Following a data breach, hospitals implement additional measures to improve their security posture and make it harder for cybercriminals to breach their defenses again. It is important to prevent similar breaches in the future, but a recent study suggests that although security enhancements will better protect patient data, they could have a negative impact on patient outcomes.
For the study – Data breach remediation efforts and their implications for hospital quality – the researchers analyzed Medicare Compare data on quality measures at Medicare-certified hospitals from 2012 to 2016, along with data breach reports from the HHS’ Office for Civil Rights breach portal.
The Medicare Compare data covered 3,025 hospitals, 311 of which had experienced a data breach over the period of study. To assess the relationship between breach remediation and hospital quality, the researchers examined the time it took from a patient walking in the door to receiving an electrocardiogram, with hospital quality measured by the 30-day mortality rate of heart attack patients.
After a hospital had experienced a data breach, the time-to-electrocardiogram increased by up to 2.7 minutes. Even 3-4 years after the breach had occurred, time-to-electrocardiogram was still up to 2 minutes longer than before the breach had been experienced. In the three years following a data breach, heart attack mortality rates increased by up to 0.36 percentage points.
The researchers suggest that the increase in mortality rate is linked to the data breach: not to the breach itself, but to the measures the hospitals took following the breach to improve security.
Steps typically taken by hospitals after a successful cyberattack include implementing multi-factor authentication, which makes it harder for stolen credentials to be used to access hospital resources. Password policies are changed, requiring longer passwords to be entered. These and other security enhancements can slow clinicians down, as can increased oversight by regulators. Together, these can have a knock-on effect on quality of care, which in turn affects patient outcomes.
“Health IT promises quality improvements and cost savings but its benefits are elusive because of learning, implementation, and usability issues that hinder clinicians,” explained the researchers. “Breach remediation efforts were associated with deterioration in timeliness of care and patient outcomes.”
The researchers suggest hospitals should carefully evaluate any proposed additional security measures to ensure they do not negatively affect patient outcomes, and that the HHS should consider how increased oversight of breached hospitals may also negatively affect patient outcomes.