Research Ties Breaches, Ransomware to Negative Patient Care Outcomes – HealthITSecurity.com

Posted: Published on October 31st, 2019

This post was added by Alex Diaz-Granados

October 25, 2019 - In a damning report, researchers determined data breach remediation efforts were linked to decreased patient care outcomes and negatively impacted the timeliness of care. What's more, ransomware may have a greater short-term negative relationship with patient outcomes.

In a study published by Health Services Research, University of Central Florida and Vanderbilt University researchers Sung Choi, M. Eric Johnson, and Christoph Lehmann, MD, examined the relationship between breach remediation efforts and hospital care quality.

The researchers analyzed data from the Department of Health and Human Services data breach reporting tool and Medicare Compare's public data on hospital quality measures between 2012 and 2016, providing a panel of 3,025 hospitals and 14,297 unique hospital observations.

The HHS Office of Civil Rights typically monitors breached covered entities for about three years, during which corrective actions are implemented to bolster vulnerable IT systems. Those actions can include civil monetary penalties, new IT systems, staff training, and a revision of policies and procedures.

While the bulk of the study focused on data breach remediation efforts, the research team also made some concerning observations around the persistent challenge of ransomware, given that the attacks are much more disruptive than typical data breaches and can negatively affect the accuracy and timeliness of patient information available to providers.

Hacking can also temporarily disrupt a hospital's servers, as seen in multiple ransomware attacks in recent months. Those providers are often driven to pen and paper during the period those servers are patched or repaired, researchers explained.

Instances of unauthorized access suggest that existing systems may have weaknesses verifying provider or patient identity, which may increase the risk of a provider inadvertently accessing or editing information on the wrong patient, researchers noted.

Inaccuracies or delays in patient information resulting from changes or enhancements in security are likely to disrupt the care process and adversely affect patient outcomes, they continued. Downtimes in EHRs because of maintenance or malfunction have been associated with disruptions in laboratory and medication orders as a result of patient identification and communication problems.

What's more, researchers found ransomware might have an even greater short-term negative relationship with patient outcomes than the long-term remediation efforts analyzed in the report. More work needs to be done to address potential implications of ransomware on patient outcomes.

The shock of ransomware attacks on hospitals and patients can be framed as a natural experiment, researchers noted. Ransomware attacks are likely to be initiated by opportunistic external adversaries motivated by financial reward; therefore, the model for ransomware attacks has a smaller threat of confounding variables related to patient outcomes.

Studying ransomware attacks will also provide insights into long-run changes on hospitals associated with remediation activities, which may persist years after the attack, they added.

To estimate the relationship between breach remediation efforts and care quality, researchers used a difference-in-differences regression. Hospital quality was measured by 30-day acute myocardial infarction mortality and time from door to electrocardiogram.

Researchers determined that providers that experienced breach remediation efforts saw the time to electrocardiogram increase as much as 2.7 minutes, and remediation was associated with a 1.4-minute increase in time to ECG one year after the breach.

The elevated time to ECG persisted with a 2.7-minute and a two-minute increase in time to ECG at three and four years after the breach, respectively, the researchers wrote.

What's more, the 30-day acute myocardial infarction mortality increased as much as 0.36 percentage points over a three-year observation period.

"Corrective actions are intended to remedy the deficiencies in privacy and security of protected health information," researchers explained. "However, enhanced security measures may introduce usability (which we define as the ease of use) problems."

New security procedures typically alter how clinicians access and use clinical information in health information systems and may disrupt the provision of care as providers require additional time to learn and use the new or modified systems, they added.

To the researchers, it's also possible that remediation efforts can introduce organizational changes that may complicate, delay, or disrupt health IT and care processes, as well as introduce changes with learning, training, and support costs that add to usability challenges and unexpected errors.

After a breach occurs, an organization will typically change data handling and access privilege policies and is often encouraged to implement auditing systems to capture forensic evidence. Other security best practices include locking up physical devices, data encryption, and stronger passwords.

However, the researchers explained that the new technologies, policies, and procedures require healthcare workforce members to acclimate and adjust to new, sometimes more cumbersome and time-consuming ways of obtaining and manipulating patient data.

A brief informal survey of chief medical informatics officers showed that publishing on breach remediation would be considered negatively by their institutions and was perceived as counterproductive as the new measures should not be advertised, researchers noted.

Specific remedial changes at those breached hospitals were not directly observed. Instead, they used dummy variables that identified when breached hospitals implemented remedial changes, which could take between two and four years.

Hospital quality measures for acute conditions and timeliness may be negatively affected by these remedial changes because of delays and disruptions in care, researchers explained. This relationship is potentially confounded by unobserved hospital characteristics.

"In the conceptual model, hospital quality does not directly affect security efforts, such as breach remediation," they added. "We are not aware of formal regulations or cases where enforcement agencies intervened to remediate hospitals' health IT because they have poor care quality, even though poorly implemented EHRs have been associated with safety concerns."

What they found was that the discovery of and recovery from a breach was viewed as a random shock to a hospital's care delivery system.

The time from door to ECG significantly increased after a breach, which persisted even four years after a breach. Researchers pointed to security measures that typically add inconvenience by design: hackers are slowed down, but additional steps also add time to clinicians' workflows.

Lost passwords and account lockouts are nuisances that may disrupt workflow. The persistence in the longer time to ECG suggests a permanent increase in time requirement due to stronger security measures, researchers explained.

Especially in the case of a patient with chest pain arriving in the emergency department, any delay in registering the patient and accessing the patient's record will lead to delay in ordering and executing the ECG, they added. With every minute delay affecting mortality, delays in access to the EHR may prove detrimental.

A full analysis of the research methods and synopsis can be found in Health Services Research.
