JAMA Debate Highlights Need for Better Data Breach Stats

Critics say the available data is insufficient. That matters for hospitals and patients alike.

In the spring, JAMA Internal Medicine published a study indicating that large medical centers and teaching hospitals are at higher risk of data breaches than smaller institutions. This week, a team of researchers from Vanderbilt University is calling those findings into question.

Ge Bai, PhD, of Johns Hopkins University’s Carey Business School, led the original research. It used Department of Health and Human Services (HHS) breach reporting data from 2009 to 2016. The team found 216 hospitals that reported breaches of protected health information (PHI), 15% of which reported more than 1 incident. Some suffered as many as 4.

The investigators compared their cohort of breached hospitals to hospitals not reporting breaches and found the median size of hospitals reporting breaches was nearly double. They also noticed that a third of hospitals victimized were major teaching facilities.

The study’s official statement and several media outlets ran with the takeaway that larger hospitals and teaching hospitals were at an elevated risk for data breaches. But the new letter from the Vanderbilt team, led by Daniel Fabbri, PhD, takes issue with that idea.

“Such a broad claim neglects inherent biases in data collection and reporting practices,” he and his colleagues write in a response letter, also published in JAMA Internal Medicine.

First, they point out the threshold for public reporting. A covered entity must notify HHS of any breach of unsecured PHI, but only breaches affecting 500 or more individuals must be reported within 60 days of discovery and are posted on the department’s public breach portal; smaller breaches are submitted in an annual log and are not listed individually. (So Bai’s study didn’t include the smaller ones.)

“The HHS data are biased because larger organizations inherently have a greater chance of reaching the 500-patient threshold than their smaller counterparts,” the Vanderbilt researchers write.

Breaches stemming from employee error (lost laptops or phishing emails, for example) are also more likely when you have more employees, they add.

The fact that larger hospitals have larger staffs feeds into a second issue: an institution can only report the breaches it detects, and bigger hospitals with more advanced tooling and specialized IT and security staff are more likely to detect breaches that smaller hospitals miss entirely.
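The two biases above (the 500-individual posting threshold and the larger-staff effect) are easy to see in a small simulation. The following is an added illustration, not code or data from either JAMA letter: every number in it (hospital counts and sizes, the per-employee incident rate, the records-per-incident distribution) is a constructed assumption chosen only to expose the mechanism. The model gives every employee the same chance of causing an incident, then applies the 500-record public-posting rule, and finally computes the incidents-per-employee rate that the Vanderbilt authors argue for instead of raw counts.

```python
"""Toy simulation of the HHS 500-individual reporting-threshold bias.

Added example, not from the JAMA letters. All parameters are constructed
assumptions. Risk per employee is identical for every hospital by
construction; the question is how much of that equality survives the
public-reporting threshold.
"""
import random
from dataclasses import dataclass, field

PUBLIC_THRESHOLD = 500           # HHS posts breaches affecting 500 or more individuals
P_INCIDENT_PER_EMPLOYEE = 0.002  # assumed annual chance that one employee causes an incident


@dataclass
class Hospital:
    name: str
    employees: int
    incidents: list = field(default_factory=list)  # records exposed, one entry per incident


def build_cohort(n_small=200, small_staff=100, n_large=100, large_staff=2000):
    """Constructed cohort: many small hospitals, fewer large ones."""
    small = [Hospital(f"small-{i}", small_staff) for i in range(n_small)]
    large = [Hospital(f"large-{i}", large_staff) for i in range(n_large)]
    return small, large


def simulate_year(hospitals, rng):
    """Draw one year of incidents; each employee has the same chance of causing one."""
    for h in hospitals:
        h.incidents = []
        for _ in range(h.employees):
            if rng.random() < P_INCIDENT_PER_EMPLOYEE:
                # assumed heavy tail: most incidents are small (a lost phone,
                # one phished mailbox), a few expose thousands of records
                records = int(rng.lognormvariate(4.0, 1.5))
                h.incidents.append(max(records, 1))


def on_public_list(h):
    """A hospital appears on the HHS portal only if some incident hit the threshold."""
    return any(r >= PUBLIC_THRESHOLD for r in h.incidents)


def had_any_breach(h):
    return bool(h.incidents)


def rate_per_employee(hospitals):
    """The normalisation the Vanderbilt letter asks for: incidents per employee."""
    staff = sum(h.employees for h in hospitals)
    return sum(len(h.incidents) for h in hospitals) / staff


def summarize(seed=1):
    """Run one simulated year and compare the public list with what actually happened."""
    small, large = build_cohort()
    rng = random.Random(seed)
    simulate_year(small + large, rng)

    pub_small = sum(on_public_list(h) for h in small)
    pub_large = sum(on_public_list(h) for h in large)
    any_small = sum(had_any_breach(h) for h in small)
    any_large = sum(had_any_breach(h) for h in large)

    return {
        # what the public HHS list shows: share of listed hospitals that are large
        "large_share_public_list": pub_large / max(pub_small + pub_large, 1),
        # what actually happened: share of breached hospitals that are large
        "large_share_any_breach": any_large / max(any_small + any_large, 1),
        # incidents per employee, equal in expectation by construction
        "rate_small": rate_per_employee(small),
        "rate_large": rate_per_employee(large),
        "public_listed": pub_small + pub_large,
    }


if __name__ == "__main__":
    for key, value in summarize().items():
        print(f"{key:>24}: {value:.3f}" if isinstance(value, float) else f"{key:>24}: {value}")
```

With these assumptions the large hospitals make up a clearly bigger share of the public list than of the set of hospitals that actually had an incident, while the per-employee rates of the two groups are statistically indistinguishable. Changing the threshold constant or the staff sizes shows how sensitive the "larger hospitals are riskier" reading is to the reporting rule rather than to any difference in underlying risk.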

Not every breach is reported, and an incident compromising fewer than 500 patients can still do real harm. Bai’s initial study found that Montefiore Medical Center in New York reported 4 breaches in the observed period, but that alone does not mean Montefiore’s data is less secure than a smaller community hospital with 0 publicly reported breaches.

Bai and her team have written a reply to the new letter. They agree that the 500-affected-individual threshold complicates the picture. Still, they maintain that “large hospitals possess a significant amount of [PHI]…Combined with teaching hospitals’ need for broad data access, this creates significant targets for cyber criminals,” compared to smaller institutions.

They argue that “the vigilance of the public may compensate for these hospitals’ lack of detection ability,” noting that more than 100,000 patients have reported suspected information compromises to HHS since 2003.

They also note that the Health Information Technology for Economic and Clinical Health (HITECH) Act requires covered entities, including health plans and providers, to report all breaches of unsecured PHI to HHS, though breaches below the 500-individual threshold are reported only in aggregate. Because the large, disclosed breaches affected 52 million people between 2009 and 2014 and the smaller ones only 800,000, they argue that “large incidents have the potential to significantly impact more individuals than small incidents.”

But Fabbri and his 2 co-authors argue that without more complete HHS statistics, it will be difficult to do meaningful research or to change hospital privacy practices.

“This nonuniform treatment of breaches based on size, instead of impact, offense, or rate-per-employee biases the results and can negatively impact perceived patient privacy and security risks,” they write. “Without better visibility, organizations are likely only to defend what they can see.”