Patients could die when hospital networks are breached, and many more might die when hackers infiltrate infusion pumps, pacemakers and other lifesaving medical devices that rely on hospital cybersecurity systems.
But recent headlines that explicitly connected data breaches to more than 2,000 patient deaths per year misinterpreted what the Vanderbilt University research into patient care quality actually revealed.
The report, "Do Hospital Data Breaches Reduce Patient Care Quality?" by Sung Choi, a postdoctoral student, and M. Eric Johnson, dean of the Owen Graduate School of Management at Vanderbilt, found statistical associations, not causation, Johnson said.
Specifically, the study looked at the share of heart attack patients who died within 30 days of being admitted to a hospital. That 30-day mortality rate rose by 0.23 percentage points one year after a breach and by 0.36 percentage points two years after a breach, according to the report. Extrapolated to heart attack admissions at every U.S. hospital, an increase of that size would represent roughly 2,160 additional patient deaths annually, Johnson said.
'It's the impact from breaches'
It's unlikely that the breaches themselves caused the deaths; rather, the remediation steps hospitals take after a breach might be the culprit. "It's the impact from breaches [and resulting] remediation efforts, like employing new security controls, installing new systems, more complex passwords and the lack of readily available data from downed servers," Johnson said.
"You can't put your finger on any one of the specific changes the breached hospitals are making," he said. "All you can say is that changes are taking place at the two- and three-year marks that end up affecting or are associated with [heart attack] mortality rates."
The study, originally published in May 2017 and now being expanded and presented at academic and industry conferences by Choi, reviewed U.S. Department of Health and Human Services data from more than 3,000 hospitals between 2012 and 2016. The 305 hospital breaches during that period exposed 14 million patient records.
"The study shows that any changes you make in the healthcare delivery process can have unintended consequences, even good things," Johnson said. "There are always going to be trade-offs between usability of a system and privacy."
Cyberattacks continue to threaten hospital cybersecurity
Hospitals, not financial services firms, are the most frequent targets of cyberattacks, according to Forbes, Accenture and polls from insurance, security and healthcare agencies. Medical records almost always include Social Security numbers and are considered more valuable for resale than stolen credit card digits. And because most health systems have large numbers of employees, legacy systems, unsecured desktops and scores of mobile devices, there are many more opportunities for breaches to occur.
"Not one organization I've walked into has a good core infrastructure," said David Chou, vice president and chief information and digital officer at Children's Mercy Kansas City in Missouri. "Investments tend to be made in a more advanced MRI machine to drive revenue than in core infrastructure."
Mission-critical hospital cybersecurity can't be seen as just an IT issue; it is a patient care issue, Chou said, and it requires buy-in from leaders down to individual users.
"The potential for a data breach to translate to poor patient care is 100% valid," Chou said. "If a medical device gets hit, you can kill someone."
Still, there's no rush to change security systems in hospitals, for financial and other reasons. "Everything is done carefully; especially with EHRs, you don't want to adversely impact the care system," Johnson said.
You also don't have to go far to find a physician complaining about the usability of systems and multifactor authentication, he said. "There are trade-offs between usability and utility and privacy, and that needs to be carefully managed," Johnson said.
Responding to a hospital cybersecurity breach
Email, phishing, shared passwords and privilege misuse are responsible for most breaches in healthcare, according to the Hospital Corporation of America.
"Basically, humans make mistakes and do dumb stuff" despite internal education campaigns, Chou said. He doubts that many organizations know how to respond to a real threat, much less a breach.
"Are they practicing a response?" he said. "Do they realize it's going to happen one day?"
At a minimum, once you find where a hospital cybersecurity breach occurred, you need to deactivate the user account. Ideally, the right protocols are in place, and the person who made the mistake by opening an infected email or sharing a password immediately realizes it and tells the IT department. Results are worse if the mistake remains a secret, Chou said.
"The real pain point is to understand who is affected and how far the breach extends," Chou said. "Some [healthcare organizations] are overly conservative and make it a bigger deal than it has to be by shutting everything down."
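The scoping step Chou describes, working out who is affected and how far a compromised account reached, is the part most response plans leave vague. The script below is an added example, not code from the article or from any hospital's tooling, showing one way to do it over authentication logs. The log format, the host and user names, the 10/8 internal-network assumption and the PHISH_CLICK event are all constructed for the example; real sources (EHR audit trails, Windows 4624 events, VPN logs) differ. Starting from the first indicator for the compromised user, it follows that account onto every host it reached afterward, then flags any other account that logged in from one of those hosts, which is how a stolen session or a service credential gets pulled into scope. It deliberately over-approximates: a legitimate login from an affected host is still flagged for review, and the output is a containment checklist (disable the account and revoke its sessions, preserve logs on the hosts, block the external source) rather than an automatic shutdown of everything, which is the over-reaction Chou warns against.

```python
"""Scope a compromised-account incident from authentication logs.

Added example; the log format and all names below are constructed for
illustration and do not come from the article or any real system.
"""
import re
from datetime import datetime

# Constructed sample log: ISO timestamp, event type, user, source, destination.
SAMPLE_LOG = """\
2018-03-01T08:02:11Z LOGIN_OK user=jdoe src=10.0.5.23 dst=ehr-web-01
2018-03-01T09:15:40Z PHISH_CLICK user=jdoe src=10.0.5.23 dst=mail-gw
2018-03-01T09:16:02Z LOGIN_OK user=jdoe src=203.0.113.7 dst=vpn-gw
2018-03-01T09:20:30Z LOGIN_OK user=jdoe src=203.0.113.7 dst=ehr-db-02
2018-03-01T09:25:00Z LOGIN_OK user=svc_backup src=ehr-db-02 dst=file-srv-03
2018-03-01T10:00:00Z LOGIN_OK user=mwang src=10.0.7.9 dst=ehr-web-01
2018-03-01T11:30:00Z LOGIN_FAIL user=jdoe src=203.0.113.7 dst=pacs-01
"""

LINE_RE = re.compile(r"^(\S+) (\S+) user=(\S+) src=(\S+) dst=(\S+)$")
INTERNAL_PREFIX = "10."  # assumption for the example: 10/8 is the hospital LAN


def parse(log_text):
    """Parse the constructed log format into dicts; unparseable lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, event, user, src, dst = m.groups()
        events.append({
            "ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
            "event": event, "user": user, "src": src, "dst": dst,
        })
    return sorted(events, key=lambda e: e["ts"])


def first_indicator(events, user, event_type):
    """Timestamp of the earliest event of event_type for user, or None."""
    for e in events:
        if e["user"] == user and e["event"] == event_type:
            return e["ts"]
    return None


def scope_incident(events, compromised_user, since):
    """Follow the compromised account forward from `since` and pull in any
    other account that logged in from a host the incident already touched."""
    users = {compromised_user}
    hosts = set()
    external_sources = set()
    for e in events:
        if e["ts"] < since or e["event"] != "LOGIN_OK":
            continue  # pre-compromise activity and failed logins are out of scope
        if e["user"] in users:
            hosts.add(e["dst"])
            if not e["src"].startswith(INTERNAL_PREFIX):
                external_sources.add(e["src"])
        elif e["src"] in hosts:
            # Another identity used from an affected host: possible lateral movement.
            users.add(e["user"])
            hosts.add(e["dst"])
    return {"users": users, "hosts": hosts, "external_sources": external_sources}


def containment_plan(scope):
    """Turn the scope into a review/containment list instead of a blanket shutdown."""
    plan = [("disable_account_and_revoke_sessions", u) for u in sorted(scope["users"])]
    plan += [("preserve_logs_and_review_host", h) for h in sorted(scope["hosts"])]
    plan += [("block_source_at_vpn_and_perimeter", s) for s in sorted(scope["external_sources"])]
    return plan


if __name__ == "__main__":
    evts = parse(SAMPLE_LOG)
    t0 = first_indicator(evts, "jdoe", "PHISH_CLICK")
    result = scope_incident(evts, "jdoe", t0)
    for action, target in containment_plan(result):
        print(f"{action}: {target}")
```

Note that jdoe's pre-phish login to ehr-web-01 is not in scope because it predates the indicator, while svc_backup is pulled in because it authenticated from ehr-db-02 after jdoe reached that host; both are exactly the judgement calls a responder has to make by hand when no such scoping exists.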