Human and Organizational Factors of Healthcare Data Breaches: The Swiss Cheese Model of Data Breach Causation And Prevention

Over the past few years, concerns related to healthcare data privacy have been mounting as healthcare information has become more digitized, distributed and mobile. However, very little is known about the root causes of data breach incidents, making it difficult for healthcare organizations to establish proper security controls and defenses. Through a systematic review and synthesis of the data breach literature, and using databases of earlier reported healthcare data breaches, the authors re-examine and analyze the causal factors behind healthcare data breaches. The authors then use the Swiss Cheese Model (SCM) to shed light on the technical, organizational and human factors of these breaches. The authors' research suggests that incorporating SCM concepts into healthcare security policies and procedures can assist healthcare providers in assessing the vulnerabilities and risks associated with the maintenance and transmission of protected health information.
