  1. Chapter 1: Introduction to the Study
    1. Background of the Study
    2. Problem Statement
    3. Purpose of the Study
    4. Research Questions and Hypotheses
    5. Theoretical Foundation
    6. Nature of the Study
    7. Definitions
    8. Assumptions
    9. Scope and Delimitations
    10. Limitations
    11. Significance of the Study
      1. Significance to Theory
      2. Significance to Practice
      3. Significance to Social Change
    12. Summary and Transition

Chapter 1: Introduction to the Study

Cyberattackers widely target financial and health care entities because they are critical infrastructures. In 2019, there were 94 reported information breaches in the U.S. healthcare system from January to March, affecting a total of 3,486,735 individuals (U.S. Department of Health and Human Services, n.d.). The general problem is that providing adequate information security within the health care sector is both challenging and costly. For health care entities, providing information security increases the cost of health care for the U.S. public (Toé, 2013). Toé (2013) examined the explicit costs of sensitive information security breaches and found that breaches involving financial information, medical protected records, social security numbers, names, and addresses have an impact on the explicit costs associated with health care. The U.S. government has regulated the information security protocols for health care organizations under the umbrella of Health Insurance Portability and Accountability Act (HIPAA) regulations since the enactment of HIPAA in 1996 to protect patient health information in this electronic era (Pekala, 2017).

The objective of this research study was to estimate the difference between digital and nondigital breaches of individual patient records for each of the three types of health care entities in the United States. The identification of the type of breach that occurs the most and the most targeted entity determined where health care organizations should focus their efforts and resources to decrease the number of breaches of individual patient records. Current literature provides analyses of which type of breach costs the health care industry the most as well as information on breaches by entity type and the numbers of breached individual patient records (U.S. Department of Health and Human Services, n.d.). The goal of this study was to examine these sets of data to determine any potential differences between digital and nondigital breaches.

This chapter includes the following key sections: (a) background of the study, (b) problem statement, (c) purpose of the study, (d) research questions and hypotheses, (e) theoretical foundation, (f) nature of the study, (g) definitions, (h) assumptions, (i) scope and delimitations, (j) limitations, and (k) significance of the study. A summary of the key points of the study and an overview of the succeeding chapters conclude the chapter.

Background of the Study

Phishing refers to the practice of obtaining computer credentials from authorized users through manipulation and deceit (Wright et al., 2016). A typical instance of phishing is a fraudulent email, sent by an attacker posing as a legitimate sender such as the hospital’s information technology (IT) department, claiming that the user needs to update their computer credentials. While most computer users have heard of and are watchful for potential phishing schemes, the ever-evolving technology of scams means that phishing schemes are getting more elaborate and convincing, tricking users into giving away sensitive information that can grant a hacker access to the hospital’s private records (Wright et al., 2016). While health care organizations must report breaches of protected health care information, the actual number of breaches is unknown because it is challenging to catch the vast majority of attacks (Wright et al., 2016). Between 2014 and 2016, there were 10 reported breaches of health care information associated with phishing schemes (Wright et al., 2016). However, security consultants estimate that hospitals routinely undergo several phishing attacks each week. The success rate of these attacks is difficult to estimate because users who fall for the scheme are unlikely to realize it (Martin et al., 2017).

Hackers steal and sell personal identifying information (e.g., social security numbers, Medicare numbers, and dates of birth) from healthcare organizations in online black markets or to criminal networks that use the information to commit financial fraud (Wright et al., 2016). The criminal entities highly prize the information stolen from health care organizations due to the completeness of the information. The information often sells for many times the cost of a stolen credit card number (Wright et al., 2016). While some estimates place the cost of an identity stolen from a health care organization at $10 per identity, other estimates are as high as several hundred dollars an identity (Wright et al., 2016). The sheer number of identities housed in hospital databases makes health care organizations an attractive target for hackers.

Hackers looking to illegally access health care databases may have schemes other than identity theft in mind. Once they gain access to the database, hackers may use falsified or stolen credentials to change direct payroll deposits to their bank accounts, thereby stealing employee wages (Martin et al., 2017). Similarly, attackers could use the credentials to forge prescriptions or steal clinical data for blackmail. Once hackers gain access to a database, it can be challenging to remove them. In 2016, Hollywood Presbyterian Hospital experienced extended downtimes due to malware installed by hackers (Wright et al., 2016). Eventually, the hospital paid the attackers a ransom of $17,000 to remove the malware from the hospital system (Wright et al., 2016). The ransom received was unlikely to be the hackers’ biggest prize because they had extended access to the hospital’s database, including payroll information and personally identifiable information for employees and patients.

HIPAA established safeguards to protect sensitive information from cybercriminals, including requiring unique user identification numbers, emergency access procedures, automatic logoff functions, encryption, and decryption (Kruse et al., 2017). However, despite these protections, there are still ways to illegally access systems, and criminals try to stay ahead of the security protocols. Health care organizations face the challenge of not only maintaining their systems but continuously improving them to keep up with more and more advanced hacking methods. In recent years, health care organizations have increased spending to improve hospital integration; however, they have not spent the same amount of resources improving their data security integration (Kruse et al., 2017). According to Kruse et al. (2017), there may be several reasons for this. Updating software can be a time-intensive process, so organizations may struggle to find the downtime necessary to make updates. Improved security may also come with increased roadblocks for users. Two-factor authentication is a method of improving the security of logging on to the system, but it takes longer for the user, so organizations that try to implement it face pushback from busy staff (Kruse et al., 2017). Like network integration, security improvements are expensive (Kruse et al., 2017). However, unlike network integration, security improvements are not likely to produce a positive effect on the user (Martin et al., 2017). Improving integration means users can get the data they need faster and easier. The same is not applicable for data security; therefore, the incentive to improve security does not exist as it does for network integration (Martin et al., 2017).

While many researchers have discussed the rising prevalence of cyberattacks on health care organizations and trends relating to these attacks (Kruse et al., 2017; Martin et al., 2017; Pekala, 2017; Toé, 2013; Wright et al., 2016), there is scarce extant literature on the difference in the number of affected individuals between the types of information security breaches and types of healthcare entities in the U.S. healthcare system. This critical gap means that IT professionals, health care professionals, and health care consumers are unaware of their organization or data being at an increased risk for theft or hacking. Addressing this gap in the literature would allow organizations to be more aware of their risk and encourage them to take the steps necessary to protect the data.

Problem Statement

Even with the advent and implementation of stricter laws to prevent cyberattacks, the number of breaches increases every year, due primarily to the increasing adoption of digital infrastructure and the rise of software solutions to aid in operational tasks within the health care sector (Gomillion, 2017). From the end user to the sensitive core health care storage infrastructure, there are several layers, such as firewalls, encryption, and other cybersecurity measures (Shahri et al., 2012). Users remain the weakest link in information security because most users lack awareness of the risk involved (Shahri et al., 2012). With such high reliance on the digitalization of patient records, IT is evolving to be one of the fastest-growing trends in the U.S. healthcare system (Nimkar, 2016). Although the majority of breaches occur because of human error (Lineberry, 2007), there are other ways to lower information security breaches in the health care industry. Digitalizing and securing patient data is expensive (Berwick & Gaines, 2018). As cybercriminals utilize the internet more frequently and in more varied ways, the need for more sophisticated defense countermeasures becomes increasingly apparent (Langer, 2017).

The three health care entities in the United States (i.e., health care providers, health plan providers, and health care clearinghouses) hold a large amount of digital patient data. There is a gap in the literature regarding the differences between nondigital and digital breaches of patient records within health care entities. Researchers have not studied the extent of digital and nondigital breaches of patient medical records in the past, leading to the specific management problem of health care providers not knowing the extent of digital and nondigital breaches of patient medical records. To combat cybercrime in health care organizations, identifying the type of breach that occurs the most frequently and the most targeted type of entity is necessary to determine the optimal information security resource allocation to decrease the number of breaches of individual patient records. The objective of this research study was to estimate the difference between digital and nondigital breaches of individual patient records and compare individual patient record breaches for each of the three types of health care entities in the United States. Identifying the type of breach that occurs the most and the most targeted entity can be used to determine where healthcare organizations should focus their efforts to decrease the number of breaches of individual patient records. Current literature provides analyses of which type of breach costs the health care industry the most and information on breaches by entity type and the numbers of breached individual patient records (U.S. Department of Health and Human Services, n.d.). The goal of this study was to examine these sets of data to determine any potential differences.

Purpose of the Study

The purpose of this quantitative study was to determine if there is a significant difference between digital and nondigital breaches of individual patient records for each of the three types of health care entities in the United States. The examination of digital and nondigital breaches amongst the three health care entities is essential to both reducing the number of data breaches and ensuring proper allocation of resources to achieve that end. The independent variables were the types of information security breaches and health care entities, while the dependent variable was the number of breached individual patient records. To examine the difference between variables, I used statistical analysis of group means to estimate the differences in individual patient records affected between digital and nondigital breaches of health data in the three types of health care entities.

Research Questions and Hypotheses

The theoretical framework guided the formation of the research questions. I developed the following research questions to aid in the examination of the impact of digital and nondigital security breaches on individual patient records for each of the three types of health care entities in the United States. The research questions and associated hypotheses were as follows:

  • RQ1: Is there a significant difference between the average number of individual patient records affected by digital breaches and nondigital breaches for health care providers?

    • H01: There is no significant difference between the average number of individual patient records affected by digital breaches and nondigital breaches for health care providers.

    • Ha1: There is a significant difference between the average number of individual patient records affected by digital breaches and nondigital breaches for health care providers.

  • RQ2: Is there a significant difference between the average number of individual patient records affected by digital breaches and nondigital breaches for health plan providers?

    • H02: There is no significant difference between the average number of individual patient records affected by digital breaches and nondigital breaches for health plan providers.

    • Ha2: There is a significant difference between the average number of individual patient records affected by digital breaches and nondigital breaches for health plan providers.

  • RQ3: Is there a significant difference between the average number of individual patient records affected by digital breaches and nondigital breaches for health care clearinghouses?

    • H03: There is no significant difference between the average number of individual patient records affected by digital breaches and nondigital breaches for health care clearinghouses.

    • Ha3: There is a significant difference between the average number of individual patient records affected by digital breaches and nondigital breaches for health care clearinghouses.

Theoretical Foundation

The theoretical framework for this quantitative, comparative study consisted of two theories: Allman’s privacy regulation theory (and the associated National Institute of Standards and Technology (NIST) Privacy Framework) and the ecological systems theory. In the privacy regulation theory, Allman (2018) posited that the goal of privacy regulation is to achieve the most favorable level of privacy. Privacy is a nonmonotonic function, meaning that there can be too much privacy or too little privacy (Margulis, 2003). Health care information systems require health care entities to protect patient data without decreasing the ease of access for authorized users and risking security breaches. Allman’s position is that privacy has two levels: individual and group. HIPAA requires the protection of an individual’s data; yet, the protection of private information is a group process (CITE). The underlying assumption of the NIST Privacy Framework is that if an information system’s security plan also includes privacy protections, the resilience of the system will provide the resilience of privacy (Hiller & Russell, 2017). The NIST Framework includes the position of privacy as a fundamental part of resilient cybersecurity, which should work towards maintaining the privacy of citizens as mandated by HIPAA. The NIST Framework is useful as it can help determine what types of data breaches and in which health care entities breaches may occur prior to actual data breaches. The findings of this study may prove to be a valuable resource to the information security professionals in the health care entities and be used to bring about a positive social change by increasing information security protocols and reducing the cost of information security.

In addition to the NIST Privacy Framework, I used the ecological systems theory as part of the theoretical framework for this quantitative, comparative study. Although the NIST Security Framework gives context regarding how to employ cybersecurity and how it relates to addressing cybersecurity threats, it does not adequately explain the connection between cybersecurity and the health care system. The ecological systems theory can be used to create the context for why cybersecurity criminals commit crimes, how these cyber breaches affect targeted individuals, and in what ways the employees within the health care systems in the United States can be more diligent in protecting information.

Urie Bronfenbrenner developed an ecological systems theory, or human ecology theory, in 1979 to better explain the variety of environmental factors that influence human behavior. Bronfenbrenner (1992) believed a great deal of human behavior can be attributed to various interactions between individuals and their respective ecological systems, which include socialization between different spheres of influence. Additionally, Bronfenbrenner posited that interactions interrelate within the ecological system and can be both conscious and unconscious in nature. As such, Bronfenbrenner recognized five main environmental systems that influence the entirety of human behavior: the individual, the microsystem, the exosystem, the mesosystem, and the macrosystem. Within Bronfenbrenner’s ecological construct, all levels interact, especially with levels that are sequential. It is possible to examine and contextualize human behaviors by constructing the ecological spheres of influence on human interaction (Bronfenbrenner, 1992).

Nature of the Study

In this study, I used a quantitative approach to examine group means to determine if there was a difference between digital and nondigital breaches of health care information stored by U.S. health care entities. Specifically, I determined whether there was a significant difference between the number of individual patient records affected per digital breach and per nondigital breach for each of the three different types of health care entities. This allowed me to conclude whether there were significant differences between digital and nondigital breaches within health care entities based on the number of breached patient records for each type of breach.
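The group-mean comparison behind RQ1 through RQ3 and the nature of the study can be made concrete in code. The following Python script is an added illustration and is not the dissertation’s own analysis: it takes breach rows shaped loosely like the public HHS breach portal (entity type, breach type, location of the breached information, individuals affected), classifies each row as digital or nondigital, and runs Welch’s unequal-variance t-test on the per-breach record counts for each entity type. The sample rows are constructed, and the classification rule (paper or film locations are nondigital, everything else digital) is an assumption of this example, not a rule stated in the study. The test also handles the realistic failure mode of an entity type, such as clearinghouses, with too few breaches in one group to compare.

```python
"""Added example: per-entity comparison of digital vs. nondigital breach sizes.

Not the dissertation's analysis script. Records and the digital/nondigital
mapping are constructed assumptions; the statistics use only the standard library.
"""
from collections import defaultdict
from math import exp, lgamma, log, sqrt
from statistics import mean, variance

# Constructed sample rows: (entity type, breach type, location, individuals affected).
SAMPLE_RECORDS = [
    ("Healthcare Provider", "Hacking/IT Incident", "Network Server", 52000),
    ("Healthcare Provider", "Hacking/IT Incident", "Email", 18000),
    ("Healthcare Provider", "Unauthorized Access/Disclosure", "Electronic Medical Record", 4100),
    ("Healthcare Provider", "Theft", "Laptop", 9500),
    ("Healthcare Provider", "Theft", "Paper/Films", 1500),
    ("Healthcare Provider", "Improper Disposal", "Paper/Films", 620),
    ("Healthcare Provider", "Loss", "Paper/Films", 3100),
    ("Health Plan", "Hacking/IT Incident", "Network Server", 120000),
    ("Health Plan", "Unauthorized Access/Disclosure", "Email", 7600),
    ("Health Plan", "Theft", "Desktop Computer", 21000),
    ("Health Plan", "Unauthorized Access/Disclosure", "Paper/Films", 2400),
    ("Health Plan", "Improper Disposal", "Paper/Films", 980),
    ("Healthcare Clearing House", "Hacking/IT Incident", "Network Server", 3000),
    ("Healthcare Clearing House", "Theft", "Laptop", 12000),
    ("Healthcare Clearing House", "Loss", "Paper/Films", 700),
]


def classify(location: str) -> str:
    """Assumed rule (not the study's): paper/film locations are nondigital, the rest digital."""
    return "nondigital" if location == "Paper/Films" else "digital"


def group_counts(records):
    """Map entity type -> {'digital': [...], 'nondigital': [...]} of individuals affected per breach."""
    groups = defaultdict(lambda: {"digital": [], "nondigital": []})
    for entity, _breach_type, location, individuals in records:
        groups[entity][classify(location)].append(individuals)
    return dict(groups)


def _betacf(a, b, x, max_iter=300, eps=3e-14):
    """Continued fraction for the incomplete beta function (Lentz's method)."""
    tiny = 1e-300
    qab, qap, qam = a + b, a + 1.0, a - 1.0
    c, d = 1.0, 1.0 - qab * x / qap
    d = 1.0 / (d if abs(d) >= tiny else tiny)
    h = d
    for m in range(1, max_iter + 1):
        m2 = 2 * m
        for aa in (m * (b - m) * x / ((qam + m2) * (a + m2)),
                   -(a + m) * (qab + m) * x / ((a + m2) * (qap + m2))):
            d = 1.0 + aa * d
            d = 1.0 / (d if abs(d) >= tiny else tiny)
            c = 1.0 + aa / c
            c = c if abs(c) >= tiny else tiny
            h *= d * c
        if abs(d * c - 1.0) < eps:
            break
    return h


def _reg_inc_beta(a, b, x):
    """Regularized incomplete beta function I_x(a, b)."""
    if x <= 0.0:
        return 0.0
    if x >= 1.0:
        return 1.0
    bt = exp(lgamma(a + b) - lgamma(a) - lgamma(b) + a * log(x) + b * log(1.0 - x))
    if x < (a + 1.0) / (a + b + 2.0):
        return bt * _betacf(a, b, x) / a
    return 1.0 - bt * _betacf(b, a, 1.0 - x) / b


def p_value_two_sided(t, df):
    """P(|T| > |t|) for Student's t: I_x(df/2, 1/2) with x = df / (df + t^2)."""
    return _reg_inc_beta(df / 2.0, 0.5, df / (df + t * t))


def welch_ttest(x, y):
    """Welch's t-test on two samples; None when a group is too small or has no spread."""
    if len(x) < 2 or len(y) < 2:
        return None
    mx, my, vx, vy = mean(x), mean(y), variance(x), variance(y)
    se2 = vx / len(x) + vy / len(y)
    if se2 == 0.0:
        return None
    t = (mx - my) / sqrt(se2)
    df = se2 ** 2 / ((vx / len(x)) ** 2 / (len(x) - 1) + (vy / len(y)) ** 2 / (len(y) - 1))
    return {"mean_digital": mx, "mean_nondigital": my, "t": t, "df": df,
            "p": p_value_two_sided(t, df)}


def run_analysis(records):
    """One Welch test per entity type (digital vs. nondigital records affected per breach)."""
    return {entity: welch_ttest(g["digital"], g["nondigital"])
            for entity, g in group_counts(records).items()}


if __name__ == "__main__":
    for entity, r in run_analysis(SAMPLE_RECORDS).items():
        if r is None:
            print(f"{entity}: too few breaches in one group to test")
        else:
            print(f"{entity}: digital mean {r['mean_digital']:.0f}, nondigital mean "
                  f"{r['mean_nondigital']:.0f}, t={r['t']:.2f}, df={r['df']:.1f}, p={r['p']:.3f}")
```

With real portal data the rows would be read from the exported spreadsheet, and the classification rule would need to be fixed and documented before the test is run; the p-value is computed here from the t distribution directly so the script has no dependency on a statistics package.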

Definitions

BYOD management: A data security process where employees who use a particular device frequently at home decide to use the same in their organization as well (Technopedia, 2019).

Data loss prevention systems: A set of tools and processes used to ensure that sensitive data are not lost, misused, or accessed by unauthorized users (Digital Guardian, 2019).

Encryption: The method by which plaintext or any other type of data is converted from a readable form to an encoded version that can be decoded only by another entity that has access to a decryption key (SearchSecurity, 2019).

Endpoint and malware protection: An approach to detecting malicious network activity and protecting computer networks, including servers, desktops, and mobile devices, from intrusions and malware attacks (SearchSecurity, 2019).

Health care entities: Organizations, including health care providers like hospitals and clinics, health plan providers like insurance agencies, and health care clearinghouses, also known as billing agencies (National Practitioner Data Bank, n.d.).

Information breach: The theft of either physical or virtual data. A confirmed incident in which sensitive, confidential, or otherwise protected data are exposed in an unauthorized fashion (SearchSecurity, 2019).

Information security: The processes and methodologies that protect the print, electronic, or any other form of confidential, private, and sensitive information or data from unauthorized access, use, misuse, disclosure, destruction, modification, or disruption (SANS, 2019).

Intrusion prevention systems: A system that monitors a network for malicious activities, such as security threats or policy violations (Technopedia, 2019).

OSI Layer 7 firewall: A firewall operating at Layer 7 sorts traffic according to which application or application service the traffic is trying to reach and what the specific contents of that traffic are. Rather than simply blocking all traffic on a certain port, a Layer 7 firewall allows some traffic through while blocking traffic that may contain a threat (Digital Guardian, 2019).

Web proxy: A method for hiding an IP address from the websites an individual visits (SANS, 2019).

Assumptions

The primary assumption in this study was that the data gathered from the respective government agencies would be accurate. I sought assistance from the data managers or administrators of the government agencies that keep the data to ensure that I determined the correct number of affected individuals for each of the different information security breaches across different health care entities.

Scope and Delimitations

The scope of this study included individuals affected by information breaches across different U.S. health care entities. The participants, selected through purposeful sampling, consisted of a cross-representation of different individuals having different educational backgrounds, ages, and social statuses. I located records for the individuals in this study in the HIPAA breach database available for use from 2016 to 2018. The analysis involved estimation of comparative differences in the number of affected individuals by digital versus nondigital information security breaches across different healthcare entities by the comparative research design.

Limitations

There were two limitations to the study. First, I gathered data for the variables from databases of government agencies. Use of such a method might have limited the insights produced from the analysis because the data might not have reflected the general population. Second, the use of a nonprobability sampling procedure, such as purposive sampling, reduces the possibility of generalizing the results to a larger population.

Significance of the Study

Significance to Theory

This study may enable information security professionals in the health care industry to identify the critical areas in healthcare information security that require more attention to avoid information breaches. Over the past 2 decades, the cost of health care in the United States has risen rapidly. In an annual report, the Health Care Cost Institute (2019) reported that healthcare costs rose 3.9% per year on average between 2013 and 2017. This figure is higher than the rise of the gross domestic product, which averaged a 3.1% increase between 2013 and 2017. Within the same period, the use of health care services declined by 0.2%, indicating that there has been an inverse relationship between the use of health care services and the cost of health care. One of the significant contributors to the increase in health care costs is the adoption of IT and the digitalization of patient data (Langer, 2017). In the overall IT budget, management allocates a significant portion towards information security (Langer, 2017).

Significance to Practice

The significance of this study to practice is two-fold. The goal was to further explore the importance of information security in the U.S. health care system. Though information security has been a growing interest for almost a decade now, only a few research studies on the topic existed in the health care field. The health care system holds an enormous amount of digital information about patients, doctors, and health care providers; therefore, information security is of paramount priority.

Significance to Social Change

The goal of this study was to provide a better understanding of how different types of information breaches impact the number of individual patient records affected per breach. The findings may help to provide health care entities with information to incentivize them to invest in information security to safeguard health care processes and patients and lessen the opportunity for information breaches. Furthermore, the results of this research could provide positive social change by decreasing the cost of information security for the health care entity, which, in turn, would lower the cost of health care for the patients.

Summary and Transition

The specific problem addressed in this study was identifying the most vulnerable entity to data breaches and the type of breach that results in the most individuals affected to determine where the most resources are necessary to decrease the number of breaches and individuals affected. As such, the purpose of this quantitative, comparative study was to determine the difference in the number of affected individuals between the types of information security breaches for the three types of U.S. healthcare entities. In this study, I used a comparative design to analyze data from the HIPAA breach database, which contains information on the type of data breach, the number of affected individuals, and the type of health care entity.

This study consists of four more chapters. Chapter 2 is a review of the pertinent literature relating to information security in the health care industry. In the literature review, I will provide a summary of the previous findings as well as previous researchers’ recommendations for implementation strategies and future research. In Chapter 3, I will present an overview of the research methodology for the study. The research design, population and sampling, methods of data collection and data analysis, ethical considerations, and the validity and reliability of the instruments will be discussed in the chapter. In Chapter 4, I will elaborate on the results of the data analysis to answer the research questions. Finally, Chapter 5 includes a discussion of the results and my recommendations to the health care industry regarding improving information security.
