Security Practices and Regulatory Compliance in the Healthcare Industry

OBJECTIVE Securing protected health information is a critical responsibility of every healthcare organization. We explore information security practices and identify practice patterns that are associated with improved regulatory compliance.

DESIGN We employed Ward's minimum-variance cluster analysis based on the adoption of security practices. Variance between organizations was measured using dichotomous data indicating the presence or absence of each security practice. Using t tests, we identified the relationships between the clusters of security practices and their regulatory compliance.

MEASUREMENT We utilized the results of the Kroll/Healthcare Information and Management Systems Society telephone-based survey of 250 US healthcare organizations, including the adoption status of security practices, breach incidents, and perceived compliance levels with the Health Information Technology for Economic and Clinical Health Act, the Health Insurance Portability and Accountability Act, the Red Flags rules, Centers for Medicare and Medicaid Services requirements, and state laws governing patient information security.

RESULTS Our analysis identified three clusters (which we call leaders, followers, and laggers) based on the variance of security practice patterns. The clusters differ significantly in non-technical practices rather than in technical practices, and the highest level of compliance was associated with hospitals that employed a balanced approach between technical and non-technical practices (or between one-off and cultural practices).

CONCLUSIONS Hospitals at the highest level of compliance were significantly more likely to manage third-party breaches and to conduct training. Audit practices were important to those who scored in the middle of the pack on compliance. Our results provide security practice benchmarks for healthcare administrators and can help policy makers develop strategic and practical guidelines for practice adoption.
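As an added illustration of the DESIGN step (example code, not code or data from the paper), the following Python builds Ward's minimum-variance clusters from dichotomous practice-adoption vectors, cuts the hierarchy at three clusters, ranks them by mean perceived compliance, and computes a t statistic between two clusters. The nine hospitals, their practice flags and compliance scores are constructed, and the Welch (unequal-variance) form is my choice where the abstract says only "t tests".

```python
import math

# Constructed sample of 9 hypothetical hospitals. Adoption vector order:
# encryption, firewall, access_control, audit_logging (technical), then
# staff_training, third_party_mgmt, risk_assessment, incident_response.
# Second element is a constructed perceived-compliance score (0-10).
HOSPITALS = {
    "H1": ([1, 1, 1, 1, 1, 1, 1, 1], 9), "H2": ([1, 1, 1, 1, 1, 1, 1, 0], 8),
    "H3": ([1, 1, 1, 1, 1, 1, 0, 1], 9), "H4": ([1, 1, 1, 1, 0, 0, 0, 0], 6),
    "H5": ([1, 1, 1, 1, 0, 0, 0, 0], 5), "H6": ([1, 1, 1, 0, 0, 0, 1, 0], 6),
    "H7": ([1, 0, 0, 0, 0, 0, 0, 0], 3), "H8": ([0, 0, 0, 0, 0, 0, 0, 0], 2),
    "H9": ([0, 1, 0, 0, 0, 0, 0, 0], 3),
}

def ward_clusters(vectors, k):
    """Agglomerative Ward (minimum-variance) clustering down to k clusters.
    vectors: {name: 0/1 adoption vector}. Each step merges the pair whose union
    adds the least within-cluster sum of squares, i.e. minimises
    n_i * n_j / (n_i + n_j) * ||centroid_i - centroid_j||^2."""
    clusters = [([name], [float(x) for x in vec]) for name, vec in vectors.items()]
    while len(clusters) > k:
        best = None  # (cost, i, j) of the cheapest merge found so far
        for i, (mi, ci) in enumerate(clusters):
            for j in range(i + 1, len(clusters)):
                mj, cj = clusters[j]
                d2 = sum((a - b) ** 2 for a, b in zip(ci, cj))
                cost = len(mi) * len(mj) / (len(mi) + len(mj)) * d2
                if best is None or cost < best[0]:
                    best = (cost, i, j)
        _, i, j = best
        (mi, ci), (mj, cj) = clusters[i], clusters[j]
        n = len(mi) + len(mj)  # new centroid is the size-weighted mean
        clusters[i] = (mi + mj, [(len(mi) * a + len(mj) * b) / n for a, b in zip(ci, cj)])
        del clusters[j]
    return [sorted(members) for members, _ in clusters]

def welch_t(xs, ys):
    """Welch's two-sample t statistic (unequal variances); the p-value lookup
    against the t distribution is left to a stats library."""
    def mean_var(v):
        m = sum(v) / len(v)
        return m, sum((x - m) ** 2 for x in v) / (len(v) - 1)
    (mx, vx), (my, vy) = mean_var(xs), mean_var(ys)
    return (mx - my) / math.sqrt(vx / len(xs) + vy / len(ys))

def rank_clusters(hospitals, k=3):
    """Cluster on adoption patterns alone, then order the clusters by mean
    compliance (highest first) so compliance never feeds the clustering."""
    groups = ward_clusters({n: v for n, (v, _) in hospitals.items()}, k)
    return sorted(groups, key=lambda g: -sum(hospitals[n][1] for n in g) / len(g))
```

Compliance scores are used only after clustering, for the between-cluster comparison, which mirrors the abstract's separation of the clustering step from the t tests.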
