Are Large Teaching Hospitals At Greater Risk for Breaches?New Study Analyzes Health Data Breach Reporting Trends
Larger hospitals, especially teaching institutions, appear to be at greatest risk for health data breaches, says a new study. That's possibly due to several factors, including these hospitals' rich pools of patient data and greater demands for sharing that information for patient care and research, some experts say.
The study, which was published by JAMA Internal Medicine, analyzed data from the U.S. Department of Health and Human Services to examine what type of hospitals face a higher risk of data breaches.
The study's analysis included examining major health data breaches affecting 500 or more individuals that are posted on the HHS' Office for Civil Rights' HIPAA breach reporting website, commonly called the "wall of shame."
The study notes that 1,798 large breaches were reported to HHS between Oct. 21, 2009 and Dec. 31, 2016, and of those, 1,225 were reported by healthcare providers, with the remainder reported by business associates, health plans and clearinghouses.
Of the breaches reported by healthcare providers, 257 of the incidents were reported by 216 hospitals: 33 of the hospitals reported two or more breaches.
Of hospitals reporting more than one major breach, two hospitals - Montefiore Medical Center and the University of Rochester Medical Center and Affiliates, which are both based in New York State - were breached four times each, while four other U.S. facilities each experienced three data breaches.
The researchers also examined hospitals that had not reported data breaches to HHS, finding that breached facilities tended to be larger, with a median number of 262 beds, compared to a median of 134 beds at hospitals that had not reported breaches. Nearly 40 percent of the breached hospitals were major teaching facilities, compared with only 9 percent of non-breached hospitals being teaching institutions.
Larger, teaching hospitals are potentially more at risk for data breaches because of a number of likely factors, says the study's lead researcher, Ge Bai, an assistant professor at the Johns Hopkins Carey Business School.
"Large hospitals have more patients and richer protected health information than small hospitals and thus are more likely to become targets, [and] teaching hospitals are more at risk due to the trade-off between data security and data access," she says. "These hospitals have a greater need for data sharing and data access due to their teaching and research obligation. For example, multiple researchers, possibly from multiple organizations, must have access to patient data for research purposes."
Cris Ewell, CISO at the University of Washington Medicine agrees there are several issues that make an academic medical center a richer target.
That includes "being part of an academic environment that typically has a less restrictive information security posture than a hospital-only structure ... and the collaborative environment that is required for research," he notes. "Typically, these institutions have a higher volume of all types of data - personally identifiable information, protected health information and intellectual property."
On top of that, academic medical centers encompass "a teaching environment that requires a constant influx of clinical students, interns and residents. This includes the fast pace and demanding environment for our residents. For example, understanding their requirements for data protection as they rotate through their assignments and multiple hospitals."
Mac McMIllan, CEO of security consulting firm CynergisTek, agrees that it's a combination of factors, including "the population of users, volume of data, complexity of networks, span of control issues, replication of data, overall activity, and more" that put larger teaching hospitals at high risk for data breaches.
That's also compounded by "inexperience of some user groups ... multiple uses of the information, and the greater instances of access and sharing ... that introduces more opportunities for risk," he adds.
Also, for teaching hospitals, "the close affiliation to [a] university has always made their challenge greater due to cultural differences. Schools typically are resistant to controls on data that are limiting. It creates opposing priorities," McMillan notes.
Meanwhile, the target on teaching hospitals is also bigger for potential hacker attacks, he says. "It can be due to the volume [of data the hospitals] have and research they perform. Especially as an espionage target for intellectual property and general demographic information about our population."
However, could the higher rate of major breaches reported by larger hospitals be because those institutions are just being better resourced than smaller hospitals in terms of detecting breaches and reporting them to regulators?
"Not at all," McMillan says. "Some are, some aren't, but their challenge is bigger and requires a much more sophisticated response to be successful."
But Ewell says larger medical institutions sometimes do have advantages when it comes to breach detection and reporting. "As far as the controls and detection, I think that large facilities are more likely to have a CISO and a strategy around the protection of data throughout the entire enterprise," he says. "All facilities are going to be targets, and there will be opportunities that just fall into the view of the adversaries - scans that reveal major vulnerability, for example - and others that require more advance capabilities."
Another capability on the academic medical center side is the ability to partner with "very smart" researchers and faculty, Ewell notes. "I only have to pick up the phone and go a very short distance to had discussions and potentially develop new capabilities that would not be available to the smaller facility."
Steps to Take
Larger hospitals, especially teaching facilities, need to take some special security precautions to prevent breaches, Ewell says. "When you have a large facility, it is even more important to identify your assets and base your information security program on risk. The program must also interface with clinicians, executives, workforce, etc. to ensure that the controls that are implemented are fully vetted before implementation."
Without this, "you can have very smart people develop workarounds just to get their work done," he says. "Having activities such as information security staff rounding with physicians is a great way to develop the team relationships and better understanding of the impacts of information security controls on patient care."