Health-Care Security Strategies for Data Protection and Regulatory Compliance

This study identifies how security performance and compliance influence each other and how security resources contribute to two security outcomes: data protection and regulatory compliance. Using simultaneous equation models and data from 243 hospitals, we find that the effects of security resources vary for data breaches and perceived compliance and that security operational maturity plays an important role in the outcomes. In operationally mature organizations, breach occurrences hurt compliance, but, surprisingly, compliance does not affect actual security. In operationally immature organizations, breach occurrences do not affect compliance, whereas compliance significantly improves actual security. The results imply that operationally mature organizations are more likely to be motivated by actual security than compliance, whereas operationally immature organizations are more likely to be motivated by compliance than actual security. Our findings provide policy insights on effective security programs in complex health-care environments.
