Healthcare Security Strategies for Regulatory Compliance and Data Security

Regulatory compliance and data security are important objectives for IT managers. Building on the resource-based view, this study examines the impact of IT security resources, functional capabilities, and managerial capabilities on regulatory compliance and data security. Using binomial and multinomial logit models, we analyze data from 250 healthcare organizations. The results show that IT security resources are positively associated with compliance and data security. Within functional capabilities, prevention capabilities improve both compliance and data security, and complement IT security resources. Functional audit capabilities are also associated with improved compliance but result in increased breaches, likely because such auditing helps organizations find, disclose and fix breach-related problems. Managerial capabilities (i.e., top management support, expertise, and data coordination) influence compliance more than data security. Our findings provide policy insight on effective security programs that harness IT resources, functional capabilities, and managerial capabilities.
