Over the course of a recent seven-year span, breaches at hospitals accounted for nearly one third of data security incidents reported to the U.S. Department of Health and Human Services' Office for Civil Rights (OCR).
An academic study (.PDF) published last week claims there were 215 data breaches, each affecting 500+ patients, at 185 different hospitals from 2009 to 2016.
The study, released by the American Journal of Managed Care (AJMC), combed through the OCR's data breach portal, where facilities are required under federal legislation to report breaches that impact 500 or more patients. The goal of the study was to identify what kind of data was targeted, the types of breaches that occur most often, and how susceptible facilities are, at least from an information technology/biometric standpoint, to being breached.
The quintet of academics who carried out the research, Meghan Hufstader Gabriel, PhD; Alice Noblin, PhD, RHIA, CCS; Ashley Rutherford, PhD, MPH; Amanda Walden, MSHSA, RHIA, CHDA; and Kendall Cortelyou-Ward, PhD, claim it's the first of its kind. Previous research has been published on data breach information reported to OCR, but none has drilled down to focus on pediatric, academic, and non-federal acute care hospitals, according to the paper's authors.
Over the last several years practically all non-federal acute care hospitals, 96 percent in 2015 according to the Office of the National Coordinator for Health Information Technology's Health IT Dashboard, have adopted EHR, or Electronic Health Record, technology.
Despite the near widespread adoption of EHR of late, breaches of paper records and film on file at facilities outnumbered network server breaches and affected 65 hospitals, according to the study. In most of those incidents, however, the number of patients ultimately affected was fairly low. In contrast, network server breaches impacted the highest number of patients: 4,613,858 at 10 hospitals. The next most damaging type of breach after network server breaches, theft, affected a quarter of that number: 1,161,476 records.
While the AJMC doesn't name any of the facilities, it's interesting to note that 30 of them, roughly 16 percent of the hospitals, had multiple breaches over the seven-year span. One hospital was even hit four times over the course of the research.
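The analysis the study describes, tallying incidents and affected individuals by breach type and location and spotting facilities breached more than once, is straightforward to reproduce against the OCR portal's CSV export. The script below is an added example, not code from the study or the AJMC; its rows are constructed and its column names follow the layout of the OCR breach portal export as an assumption, so adjust them if the export differs.

```python
"""Aggregate breach-portal style records and flag repeat facilities.

Added example. The sample rows are constructed, not the study's data, and the
column names assume the layout of the OCR breach portal CSV export.
"""
import csv
import io
from collections import defaultdict

# Constructed sample rows; every value here is made up for illustration.
SAMPLE_CSV = """Name of Covered Entity,State,Covered Entity Type,Individuals Affected,Breach Submission Date,Type of Breach,Location of Breached Information
Example Children's Hospital,XX,Healthcare Provider,1200,2014-03-02,Theft,Laptop
Example Children's Hospital,XX,Healthcare Provider,800,2015-07-19,Unauthorized Access/Disclosure,Paper/Films
Example Teaching Hospital,XX,Healthcare Provider,450000,2016-01-11,Hacking/IT Incident,Network Server
Example Teaching Hospital,XX,Healthcare Provider,600,2016-09-30,Loss,Paper/Films
Example Community Hospital,XX,Healthcare Provider,510,2013-05-05,Theft,Desktop Computer
Example Clinic,XX,Healthcare Provider,300,2012-02-14,Theft,Laptop
"""


def parse_records(text, min_affected=500):
    """Parse CSV text, keeping only breaches at or above the reporting threshold.

    The portal only lists breaches of 500+ individuals; the filter mirrors that
    rule so the sample clinic row (300 affected) is dropped.
    """
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        affected = int(row["Individuals Affected"])
        if affected >= min_affected:
            row["Individuals Affected"] = affected
            rows.append(row)
    return rows


def summarize_by(records, column):
    """Return {value: (incident_count, individuals_affected)} for one column.

    Use "Type of Breach" to compare theft vs. hacking, or
    "Location of Breached Information" to compare paper/film vs. network server.
    """
    counts = defaultdict(int)
    totals = defaultdict(int)
    for r in records:
        counts[r[column]] += 1
        totals[r[column]] += r["Individuals Affected"]
    return {k: (counts[k], totals[k]) for k in counts}


def repeat_facilities(records, threshold=2):
    """Return {facility: breach_count} for entities breached `threshold`+ times."""
    counts = defaultdict(int)
    for r in records:
        counts[r["Name of Covered Entity"]] += 1
    return {name: n for name, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    recs = parse_records(SAMPLE_CSV)
    by_location = summarize_by(recs, "Location of Breached Information")
    # Few incidents can still dominate the individuals-affected total.
    for loc, (n, total) in sorted(by_location.items(), key=lambda kv: -kv[1][1]):
        print(f"{loc:20s} incidents={n} individuals={total}")
    print("repeat facilities:", repeat_facilities(recs))
```

Run against the real export, the same two summaries reproduce the contrast the study draws: paper/film incidents are numerous but small, while a handful of network server incidents account for most affected individuals, and the repeat-facility list is the starting point for asking why the same entity keeps appearing.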
Judging by the numbers, the academics suggest that going forward pediatric hospitals and teaching hospitals, both of which had higher percentages of data breaches, could continue to have a higher risk for breaches.
If it isn't already, investing in technology to help protect digitized patient data should be a focus for hospitals, the report stresses.
“Medical identity theft has long-lasting repercussions that can affect an individual’s health and financial well-being; it cannot be remedied by closing an account, as one would do with a financial breach of a credit card number, for instance. Hospitals are vulnerable to data breaches, but investment in data security is lacking,” one part of the study reads.
The proliferation of EHR technology over the last several years should spur hospitals to consider enhancing information security, but that hasn't quite been the case. The AJMC report cites statistics from a Texas State University study (.PDF) finding that, on average, healthcare organizations spend 95 percent of their IT budgets on attempts to comply with federal initiatives, such as health IT implementation and adoption, but only 5 percent on security.
While safeguarding patient data satisfies HIPAA's Minimum Necessary Rule - which states that protected health information (PHI) should not be used or disclosed beyond what is necessary - many facilities have adopted data loss prevention tools to do more, like accurately monitoring, classifying, and protecting electronic PHI.
While the stats in AJMC's report are interesting, it'd be fascinating to see the numbers from the last two years. While there were a few major ransomware incidents in 2016, the journal's study concluded before a rash of particularly nasty ransomware started hitting hospitals nationwide.
A campaign delivering the Locky strain of ransomware - the same malware that locked doctors out of systems, databases, and information at the Hollywood Presbyterian Medical Center - targeted the healthcare sector in late 2016. The malware NotPetya, which crippled facilities last June, disrupted operations at healthcare institutions and corporations like U.S. drug maker Merck, costing the company more than $310M.
A scourge of attacks involving the SamSam strain of ransomware made headlines earlier this year, hitting hospitals, city councils, transportation agencies, and industrial control system companies. Hancock Health, a hospital based just outside of Indianapolis, reportedly paid $55,000 to fend off a SamSam infection just a few weeks ago.
The OCR has gone on record that unless a company can demonstrate a "low probability that PHI has been compromised," any ransomware attack that encrypts electronic protected health information is considered a breach under HIPAA. While it remains to be seen how many hospitals are actually reporting these attacks, the nascent hospital ransomware trend could portend big numbers in future reports.