[BreachExchange] Risk of Data Breaches at Hospitals Is Greater at Larger Facilities and Those with Major Teaching Mission, Johns Hopkins Researcher Finds

Audrey McNeil audrey at riskbasedsecurity.com
Wed Apr 5 19:09:57 EDT 2017


https://www.benzinga.com/pressreleases/17/04/p9254408/risk-of-data-breaches-at-hospitals-is-greater-at-larger-facilities-and-

The risk of data breaches at U.S. hospitals is associated with larger
facilities and hospitals that have a major teaching mission, according to a
study published online today by JAMA Internal Medicine.

More than 30 hospitals in the study each experienced data breaches at least
twice since 2009. At one of those facilities, the data of more than 4
million individuals was compromised.

"Data breaches negatively impact patients and cause damage to the victim
hospital. To understand the risk of data breaches is the first step to
manage it," says lead author Ge Bai, an assistant professor at the Johns
Hopkins Carey Business School in Baltimore. Her expertise is in accounting
and governance issues in the health care industry.

A data breach is defined in the study as "an impermissible use or
disclosure that compromises the security or privacy of the protected health
information and is commonly caused by a malicious or criminal attack,
system glitch, or human error." It could be a breach of electronic or paper
records.

Bai and two co-authors examined the federal Department of Health and Human
Services' statistics on data breaches reported by various health care
providers from late 2009 through 2016. They found that 216 hospitals
reported a total of 257 breaches during that period – 33 of those hospitals
(or 15 percent) were breached at least twice, and more than a third of them
are major teaching hospitals.

Two hospitals in New York State, Montefiore Medical Center and the
University of Rochester Medical Center and Affiliates, were breached four
times each, while four other facilities around the United States each
experienced three data breaches.

At each of 24 of the 216 breached hospitals, the violations exposed the
information of at least 20,000 individuals. More than 60,000 individuals
were affected at each of six hospitals, with Advocate Health and Hospitals
Corporation in Illinois reporting a total of 4,031,767 affected by two
breaches.

The researchers also looked at hospitals that reported no data breaches.
Comparing these findings with the information from the compromised
hospitals, Bai and her colleagues noted that the breached facilities were
larger (262 median number of beds versus 134 for the non-breached) and more
likely to be major teaching facilities (37 percent versus 9 percent of the
non-breached hospitals).

"It is very challenging for hospitals to eliminate data breaches, since
data access and sharing are crucial to improve the quality of care and
advance research and education," says Bai. "More research is needed to
identify effective and evidence-based data security practices to guide
hospitals' risk management efforts."

The study by Bai of Johns Hopkins, Associate Professor John (Xuefeng) Jiang
of Michigan State University, and Assistant Professor Renee Flasher of Ball
State University is titled "Hospital Risk of Data Breaches." Besides being
currently available online at JAMA Internal Medicine, it will appear in the
print version of the journal in June 2017.