As major healthcare cyberattacks grab headlines, researchers report the common characteristics of US hospitals that experience these attacks. A more common but less visible problem is poor disposal of paper records and films, this study finds.
An estimated 16 million patient records were stolen in the United States in 2016, and last summer the British Health System was crippled by a ransomware attack. While we know these events are on the rise, what do we know about the hospitals that are vulnerable to these attacks?
A study in the new issue of The American Journal of Managed Care® took on this question, and found that while the network attacks in the headlines do affect millions of people, a more mundane problem—improper disposal or theft of paper records and patient films—happens more often, though fewer people are affected in each case.
Researchers led by Meghan Hufstader Gabriel, PhD, an assistant professor in the College of Health and Public Affairs at the University of Central Florida, uncovered these findings by systematically reviewing records from the Office of Civil Rights (OCR) in the US Department of Health and Human Services.
Gabriel, a former economist at the Office of the National Coordinator for Health Information Technology, and fellow researchers examined the data collected between October 2009 and July 2016. They studied nonfederal acute care hospitals.
While OCR tracks breaches affecting more than 500 people—and fines health systems over violations—it took Gabriel’s team to pore over the records and describe what kinds of hospitals are more (or less) likely to experience a breach.
Laptops emerged as a major source of data loss during the study period, far outstripping electronic health records (EHRs) in terms of numbers of breaches. There were 51 incidents of lost or stolen laptops affecting 380,699 people. By comparison, there were 19 EHR breaches affecting 44,805 people.
Network server breaches rarely occur, but when they do the effects are vast: 10 breaches in the study period affected 4.6 million people.
Among other findings:
The authors noted that hospitals were spending large amounts during 2009-2016 upgrading their information technology systems to meet EHR requirements, with less spent on security. The authors noted the shifting threats to healthcare systems—hackers are no longer interested in selling data, but threaten to shut down systems unless they are paid a ransom.
“Routine audits required by cyber-insurance coverage may help healthcare facilities recognize, and repair, their vulnerabilities before a breach occurs,” the authors conclude.
About The American Journal of Managed Care®:
The American Journal of Managed Care® (AJMC®) is a peer-reviewed, MEDLINE-indexed journal that keeps readers on the forefront of health policy by publishing research relevant to industry decision makers as they work to promote the efficient delivery of high-quality care. AJMC.com is the essential website for managed care professionals, distributing industry updates daily to leading stakeholders. Other titles in the AJMC® family include The American Journal of Accountable Care®, and two evidence-based series, Evidence-Based Oncology™ and Evidence-Based Diabetes Management™. These comprehensive offerings bring together stakeholder views from payers, providers, policymakers and other industry leaders in managed care. To order reprints of articles appearing in AJMC® publications, please contact Jeff Prescott at 609-716-7777, ext. 331.
Theresa Burek, 609-716-7777