Do Breach Remediation Efforts Affect Patient Outcomes?Prof. Eric Johnson of Vanderbilt University Discusses 'Worrisome' Research Findings
How do hospitals' efforts to bolster information security in the aftermath of data breaches potentially affect patient outcomes? Professor Eric Johnson of Vanderbilt University discusses recent research that shows a worrisome relationship between breach remediation and the delivery of timely patient care.
In the study, Vanderbilt researchers examined the Department of Health and Human Services' data about health data breach reports appearing on the HIPAA Breach Reporting Tool website and Medicare public data on hospital quality measures for 2012 - 2016.
The researchers found that often, in the aftermath of breaches, when hospitals took action to remediate their data security, "the security fixes were many times creating their own set of problems," Johnson says in an interview with Information Security Media Group.
That included challenges that clinicians faced "in using new [security] systems, and the impact that has on the accessibility of information, particularly in cases where that information is needed in a timely manner."
In examining data from hospitals' HIPAA breach reports, and those hospitals' quality measures data - "we noticed something worrisome," Johnson says.
"In time-sensitive areas - for example, the time a patient arriving at an emergency room would be able to receive an EKG if they were experiencing chest pain - guidelines typically say that should happen within 10 minutes of arrival." But the researchers found that at hospitals that were breached - sometimes years after that breach - the time to provide those patients with EKGs after their arrival to the ER increased.
"We also saw that the mortality rate for those patients at those hospitals also increased," he says.
In the interview (see audio link below photo), Johnson also discusses:
- The types of security measures taken after a data breach that potentially impact timely patient care;
- Insecure "workarounds" that clinicians sometimes use to obtain faster access to patient information, and why technology "usability" matters;
- Key lessons for hospitals and regulators about security measures taken to prevent and recover from health data breaches, and their potential impact on patient care.
Johnson is a dean and professor of strategy at Vanderbilt University's Owen Graduate School of Management. Johnson's teaching and research focus is on the impact of information technology on the extended enterprise. He studies how IT improves process execution and also how security failures create friction throughout the extended enterprise. Johnson is currently focused on the role IT can play in improving healthcare quality and reduce cost. He has authored patents on interface design and testified before the U.S. Congress on information security.