Patient data remains unsafe, even at the largest hospitals

A study published in JAMA Internal Medicine found that 1,798 large breaches of patient data have occurred in the past seven years. The study further showed the need for improved security measures in healthcare systems nationwide.

Led by Xuefeng Jiang, Michigan State University associate professor of accounting, and colleagues from Johns Hopkins and Ball State universities, the study examined data from the Department of Health and Human Services from Oct. 2009 to Dec. 2016 on large healthcare systems including UC Davis Medical Center in California and Henry Ford Hospital in Michigan.

"Our findings underscore the critical need for increased data protection in the health care industry," said Jiang. "While the law requires health care professionals and systems to cross-share patient data, the more people who can access data, the less secure it is."

By law, hospitals covered by the Health Insurance Portability and Accountability Act (HIPAA) must report data breaches affecting 500 or more patients within 60 days. Results showed that healthcare providers reported 1,225 of the 1,798 total breaches, with the remainder reported by business associates, health plans and clearinghouses. A total of 257 breaches were reported by 2016 hospitals, with 33 large hospitals experiencing multiple breaches.

“A fundamental trade-off exists between data security and data access,” wrote Jiang and colleagues. “Broad access to health information, essential for hospitals’ quality improvement efforts and research and education needs, inevitably increases risks for data breaches and makes ‘zero breach’ an extremely challenging objective. The evolving landscape of breach activity, detection, management, and response requires hospitals to continuously evaluate their risks and apply best data security practices. Despite the call for good data hygiene, little evidence exists of the effectiveness of specific practices in hospitals. Identification of evidence-based effective data security practices should be made a research priority.”