Data breaches at hospitals appear to be having a serious impact on patient care, increasing mortality rates for years after an incident, according to new research.
Researchers at Vanderbilt University and the University of Central Florida analyzed breach data for 3000 hospitals from 2012-2016 in an attempt to estimate the relationship between breach remediation efforts and care quality. The data sources were Department of Health and Human Services (HHS) breach data and Medicare Compare's public data on hospital care measures.
What they found was shocking: an increase in the 30-day mortality rate for heart attacks that translated to 36 additional deaths per 10,000 heart attacks per year. Mortality rates apparently continued to rise for about three years after a breach before tapering off.
Breaches also had a worrying impact on the time it took staff to hook up a patient in the emergency room to an electrocardiogram (EKG). Time-to-EKG rose by 2.7 minutes following a breach.
Although the research wasn’t able to determine what changes led to these delays and outcomes, it pointed the finger at the post-breach delay while an incident is investigated and security updates are applied.
“This long time-frame tells us that in breached hospitals, it’s the remediation efforts — not the breach itself, but the post-breach remediation efforts — that are impacting these time-sensitive processes and patient outcome measures,” said report co-author Eric Johnson.
“Security solutions designed to prevent future breaches may require usability assessment or include some sort of ‘break glass in case of emergency’ functionalities to ensure providers can quickly get the information they need when they need it most.”
There is no information in the report on ransomware, as it was relatively rare prior to 2016 and thus not covered.
However, the authors warned: “Our findings suggest that ransomware attacks might have an even stronger short-term negative relationship with patient outcomes than the long-term remediation efforts studied here.”
The UK’s NHS famously suffered major outages as a result of the WannaCry ransomware worm in 2017. Estimates suggest 19,000 operations and appointments were cancelled, and in some cases critical patients had to be diverted to other hospitals.