Optimal information security investment in a Healthcare Information Exchange: An economic analysis

a r t i c l e i n f o The complexity of the problem, the increasing security breaches, and the regulatory and financial consequences of breached patient data highlight the fact that security of electronic patient information in Healthcare Information Exchanges (HIEs) is an organizational imperative and a research priority. This study applies classical economic decision analysis techniques and models the HIE based on its network characteristics to offer key insights into the issue of determining the optimal level of information security investment. We find that for an organization in a HIE, only security events with the potential loss reaching some critical value are worth protecting, and organizations would only spend a fraction of the intrinsic security risk on protection measures. Even when business benefit from security investment exists, organizations in a HIE tend to invest based on risk reduction alone. The implications of such decisions made at the node level and the resulting built-in moral hazard at the HIE level is discussed. The Health Information Technology for Economic and Clinical Health Act (HITECH Act), enacted as part of the American Recovery and Reinvestment Act (ARRA) of 2009, unleashed a major IT overhaul of the entire healthcare sector in the United States. Along with the promised benefits, however, came the challenge of safeguarding patient information in the digital world [42]: In 2010 and 2011, based on the Department of Health and Human Services (HHS) mandated public notification of breaches involving 500 or more patient records, more than 16 million individuals have been affected by healthcare data breach [80]. In a benchmark study on patient privacy and data security [59], 28% of the respondents have no staff dedicated to managing data protection , while 35% have fewer than two such dedicated staff. It was estimated that data breaches of patient information cost healthcare organizations nearly $6 billion annually, and that many breaches go un-detected [59]. Healthcare organizations are just beginning to appreciate the scale and impact of the information security problem. Decision makers are faced with the multitude of technical and economic issues involved in securing their data and systems. This is further compounded by the fact that there are many health care providers and organizations, including some small, unsophisticated players, involved that handle, share, and coordinate care [42] via a Health Information Exchange (HIE), the electronic network for sharing health-related information among organizations according to nationally or regionally …