Data breaches can have real-world consequences beyond just stolen information or compromised data. In the healthcare industry, for example, data breaches can lead to deterioration in patient care and a long-term increase in patient mortality rates at hospitals. A new study from Vanderbilt’s Owen Graduate School of Management and the Vanderbilt University Medical Center shows a clear link between data breaches and an increase in the number of fatal heart attacks at hospitals across the United States – but not for the reason you might think.
Key findings from the medical researchers
The researchers found that security remediation initiatives put into place after a data breach – such as stronger passwords, stronger authentication procedures, and quicker logout times for idle computers – had a significant impact on the ability of hospitals and medical care professionals to deliver patient care to heart attack victims. This should make intuitive sense – in the world of healthcare delivery, every minute and second counts, and longer approval and authentication times ultimately slow down the healthcare delivery process. What might not make intuitive sense is the fact that these security remediation initiatives actually had a greater impact than the original cyber attack itself. Put another way, it is not the data breach itself that matters the most, but the post-breach remediation efforts.
What this means, says Sung Choi, an assistant professor at the University of Central Florida who is the lead author of an article exploring the research in the October issue of Health Services Research, is that hospitals should do a more comprehensive review of the security procedures that they put into place after a data breach. While there might be an immediate push to implement the most secure data practices possible, it might be wiser to keep in mind the usability and practicality of these security practices for doctors, nurses or emergency room workers.
Details of the research study on hospital data breaches
To get an idea of just how much these cybersecurity remediation initiatives might be slowing down the patient care process, as well as their ultimate impact on patient mortality rates, the researchers looked at data from the Department of Health and Human Services (DHHS) for several key factors – including time to EKG and 30-day mortality rate for heart attacks – for more than 3,000 different hospitals over the period 2012-2016. During that time, approximately 10% of these hospitals had been the victim of a data breach, so it was relatively easy for the researchers to compare the performance and results of hospitals that had been breached with those that had not.
What they found was very worrisome – following a data breach, hospitals experienced a rise in both the time to EKG and patient mortality rates for heart attack victims. The average increase in time to EKG was 2.7 minutes. That might not sound like a big number – but it has significant implications for hospitals, because the industry standard for time to EKG is 10 minutes. Any longer than that, says the American Heart Association (AHA), and the chances of a patient surviving the heart attack start to decline. In the case of hospitals experiencing a data breach, the time to EKG actually increased to more than 11 minutes in some cases. Moreover, this increase was still observable years after a breach had occurred.
Not surprisingly, then, the same hospitals that saw deterioration in their time to EKG performance also saw an uptick in patient fatalities. The mortality rate increased by 0.36% in the aftermath of a data breach. Again, that might not sound like a big number, but it translates into an additional 36 deaths per 10,000 heart attack victims per year.
Implications for U.S. healthcare
In the United States, heart attacks are one of the most common forms of medical emergencies. Overall, there are more than 735,000 reported heart attacks requiring medical attention each year. So it’s easy to see how even a relatively small decline in overall hospital performance (especially emergency room performance) can have a huge impact on patient care and mortality rates. If cyber attacks persist, they could lead to a long-term increase in fatal heart attacks in the U.S.
That is especially important to keep in mind, given that there was a nearly 20% spike in the number of healthcare data breaches in 2019 over the year-earlier period. This is a problem that is only getting worse. In the period 2012-2016, the researchers focused on 305 hospital breaches that impacted more than 14 million patient records overall.
Mounir Hahad, head of Juniper Threat Labs at Juniper Networks, comments on the real-world implications of healthcare data breaches: “We tend to associate attacks on critical infrastructure to human lives being at stake. This report brings a stark realization to the forefront – attacks on services organizations (be it a hospital, first responders or city governments) related to elderly and special needs people also do cause irreparable harm.”
Ransomware, the new threat on the horizon
As pernicious and insidious as data breaches can be, an even worse problem for hospitals and other medical care providers might be ransomware. Given that ransomware is a relatively new phenomenon, the researchers did not specifically consider it during their study. However, the paper from Sung Choi of the University of Central Florida covering the results of the research made a special point of acknowledging the new ransomware threat.
In the UK, there have been attempts to quantify the impact of ransomware on healthcare delivery. In May 2017, the WannaCry ransomware virus disrupted UK hospital performance, forcing some hospitals to shift from electronic to paper records and some emergency rooms to re-route patients to other facilities. All told, ransomware-related disruptions led to 19,000 canceled appointments and total losses of close to £100 million. Overall, nearly one-third of all hospitals experienced a disruption of some kind, and almost one in ten general practitioners had to cancel appointments or make other adjustments to their workflow.
New thinking about cybersecurity for healthcare
The new medical research study from Vanderbilt University marks an important new milestone in how we think about cyber attacks and data breaches. These breaches have very real effects on performance, and in worst-case scenarios, can lead to an increase in patient mortality rates. With that in mind, hospitals and medical care practitioners should re-think their current cybersecurity practices and find new ways to prevent data breaches from occurring in the first place.