The American Journal of Managed Care has released a report detailing hospital data breaches experienced in the United States. The focus of the study was to discover common characteristics of hospital data breaches, what the biggest issue areas are, the main causes of security incidents and the types of information most in danger.
The study indicated that hospitals are the most commonly violated type of healthcare supplier, accounting for around 30% of all large healthcare sector security incidents reported to the Department of Health and Human Services’ Office for Civil Rights (OCR) by supplier from 2009-16.
Over that seven-year time duration there were 215 breaches registered by 185 non-federal acute care hospitals and 30 hospitals encountered multiple breaches of 500 or more healthcare histories. One hospital experienced 4 separate breaches in the past 7 years, five hospitals had 3 breaches, and 24 hospitals encountered two breaches. Along with hospitals experiencing the highest percentage of security breaches, those breaches also lead to the theft/exposure of the highest amount of health records.
While hacks were commonly encountered, it was not digital healthcare information that was the biggest issue area. Paper and film were the most common places where protected health information was breached. 65 hospitals experienced paper/film data breaches over the time period that was reviewed; however, while those breaches were the most common, they normally affected a relatively small number of individuals.
Recently, there has been a noted rise in hacks and malware and ransomware attacks on networks, although from 2009 and 2016 – for hospitals particularly – network servers were the least common location of violated PHI. While this manner of breach was least common, they were the worst seen. Network server breaches were a consequence of the highest number of stolen records reported.
The second most common area where breaches were experienced was PHI stored in locations other than paper/film, laptops, email, desktops, EHRs, or network systems. Those breaches had been felt by 56 hospitals. Next up was laptop-related breaches, experienced by 51 hospitals.
The variety of data breaches most often experienced were theft incidents, which had been encountered by 112 hospitals. Unauthorized access/disclosures were in second place with incidents reported by 54 hospitals. Hacking/IT attacke was third and was behind 27 hospital data violations.
Multivariate logistic regression analyses were carried out to look into factors associated with hospital data breaches. The researchers found major differences between hospitals that had encountered a data breach and those that did not.
Educational hospitals and pediatric hospitals were found to be the most targeted in data breaches. 18% of teaching hospitals had encountered at least a single breach, compared to 3% without a breach. ^5 of pediatric hospitals had encountered a breach compared to 2% that did not.
Bigger hospitals were also more susceptible to data breaches than smaller centers. 26% of large hospitals had encountered a data breach, as opposed to 10% that had no breaches. Investor-owned hospitals had experienced fewer breaches than not-for profit hospitals.
There were no major contrasts based on the level of IT sophistication, health system subscription, biometric security implementation, hospital region or area characteristics.
The researchers state that while hospitals have spent heavily on technology and have digitized health data to meet Meaningful Use requirements, security has not been a main focus and investment in data security has been minimal. Hospitals are usually only spending 5% of their IT budgets on security and that needs to be better if hospital data breaches are to be avoided. Security measures also need to be enhanced for paper/films to minimize the potential for unauthorized access and theft.
The researchers say that hospitals should be carrying out regular reviews to determine who is accessing PHI, while audits of data security systems will help hospitals identify weaknesses before they are targeted.
The use of biometric identifiers can restrict the potential for unauthorized access of ePHI and 2-Factor authentication should be added to all user accounts.
The researchers also suggest the ability to obtain PHI should be restricted to the lowest necessary amount to allow staff member to carry out their work duties. By limiting access, the severity of data breaches will be minimized.