A Troubling Study Suggests Tighter Cybersecurity Controls at Hospitals Lead to More Deaths

November 25, 2019  Jeff B. Copeland

Researchers from the University of Central Florida and Vanderbilt University have found a troubling connection between data breach remediation at hospitals and an elevated death rate from heart attacks among their patients.

Minutes count when patients with an acute myocardial infarction (AMI) arrive at a hospital – they must quickly be administered an electrocardiogram (ECG). The study found that, at hospitals that had undergone a data breach, time to ECG was delayed as much as 2.7 minutes and mortality from AMI over the following 30 days increased by 0.36% (for an additional 23-26 deaths per 10,000 patients) during the three years after a breach.

Note that the study did not cover ransomware, with its actual interruption of hospital services, but rather remediation after a breach that added more security, perhaps at the cost of time and attention for emergency room staff.

As the study explains, “Subsequent to a breach, organizations must take action to mitigate the failure and improve security…from adopting new policies and procedures to installing new security technologies…

“Security best practice includes locking up physical devices, data encryption and stronger passwords. Single sign-on authentication may be used to improve password management.

“These interventions require hospital staff to acclimate to new systems, learn new procedures and adjust to new, and sometimes more cumbersome and time-consuming ways of obtaining and manipulating patient data,” such as retrieving and reviewing electronic health records and executing the ECG.

The study's finding suggests that hospitals and other health institutions need to take a broader view of cybersecurity than the always-add-a-control approach. As Joey Johnson of Premise Health said during the CISO Panel at the recent FAIR Conference, seemingly technical problems assigned to the cyber team often turn out to be process problems within the business.

One of the benefits of the FAIR™ methodology comes from bringing all the stakeholders together to scope out the true risk factors at play and arrive at a statement of the risk problem in business terms. That might well expose that applying tighter cybersecurity controls would be detrimental to the overall business mission, including, for healthcare, the principle of “first do no harm.”

Read the study: Data breach remediation efforts and their implications for hospital quality.

A recent issue of ‘Health IT Security’ found that FAIR™ helps healthcare providers ‘go beyond frameworks for strong risk management.’ Contact us to learn how to bring a more sophisticated approach to health industry risk management to your organization with FAIR, the international standard for quantitative cyber risk analysis.