Hospitals Face Increased Risk of Data Breaches

A new study suggests that as health providers adopt health information technology, they increasingly suffer from data breaches.

Researchers at Michigan State University, Ball State University, and Johns Hopkins University conducted a retrospective data analysis of data breaches reported to the U.S. Department of Health and Human Services between October 2009 and December 2016. By law, U.S. hospitals covered by the Health Insurance Portability and Accountability Act (HIPPA), must notify the HHS of any breach affecting 500 or more individuals within 60 days of the discovery of the breach.

The results revealed that during the study period, healthcare providers reported 1,225 of the 1,798 recorded breaches, while business associates, health plans, and healthcare clearinghouses reported the remaining 573 data breaches. Of these, 257 breaches were reported by 216 hospitals; importantly, 33 hospitals experienced more than one breach, many of them large, major teaching hospitals, such as UC Davis Medical Center (CA, USA) and Henry Ford Hospital (Detroit, MI, USA). The study was published on April 3, 2017, in JAMA Internal Medicine.

“This research reinforces the critical trade-off patient’s face: healthcare systems having access to information they need, versus a hacker planning to spend your savings at Best Buy,” said lead author Xuefeng Jiang, PhD, of MSU, and colleagues. “While the law requires health care professionals and systems to cross-share patient data, the more people who can access data, the less secure it is.”

A data breach is defined as a security incident in which sensitive, protected, or confidential data is copied, transmitted, viewed, stolen or used by an individual unauthorized to do so. Data breaches may involve financial information such as credit card or bank details, personal health information, personally identifiable information, trade secrets of corporations, or intellectual property.