Owen Graduate School of Management researcher Dr. Sung Choi conducted a study on the effects of data breaches in hospitals. The results indicated a rise in mortality rates at breached hospitals due to a drop in patient care standards. It was estimated that as many as 2,100 deaths per year in the U.S. result from healthcare data breaches. Dr. Choi presented the results of his study at the Cyberrisk Quantification Conference at Philadelphia’s Drexel University LeBow College of Business.
Patient care is directly affected by cyberattacks. This was clearly demonstrated by the ransomware and wiper attacks that happened last year. The incidents crippled information systems, forcing hospitals to cancel appointments and delay treatments. Two particular attacks last year were the NotPetya wiper and WannaCry ransomware attacks.
Dr. Choi noted that data breaches can have many undesirable effects that could last for years. Physicians are distracted and patient care gets delayed. The investigations and litigation also disrupt medical services. Resources for patient care are often diverted to pay for the cost of mitigating cyberattacks, such as when extra security solutions are needed.
In conducting the study, Choi attempted to measure the potential fall in the quality of patient care as a result of a data breach by comparing mortality rates at certain hospitals. In particular, he compared the percentage of heart attack patients who died within 30 days of admission before and after a data breach. The control group and the breached hospitals initially had the same mortality rates. However, one year after a data breach, the breached hospitals saw a 0.23% increase in mortality rate while the control hospitals saw no change in mortality rate. Two years after a breach, the mortality rate further increased by 0.36%. This translated to 2,160 deaths per year. Dr. Choi also mentioned that it took longer to administer electrocardiographs to admitted patients after a data breach.
This research study was presented before the Department of Health and Human Services’ Office for Civil Rights reminded HIPAA covered entities of their need to develop contingency plans for emergency situations. OCR reiterated the importance of contingency planning for emergencies such as natural disasters, cyberattacks and ransomware attacks. Dr. Choi’s research supports the idea that contingency planning that pushes for a quick response to emergencies, including data breaches, could save lives.