Data breach remediation efforts and their implications for hospital quality.

OBJECTIVE: To estimate the relationship between breach remediation efforts and hospital care quality. DATA SOURCES: Department of Health and Human Services' (HHS) public database on hospital data breaches and Medicare Compare's public data on hospital quality measures for 2012-2016. MATERIALS AND METHODS: Data breach data were merged with the Medicare Compare data for years 2012-2016, yielding a panel of 3025 hospitals with 14 297 unique hospital-year observations. STUDY DESIGN: The relationship between breach remediation and hospital quality was estimated using a difference-in-differences regression. Hospital quality was measured by 30-day acute myocardial infarction mortality rate and time from door to electrocardiogram. PRINCIPAL FINDINGS: Hospital time-to-electrocardiogram increased as much as 2.7 minutes and 30-day acute myocardial infarction mortality increased as much as 0.36 percentage points during the 3-year window following a breach. CONCLUSION: Breach remediation efforts were associated with deterioration in timeliness of care and patient outcomes. Thus, breached hospitals and HHS oversight should carefully evaluate remedial security initiatives to achieve better data security without negatively affecting patient outcomes.

Understanding the relationship between data breaches and hospital advertising expenditures.

OBJECTIVES: To estimate the relationship between data breaches and hospital advertising expenditures. STUDY DESIGN: Observational data on hospital expenditures were analyzed using a propensity score-matched regression. The regression was specified as a generalized linear model using a gamma distribution and log link. METHODS: The study sample included Medicare hospitals captured by a survey of traditional media outlets. Hospitals included were nonfederal acute care inpatient hospitals from 2011 to 2014. Voicetrak provided data on hospital advertising expenditures. The Healthcare Cost Report Information System provided data on hospital characteristics and financial variables. Study groups were matched using observable characteristics, such as revenue, number of beds, discharges, ownership, and teaching status. The study excluded hospitals in Maryland and the US territories for financial reporting consistency. Data breaches included theft, loss, unauthorized access/disclosure, improper disposal, and hacking. Advertising expenditures were collected from media outlets including television, radio, newspapers and business journals, and local magazines in a city/metropolitan area. RESULTS: Breached hospitals (n = 72) were more likely to be large, teaching, and urban hospitals relative to the control group (unweighted n = 915). A data breach was associated with a 64% (95% CI, 7.2%-252%; P = .023) increase in annual advertising expenditures, holding observable characteristics constant. CONCLUSIONS: Breached hospitals were associated with significantly higher advertising expenditures in the 2 years after the breach. Efforts to repair the hospital's image and minimize patient loss to competitors are potential drivers of the increased spending. Advertising costs subsequent to a breach are another cost to the healthcare system that could be avoided with better data security.

Security practices and regulatory compliance in the healthcare industry.

OBJECTIVE: Securing protected health information is a critical responsibility of every healthcare organization. We explore information security practices and identify practice patterns that are associated with improved regulatory compliance. DESIGN: We employed Ward's cluster analysis using minimum variance based on the adoption of security practices. Variance between organizations was measured using dichotomous data indicating the presence or absence of each security practice. Using t tests, we identified the relationships between the clusters of security practices and their regulatory compliance. MEASUREMENT: We utilized the results from the Kroll/Healthcare Information and Management Systems Society telephone-based survey of 250 US healthcare organizations including adoption status of security practices, breach incidents, and perceived compliance levels on Health Information Technology for Economic and Clinical Health, Health Insurance Portability and Accountability Act, Red Flags rules, Centers for Medicare and Medicaid Services, and state laws governing patient information security. RESULTS: Our analysis identified three clusters (which we call leaders, followers, and laggers) based on the variance of security practice patterns. The clusters have significant differences among non-technical practices rather than technical practices, and the highest level of compliance was associated with hospitals that employed a balanced approach between technical and non-technical practices (or between one-off and cultural practices). CONCLUSIONS: Hospitals in the highest level of compliance were significantly managing third parties' breaches and training. Audit practices were important to those who scored in the middle of the pack on compliance. Our results provide security practice benchmarks for healthcare administrators and can help policy makers in developing strategic and practical guidelines for practice adoption.