Researchers at Vanderbilt University, Tennessee, have released a study into the effects that breaches of healthcare data have on the affected individuals’ health. The results of the study suggest that mortality rates at hospitals increase following a data breach, and that this may result in an additional 2,100 deaths a year in the United States. Dr Sung Choi, a researcher at the Owen Graduate School of Management, led the study. The findings were presented at a recent cyberrisk quantification conference at Philadelphia’s Drexel University LeBow College of Business.
The researchers investigated the direct impact that cyberattacks can have on patient care, something that has been clearly highlighted on numerous occasions over the past 12 months. In several high-profile cases, ransomware and wiper malware attacks have crippled information systems. The result is cancelled appointments and an inability of healthcare professionals to access patient health records. This in turn can delay treatment and negatively affect patient welfare.
Several high profile cases of malware attacks on healthcare systems have been in the public eye in the past year. Both the NotPetya wiper and WannaCry ransomware attacks last year caused major disruption to computer systems. In particular, the WannaCry attacks caused major problems for the National Health Service in the UK and affected patient treatment for a significant period of time.
At the conference, Choi explained that data breaches can be a distraction for physicians. After the initial furore, the disruption that breaches cause can last for years. HIPAA covered entities face investigations and litigation, which Choi suggests could result in disruption to medical services and delays in providing treatment. The cost of mitigating attacks is substantial: a covered entity may need to purchase additional security solutions and deal with the fallout from the breach, and resources can be diverted away from patient care to cover those costs.
For the study, Choi and her team compared mortality rates at hospitals before and immediately after a data breach had occurred. The researchers used several metrics to compare the timeframes, including the percentage of heart attack patients who died within 30 days of admission to hospital. The aim was to assess a potential fall in the quality of care offered to patients as an indirect result of a breach occurring.
Choi notes that the control group and the breached hospitals had similar mortality rates before a breach; afterwards, the mortality rate for the control group remained the same but increased at hospitals that had experienced a breach. Choi’s analysis showed a 0.23% increase in the mortality rate one year after a data breach and an increase of 0.36% two years after a breach. That equates to 2,160 deaths a year across the United States. In particular, Choi noted that the time taken to administer electrocardiograms to newly admitted patients was longer after a hospital had experienced a data breach.
The study was presented just a few days before the Department of Health and Human Services’ Office for Civil Rights issued a reminder to HIPAA covered entities about the need to develop contingency plans for emergencies such as cyberattacks and ransomware incidents. OCR explained that HIPAA Rules on contingency planning help to ensure a “fast recovery from a natural disaster, cyberattack, or other emergency situation”.
This research suggests that the development of an effective contingency plan and a rapid response to data breaches can save lives.