Hospitals that have experienced a data breach may see their cardiovascular-related death rates rise following the incident, according to a study recently published in Health Services Research.
For the study, researchers from Vanderbilt University's Owen Graduate School of Management looked at HHS breach data spanning 2012 to 2016. The researchers cross-referenced that data with Medicare-certified hospitals and identified hospitals that kept track of how long it takes a patient with chest pain to get from entering the hospital to receiving an electrocardiogram (EKG), and the hospital's 30-day heart attack mortality rate.
The researchers ultimately narrowed their evaluation to a total of 3,025 Medicare-certified hospitals with 14,297 hospital-year observations. According to the researchers, a total of 311 of those hospital years were affected by data breaches.
The researchers found that hospitals that had experienced a data breach on average had between 23 and 36 additional heart attack deaths per 10,000 heart-attack patient discharges each year when compared with hospitals that had not experienced a breach.
According to the researchers, the disparity is likely due to security measures added at hospitals that had experienced a breach, such as stronger passwords or two-factor authentication, which appeared to be slowing down care and affecting patient outcomes. For instance, the researchers found that the time it took for a patient to receive an EKG at hospitals that had experienced a breach increased by as much as 2.7 minutes during the three-year period following the breach.
Overall, the researchers wrote, "Breach remediation efforts were associated with deterioration in timeliness of care and patient outcomes." They noted, "Remediation activity may introduce changes that delay, complicate, or disrupt [health] IT and patient care processes."
Eric Johnson, co-leader of the study and dean of the Owen Graduate School, cautioned that the study is "looking at a very granular level across a national sample of hospitals." He said, "To understand the more detailed mechanics of how security was implemented in any particular hospital, that's an area for future research."
Leo Scanlon, former deputy chief information security officer at HHS who was not involved in the study, said, "The exploitation of cybersecurity vulnerabilities is killing people," and "[t]here is a lot of possible research that might be unleashed by this study." He added, "I believe that nothing less than a congressional investigation will give the subject the attention it deserves."
However, Scanlon said "it would be almost impossible" to get the information needed from hospitals to complete such an investigation. "The problem is this data is hard to come by—nobody likes to admit that death can be attributable to a non-natural cause like this—and is otherwise considered sensitive at a very high and proprietary level by the institutions that have the facts."
For instance, Ross Koppel, a sociologist at the University of Pennsylvania, said hospitals typically don't share their responses to data breaches in part because they fear hackers may try to re-hack their systems. Hospitals also may be concerned about how patients will respond, Koppel said. For example, a 2015 study found that patients are not as forthcoming with doctors if they know their medical records can be accessed on the internet.
In the meantime, Johnson said hospitals should look to adopt faster but still secure technologies for accessing medical records—like radio frequency identification wristbands, biometric scans for fingerprints, or facial recognition—to avoid having cybersecurity systems slow down care.
However, Koppel said the government or the health care industry overall would have to mandate new cybersecurity standards in order for hospitals to widely adopt such technologies (KrebsOnSecurity, 11/7; Akpan, PBS NewsHour, 10/24; Choi et al., Health Services Research, 9/10).