Data breach remediation efforts and their implications for hospital quality.

OBJECTIVE: To estimate the relationship between breach remediation efforts and hospital care quality.

DATA SOURCES: Department of Health and Human Services' (HHS) public database on hospital data breaches and Medicare Compare's public data on hospital quality measures for 2012-2016.

MATERIALS AND METHODS: Data breach data were merged with the Medicare Compare data for years 2012-2016, yielding a panel of 3025 hospitals with 14 297 unique hospital-year observations.

STUDY DESIGN: The relationship between breach remediation and hospital quality was estimated using a difference-in-differences regression. Hospital quality was measured by 30-day acute myocardial infarction mortality rate and time from door to electrocardiogram.

PRINCIPAL FINDINGS: Hospital time-to-electrocardiogram increased as much as 2.7 minutes and 30-day acute myocardial infarction mortality increased as much as 0.36 percentage points during the 3-year window following a breach.

CONCLUSION: Breach remediation efforts were associated with deterioration in timeliness of care and patient outcomes. Thus, breached hospitals and HHS oversight should carefully evaluate remedial security initiatives to achieve better data security without negatively affecting patient outcomes.
