Hospital Productivity After Data Breaches: Difference-in-Differences Analysis.

BACKGROUND: Data breaches are an inevitable risk to hospitals operating with information technology. The financial costs associated with data breaches are also growing. The costs associated with a data breach may divert resources away from patient care, thus negatively affecting hospital productivity. OBJECTIVE: After a data breach, the resulting regulatory enforcement and remediation are a shock to a hospital's patient care delivery. Exploiting this shock, this study aimed to investigate the association between hospital data breaches and productivity by using a generalized difference-in-differences model with multiple prebreach and postbreach periods. METHODS: The study analyzed the hospital financial data of the California Office of Statewide Health Planning and Development from 2012 to 2016. The study sample was an unbalanced panel of hospitals with 2610 unique hospital-year observations, including general acute care hospitals. California hospital data were merged with breach data published by the US Department of Health and Human Services. The dependent variable was hospital productivity measured as value added. The difference-in-differences model was estimated using fixed effects regression. RESULTS: Hospital productivity did not significantly differ from the baseline for 3 years after a breach. Data breaches were not significantly associated with a reduction in hospital productivity. Before a breach, the productivity of hospitals that experienced a data breach maintained a parallel trend with control hospitals. CONCLUSIONS: Hospital productivity was resilient against the shocks from a data breach. Nonetheless, data breaches continue to threaten hospitals; therefore, health care workers should be trained in cybersecurity to mitigate disruptions.

Assessing the impact of health information exchange on hospital data breach risk.

OBJECTIVE: Widespread electronic health information exchange (HIE) across hospitals remains an important policy goal for reducing costs and improving the quality of care. Meanwhile, cybersecurity incidents are a growing threat to hospitals. The relationship between the electronic sharing of health information and cybersecurity incidents is not well understood. The objective of this study was to empirically examine the impact of hospitals' HIE engagement on their data breach risk. MATERIALS AND METHODS: A balanced panel dataset included 4,936 US community hospitals spanning the period 2010-2017, which was assembled by linking the American Hospital Association annual survey database and the Information Technology (IT) supplement, and the Department of Health and Human Services reports of health data breaches. The relationship between HIE engagement and hospital data breaches was modeled using a difference-in-differences specification controlling for time-varying hospital characteristics. RESULTS: The percentage of hospitals electronically exchanging information has more than tripled (from 18% to 68%) from 2010 to 2017. Hospital data breaches increased concurrently, largely due to the rise in hacking and unauthorized access. HIE engagement was associated with a 0.672 percentage point increase in the probability of an IT breach three years after the engagement. Hospitals actively engaging in a health information organization and exchanging data with outside providers were associated with a higher risk of IT related breaches in the long run; however, hospitals actively engaging in HIE and exchanging data with inside providers were not associated with any significant risk of IT related breaches. DISCUSSION: Over time, the increasing amount and complexity of patient information being exchanged can create challenges for cybersecurity if data protection is not up to date. Additionally, data security depends on the weakest link of HIE, and providers with fewer resources for data governance and infrastructure are more vulnerable to data breaches. CONCLUSION: Moving toward widespread health information exchange has important cybersecurity implications that can significantly impact both patients and healthcare organizations.

The relationship between cybersecurity ratings and the risk of hospital data breaches.

OBJECTIVE: We investigated the progression of healthcare cybersecurity over 2014-2019 as measured by external risk ratings. We further examined the relationship between hospital data breaches and cybersecurity ratings. MATERIALS AND METHODS: Using Fortune 1000 firms as a benchmark, time trends in hospital cybersecurity ratings were compared using linear regression. Further, the relationship between hospital data breaches and cybersecurity ratings was modeled using logistic regression. Hospital breach data were collected from US HHS, and cybersecurity ratings were provided by BitSight. The resulting study sample yielded 3528 hospital-year observations. RESULTS: In aggregate, we found that hospitals had significantly lower cybersecurity ratings than Fortune 1000 firms, however, hospitals have closed the gap in recent years. We also found that hospitals with the low security ratings were associated with significant risk of a data breach, with the probability of a breach in a given year ranging from 14% to 33%. DISCUSSION: Recent cyber-attacks in healthcare continue to illustrate the need to better secure information systems. While hospitals have reduced cyber risk over the past decade, they remain statistically more vulnerable than the Fortune 1000 firms against botnets, spam, and malware. CONCLUSION: Policy makers should continue encouraging acute-care hospitals to proactively invest in security controls that reduce cyber risk. Best practices from other sectors like the financial services sector could provide useful guides and benchmarks for improvement.

