AJMC Study Finds Common Characteristics of Hospital Data Breaches

The study by the American Journal of Managed Care found teaching hospitals and pediatric hospitals are the most susceptible to data breaches.
Published: February 22, 2018

A recently published study by the American Journal of Managed Care reveals common characteristics found in hospitals where data breaches occurred.

According to the study, breach data from healthcare providers held by the Department of Health and Human Services’ Office for Civil Rights, covering breaches that affected 500 or more individuals from 2009 to 2016, were linked with hospital characteristics from the Health Information Management Systems Society and the American Hospital Association Health IT Supplement databases.

The study revealed hospitals are the most commonly breached type of healthcare provider, accounting for approximately 30 percent of all large healthcare security incidents reported to the Department of Health.

Over the seven-year time period, there were 216 data breaches reported by 185 non-federal acute care hospitals. Thirty hospitals experienced multiple breaches of 500 or more healthcare records. One hospital experienced two breaches, five hospitals experienced three breaches and 24 hospitals experienced two breaches, reports the HIPAA Journal.


In addition to hospitals experiencing the highest percentage of security breaches, those breaches also resulted in the exposure of the highest number of health records.

The study also found the most common locations of breached data were paper and film, occurring in 65 hospitals during the seven-year period.

While there has been a significant increase in malware and ransomware attacks as of late, network servers were the least common location for breaches between 2009 and 2016. While the least common, those breaches resulted in the highest number of stolen medical records.

The second most common location of breaches was data stored in locations other than paper, film, laptops, email, desktops, EHRs or network servers, accounting for 56 hospital breaches. The third most common was laptop breaches, which were reported by 51 hospitals.

What Types of Hospitals Experienced the Most Data Breaches?

The most susceptible to data breaches were teaching hospitals and pediatric hospitals. Eighteen percent of teaching hospitals experienced at least one data breach while six percent of pediatric hospitals also experienced a breach.

Larger hospitals (more than 400 beds) were found to be more prone to data breaches with 26 percent experiencing a breach. Investor-owned hospitals also experienced fewer breaches than not-for-profit hospitals. The threats to healthcare systems have also shifted from hackers interested in selling data to threatening to shut down systems unless paid a ransom.

The study did not find any significant difference based on the level of IT sophistication, biometric security use, health system membership, hospital region or area characteristics.

The authors noted that hospitals were spending large amounts during the seven-year timeframe upgrading their information technology systems to meet electronic health record requirements, with less spent on data security.

The researchers suggest the amount of money spent on security needs to increase if hospital data breaches are to be prevented. Security measures also need to be improved for paper and films to reduce the opportunity to access data, and hospitals should conduct regular audits to determine who is accessing personal health information.

The study also suggests access to PHI should be limited to the minimum necessary amount to allow employees to complete their work duties.

“Routine audits required by cyber-insurance coverage may help healthcare facilities recognize, and repair, their vulnerabilities before a breach occurs,” the authors conclude.
