more often, though fewer people are affected in each case.

Researchers led by Meghan Hufstader Gabriel, PhD, an assistant professor in the College of Health and Public Affairs at the University of Central Florida, uncovered these findings by systematically reviewing records from the Office of Civil Rights (OCR) in the US Department of Health and Human Services.

Gabriel, a former economist at the Office of the National Coordinator for Health Information Technology, and fellow researchers examined the data collected between October 2009 and July 2016. They studied nonfederal acute care hospitals.

While OCR tracks breaches affecting more than 500 people—and fines health systems over violations—it took Gabriel’s team to pore over the records and describe what kinds of hospitals are more (or less) likely to experience a breach.

Laptops emerged as a major source of data loss during the study period, far outstripping electronic health records (EHRs) in terms of numbers of breaches. There were 51 incidents of lost or stolen laptops affecting 380,699 people. By comparison, there were 19 EHR breaches affecting 44,805 people.

Network server breaches rarely occur, but when they do the effects are vast: 10 breaches in the study period affected 4.6 million people.

Among other findings:

  • During the 7-year study period, 215 breaches affecting 500 or more people took place in 185 nonfederal acute care hospitals; 30 hospitals had more than one breach, and one hospital had four breaches.
  • Teaching hospitals and pediatric hospitals were more likely to experience breaches.
  • Larger hospitals (more than 400 beds) were more likely to have breaches than small (less than 100 beds) or medium hospitals (100 to 399 beds).
  • Investor-owned hospitals (for-profit) were less likely to have a data breach.

The authors noted that hospitals were spending large amounts during 2009-2016 upgrading their information technology systems to meet EHR requirements, with less spent on security. The authors noted the shifting threats to healthcare systems—hackers are no longer interested in selling data, but threaten to shut down systems unless they are paid a ransom.

“Routine audits required by cyber-insurance coverage may help healthcare facilities recognize, and repair, their vulnerabilities before a breach occurs,” the authors conclude.

About The American Journal of Managed Care®:

The American Journal of Managed Care® (AJMC®) is a peer-reviewed, MEDLINE-indexed journal that keeps readers on the forefront of health policy by publishing research relevant to industry decision makers as they work to promote the efficient delivery of high-quality care. AJMC.com is the essential website for managed care professionals, distributing industry updates daily to leading stakeholders. Other titles in the AJMC® family include The American Journal of Accountable Care®, and two evidence-based series, Evidence-Based Oncology™ and Evidence-Based Diabetes Management™. These comprehensive offerings bring together stakeholder views from payers, providers, policymakers and other industry leaders in managed care. To order reprints of articles appearing in AJMC® publications, please contact Jeff Prescott at 609-716-7777, ext. 331.

Contacts:

AJMC® Media:

Theresa Burek, 609-716-7777

tburek@mjhassoc.com

or

Surabhi Verma

sverma@mjhassoc.com

Related Content
AJMC Managed Markets Network Logo
CH LogoCenter for Biosimilars Logo