A report released by Johns Hopkins University's Carey School of Business claims that large healthcare organizations experience more data breaches than smaller healthcare providers.
The researchers used breach reports submitted to the Department of Health and Human Services’ Office for Civil Rights (OCR). Any HIPAA covered entity is required to submit breach reports to the OCR, and under HITECH Act requirements, OCR publishes the breaches that impact 500 or more individuals.
The study, led by Ge Bai, Ph.D., found that between 2009 and 2016, 216 hospitals reported a data breach and 15% of hospitals reported more than one breach. The analysis of these breach reports suggests hospitals with teaching centers are more likely to suffer a data breach: a third of breached hospitals were major teaching centers. It also suggests larger hospitals were more likely to suffer a data breach, but many healthcare professionals disagree.
A team of doctors from Vanderbilt University in Nashville claims the researchers only included figures from breaches affecting over 500 people and excluded smaller breaches, so larger hospitals with more patients were more likely to reach that 500-patient threshold. They also argued that for a breach to be reported, it must first be detected, and they claim these breaches are often left undetected because smaller hospitals often lack the technology, budget, and staff to detect them. Lastly, the doctors argue that smaller hospitals take much longer to detect insider threats because they lack the technology and resources to conduct internal audits and review data access logs.
Bai has since responded that, while she agrees there is an issue with the 500-individual threshold, larger hospitals truly have more PHI, and this, "combined with teaching hospitals' need for broad data access, creates significant targets for cybercriminals, compared with smaller institutions, that might be the main reason for their relatively high risks of data breaches."
This can be looked at in two ways. Yes, larger health providers handle an enormous amount of PHI, which can mean a huge win for hackers. But these large providers, with significantly more cybersecurity resources than their smaller counterparts, can also be a more difficult target, which leads hacking groups to target smaller healthcare organizations that lack the resources or staff to devote time to cybersecurity.
NNT offers an easy-to-use but fully featured security and HIPAA compliance solution with HIPAA compliance reports built in, based on both CIS and NIST 800-53 recommendations. These hardened build standards can be tailored to your specific healthcare and ePHI systems to ensure access rights and audit trails are provisioned correctly. NNT then monitors for compliance continuously, so that if any drift from your security configuration occurs, you can address it immediately, before any damage is done.
Read this article on HIPAA Journal