Research shows large teaching hospitals more prone to data breaches


According to a new study led by a researcher at a U.S. business school, large teaching hospitals are more susceptible to data breaches.

The study, led by Johns Hopkins Carey Business School, unsurprisingly found that 30 of the hospitals in the study had experienced data breaches at least twice since 2009. The study, published in the journal JAMA Internal Medicine, found that in at least one of those healthcare institutions, over four million patients’ data was compromised.

Lead author and assistant professor at the Carey Business School, Ge Bai, highlights the effect on individuals and what healthcare institutions must do:

“…data breaches negatively impact patients and cause damage to the victim hospital. To understand the risk of data breaches is the first step to manage it.”

Dr Bai notes that organisations must understand the risks that are posed in order to effectively combat them.


The team examined the federal Department of Health and Human Services’ statistics on data breaches reported by healthcare institutions from 2009 to 2016. Their findings showed that 216 hospitals reported 257 breaches during the 8-year period. Of those hospitals, 33 (15%) admitted to breaching data protection twice.

What’s important to glean is that these are only reported breaches. It’s a no-brainer that many more hospitals could’ve breached data protection rules, but haven’t reported the breaches. It is a legal requirement, both in the U.S. and U.K., to notify victims and regulators about certain breaches.

Montefiore Medical Centre and the University of Rochester Medical Centre (New York) reportedly breached personal data on four occasions. Four other healthcare institutions suffered three data breaches. Though the breaches may sound minimal, the impact for the victims can of course be severe.

These breaches can affect millions of people. By way of an example, Illinois Advocate Health and Hospitals Corporation reported a total of 4,031,767 people who were affected by two breaches that took place there.

Dr Bai compared breached institutions to non-breached institutions. Her findings concluded that victim hospitals were twice as large as other hospitals; in the larger hospitals there were 262 beds, and in the smaller hospitals there were 134. They also found that more than one-third of the hospitals were teaching hospitals.

Precautionary/preventative measures required

As digital and electronic healthcare records are fast becoming the norm, it’s inevitable that hospitals and other healthcare institutions will increasingly suffer from data breaches. Data breaches are still commonly caused by a malicious or cyber-criminal attack, or a systematic error. However, this shouldn’t ease the pressure on healthcare institutions, or any other organisation, to try as best as they can to limit or prevent the damage that a cyber-attack can cause.

Dr Bai further noted that:

“…more research is needed to identify effective and evidence-based data security practices to guide hospitals’ risk management efforts.”

IMPORTANT: advice on this page is intended to be up-to-date for the 'first published date'.
