Fixing Hacks Has A Deadly Impact On Hospitals

A study from Vanderbilt University shows that remediating data breaches has a very real impact on mortality rates at hospitals. The data shows that the type and scale of a breach don't have an impact on patient outcomes but that breaches do have an effect, and it appears to come from the hospital's response rather than the attack itself. The effect is serious: mortality rates go up significantly.

Dr. Sung Choi, a post-doctoral fellow at Vanderbilt University, says that the study looked at a common metric available to researchers: the 30-day mortality rate from AMI (acute myocardial infarction), which is basically how many people who come through the hospital door because of a heart attack are still alive 30 days later.

They chose that number because it's commonly collected and frequently used by researchers and allows different factors to be compared in their impact on this metric, and it allows different facilities to be compared on a similar metric.

The general 30-day mortality rate has been falling at a fairly consistent rate for at least the last five years, which is good news. But, according to the study,

"The .34 to.45 percentage point increase in 30-day AMI mortality rate after a breach was comparable to undoing a year’s worth of improvement in mortality rate."

Behind the Bad Number

There are two key findings in the study's working paper that are surprising from a computer security perspective. "The association between data breaches and AMI mortality rate did not differ significantly by the magnitude of the breach," the paper said. So the outcome wasn't significantly different whether there were 1,000 records hit or 500,000.

The second key finding contains an important caveat. According to the paper, "The relation between breaches and AMI mortality did not differ significantly by the type of breach." The caveat is the timing of the study's data; the last year included was 2015, before ransomware became a major malware issue.

Choi says this appears to point in the direction of a cause for the worsening mortality rate. "It's not the immediate effect of the breach but what happens afterward that has such an impact on the patients," he says. And the research paper begins to explore why that is so: "...regardless of the source the resulting discovery and mitigation of a breach can be viewed as a random shock to a hospital's care-delivery system."

(Lack of) Speed Kills

Healthcare IT systems may show that shock in slower and more disruptive change than those in other industries because they start from a relatively weakened position security-wise. "For the most part the healthcare industry, and especially the providers, has been a laggard for information security," says Larry Ponemon, founder and chairman of the Ponemon Institute.

When hospitals respond to a breach, the response tends to have a major impact on their legitimate users. According to Choi's research, "new access and authentication procedures, new protocols, new software after any breach incident is likely to disrupt clinicians."

That disruption is where the patient is affected, through inaccurate or delayed information reaching the people caring for them. And how much, in blunt terms, can that effect be? The study says an additional 34- to 45 deaths per 1,000 heart attack discharges every year.

Good and Bad on the Horizon

Choi says that hospitals should be careful to focus changes in their security processes, procedures, and technology to improve both data security and patient outcomes.

Ponemon sees healthcare organisations starting to improve in security. "We do see healthcare organisations starting to take care of security and rising to the next level of security. I think the public demands it," he says.

Two factors contribute to the improvement across the industry:

The first is the simple acknowledgement that doctors and hospitals are targets, an acknowledgement that was a long time coming.

The next is the march of technology. "There are technologies that healthcare can now afford because they're available in the cloud and it provides the opportunities for healthcare security to improve," Ponemon says.

The improved security may come just in time to have an impact on a looming area of security concern: The medical IoT. "There's a universe of devices, many of which are implanted and many can be communicated with through WiFi or Bluetooth," Ponemon says.

"Right now, the providers are looking at records but the devices are really an area of huge concern."

Dark Reading

You Might Also Read: 

Healthcare Security Should Use More Sophisticated Tools:

One A Day: Healthcare Breaches Are A Daily Event:

 

« Six Steps to Protect Customer Data
A New Cold War Will Not Be Based On Hardware. »

Infosecurity Europe
CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

TÜV SÜD Academy UK

TÜV SÜD Academy UK

TÜV SÜD offers expert-led cybersecurity training to help organisations safeguard their operations and data.

Alvacomm

Alvacomm

Alvacomm offers holistic VIP cybersecurity services, providing comprehensive protection against cyber threats. Our solutions include risk assessment, threat detection, incident response.

MIRACL

MIRACL

MIRACL provides the world’s only single step Multi-Factor Authentication (MFA) which can replace passwords on 100% of mobiles, desktops or even Smart TVs.

Jooble

Jooble

Jooble is a job search aggregator operating in 71 countries worldwide. We simplify the job search process by displaying active job ads from major job boards and career sites across the internet.

NordLayer

NordLayer

NordLayer is an adaptive network access security solution for modern businesses — from the world’s most trusted cybersecurity brand, Nord Security. 

Korea Internet & Security Agency (KISA)

Korea Internet & Security Agency (KISA)

KISA is committed to improving the competitiveness, reliability and security of Internet information and knowledge in Korea.

Independent Security Evaluators (ISE)

Independent Security Evaluators (ISE)

ISE is an independent security consulting firm headquartered in Baltimore, Maryland dedicated to securing high value assets for global enterprises and performing groundbreaking security research.

Institute for Cybersecurity & Privacy (ICSP) -  University of Georgia

Institute for Cybersecurity & Privacy (ICSP) - University of Georgia

The goal of ICSP is to become a state hub for cybersecurity research and education, including multidisciplinary programs and research opportunities, outreach activities, and industry partnership.

Sandia National Laboratories

Sandia National Laboratories

Sandia National Laboratories is a premier science and engineering lab for national security and technology innovation.

PSYND

PSYND

PSYND is a Swiss consultancy company based in Geneva specialized in CyberSecurity and Identity & Access Management.

Totaljobs

Totaljobs

Totaljobs is the UK’s largest hiring platform. We have over 280,000 live jobs adverts on our site, helping you to find any type of job in any industry, including cybersecurity.

Talion

Talion

Talion aim to reduce the complexity involved in securing your organisation and to give security teams unrivalled visibility into their security operations, so they can make optimal decisions, fast.

Ward Solutions

Ward Solutions

Ward Solutions are an information security consultancy and managed services company. We help organisations protect their brand, people, assets, intellectual property and profits.

Diligent

Diligent

Diligent's SaaS GRC platform gives leaders a connected view of governance, risk, compliance and ESG across their organization.

CryptoNext Security

CryptoNext Security

CryptoNext provides optimal end-to-end post-quantum cybersecurity remediation tools and solutions for IT/OT infrastructures & applications.

Catalyst Campus For Technology & Innovation

Catalyst Campus For Technology & Innovation

Catalyst Campus is a collaborative ecosystem to create community, spark innovation and stimulate business growth.

ZeroGPT

ZeroGPT

ZeroGPT.com stands at the forefront of AI detection tools, specializing in the precise identification of ChatGPT-generated text.

Evolve Business Group

Evolve Business Group

Evolve is an independently-owned managed network solutions provider, creating bespoke packages for customers globally since 2005.

Hubble

Hubble

Hubble grew from the idea that legacy solutions were failing to provide organizations with the asset visibility they needed to effectively secure and operate their businesses.

RKON

RKON

RKON Technologies provides managed IT and cybersecurity services to organizations across various industries, helping businesses mitigate risks and secure their digital infrastructures.

Exaforce

Exaforce

At Exaforce, we are on a mission to 10× improve the productivity and efficacy of security and operations teams using our transformative multi-model AI engine.