Analysis Report Four - Health Privacy and Data Profiling

Author

Mary Elizabeth Magyar

Executive Summary

Healthcare has been and continues to move at a rapid pace when it comes to electronic health record systems and the digital space as a whole. Although this is the case, security and privacy has not been as fast-paced and is a ongoing major concern in healthcare. After reviewing information on ransomware data, these type of attacks have more than doubled between 2016-2021 (Neprash et al. 2022). These type of security attacks that have increased not only affected the healthcare organization but affected patient care as well. These type of attacks have impacted procedures, ambulances getting to and from one emergency to the next, but also IT systems and more (Neprash et al. 2022). Many organizations have reported more and more ransomware attacks that points to oversight on how often these attacks are happening. This is where the HITECH Act stands out, by showing that hospitals are/were willing to adopt new technologies like electronic health record systems (EHR) pretty quickly when they realized a financial incentive was attached (Adler-Milstein and Jha 2017). The same push for EHR systems is also what expanded the number of ways that attackers can get access to the data. The telehealth and data-privacy article added another layer to this, because many people assume that HIPAA protects their health information across any and all health related apps, when in reality that is not the case. Some of the health apps that has been apart of the FTC stepping in is BetterHelp, GoodRX, Flo Health and more due to not properly storing data and disclosing it (Haggin 2023). The Change Healthcare attack in 2024 really showed what is at stake due to possibly sharing one-third of the populations information which caused a disruption in billing where some struggled to operate (Rundle and Stupp 2024). After reviewing all of these findings, it is plain to see that healthcare leadership needs to start treating cyber security as part of patient safety rather than something that is up to IT to control, this truly needs to be invested in more in healthcare organizations (Adler-Milstein and Jha 2017). It is crucial to understand how apps (like patient portals) are handling patient data rather than assuming they are protected under HIPAA since it is a healthcare app (Haggin 2023). Healthcare cannot continue to move fast on technology while moving slow on protecting the people it’s meant to serve.

Introduction

The HITECH Act of 2009 is a good starting point to understand how healthcare got to where it is today with technology. It was not the healthcare organizations deciding on if they wanted to utilize advanced technologies and EHR systems, it was a federal push that made it worth it to these organizations on a financial level. The main point of the HITECH Act was the “meaningful use” incentive program, which paid hospitals bonus money for actually implementing and using EHR systems in specific, defined ways, instead of just rewarding the organizations for achieving better patient care/outcomes (Adler-Milstein and Jha 2017). In this study, some healthcare organizations were eligible for the incentive while some were not. With this being the case, it showed that HITECH itself caused a jump in adopting EHR systems. Before the HITECH Act, eligible hospitals were only increasing EHR adoption by about 3.2% a year, but once meaningful use incentives were in effect, that number increased to about 14.2% each year (Adler-Milstein and Jha 2017). One thing that stood out to me is that for-profit hospitals tended to respond the strongest to these incentives, showing when there is a financial incentive attached, healthcare organizations are capable of making progress happen and making it happen fast. That being said, the article also raised the question on if this money was put to good use, because it was around $20.9 billion dollars that was paid to hospitals, even though they were most likely going to make the switch to an EHR system in the future anyway, the interesting part is that HITECH only addressed the adoption side of things, meaning hospitals had the technology, but the question is, was that technology being used to its full capability or not. This was a big security question. Healthcare was told to adopt this new EHR system quickly, which many did. But, just because it was adopted quickly does not mean that IT and security had time to catch up to speed. This same motivation needed to be in place for the systems to be protected. This gap between adopting technology and knowing how to secure and use it properly is the main foundation. In other words, HITECH proved that healthcare can move fast when it has to, which raises the question of why the same urgency has not been applied to protecting what it built.

