Like any large company, a modern hospital has hundreds – even thousands – of workers using countless computers, smartphones and other electronic devices that are vulnerable to security breaches, data thefts and ransomware attacks. But hospitals are unlike other companies in two important ways. They keep medical records, which are among the most sensitive data about people. And many hospital electronics help keep patients alive, monitoring vital signs, administering medications, and even breathing and pumping blood for those in the most dire conditions.
A 2013 data breach at the University of Washington Medicine medical group compromised about 90,000 patients’ records and resulted in a US$750,000 fine from federal regulators. In 2015, the UCLA Health system, which includes a number of hospitals, revealed that attackers accessed a part of its network that handled information for 4.5 million patients. Cyberattacks can interrupt medical devices, close emergency rooms and cancel surgeries. The WannaCry attack, for instance, disrupted a third of the UK’s National Health Service organizations, resulting in canceled appointments and operations. These sorts of problems are a growing threat in the health care industry.
Protecting hospitals’ computer networks is crucial to preserving patient privacy – and even life itself. Yet recent research shows that the health care industry lags behind other industries in securing its data.
I’m a systems scientist at MIT Sloan School of Management, interested in understanding complex socio-technical systems such as cybersecurity in health care. A former student, Jessica Kaiser, and I interviewed hospital officials in charge of cybersecurity and industry experts, to identify how hospitals manage cybersecurity issues. We found that despite widespread concern about lack of funding for cybersecurity, two surprising factors more directly determine whether a hospital is well protected against a cyberattack: the number and varied range of electronic devices in use and how employees’ roles line up with cybersecurity efforts.
As our healthcare system moves from compensating providers on the basis of quantity of care to quality of care, it’s very important to measure hospital performance. But a key limitation for that measurement is patient selection.
A large body of research suggests that it doesn’t matter where patients go for treatment. Teaching hospitals, for example, have been found to achieve modestly better health outcomes. Unfortunately, patients in worse health tend to choose or are referred to hospitals based on the facilities’ capabilities. So hospitals with higher levels of treatment intensity – meaning teaching hospitals or hospitals that perform the latest procedures – could appear to have poorer grades on healthcare report cards because they are treating the sickest patients.
As the debate about health care costs swirls, I’ve published an article that challenges the common view that higher healthcare spending is not correlated with better health outcomes. To the contrary, I found that tourists who become ill and receive emergency care at “high-spending” hospitals have significantly lower mortality rates compared to tourists who end up in “lower-spending” hospitals.
Because hospitals in general tend to spend more on sicker patients, I knew how difficult it is to estimate returns to healthcare spending. My goal was to compare apples to apples. It’s not possible to conduct a randomized experiment where some patients go to a high-spending hospital system and others are sent to a low-spending one. Since most people don’t choose their vacation destinations based on the budgets of local hospitals, tourists come close to mimicking this type of random assignment: some are exposed to high-spending hospital systems while others are exposed to low-spending ones.