A Vanderbilt University researcher is claiming more than 2,100 patient deaths are linked to hospital data breaches each year.
Sung Choi of the university's Owen Graduate School of Management said data breaches trigger remediation activities, regulatory inquiries and litigation in the years following a breach that disrupt and delay hospital services, leading to a decline in care, according to the Wall Street Journal.
“Before a breach, the control group and breached hospitals are similar, then after a breach there appears some change in trend that made the breach hospitals have worse quality,” Choi said.
The comments were made at a cyberrisk quantification conference hosted by Drexel University's LeBow College of Business in Philadelphia, where Dr. Choi cited data from the U.S. Department of Health and Human Services and the Centers for Medicare & Medicaid Services to compare patient-care metrics at hospitals that have and have not experienced a data breach.
Choi argued the proportion of heart attack patients who die within 30 days of being admitted to a hospital increased by 0.23 percent one year after a breach and by 0.36 percent two years after a breach, which represents 2,160 additional patient deaths annually.
Leon Lerman, co-founder and CEO of healthcare cybersecurity specialist Cynerio, said it's difficult to get medical devices back up and running following a breach, with many devices requiring assistance from the manufacturers in order to reset them. He went on to say that disruption doesn't have to be caused directly by the breach or attack but could be caused during the investigation process.
“I think it's fair and logical to say that the more often these breaches occur the more likely there will be an increase in patient mortality rates, as it's very likely that during a breach some sort of service disruption will occur and the doctor will be preoccupied and won't be giving full attention to a patient,” Lerman said.
Ultimately, Lerman said, understanding the extent of the correlation depends on whether or not the breach or attack is visible to the doctors.