Understanding the relationship between data breaches and hospital advertising expenditures.

OBJECTIVES: To estimate the relationship between data breaches and hospital advertising expenditures. STUDY DESIGN: Observational data on hospital expenditures were analyzed using a propensity score-matched regression. The regression was specified as a generalized linear model using a gamma distribution and log link. METHODS: The study sample included Medicare hospitals captured by a survey of traditional media outlets. Hospitals included were nonfederal acute care inpatient hospitals from 2011 to 2014. Voicetrak provided data on hospital advertising expenditures. The Healthcare Cost Report Information System provided data on hospital characteristics and financial variables. Study groups were matched using observable characteristics, such as revenue, number of beds, discharges, ownership, and teaching status. The study excluded hospitals in Maryland and the US territories for financial reporting consistency. Data breaches included theft, loss, unauthorized access/disclosure, improper disposal, and hacking. Advertising expenditures were collected from media outlets including television, radio, newspapers and business journals, and local magazines in a city/metropolitan area. RESULTS: Breached hospitals (n = 72) were more likely to be large, teaching, and urban hospitals relative to the control group (unweighted n = 915). A data breach was associated with a 64% (95% CI, 7.2%-252%; P = .023) increase in annual advertising expenditures, holding observable characteristics constant. CONCLUSIONS: Breached hospitals were associated with significantly higher advertising expenditures in the 2 years after the breach. Efforts to repair the hospital's image and minimize patient loss to competitors are potential drivers of the increased spending. Advertising costs subsequent to a breach are another cost to the healthcare system that could be avoided with better data security.

Data breach remediation efforts and their implications for hospital quality.

OBJECTIVE: To estimate the relationship between breach remediation efforts and hospital care quality. DATA SOURCES: Department of Health and Human Services' (HHS) public database on hospital data breaches and Medicare Compare's public data on hospital quality measures for 2012-2016. MATERIALS AND METHODS: Data breach data were merged with the Medicare Compare data for years 2012-2016, yielding a panel of 3025 hospitals with 14 297 unique hospital-year observations. STUDY DESIGN: The relationship between breach remediation and hospital quality was estimated using a difference-in-differences regression. Hospital quality was measured by 30-day acute myocardial infarction mortality rate and time from door to electrocardiogram. PRINCIPAL FINDINGS: Hospital time-to-electrocardiogram increased as much as 2.7 minutes and 30-day acute myocardial infarction mortality increased as much as 0.36 percentage points during the 3-year window following a breach. CONCLUSION: Breach remediation efforts were associated with deterioration in timeliness of care and patient outcomes. Thus, breached hospitals and HHS oversight should carefully evaluate remedial security initiatives to achieve better data security without negatively affecting patient outcomes.

Serum uric acid levels and hormone therapy type: a retrospective cohort study of postmenopausal women.

OBJECTIVE: Serum uric acid levels increase in postmenopausal women, but decrease when hormone therapy (HT) is administered. No study has, however, evaluated the effects of different types of HT on serum uric acid levels. We therefore examined whether estrogen therapy (ET), estrogen plus progestogen therapy (EPT), and tibolone use affected serum uric acid levels in this population. METHODS: We performed a retrospective cohort study of postmenopausal women. From 2005 to 2015, postmenopausal women who had undergone blood uric acid-level testing at least twice were enrolled. Participants were grouped according to HT regimen: ET, EPT, or tibolone. The nonhormone therapy group did not receive HT. Differences in serum uric acid levels were examined in each group. Our analysis was adjusted to accommodate different follow-up intervals for individual participants. Multiple variables were adjusted using the Tukey-Kramer method. Age, body mass index, hypertension, diabetes mellitus, dyslipidemia, estimated glomerular filtration rate, alcohol consumption, smoking status, and comedications were also adjusted. RESULTS: After adjusting for multiple variables, the serum uric acid level increased to 0.87 ±â€Š0.27 mg/dL (least squares mean ±â€Šstandard error) in the nonhormone therapy group, and serum uric levels in the EPT group were found to be significantly lower (-0.38 ±â€Š0.29 mg/dL, P < 0.001). The serum uric acid levels in the ET and tibolone groups did not, however, differ significantly from the nonhormone therapy group level. CONCLUSIONS: We attribute our findings to the effects of progestogen, rather than estrogen.