Researchers were able to correlate data breaches that have affected hospitals across the United States with an uptick in fatality rates and heart attack response times at hospitals that previously suffered some form of data leak.
A new study published by Eric Johnson, Ralph Owen Dean and Bruce D. Henderson Professor of Strategy at Vanderbilt’s Owen Graduate School of Management, and Christoph Lehmann, professor of pediatrics and biomedical informatics at Vanderbilt University Medical Center, revealed that there is a direct link between an increase in heart attack-related deaths and data breaches in hospitals.
Post-data breach measures slow down emergency response
The study looked at data from the Department of Health and Human Services (DHHS) for several key factors – including the time to EKG and 30-day mortality rate for heart attacks – for more than 3,000 different hospitals over the period 2012-2016. By the time of the study, approximately 10% of the hospitals in the sample had previously suffered a data breach, and the comparison was made against those that had not suffered a leak.
“In the security economics world, there’s a lot of discussion about who bears the cost of data breaches—individuals or firms,” Johnson said. “We often see bad outcomes for consumers when their credit card information is stolen, for example, but we don’t necessarily see firms bearing the full cost of losing that data. What we wanted to see here was whether there were any implications for patients when their data is stolen.”
The results of the study revealed that the main culprit is not the data breach itself; instead, it is the post-data breach remediation policies that were adopted by the victimized hospitals. According to the researchers, it is intuitive for hospitals to implement more stringent data security policies and practices after they fall victim to a data breach.
Every minute counts
Researchers found that following a data breach, hospitals experienced a rise both in the time to EKG and in patient mortality rates for heart attack victims. Quantitatively, the normal response time has increased by 2.7 minutes, on average, which is 2.7 minutes too long for some people to survive a heart attack.
The American Heart Association (AHA) said that the normal response time in heart attack emergencies should be 10 minutes, and anything longer than that could dramatically lower the patient's chances of survival. This means that a delay of more than 2 minutes in a hospital's response could potentially lead to death.
In some hospitals, the response time has risen beyond 11 minutes after suffering a data breach. The impact can still be felt even years after the breach occurred, the researchers said. The worst part of what the researchers have uncovered is that hospitals that have previously suffered a data breach have a 0.36% higher mortality rate than hospitals that have not suffered a data breach – that is, an additional 36 deaths per 10,000 heart attack victims every year.
“We found that following a breach, time-to-EKG and mortality rates both rose and continued to rise for about three years before tapering off,” Johnson said.