An estimated 16 million patient records were stolen in the United States in 2016, and last summer the British health system was crippled by a ransomware attack. While we know these events are on the rise, what do we know about the hospitals that are vulnerable to these attacks?
A study in The American Journal of Managed Care took on this question, and found that while the network attacks in the headlines do affect millions of people, a more mundane problem – improper disposal or theft of paper records and patient films – happens more often, though fewer people are affected in each case.
Researchers led by Meghan Hufstader Gabriel, PhD, an assistant professor in the College of Health and Public Affairs at the University of Central Florida, uncovered these findings by systematically reviewing records from the Office of Civil Rights (OCR) in the US Department of Health and Human Services.
Gabriel, a former economist at the Office of the National Coordinator for Health Information Technology, and fellow researchers examined the data collected between October 2009 and July 2016. They studied nonfederal acute care hospitals.
While OCR tracks breaches affecting more than 500 people – and fines health systems over violations – it took Gabriel’s team to pore over the records and describe what kinds of hospitals are more (or less) likely to experience a breach.
Laptops emerged as a major source of data loss during the study period, far outstripping electronic health records (EHRs) in terms of numbers of breaches. There were 51 incidents of lost or stolen laptops affecting 380,699 people. By comparison, there were 19 EHR breaches affecting 44,805 people.
Network server breaches rarely occur, but when they do the effects are vast: 10 breaches in the study period affected 4.6 million people.
Among other findings:
- During the 7-year study period, 215 breaches affecting 500 or more people took place in 185 nonfederal acute care hospitals; 30 hospitals had more than one breach, and one hospital had four breaches.
- Teaching hospitals and pediatric hospitals were more likely to experience breaches.
- Larger hospitals (more than 400 beds) were more likely to have breaches than small (fewer than 100 beds) or medium hospitals (100 to 399 beds).
- Investor-owned hospitals (for-profit) were less likely to have a data breach.
The authors noted that hospitals spent heavily during 2009-2016 on upgrading their information technology systems to meet EHR requirements, with far less spent on security. They also noted that the threat to healthcare systems has shifted: rather than selling stolen data, hackers now threaten to shut down systems unless they are paid a ransom.
“Routine audits required by cyber-insurance coverage may help healthcare facilities recognize, and repair, their vulnerabilities before a breach occurs,” the authors conclude.