The American Journal of Managed Care February 2018
Data Breach Locations, Types, and Associated Characteristics Among US Hospitals
Meghan Hufstader Gabriel, PhD; Alice Noblin, PhD, RHIA, CCS; Ashley Rutherford, PhD, MPH; Amanda Walden, MSHSA, RHIA, CHDA; and Kendall Cortelyou-Ward, PhD
Despite the high level of hospital adoption of electronic health records and the federal incentives to do so, the most common type of data breach in hospitals occurred with paper records and films.
ABSTRACT

Objectives: The objectives of this study were to describe the locations in hospitals where data are breached, the types of breaches that occur most often at hospitals, and hospital characteristics, including health information technology (IT) sophistication and biometric security capabilities, that may be predicting factors of large data breaches that affect 500 or more patients.

Study Design: The Office of Civil Rights breach data from healthcare providers regarding breaches that affected 500 or more individuals from 2009 to 2016 were linked with hospital characteristics from the Health Information Management Systems Society and the American Hospital Association Health IT Supplement databases.

Methods: Descriptive statistics were used to characterize hospitals with and without breaches, data breach type, and location/mode of data breaches in hospitals. Multivariate logistic regression analysis explored hospital characteristics that were predicting factors of a data breach affecting at least 500 patients, including area characteristics, region, health system membership, size, type, biometric security use, health IT sophistication, and ownership.

Results: Of all types of healthcare providers, hospitals accounted for approximately one-third of all data breaches and hospital breaches affected the largest number of individuals. Paper and films were the most frequent location of breached data, occurring in 65 hospitals during the study period, whereas network servers were the least common location but their breaches affected the most patients overall. Adjusted multivariate results showed significant associations among data breach occurrences and some hospital characteristics, including type and size, but not others, including health IT sophistication or biometric use for security.

Conclusions: Hospitals should conduct routine audits to allow them to see their vulnerabilities before a breach occurs. Additionally, information security systems should be implemented concurrently with health information technologies. Improving access control and prioritizing patient privacy will be important steps in minimizing future breaches.

Am J Manag Care. 2018;24(2):78-84
Takeaway Points
  • Even with sophisticated health information technology (IT) systems in place, security breaches continue to affect hundreds of hospitals and compromise thousands of patients’ data; this gives cause to believe that other hospital factors, such as area characteristics, region, bed size, health system membership, hospital type, hospital governance, and market concentration, may play a vital role in breach risk.
  • This study's results showed that of all types of healthcare providers, hospitals accounted for approximately one-third of all data breaches and hospital breaches affected the largest number of individuals.
  • Paper and films were the most frequent mode or location of data breaches. However, although network servers were among the most infrequent locations of data breaches, breaches of this type impacted the most patients overall.
  • Adjusted multivariate results showed significant associations among data breach occurrences and some hospital characteristics, including type and size, but not others, including health IT sophistication or biometric use for security.
Instances in which private information has been breached are becoming more commonplace in the United States,1 making the security of this type of information a significant concern.2 Healthcare information is particularly vulnerable, due to the sensitivity of these data and how they can be used by criminals.3 Demographic data, Social Security numbers, and clinical information, including medical diagnoses, are housed in both paper and electronic health records (EHRs).3 For these reasons, multiple attempts have been made through federal legislation to help curtail the occurrences of healthcare privacy breaches, including the 1996 Health Insurance Portability and Accountability Act (HIPAA), the Health Information Technology for Economic and Clinical Health Act of 2009, and the Omnibus Final Rule in 2013.4-6 Despite these initiatives, however, large data breaches are still occurring in US hospitals.

The adoption of EHRs among hospitals has increased rapidly over the past several years.7,8 As healthcare systems digitized to keep up, the healthcare sector was unable to adopt electronic security components at the same pace, leading to vulnerabilities in record systems.7 In some cases, technology intended to assist healthcare delivery processes is now causing costly difficulties.9,10 The majority of small- and medium-size health organizations do not possess the financial or personnel resources necessary for sufficient information technology (IT) and security investments.11,12 This, along with their highly valuable data, has left hospitals vulnerable to breaches of sensitive information.13,14

Hospitals have begun to implement strategies to help prevent data breaches that most often occur through theft, loss, unauthorized access, or hacking.15 Strategies include the adoption of systems that include 2-factor authentication requirements to ensure that patients’ health information is only accessible to and usable by those with rights to access it.16 Two-factor authentication often incorporates a biometric component to verify the user’s identity, such as a fingerprint, voice recognition, or iris scan, along with a password, personal identification number, or physical verification object, such as a token or key.

The objectives of this study were to describe the locations in hospitals where data are breached, the types of breaches that occur most often at hospitals, and hospital characteristics, including health IT sophistication and biometric security capabilities, that may be predicting factors of large data breaches that affect 500 or more patients. In spite of these health IT strategies, it is unclear what the most common types of breaches are and where patients’ health information is most vulnerable. Under federal legislation, if a healthcare privacy breach affects 500 or more patients it must be reported to the Office of Civil Rights (OCR). Then, information regarding the breach is publicly posted on the OCR data breach portal.13,17 Although several studies have examined OCR data breach information,11-13 none have specifically focused on pediatric, academic, and nonfederal acute care hospitals, which house millions of patient records.

METHODS

Data Sources

The OCR data breach portal provides an online database describing data breaches of protected health information (PHI) that affect 500 or more individuals.15,18 This portal provides users the option of examining breach information from 3 types of covered entities: health plans, healthcare clearinghouses, and healthcare providers. As of July 2016, the OCR portal included 1085 healthcare providers that had PHI breaches affecting 500 or more individuals between October 2009 and July 2016. Of these, 185 were nonfederal acute care hospitals and 27 were Veterans Affairs (VA) hospitals. Nonfederal acute care hospital breach information was linked with the 2015 Health Information and Management Systems Society (HIMSS) analytic data file (HIMSS Analytics, unpublished data) and information from the 2015 American Hospital Association (AHA) Health IT Supplement Survey regarding the use of 2-factor authentication.19

Variables to Characterize Data Breaches

Hospital data breaches of PHI that affected 500 or more individuals were characterized by: 1) type of breach and 2) location or mode of breached information. Data breach types included 6 categories: 1) hacking/IT incident, 2) improper disposal, 3) loss, 4) other/unknown, 5) theft, and 6) unauthorized access/disclosure. Data breach locations or modes included 7 categories: 1) desktop computer, 2) EHR, 3) email, 4) laptop computer, 5) network server, 6) paper/films, and 7) other location. To gain a more detailed view of which provider types were most frequently breached and had the most individuals affected, the OCR data were further categorized by “name of covered entity” into 9 health provider categories: 1) colleges/universities; 2) emergency response; 3) government; 4) group/physician practices; 5) health systems; 6) hospitals; 7) nursing homes, home/hospice care, and treatment facilities; 8) pharmacies; and 9) research facilities, laboratories, and medical supply companies.

Inclusion/Exclusion Criteria

Only nonfederal acute care hospitals, which include children’s, teaching, and public or private hospitals, were included in this study. All other health provider categories were excluded.

Variables to Characterize Hospitals

Variables to characterize hospitals included area characteristics, region, bed size, health system membership, hospital type, health IT sophistication, hospital governance, and market concentration at the hospital referral region (HRR) level. A binomial variable for area characteristics was created that assessed whether the hospital was located in a rural or urban area; hospitals were considered to be urban if they were located in a metropolitan core–based statistical area. Regions (Northeast, Midwest, South, and West) were categorized based upon the US Census Bureau classification system. Hospitals were categorized into small (<100 staffed beds), medium (100 to 399 staffed beds), and large (≥400 staffed beds). Hospital types included academic, general medical and surgical, pediatric, critical access, and other specialty. A second binomial variable was created to measure health IT sophistication, and high levels were defined as having a HIMSS Electronic Medical Record Adoption Model (EMRAM) score of 6 or 7. The EMRAM score ranges from Stage 0, which is paper-chart–based, to Stage 7, which is defined by a complete EHR system.16 A third binomial variable characterizing biometric security use was created by combining the hospitals that used biometric technology for security on the HIMSS analytics survey and/or the hospitals that answered that they supported an infrastructure for 2-factor authentication, including biometrics, in the AHA Health IT Supplement Survey. Hospital governance characteristics included hospital status, such as not-for-profit, investor-owned (for-profit), and government (nonfederal). In addition, a hospital was considered to be a member of a hospital system if it belonged to an integrated healthcare delivery system. Market concentration was measured by the Herfindahl-Hirschman Index,20 constructed on bed shares within systems at the HRR level.21

Data Analysis

Descriptive analyses to characterize provider facility, data breach type, and location/mode in hospitals were performed. Number of patients affected by data breaches was log transformed and a factorial 2-way analysis of variance (ANOVA) was conducted to examine the differences between data location/mode and type of breach and the number of patients affected by data breaches. Univariate analyses were conducted on hospital and area characteristics. To explore factors associated with hospitals having a data breach affecting 500 or more individuals, multivariate logistic regression analyses were performed using SAS Enterprise Guide (SAS Institute Inc; Cary, North Carolina). Significance was determined at the P <.05 level.
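As an added example (not the authors' code), the descriptive tallies described in this section and in Variables to Characterize Data Breaches, run over a few constructed OCR-style records: hospitals per breach location and type, individuals affected, and the count of hospitals with multiple breaches. The column names are an assumption modelled on the OCR portal export; the rows are constructed, not real breaches.

```python
"""Tally breach records by type and location the way the paper's Methods describe."""
import csv
import io
from collections import Counter, defaultdict

# Constructed sample rows (not real OCR data). Column names are assumed to mirror
# the OCR portal export; a record may list several types or locations separated by commas.
SAMPLE_CSV = """Name of Covered Entity,Individuals Affected,Type of Breach,Location of Breached Information
Example Hospital A,1200,Theft,Laptop
Example Hospital A,600,Unauthorized Access/Disclosure,Paper/Films
Example Hospital B,250000,Hacking/IT Incident,Network Server
Example Hospital C,800,Loss,"Paper/Films, Other"
Example Hospital D,3100,Theft,Desktop Computer
"""


def load_breaches(text):
    """Parse the CSV into records with split type/location lists."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        rows.append({
            "entity": r["Name of Covered Entity"],
            "affected": int(r["Individuals Affected"]),
            "types": [t.strip() for t in r["Type of Breach"].split(",")],
            "locations": [loc.strip() for loc in r["Location of Breached Information"].split(",")],
        })
    return rows


def tally(rows, field):
    """Per category: (distinct hospitals with >=1 such breach, total individuals affected)."""
    hospitals = defaultdict(set)
    affected = Counter()
    for r in rows:
        for cat in r[field]:
            hospitals[cat].add(r["entity"])
            affected[cat] += r["affected"]
    return {c: (len(hospitals[c]), affected[c]) for c in hospitals}


def extremes(tallies):
    """Category hit at the most hospitals vs. category with the most individuals affected."""
    most_frequent = max(tallies, key=lambda c: tallies[c][0])
    most_affected = max(tallies, key=lambda c: tallies[c][1])
    return most_frequent, most_affected


def multi_breach_counts(rows):
    """Map breach count -> number of hospitals with that many breaches (as in Table 1)."""
    per_hospital = Counter(r["entity"] for r in rows)
    return Counter(per_hospital.values())
```

On the sample, paper/films is the most frequent location while the single network server breach affects the most individuals, mirroring the pattern the Results report.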

RESULTS

In total, 215 breaches, each affecting 500 or more individuals, occurred at 185 nonfederal acute care hospitals that reported to the OCR during the study period. Thirty hospitals had multiple breaches during that time. Twenty-four hospitals had 2 breaches, 5 hospitals had 3 breaches, and 1 hospital had 4 breaches (Table 1).

Descriptive Results

Significant differences were found between hospitals that had at least 1 breach and hospitals that did not have a breach affecting 500 or more individuals during the study period (Table 2). Bivariate descriptive statistics comparing hospitals with and without data breaches showed unadjusted differences in terms of hospital type, size, and ownership. Specifically, teaching hospitals (18% with a data breach vs 3% without a breach) and pediatric hospitals (6% with a breach vs 2% without) had higher percentages of data breaches. Larger hospitals also had a higher percentage of data breaches (26% with a data breach vs 10% without). In addition, a lower percentage of investor-owned (for-profit) hospitals (15% with a data breach vs 22% without) and other specialty hospitals (6% with a data breach vs 12% without) had at least 1 data breach. In bivariate descriptive analyses, health IT sophistication, biometric security use, health system membership, hospital region, and area characteristics were not significantly different in terms of data breach percentages.

Location of Data Breaches in Hospitals

The location of breached data and the number of individuals affected varied greatly among hospitals (Figure 1). Data breaches of paper/films occurred most frequently (65 hospitals). Data located in “other locations” (eg, breaches not from paper/films, laptop computers, email, desktop computers, EHRs, or network servers, which were reported in 56 hospitals) and in laptops (in 51 hospitals) were the second and third most prevalent, respectively. The numbers of unsecured PHI breaches from email (in 34 hospitals) and desktop computers (in 33 hospitals) were approximately equal during the study period. EHR data were breached in 19 hospitals. Although network server breaches occurred most infrequently (in 10 hospitals), these breaches compromised the highest number of individuals (4,613,858 affected).

Types of Data Breaches in Hospitals

Types of data breaches and the number of individuals affected by those types of breaches varied significantly among hospitals (Figure 2). Thefts occurred most frequently (in 112 hospitals), followed by unauthorized access/disclosure (in 54 hospitals), whereas hacking/IT incidents from 27 hospitals affected the most individuals (4,685,426).

 
Copyright AJMC 2006-2018 Clinical Care Targeted Communications Group, LLC. All Rights Reserved.