This article is more than 5 years old. Information may no longer be current.

Cybersecurity should be a research priority for hospitals

More than 200 data breaches have been reported at hospitals across the United States during the last 7 years, highlighting the need for better research on how to effectively guard patients’ information, according to findings published in JAMA Internal Medicine.

“Broad access to health information, essential for hospitals’ quality improvement efforts and research and education needs, inevitably increases risks for data breaches and makes ‘zero breach’ an extremely challenging objective,” Ge Bai, PhD, CPA, an assistant professor at the Johns Hopkins Carey Business School, and colleagues wrote. “The evolving landscape of breach activity, detection, management and response requires hospitals to continuously evaluate their risks and apply best data security practices.”

Using data from HHS, Bai and colleagues conducted a retrospective analysis to evaluate what types of hospitals are at a greater risk for data breaches.

The researchers linked 141 acute care hospitals to their 2014 fiscal year Medicare cost reports filed with CMS. The researchers then compared those hospitals with other acute care hospitals not identified in that list to see if there was a correlation in terms of what type of hospitals face greater risks for breaches.

Between October 2009 and December 2016, 1,798 data breaches were reported. Among them, 1,225 breaches were reported by health care providers and the remainder were reported by business associates, health plans, or health care clearing houses.

Two-hundred and sixteen hospitals across the United States reported 257 data breaches with a median of 1,847 affected individuals per breach.

Thirty-three hospitals had been breached at least twice, and in 24 breaches, data from more than 20,000 individuals were compromised.

The median number of beds in the 141 acute care victim hospitals linked to their 2014 CMS cost reports was 262 and 37% of the hospitals were considered major teaching institutions.

The median number of beds among the 2,852 acute care hospitals identified as not having any breaches was 134 and 9% were considered major teaching institutions.

The size of a hospital and its status as a major teaching institution were associated with an increased risk for data breaches (P < .001).

“Despite the call for good data hygiene, little evidence exists of the effectiveness of specific practices in hospitals,” the researchers wrote. “Identification of evidence-based effective data security practices should be made a research priority.” – by Ryan McDonald

Disclosure: The researchers report no relevant financial disclosures