Even with sophisticated health information technology (IT) systems in place, security breaches continue to affect hundreds of hospitals and compromise thousands of patients’ data. Researchers at the College of Health and Public Affairs, University of Central Florida, and at the United States Air Force Joint Base in Charleston, South Carolina conducted a study to examine what other hospital factors may play a vital role in breach risk.
The study, published in the American Journal of Managed Care, examined the locations in hospitals were data breaches occur, including the types of breaches that occur most often at hospitals, and hospital characteristics, including health information technology (health IT) sophistication and biometric security capabilities, that may be predicting factors of large data breaches that affect 500 or more patients.
The study findings indicated that, of all types of healthcare providers, hospitals accounted for approximately one-third of all data breaches and hospital breaches affected the largest number of individuals.
Despite the high level of hospital adoption of electronic health records (EHRs) and federal incentives to do so, paper and films were the most frequent location of breached data, occurring in 65 hospitals during the study period. Interestingly, network servers were the least common location, the study found, but network server breaches affected the most patients overall.
The study findings also indicated significant associations among data breach occurrences and some hospital characteristics, including type and size, but not others, including health IT sophistication or biometric use for security.
For the study, researchers linked breach data from the U.S. Department of Health and Human Services (HHS) Office of Civil Rights (OCR) regarding breaches at healthcare providers that affected 500 or more individuals from 2009 to 2016, with hospital characteristics from the Health Information Management Systems Society (HIMSS) and the American Hospital Association (AHA) Health IT Supplement databases.
The researchers used descriptive statistics to characterize hospitals with and without breaches, data breach type, and location/mode of data breaches in hospitals. Multivariate logistic regression analysis explored hospital characteristics that were predicting factors of a data breach affecting at least 500 patients, including area characteristics, region, health system membership, size, type, biometric security use, health IT sophistication, and ownership.
Of all types of healthcare providers, hospitals accounted for approximately one-third of all data breaches, and the most individual patients were impacted when hospitals were breached compared with other types of healthcare providers, such as doctors, nurses, and social workers. Paper and films were the most frequent location of breached data, occurring in 65 hospitals during the study period. These paper and film breaches occurred mostly due to theft, improper disposal, and unauthorized access. However, the overall number of patients affected by these breaches was relatively small.
Conversely, network servers were found to be the least frequent location of data breaches, but these breaches impacted the most patients overall. In addition, this study found that there were large numbers of thefts of laptops, which can easily be physically removed and stolen regardless of EHR or biometric security system implementation.
Data located in “other locations,” such as breaches not from paper/films, laptop computers, email, desktop computers, EHRs, or network servers, were reported in 56 hospitals and were the second most prevalent. Laptops were the third most prevalent location of breached data, reported in 51 hospitals. The numbers of unsecured personal health information (PHI) breaches from email (in 34 hospitals) and desktop computers (in 33 hospitals) were approximately equal during the study period. EHR data breaches occured in 19 hospitals. Although network server breaches occurred most infrequently (in 10 hospitals), these breaches compromised the highest number of individuals (4,613,858 affected).
Thefts occurred most frequently (in 112 hospitals), followed by unauthorized access/disclosure (in 54 hospitals), whereas hacking/IT incidents from 27 hospitals affected the most individuals (4,685,426).
The study findings also showed significant associations among data breach occurrences and some hospital characteristics, including type and size. Pediatric hospitals and teaching hospitals were found to be at increased risk for breaches.
What’s more, the study found that the presence of capability and infrastructure support for biometrics and high health IT sophistication were not significantly associated with data breach risk.
Drilling down further, significant differences were found between hospitals that had at least one breach and hospitals that did not have a breach affecting 500 or more individuals during the study period. Specifically, teaching hospitals (18 percent with a data breach vs 3 percent without a breach) and pediatric hospitals (6 percent with a breach vs 2 percent without) had higher percentages of data breaches. Larger hospitals also had a higher percentage of data breaches (26 percent with a data breach vs 10 percent without), the study states.
In addition, a lower percentage of investor-owned (for-profit) hospitals (15 percent with a data breach vs 22 percent without) and other specialty hospitals (6 percent with a data breach vs 12 percent without) had at least one data breach. The researchers found that health IT sophistication, biometric security use, health system membership, hospital region, and area characteristics were not significantly different in terms of data breach percentages.
The researchers note that although hospital investments in technology have been implemented to meet Meaningful Use and other federal requirements, protecting digitized patient data has not been a central focus. The findings of this study point to a need to integrate security measures in areas where patient information is kept in order to reduce the theft risk for both paper files and computers with PHI.
Although there are more group/physician practices within the United States than hospitals, the overall number of individual patients treated, and who thus have data created and stored within the record system, is greater within hospitals, the study authors conclude.
“Routine audits required by cyber-insurance coverage may help healthcare facilities recognize, and repair, their vulnerabilities before a breach occurs. Accordingly, information security systems should be concurrently implemented alongside health information technologies. Improving access control and prioritizing patient privacy will be important steps in minimizing future breaches,” the study authors state.