A recently published study in the American Journal of Managed Care identifies characteristics common to hospitals that have suffered data breaches.
According to the study, the Department of Health and Human Services’ Office for Civil Rights data on healthcare-provider breaches affecting 500 or more individuals from 2009 to 2016 were linked with hospital characteristics drawn from the Health Information Management Systems Society database and the American Hospital Association Health IT Supplement database.
The study revealed that hospitals are the most commonly breached type of healthcare provider, accounting for approximately 30 percent of all large healthcare security incidents reported to the Department of Health and Human Services.
In addition to hospitals experiencing the highest percentage of security breaches, those breaches also resulted in the exposure of the highest number of health records.
The study also found the most common locations of breached data were paper and film, occurring in 65 hospitals during the seven-year period.
While there has been a significant increase in malware and ransomware attacks as of late, network servers were the least common location for breaches between 2009 and 2016. Although the least common, those breaches resulted in the highest number of stolen medical records.
The second most common location of breaches was data stored in locations other than paper, film, laptops, email, desktops, EHRs or network servers, accounting for 56 hospital breaches. The third most common was laptop breaches, which were reported by 51 hospitals.
What Types of Hospitals Experienced the Most Data Breaches?
The most susceptible to data breaches were teaching hospitals and pediatric hospitals. Eighteen percent of teaching hospitals experienced at least one data breach while six percent of pediatric hospitals also experienced a breach.
Larger hospitals (more than 400 beds) were found to be more prone to data breaches, with 26 percent experiencing a breach. Investor-owned hospitals experienced fewer breaches than not-for-profit hospitals. The threats to healthcare systems have also shifted, from hackers interested in selling data to attackers threatening to shut down systems unless paid a ransom.
The study did not find any significant difference based on the level of IT sophistication, biometric security use, health system membership, hospital region or area characteristics.
The authors noted that hospitals were spending large amounts during the seven-year timeframe upgrading their information technology systems to meet electronic health record requirements, with less spent on data security.
The researchers suggest the amount of money spent on security needs to increase if hospital data breaches are to be prevented. Security measures also need to be improved for paper and films to reduce the opportunity to access data, and hospitals should conduct regular audits to determine who is accessing personal health information.
The study also suggests access to PHI should be limited to the minimum necessary amount to allow employees to complete their work duties.
“Routine audits required by cyber-insurance coverage may help healthcare facilities recognize, and repair, their vulnerabilities before a breach occurs,” the authors conclude.