A recent study published in JAMA Internal Medicine examined hospital data breach risk and determined which organizations are most at risk of experiencing data breaches.
The researchers discovered that hospital data breach risk is positively linked with the size of the hospital. Larger hospitals are more likely to experience data breaches, as are hospitals with a strong focus on teaching.
Smaller hospitals may have smaller budgets to devote to cybersecurity and may not be such large targets for cybercriminals; however, the researchers determined that hospital data breach risk is higher at larger and teaching-focused hospitals because they provide greater access to healthcare data. The more individuals who require access, the higher the risk of a data breach.
For the study, the researchers analyzed the breach reports submitted to the Department of Health and Human Services’ Office for Civil Rights between October 2009 and December 2016. In total, there were 216 hospitals that had reported data breaches and 257 data breaches of more than 500 patient records. Multiple data breaches occurred at 33 hospitals. Two hospitals had experienced four major data breaches during that time frame.
There was a strong correlation between the size of the hospital and whether a data breach had occurred. Hospitals that had reported experiencing a data breach had a median of 262 beds. Hospitals that had not experienced a data breach had a median of 134 beds. The researchers looked at hospitals with a strong focus on teaching and discovered that 37% of hospitals that had experienced a data breach were major teaching hospitals, whereas just 9% of hospitals that had not suffered a data breach were classified as major teaching hospitals.
The researchers report that there is a fundamental trade-off between providing broad data access to support the needs of students and meet research needs, and ensuring that data remain secure. Broad data access is also required as part of hospitals’ quality improvement efforts; however, broader access makes data breaches more likely to occur. The researchers report that these larger hospitals and teaching-focused hospitals are likely to find it extremely challenging to prevent all data breaches.
A ‘zero breach’ objective is a major challenge, although risk can be effectively reduced. Further research is required to determine which strategies and best practices can be adopted to minimize hospital breach risk. Ge Bai, assistant professor at the Johns Hopkins Carey Business School and lead author of the study, said, “More research is needed to identify effective and evidence-based data security practices to guide hospitals’ risk management efforts.”