The Healthcare Context

Looking deeper into these core issues goes to show that healthcare organizations are still struggling with the same issues years later, just at a larger scale. Gold and McLaughlin’s five year review of HITECH amplifies that getting providers to adopt EHR systems can be the easiest part of the entire process when reflecting on the detail that goes into the actual EHR system and what is needed to share information correctly and effectively across multiple providers (Gold and McLaughlin 2016). The review points out that HITECH’s goal was to create a system that was strong from the jump start and could operate the way they needed it to, when in reality, this was too ambitious. Believing that the system would be strong from the start created points of vulnerability in the process because huge changes like this take more time and support than a five year window allows. This is what many have seen, ransomware attacks on healthcare organizations have more than doubled in the years 2016 to 2021, which has a negative impact on patient care (Neprash et al. 2022). Further research that is relatively more up to date (2025) shows that this issue continues to be a main concern. Data breaches that involve patient information have more than doubled between 2010 to 2024 with the number of patient records affected jumped from 6 million to 170 million in this time period (Jiang, Ross, and Bai 2025). This cost the healthcare system and billing nationwide around $2.4 billion dollars and effected 100 million people (Jiang, Ross, and Bai 2025), which made many providers rely on emergency loans just to continue operations (Rundle and Stupp 2024). The privacy issue has not gotten any easier, many patients assume that their information is protected by HIPAA at all cost, any healthcare app no matter what, but that is simply not the case. When data is mishandled, the FTC has to step in (Haggin 2023). This points back to what Adler-Milstein and Jha pointed out originally, that “financial incentives tied to technology adoption are likely to substantially speed uptake” across hospitals (Adler-Milstein and Jha 2017), but just because they can roll out these systems out quickly does not mean that it is being done safely and efficiently. Looking at the caregiver documentation patterns in the visualizations below helps show what limited oversight can look like in practice/organizations. All of this information points back to the main idea, that healthcare cannot continue to treat privacy and security like it is on the back burner while continuing to build and upgrade technologies that make both privacy and security even that much more necessary.

Data Visualizations

The data visualizations examines patient 171628 regarding the terminal hospital stay. This patient is a 50-year-old male patient, identified as white and single, who was admitted to the hospital on February 4, 2112, at 2:49PM through the emergency department. His admission was primarily due to a unspecified tracheal and bronchial disease, which progressed to aspiration pneumonia and caused cardiac arrest. He had a past medical history of Down Syndrome and intellectual disability. Records have indicated a period of ventilator dependence during the hospital stay. He died six days later, on February 11, 2112, at 12:00PM. This context helps frame the type of care provided by the nursing and caregiver activity that was observed throughout the hospital stay as shown in the visualizations below.

Data Visualization One

 SELECT CAST(julianday(chartevents.charttime)-julianday(admissions.admittime)as integer) as day_of_stay,
  CAREGIVERS.label as caregiver_role,
  count(*) as num_entries
FROM chartevents
INNER JOIN caregivers ON CHARTEVENTS.cgid = caregivers.cgid
INNER JOIN admissions ON chartevents.hadm_id = admissions.hadm_id
WHERE chartevents.hadm_id = 171628
GROUP BY day_of_stay, caregiver_role
ggplot(data = myquery1,
       aes(x=day_of_stay, y= num_entries, color = caregiver_role)) +
  geom_line()+
theme_minimal()+
  labs(
    title= "Caregiver Documentation Activity by Role Over the course of Terminal Stay",
    subtitle = "Data taken from admissions, caregivers and chartevents table within MIMIC-III",
    x= "Day of Stay",
    y= "Documentation Frequency", 
    caption = "Source: MIMIC-III Clinical Database v1.4"
  )

In data visualization one, I connected chartevents, caregivers, and the admissions table to produce the graph above. To understand how involved the care team was during this patients terminal stay, Visualization One tracks caregivers documentation activity by role across each day of admission. Registered nurses (RN’s) accounted for the majority of charted entries, logging nearly 950 entries on the first day of admissions alone before declining to around 300 entries by day one, as shown on the graph. By day two, we see an increase in entries again, which spikes back up to around 900 entries, which carried over to day three, which steadily declines the rest of the days of stay. Looking at the fluctuation in entries throughout this chart shows that nursing entries were heavy at the time of admission but also in the middle of the patients stay which could indicate that the patients status could have changed requiring more attentive care. The other caregiver roles, RRT, IMD, RD, remained flat for the majority of the stay, meaning they did not have as much involvement as RNs, although their involvement was steady throughout. Greater visability into caregiver activity patterns through EHR systems could help nurse management and care coordinators identify staffing gaps or documentation lapses in real time rather than discovering them later.

Data Visualization Two

SELECT CAST(julianday(chartevents.charttime)-julianday(admissions.admittime)as integer) as day_of_stay,
  COUNT(distinct chartevents.cgid) as num_unique_caregivers
  FROM chartevents
  INNER JOIN admissions ON chartevents.hadm_id = ADMISSIONS.hadm_id
  WHERE chartevents.hadm_id = 171628
  GROUP BY day_of_stay
ggplot(data = myquery2,
       aes(x=day_of_stay, y= num_unique_caregivers, fill= factor(day_of_stay))) +
  geom_col()+
theme_minimal()+
  labs(
    title= "Number of Unique Caregivers Involved by Day of Stay",
    subtitle = "Data taken from admissions and chartevents table within MIMIC-III",
    x= "Day of Stay",
    y= "Number of Unique Caregivers", 
    fill= "Day of Stay", 
    caption = "Source: MIMIC-III Clinical Database v1.4"
  )

