Meaningful healthcare security

Juhee Kwon and Eric Johnson recently published an article addressing the question: Does “meaningful-use” attestation improve information security performance?

Certification mechanisms are often employed to assess and signal difficult-to-observe management practices and foster improvement. In the U.S. healthcare sector, a certification mechanism called meaningful-use attestation was recently adopted as part of an effort to encourage electronic health record (EHR) adoption while also focusing healthcare providers on protecting sensitive healthcare data. This new regime motivated us to examine how meaningful-use attestation influences the occurrence of data breaches. Using a propensity score matching technique combined with a difference-in-differences (DID) approach, our study shows that the impact of meaningful-use attestation is contingent on the nature of data breaches and the time frame. Hospitals that attest to having reached Stage 1 meaningful-use standards observe fewer external breaches in the short term, but do not see continued improvement in the following year. On the other hand, attesting hospitals observe short-term increases in accidental internal breaches but eventually see long-term reductions. We do not find any link between malicious internal breaches and attestation. Our findings offer theoretical and practical insights into the effective design of certification mechanisms.

The full paper appears in MIS Quarterly, Vol. 42, No. 4 (December 2018), pp. 1043-1067. DOI: 10.25300/MISQ/2018/13580


THaW paper at CIST (INFORMS)

THaW professor Eric Johnson (Vanderbilt) recently presented a new paper at the Conference on Information Systems and Technology (CIST), a division of INFORMS.

See the video abstract. A full version of the paper is under review at a journal.

Meaningful healthcare security: Does “Meaningful-use” attestation improve information security performance?
Juhee Kwon and M. Eric Johnson
Abstract:
Certification mechanisms are often employed to signal performance of difficult-to-observe management practices. In the healthcare sector, financial incentives linked to “meaningful-use” attestation have been a key policy initiative of the Obama administration to accelerate electronic health record (EHR) adoption while also focusing healthcare providers on protecting sensitive healthcare data. Given the rapid push for safe digitization of patient data, this study examines how hospital attestation influences the occurrence of subsequent data breaches and also how breach performance is associated with penalties from prior breaches. Using a propensity score matching technique combined with a difference-in-differences approach, we analyze a matched sample of 869 U.S. hospitals. We find that hospitals that attest to having reached Stage-1 meaningful-use standards observe reduced external breaches in the short term, but do not see continued improvement in the following year. On the other hand, attesting hospitals observe short-term increases in accidental internal breaches, but eventually see longer-term reductions. We do not find any link between malicious internal breaches and attestation. Further, we find that the interaction between meaningful-use attestation (carrot) and prior failure resulting in penalties (stick) enhances short-term reductions of accidental internal and external breaches. Our findings offer both theoretical and practical insights into the effective design of certification mechanisms and breach regulations.

Hospitals Must Develop IT Security Plans To Avoid Target’s Fate

In a recent study examining data from 243 hospitals, THaW researcher Eric Johnson found that while compliance with state and federal IT security mandates like HIPAA helps the worst hospitals protect patient information better, organizations that maintain and regularly update a security plan get far more from their security investments. Eric defines these organizations as “operationally mature.” These strategic plans — along with periodic reviews — enable organizations to learn of potential new risks and evaluate their own security posture. As a consequence, organizations’ security resources are better targeted to address their specific needs and the environments in which they operate. Eric’s results show that the impact of security investments varies depending on the operational maturity of the organization.

Read more about this study and its results in Eric’s blog. The study was funded by an earlier NSF grant on Trustworthy Information Systems for Healthcare.

Five trends in healthcare IT – and their implications for security

In the previous post we described the current landscape for healthcare information technology. In this post, we note how healthcare information systems increasingly face daunting security challenges due to five economic and technological trends. First, the locus of care is shifting, as the healthcare system seeks more efficient and less-expensive ways to care for patients, particularly outpatients with chronic conditions. Second, strong economic incentives are pushing health providers to innovate by rewarding providers for keeping their patient population healthy, rather than paying only to fix patients when they are ill. Third, the treatment of chronic conditions and the implementation of prevention plans entail more continuous patient monitoring, outside of the clinical setting. Fourth, mobile consumer devices (smartphones and tablets) are quickly being adopted for health & wellness applications, both by caregivers and patients, in addition to their many other uses – making it difficult to protect sensitive health-related data and functions from the risks posed by a general-purpose Internet device. Finally, significant emerging threats are targeting healthcare information systems, while new regulations strive to protect medical integrity and patient privacy. Let’s look at each of these five trends in more detail.


The healthcare IT landscape

The United States spends over $2.6 trillion annually on healthcare. This amount represents approximately 18% of the gross domestic product (GDP), a share that has doubled in the last 30 years and is the highest of any country in the world [11]. Over 75% of these costs are due to the management of chronic diseases, which currently affect 45% of the U.S. population. By 2023, the cost of managing chronic diseases alone is expected to rise to $4.2 trillion [3]. Many look to information technology to help reduce costs, increase efficiency, broaden access to healthcare, and improve the health of the population.

Meanwhile, recent years have seen a dramatic shift in the nature of computing with the advent of smartphones and tablet computers; the latest surveys estimate that over 50% of Americans have smartphones [10]. This widespread availability of a powerful mobile computing platform, with a rich interface and a variety of built-in sensors, has created a boom in mobile health (mHealth) applications like RunKeeper and Fooducate [9]; mHealth application downloads increased from 124 million in 2011 to 247 million in 2012 [8]. These mHealth apps and devices are becoming more prevalent due in part to the rising cost of healthcare and their suitability for managing chronic diseases, particularly in the aging population [5, 6], and in prevention and wellness programs [1].

Smartphones and tablets are rapidly moving into the clinical workplace as well. A recent estimate indicates that as many as 62% of doctors use mobile tablets [4]. Although some hospitals embrace smartphones and tablets by distributing them to their staff [7], a 2012 survey found that 85% of hospitals allow their clinicians to bring their own device to work [2].

Furthermore, universal connectivity (cellular, wireless, and home broadband) has enabled a tremendous variety of services to move to the “cloud.” Services like Dropbox and Google Drive make it easy for individuals to store, manipulate, and share content on cloud servers located in distant data centers. Services like Amazon S3 and Google App Engine make it easy for developers to build scalable storage and computational backends without installing or managing their own infrastructure. These trends are leading more individuals and enterprises to move an increasing fraction of their computing onto Internet-connected servers run by other organizations, raising important questions about security and privacy: the data owner no longer controls the physical systems, the software stack, or the administrative staff that can access the data.

Finally, recent years have seen rapid developments in smart, miniaturized, low-power, adaptive and self-calibrating instrumentation, enabling the emergence of mobile devices for monitoring and managing individual health conditions; examples range from wearable devices that measure physical activity (such as the BodyMedia armband) to Wi-Fi enabled bathroom scales (such as those from Withings or Fitbit) to stick-on ECG patches to monitor heart conditions (such as those from Corventis) to implanted insulin pumps (such as one from Medtronic). Most are wireless, able to upload data to a smartphone or to a cloud server for analysis and access by both the individual and caregivers.

The dynamic healthcare ecosystem and rapid technology evolution lead to new challenges in securing tomorrow’s healthcare information infrastructure. More on that in the next post!