Building on the caregiver role activity shown in visualization one, visualization two examines the same terminal stay through a different lens, the number of distinct caregivers involved on each day of admission. Rather than counting total documentation entries, I have created this visualization to count the number of unique caregiver IDs per day, showing how many different caregivers were engaged in this patients care over the days of their stay. The data on this table shows different caregiver variation among six days of the patients stay, with caregiver involvement peaking on day zero and day three and not as strong by day five as the days of stay began to end. This pattern suggest that care coordination is not persistent across admission, but instead fluctuated as different days/phases of treatment occurred. This may reflect that certain days required more specialized or intensive intervention involving a bigger caregiver staff.

Together, visualization one and two illustrate a bigger picture of this patients terminal stay. Not only was the RN’s documentation the heaviest early on in this stay, but the overall size of this patients care team shifted day to day of the patients stay. Looking at this type of data helps shows a better understanding of EHR documentation volume and caregivers. This information could help nurse managers staff and coordinate care to the fullest rather than risking the issue of care gaps during the patients stay.

Recommendations for Industry

Bringing both data visualizations together along with the research discussed throughout this analysis, helped me identify actionable steps healthcare administrators could make to strengthen both their operational and defensive data strategies. In both visualizations, the caregiver documentation pattern show a real time gap in oversight due to the fluctuation in caregiver involvement day to day without any data showing when coverage was limited or not as available as it was on another day. Administrators in healthcare should invest in EHR dashboards that give management and care coordinators live visability into documentation activity in order to see the staffing on that day, rather than this being data that is pulled after the fact. This same real time data is important from a privacy and security stand point as well, to ensure the system is being used honestly and accurately. Next, healthcare organizations need to stop treating EHR adoption as the gold standard or finish line. There is much more that needs to be done when obtaining an EHR system. Like Gold and McLaughlin said, HITECH was successful in getting providers to adopt these EHR systems but ensuring that the data was being used to its full potential while maintaining security was never fully built out (Gold and McLaughlin 2016), and that gap in adoption is exactly where attackers have found opportunities to attack. Healthcare organizations have seen more ransomware attacks and data breaches over the past decade (Neprash et al. 2022; Jiang, Ross, and Bai 2025), which paints a clear picture that healthcare administrators need to make secure data sharing a top priority throughout the organization. Which brings me to my next point, that same gap in security means that incident response planning needs to assume extended downtime as the normal way of things, since Change Healthcare showed how fast one breach could affect operations nationwide (Rundle and Stupp 2024). Lastly, administrators should not assume that HIPAA alone covers every app or feature that touches patient data. There are third party apps, patient portals and more that uses patient data. This information needs to be evaluated and audited to ensure that the “industry standard” is being met and data is not being mishandled (Haggin 2023). Ultimately, all of these recommendations come down to one thing, healthcare cannot continue to treat the data into caregiver activity and patient data, or patient care and data protection, into two different problems when they are one in the same (Adler-Milstein and Jha 2017).

References

Adler-Milstein, Julia, and Ashish K. Jha. 2017. “HITECH Act Drove Large Gains in Hospital Electronic Health Record Adoption.” Health Affairs 36 (8): 1416–22.
Gold, MARSHA, and CATHERINE McLaughlin. 2016. “Assessing HITECH Implementation and Lessons: 5 Years Later.” The Milbank Quarterly 94 (3): 654–87. https://doi.org/https://doi.org/10.1111/1468-0009.12214.
Haggin, Patience. 2023. “Telehealth Apps Sharing Consumer Data Draw FTC Crackdown.” The Wall Street Journal.
Jiang, John Xuefeng, Joseph S. Ross, and Ge Bai. 2025. “Ransomware Attacks and Data Breaches in US Health Care Systems.” JAMA Network Open 8 (5): e2510180–80. https://doi.org/10.1001/jamanetworkopen.2025.10180.
Neprash, Hannah T, Claire C. McGlave, Dori A. Cross, Beth A. Virnig, Michael A. Puskarich, Jared D. Huling, Alan Z. Rozenshtein, and Sayeh S. Nikpay. 2022. “Trends in Randsomware Attacks on US Hopsitals, Clinics, and Other Health Delivery Organizations, 2016-2021.” JAMA Health Forum 3 (12): e224873.
Rundle, James, and Catherine Stupp. 2024. “Change Healthcare Starts Notifying Data-Breach Victims.” The Wall Street Journal.