
Chapter 2: Literature Review

Introduction

The purpose of this quantitative, comparative study was to determine whether there was a significant difference in the number of individual patient records affected in a digital breach compared to a nondigital breach of individual patient records for each of the three types of U.S. healthcare entities. The examination of digital and nondigital breaches across the three healthcare entities is important to both reducing the number of data breaches and ensuring proper allocation of resources to achieve that end. To examine the difference between variables, I used the comparative design to analyze information on the type of breach, the number of affected individuals, and the type of health care entity.

To aid in the accomplishment of the goals of this research project, I completed an exhaustive review of the literature within this chapter to more comprehensively understand previous research relevant to the topic of interest: security breaches within the U.S. health care system. Topics included in this chapter are seminal sources on the conceptual and theoretical framework employed in this study, the composition of the U.S. healthcare system, how the U.S. healthcare system operates, types of security breaches that can affect the U.S. healthcare system, and how all of the aforementioned factors interrelate.

Literature Search Strategy

I searched for relevant literature by means of an extensive online search of the following databases accessed through the Walden University Library: Communication & Mass Media Complete, Web of Science, PsycARTICLES, PsycINFO, PsycCRITIQUES, PsycEXTRA, ERIC, Center for Disease Control, ResearchGate, SAGE Journals, and Google Scholar. The search of relevant topics was completed with established parameters to return results applicable to this research project. The parameters focused on peer-reviewed articles published between 2015 and 2019. Search results yielded approximately 320 articles and other appropriate forms of literature; however, I did not use all returned results for the purposes of this literature review. Instead, only literature that met all inclusion criteria was employed. Adherence to the inclusion criteria ensured that all literature included in this project was current, defined within the context of this research study as published within the past 5 years. Any sources of literature outside of that time were defined as classic sources on relevant topics needed for the appropriate explanation of a theory or concept. Additionally, I used gray literature, which is reputable non-peer-reviewed information, in this literature review for emphasis or clarity but did not use gray literature as a conclusive source of information or to dictate the topics of interest in this chapter.

Key search terms used included: NIST privacy framework, ecological systems theory, United States healthcare, healthcare, security and healthcare, healthcare security breach, consequences of healthcare breaches, and American healthcare, all in the title. Additionally, I made online searches using the terms implications of security breach, cybercrime + American healthcare, and patient information and healthcare to ensure the comprehensive nature of the literature search.

After I provide an exhaustive review of relevant topics, this chapter ends with a summary of the literature and an introduction to the subsequent chapter.

Theoretical Foundation

The conceptual and theoretical framework of a research project is important because it often aids in creating the context in which the research questions are established and their results are applied in practice. It is common to consider more than one theory within the framework of a study to ensure the research topic is more comprehensively explained (CITE). The theoretical framework for this research study comprises two theories: the NIST Privacy Framework and ecological systems theory.

The NIST Privacy Framework

The NIST developed a comprehensive cybersecurity framework for a variety of private sector organizations so that these entities can better protect their information, especially sensitive or confidential data (Shen, 2014). The original version of this privacy framework, developed in 2014, is known as Version 1.0 (Shen, 2014). Version 1.0 was one of the first cybersecurity frameworks that allowed organizations within the private sector to be proactive in anticipating security risk (Shen, 2014). Risk management is often defined by cybersecurity experts as the continuous process of identifying, assessing, and understanding cybersecurity risks (Esser, 2018). Further, cybersecurity and risk management include the framework necessary to reduce the impact of possible cybersecurity breaches and the overall prevalence of risk (Esser, 2018). Cybersecurity and risk management have become increasingly important in the modern economy and in a variety of other services because cybersecurity breaches can cause great financial loss, damage an organization’s reputation, or cause violations of privacy for both employees and shareholders (Esser, 2018).

An updated version of the NIST Privacy Framework was released in 2017, known as Version 1.1, and added a variety of upgrades to Version 1.0, including guidance for organizations in the private sector on how to perform self-assessments of possible security risks and of the risk factors within their supply chains (Shen, 2014). The latter feature is especially important because supply chain security risks can also compromise sensitive data of private organizations that interact with one another (Shackelford et al., 2015). Version 1.1 also expanded information on risk mitigation and on how to interact more appropriately with supply chain stakeholders (Shackelford et al., 2015). As such, Version 1.1 of the NIST Privacy Framework provides a comprehensive security framework for many organizations in the private sector (Shackelford et al., 2015). The NIST Privacy Framework is an integration of three separate but interrelated facets: the Core, the Profiles, and the Implementation of Tiers (Shen, 2014).

The Core

The Core refers to an exhaustive body of privacy protection activity that permits the prioritization of possible security risks and of activities that may jeopardize the privacy of data collected by organizations (Shen, 2014). When utilized appropriately, the Core allows individual risks to be assessed and addressed in various ways, protecting the organization from other related security or privacy risks (Shackelford et al., 2015). The Core facet of the NIST Privacy Framework comprises five simultaneously addressed functions: identify, protect, control, inform, and respond (Shen, 2014).

The first function of the Core of the NIST Privacy Framework is the ability to identify ways in which organizations may be at risk of security or privacy breaches (Miron & Muita, 2014). This identification function covers a wide array of data collected by organizations for everyday operations as well as information important to development, research, or consumer trends (Miron & Muita, 2014). The first form of data that needs to be identified and assessed includes all the assets of the organization, which is known as asset management (AM; Miron & Muita, 2014). AM covers all data collected from the actual systems, devices, or technology present within an organization that allow the business to function (Shen, 2014). When AM occurs, each of the aforementioned types of data is identified and then ranked by both its importance to the company and how likely the data are to be compromised (Miron & Muita, 2014).

The next type of data examined by the NIST Privacy Framework is the data related to the respective business environment (BE; Shen, 2014). The BE includes all data concerning the purpose, functionality, and associated objectives of an organization (Shen, 2014). Further, the BE includes the integration of data from stakeholders and their associated activities within an organization. The BE is often assessed under the NIST Privacy Framework to ensure that the cybersecurity and recommended risk management protocols are in alignment with the organization (Esser, 2018).

Another form of data identified and prioritized within the Core of the NIST Privacy Framework is referred to as governance (Shen, 2014). Governance includes data related to the policies and operational procedures within the organization (Shen, 2014). This includes data on regulatory compliance with legal, environmental, and operational policies (Esser, 2018). In this way, the NIST Privacy Framework can assess risk related to these types of data and prioritize them according to their organizational importance (Esser, 2018).

Risk assessment (RA) is also a part of the Core component of the NIST Privacy Framework (Esser, 2018). RA includes any form of cybersecurity risk that can be associated with the mission or overall functionality of an organization (Esser, 2018). Additionally, RA is executed to ensure that any possible cybersecurity breach or privacy violation does not extensively damage the reputation or public image of a company (Esser, 2018). As security breaches can be catastrophic to the organization or associated personnel, RA is a vital component of proactive cybersecurity risk assessment (Shen, 2014).

The final assessment completed by the Core component of the NIST Privacy Framework is called risk management strategy (RMS; Esser, 2018). RMS includes the identification of an organization’s priorities regarding both functionality and potential cybersecurity risk (Esser, 2018). Additionally, RMS includes the identification of an organization’s limitations or constraints in maintaining functionality and mitigating cybersecurity and privacy breaches for both the organization and associated stakeholders (Scofield, 2016). To accomplish and implement an effective RMS, tolerance levels for an organization’s perceived risk are ascertained and then used as part of the RMS (Scofield, 2016). Finally, within the RMS, assumptions about perceived security risks are established relative to the type of organization and integrated into the Core facet of the NIST Privacy Framework (Scofield, 2016).

The second function of the NIST Privacy Framework is to protect vital parts of an organization’s infrastructure (Shen, 2014). In order to protect an organization, a variety of interrelated steps are implemented simultaneously to comprehensively protect the data, assets, and personnel of the organization (Esser, 2018). First, the NIST Privacy Framework establishes a variety of control measures that restrict access to sensitive data, known as access control (Esser, 2018). Access control, whether established by physically restricting unauthorized personnel from places in which sensitive material is housed or by implementing restriction protocols, ensures that unauthorized personnel do not have access to sensitive data stored within the databases of the organization (Shen, 2014). Online restriction protocols can prohibit access to sensitive data not only by restricting personnel from the databases but also by restricting access to the sensitive processes and devices utilized to gather, store, or analyze data (Scofield, 2016).

Another facet is the awareness and training category of the protect function (Esser, 2018). Within this context, awareness and training refers to the training of personnel associated with the organization or the organization’s stakeholders regarding what types of behavior can lead to increased cybersecurity risk (Shen, 2014). Additionally, this type of training can raise awareness of what types of data are targeted in cybersecurity breaches (Scofield, 2016). In this way, organizations and stakeholders can train personnel to perform their duties with proper cybersecurity in mind and integrate more comprehensive security-based initiatives within formal training sessions (Scofield, 2016).

Another aspect of the protective function of the NIST Security Framework is the development and installation of data security measures within all portions of the company’s operational protocols (Shen, 2014). This type of data protection includes a variety of measures that can encrypt or encode data within organizational databases (Shen, 2014). When data are encrypted or encoded, the data relevant to the company can be better protected. Furthermore, in this way, sensitive information remains largely inaccessible to unauthorized parties and its integrity is preserved, even if a cyberdata breach occurs (Esser, 2018).

Information protection processes and procedures (PRIP) is another protective measure within the NIST Security Framework (Esser, 2018). PRIP refers to the development and implementation of the various security policies needed by an organization (Esser, 2018). Security-based policies can include workplace rules on the purpose of security measures, the scope of security risks, and the commitment of the organization to ensure that security measures are followed (Shen, 2014). Moreover, PRIP can include workplace procedures regarding the responsibilities of each employee to ensure that cybersecurity is maintained, together with consequences for failure to adhere to policy (Scofield, 2016). PRIP is a vital component of the protection factor of the NIST Privacy Framework, ensuring that all personnel within an organization are in agreement on security measures and that all procedures are cohesive and implemented the same way by all employees and stakeholders (Scofield, 2016).

Maintenance (MA) of all security features instituted within a workplace culture is imperative for all security measures to operate appropriately (Shen, 2014). As such, MA is the next component of the protection factor of the NIST Privacy Framework (Shen, 2014). MA within this framework refers to the repairs needed for the control systems or software utilized to encrypt, encode, house, or analyze the data within an organization (Esser, 2018). Often this type of MA requires cybersecurity professionals employed within the organization or contracted externally (Esser, 2018). Companies that handle large amounts of sensitive data often employ full-time cybersecurity staff to ensure that protective measures are always working properly and to avoid cybersecurity breaches (Esser, 2018).

The last facet of the protection factor within the NIST Privacy Framework is the implementation of protective technology (PT; Esser, 2018). PT includes a variety of security measures whose main objective is to properly monitor security features and ensure that the developed security features are performing accurately (Shen, 2014). Additionally, PT can include the cybersystems needed to quickly repair security measures should they fail, before a cyber breach occurs (Shen, 2014).

The third factor of the NIST Privacy Framework is detection (Esser, 2018). Within this context, detection refers to the examination and identification of different possible security threats and cybersecurity breaches (Esser, 2018). Detection of cybersecurity threats and security breaches focuses on searching for anomalies and events (AE). Often, employees responsible for cybersecurity will scan virtual activity for any events that appear abnormal or out of context (Walser, 2018). Abnormal events are largely subjective and unique to the respective organization; however, they are generally defined by the online presence of unauthorized or unrecognized participants or by the discovery of pervasive online activity (Walser, 2018). Pervasive online activity includes unusual behavior that is largely unnecessary when proper access is established (Walser, 2018). Pervasive online activity may include multiple log-in attempts to restricted data, trying to gain access to data outside normal access methods, or trying to access sensitive data anonymously (Walser, 2018). If abnormal or pervasive online activity is identified, then cybersecurity professionals can isolate the incident and hopefully avoid a cybersecurity breach (Esser, 2018).
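The three kinds of pervasive activity listed above (repeated attempts on restricted data, access outside the normal access methods, and anonymous access to sensitive data) can be turned into concrete detection rules. The following is an added illustration, not code from the cited sources or from NIST; the key=value log format, the allowed access methods, and the thresholds are all assumptions, and the log lines are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample access log (assumed key=value format, not from the page).
SAMPLE_LOG = """\
2024-03-01T09:00:01 user=jdoe src=10.0.1.5 method=portal resource=/records/123 sensitivity=restricted result=denied
2024-03-01T09:00:09 user=jdoe src=10.0.1.5 method=portal resource=/records/123 sensitivity=restricted result=denied
2024-03-01T09:00:15 user=jdoe src=10.0.1.5 method=portal resource=/records/123 sensitivity=restricted result=denied
2024-03-01T09:05:00 user=asmith src=10.0.1.9 method=portal resource=/records/456 sensitivity=restricted result=allowed
2024-03-01T09:06:30 user=asmith src=10.0.1.9 method=ftp resource=/records/456 sensitivity=restricted result=allowed
2024-03-01T09:07:00 user=anonymous src=203.0.113.7 method=api resource=/records/789 sensitivity=restricted result=allowed
2024-03-01T09:08:00 user=bnguyen src=10.0.1.12 method=portal resource=/public/faq sensitivity=public result=allowed
"""

# Assumed "normal access methods" for restricted data; anything else is out of context.
ALLOWED_METHODS = {"portal", "api"}
# Assumed threshold: this many denied attempts on one resource within the window.
DENIED_THRESHOLD = 3
DENIED_WINDOW = timedelta(minutes=5)


def parse_line(line):
    """Turn one 'timestamp key=value ...' line into a dict with a datetime."""
    ts_str, *fields = line.split()
    event = {"ts": datetime.fromisoformat(ts_str)}
    for field in fields:
        key, _, value = field.partition("=")
        event[key] = value
    return event


def detect_anomalies(log_text):
    """Return (kind, user, detail, timestamp) findings for restricted-data events.

    kinds: 'repeated_denied'  - DENIED_THRESHOLD denials on one resource within DENIED_WINDOW
           'unusual_method'   - access path not in ALLOWED_METHODS
           'anonymous_access' - missing or anonymous user touching restricted data
    """
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    findings = []
    denied = defaultdict(list)  # (user, resource) -> timestamps of recent denials

    for e in events:
        if e.get("sensitivity") != "restricted":
            continue  # public data is out of scope for these rules
        user = e.get("user", "")

        if user in ("", "anonymous"):
            findings.append(("anonymous_access", user, e["resource"], e["ts"]))

        if e.get("method") not in ALLOWED_METHODS:
            findings.append(("unusual_method", user, e["method"], e["ts"]))

        if e.get("result") == "denied":
            window = denied[(user, e["resource"])]
            window.append(e["ts"])
            # Keep only denials inside the sliding window, then alert once per burst.
            window[:] = [t for t in window if e["ts"] - t <= DENIED_WINDOW]
            if len(window) >= DENIED_THRESHOLD:
                findings.append(("repeated_denied", user, e["resource"], e["ts"]))
                window.clear()

    return findings


if __name__ == "__main__":
    for kind, user, detail, ts in detect_anomalies(SAMPLE_LOG):
        print(f"{ts.isoformat()} {kind:16} user={user or '<none>'} {detail}")
```

In practice the thresholds and the allowed-method set are what make these rules organization-specific, which is the subjectivity the paragraph describes.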

The next detection method utilized by the NIST Security Framework is continuous monitoring (CM; Shen, 2014). Because the aforementioned AE are located through the training and employment of cybersecurity experts, an organization must also employ CM to ensure that if cybersecurity becomes jeopardized, the identification occurs quickly and in real time (Walser, 2018). CM includes the examination of all sensitive data at established intervals to ensure that all data can be monitored effectively (Shen, 2014). Additionally, CM is implemented to monitor the efficacy of established security measures and the effectiveness of responses to cybersecurity breaches (Walser, 2018).

The last facet of the detection methods utilized within the NIST Security Framework is known as detection processes (DP; Esser, 2018). DP includes the identification of the various processes or protocols that are maintained by the organization or associated stakeholders (Esser, 2018). DP also includes the establishment of novel modes of detection for cybersecurity breaches and the development of new ways to ensure that AEs can be addressed adequately and in a timely manner (Shen, 2014).

The next facet of the Core function of the NIST Privacy Framework is known as respond (Shen, 2014). This facet involves the development and execution of the protocols needed when a cybersecurity breach is detected (Esser, 2018). The first part of respond is response planning (RP; Esser, 2018). RP within this context refers to the processes or initiatives needed in case of a cybersecurity breach (Shen, 2014). Within RP, the organization and associated stakeholders create a comprehensive response protocol for a cybersecurity breach to ensure a timely response with little ambiguity (Walser, 2018).

To ensure that an RP is comprehensive and situationally appropriate, organizations and their stakeholders establish a variety of communications (CO; Esser, 2018). The creation of COs ensures that the verbiage and syntax describing cybersecurity risks are universally understood (Walser, 2018). In this way, when a cyber breach occurs, response times can be reduced and confusion largely mitigated (Esser, 2018). Further, COs are often shared with external law enforcement agencies to guarantee that if law enforcement services are needed, they understand the gravity of the situation and how best to mitigate cyber breaches (Shen, 2014).

After COs for a company are established and distributed to appropriate personnel, an analysis (AN) is often conducted by the organization to ensure that responses to cybersecurity breaches are adequate (Esser, 2018). Often the AN is conducted by an outside cybersecurity firm that specializes in testing response protocols (Keller, 2017). In this way, the AN can be more comprehensive and unbiased than one completed by cybersecurity specialists associated with the organization or its stakeholders (Keller, 2017).

After the AN is complete, cybersecurity experts can make recommendations on how to best address the issues that arose during the AN (Keller, 2017). Often these issues include inadequacy within the response itself or shortcomings in identifying the initial cybersecurity breach (Esser, 2018). When such issues are identified, mitigation (MI) can occur (Keller, 2017). MI often includes the activities or policies needed to contain the consequences of a cybersecurity breach or to keep the breach from spreading into other data while it is occurring (Shen, 2014). Finally, MI can include the policies or activities needed to erase traces of the incident and repair the breach going forward (Keller, 2017). Subsequently, improvements are made to the cybersecurity framework of the organization (Keller, 2017). Improvements can include novel ways to strengthen the establishment, execution, and analysis of cybersecurity protocols for a given organization or its associated stakeholders (Esser, 2018).

The last part of the Core function is known as recover (Esser, 2018). Recover includes the development and execution of any protocols or activities needed to mitigate the scope and effects of cybersecurity attacks (Keller, 2017). This type of recovery includes the restoration of full functionality of all data-related programs within the organization or associated stakeholders (Esser, 2018). Within the recovery step, it is imperative that the restoration of functionality is expedient and comprehensive. Moreover, all necessary steps are documented, and if the issues encountered are novel, they often contribute to the communications and plans associated with security within the organization (Esser, 2018).

The aforementioned components are those that make up the Core function of the NIST Privacy Framework. It is within the Core that the needs of an organization are identified and examined (Shen, 2014).

Further, the Core allows the organization and associated stakeholders to establish priorities regarding cybersecurity needs and initiatives (Shen, 2014). Finally, the Core establishes a set language for individuals employed within cybersecurity and law enforcement to reduce confusion and ambiguity should a cyber breach occur (Esser, 2018). Once the Core needs are established and prioritized, the information ascertained from the Core is used to make a profile of the organization (Keller, 2017).

The Profiles

Profiles are created from the information contained within the Core of the organization (Keller, 2017). Profiles are utilized in two main ways regarding cybersecurity (Esser, 2018). First, an organization’s profile is used as the framework of the company’s current cybersecurity protocols (Esser, 2018). This includes all initiatives, training, and safety measures that are implemented within the organization and by associated stakeholders (Esser, 2018). Further, the profile of a company also includes the framework needed to meet cybersecurity needs in the future, including the development of new cybersecurity protections (Shen, 2014).

The other function of an organization’s profile is to make connections between facets, which aids in the comprehensiveness of the risk assessment and in the distribution of the resources needed to combat cyber breaches (Esser, 2018). Organizations can have many profiles depending on the type of data the company obtains and utilizes within an operation (Shen, 2014). Additionally, the profiles of an organization may affect the way in which the organization interacts with the third factor of the NIST Security Framework, the Implementation of Tiers (Esser, 2018).

Implementation of Tiers

The Implementation of Tiers is the last major portion of the NIST Privacy Framework (Shen, 2014). Tiers refer to the level or scope of the implementation of cybersecurity measures within an organization (Shen, 2014). The greater the tier, the more sophisticated or comprehensive the cybersecurity measure (Esser, 2018). Often the designation of tiers is given to various measures in order to convey their importance between the various levels of cybersecurity experts and operational management (Esser, 2018). Within the NIST Privacy Framework, there are four tiers to denote differences in sophistication and integration (Shen, 2014). The lowest tier within this system is Tier I (Shen, 2014). Tier I refers to cybersecurity measures that are largely transient in nature and only partially integrated within the cybersecurity framework (Esser, 2018). Often, Tier I measures are largely unofficial within the organizational operation, are informal, and receive little or no cybersecurity coordination (Esser, 2018).

Tier II is the next inclusive level. Within Tier II, there exists some level of awareness of potential cybersecurity threats (Esser, 2018). As such, there is a small amount of coordination and resources shared between cybersecurity employees and management to ensure implementation; however, if the implementation fails, the cybersecurity risk is low (Keller, 2017). Moreover, if data are accessed through a cybersecurity breach at this tier, the type of data is often not sensitive in nature (Keller, 2017).

Tier III refers to cybersecurity protection measures that are primarily implemented within the company and with associated stakeholders (Esser, 2018). Often, Tier III security measures are formal parts of security procedure and, as such, are repeated regularly (Esser, 2018). Tier III security measures are revised and updated as needed, and a good amount of resources are spent on Tier III security (Keller, 2017). If a breach occurs to data protected by Tier III protocols, sensitive data become exposed, and breaches within this tier can often be problematic across multiple types of data (Esser, 2018).

The last tier, Tier IV, comprises the most sophisticated security measures (Esser, 2018). Security measures within Tier IV have large amounts of resources devoted to their implementation and to appropriate integration with the systems in lower tiers (Shen, 2014). Security measures within Tier IV are often largely cohesive with other security protocols and are common practice within the organization and with stakeholders (Shen, 2014). Tier IV cybersecurity measures often arise in response to prior breaches and, as such, are largely unique to the respective organization (Esser, 2018). Massive consequences arise if a breach occurs to data protected by an organization’s Tier IV cybersecurity (Esser, 2018).

Within the NIST Privacy Framework, practices and the identification of security issues are largely based on effective predictive indicators and experience (Esser, 2018). Often the security measures developed through the NIST Privacy Framework are implemented throughout organizations and within the security measures of associated stakeholders (Shen, 2014). Currently, the identification of Core security issues, the development of Profiles, and the Implementation of Tiers are largely voluntary (Shen, 2014). However, the NIST Privacy Framework is one of the most comprehensive cybersecurity initiatives in existence (Esser, 2018). As such, the NIST Privacy Framework is an adequate framework in which to study the topic of this study, security breaches in the healthcare system.

Ecological Systems Theory

In addition to the NIST Privacy Framework, the exploration of ecological systems theory (EST) helps to establish the theoretical foundation of this study. Although the NIST Privacy Framework gives context to how cybersecurity is employed and how it relates to addressing cybersecurity threats, the NIST Privacy Framework does not adequately explain the connection between cybersecurity and the healthcare system. Additionally, the utilization of the EST can give context to why cybersecurity crimes occur and to why, and in which ways, the healthcare system within the United States can be more diligent in protecting information.

Ecological systems theory, or human ecology theory, was established by Urie Bronfenbrenner in 1979 to better explain the variety of environmental factors that influence human behavior. Bronfenbrenner (1992) believed that much of human behavior could be attributed to various interactions between an individual and their ecological system, which includes socialization between different spheres of influence. Additionally, Bronfenbrenner posited that interactions within the ecological system are often interrelated and can be both conscious and unconscious. As such, Bronfenbrenner recognized five central environmental systems that influence the entirety of human behavior: the individual, the microsystem, the exosystem, the mesosystem, and the macrosystem. Within Bronfenbrenner’s ecological construct, all levels interact, especially with the levels positioned immediately before and after them (Bronfenbrenner, 1992). With the construction of these ecological spheres of influence on human interaction, human behaviors can be examined and contextualized (Bronfenbrenner, 1992).

Bronfenbrenner (1992) identified the smallest sphere of influence as the individual. It is within this level that intrinsic interactions create the majority of the influence upon an individual (Bronfenbrenner, 1992). Interactions within the individual level include factors such as sex, age, quality of health, ethnicity, and socioeconomic station. Interactions between the aforementioned factors can explain the way in which a person interprets and reacts within their respective environment (Hertler et al., 2018). Additionally, the many factors within the individual level of behavioral influence may be the primary motivators for many behaviors, as these factors create perspective (Hertler et al., 2018). An individual’s perspective concerning the environment in which they live dictates which actions and beliefs are considered normative (Hertler et al., 2018). Within the context of this project, Bronfenbrenner’s individual level becomes vital for understanding why some people commit cybercrime, as behaviors that are considered risky by much of the American population may be perceived as normative by some individuals. Further, the individual level can explain why some individuals feel compelled to protect the personal information of others from cybercrime and to properly protect sensitive organizational data from cyber breaches.

The next most proximal level in the explanation of human behavior within the EST is the microsystem (Bronfenbrenner, 1992). Factors that influence human interaction within the microsystem include any thoughts, emotions, or actions possessed by people who are close to the individual (Bronfenbrenner, 1992). The microsystem includes interaction with peers, family, schools, religious affiliations, and community members (Bronfenbrenner, 1992). The influence of the microsystem is primarily conscious to the individual within these interactions (Hertler et al., 2018). The beliefs and actions of others in the microsystem can directly impact the behaviors, actions, and disposition of the individual and often connect to deep-rooted behaviors or beliefs within an individual’s value system.

Additionally, the individual can influence the microsystem, as the microsystem comprises individuals who are important to the individual. In this way, the microsystem is reciprocal in nature (Hertler et al., 2018). In the microsystem, much of the influence on an individual’s behavior that does not stem from intrinsic factors is explained by members of the microsystem projecting their own beliefs about normative and non-normative behavior within this sphere of influence (Bronfenbrenner, 1992). This level helps in understanding how the collaborative behaviors of individuals within the healthcare system interact with one another and with patients to address the patients’ needs.

The level subsequent to the microsystem is referred to as the mesosystem (Bronfenbrenner, 1992). It is within the mesosystem that various microsystems interact. This collaboration between microsystems can often influence the behavior of the individual (Bronfenbrenner, 1992). The mesosystem is also where conscious influence ends and subconscious influence begins (Hertler et al., 2018). According to Bronfenbrenner (1992), although an individual is aware of the interactions between themselves and the mesosystem, individuals are largely unaware of how the mesosystem works together with the various microsystems to influence behavior. The mesosystem is another level that becomes influential to this project, as the mesosystem is largely representative of interactions between patients and healthcare systems, which may lead to unintended consequences. For example, a patient can interact with a healthcare provider but may not be aware of how their information is stored by the overall healthcare system or of how that may put them at risk if a cyber breach were to occur.

The exosystem is the next most inclusive layer within Bronfenbrenner’s EST. The exosystem influences the individual and their respective behaviors; however, the individual plays no direct role within this sphere of influence (Bronfenbrenner, 1992). The exosystem may include interactions between entities like healthcare providers and insurance companies or healthcare providers and legislative bodies (Bronfenbrenner, 1992). In this way, the resultant actions of the interactions affect the individual and future interactions; however, the individual is absent from the collaboration (Bronfenbrenner, 1992). Moreover, although the interactions can directly influence the individual, much of the influence of the exosystem is an unconscious influence (Hertler et al., 2018).

The exosystem gives way to the macrosystem, the next level in Bronfenbrenner’s ecological systems theory (Bronfenbrenner, 1992). Within the macrosystem occur all influences on behaviors that facilitate governance within the ecosystem of an individual. The macrosystem includes legislation, religious doctrine, and ethnic customs that shape and influence the behavior of an individual (Bronfenbrenner, 1992). Bronfenbrenner attributes much of the influence of the macrosystem to unconscious influence, as these factors are omnipresent and have been acting upon an individual since childhood. In this way, the macrosystem also influences the smaller levels of not only the individual but also of every individual who inhabits a similar locale (Hertler et al., 2018).

The last and most inclusive level of influence within the ecological systems theory is the chronosystem. The chronosystem includes the time in which an individual lives. The chronosystem, according to Bronfenbrenner (1992), gives context to all the aforementioned levels of influence on human behavior. In addition to time, the chronosystem also encompasses all types of transition events that are important for development and may influence behavior (Bronfenbrenner, 1992). For example, the death of a loved one or the onset of sickness can influence the behavior of an individual (Hertler et al., 2018).

The ecological systems theory was included as part of the theoretical framework of this project because this theory can more comprehensively explain the influences on human behavior. The theory of ecological systems is used to infer that human behavior is not an isolated event but part of an interrelated system of influence (Bronfenbrenner, 1992). As such, the ecological systems theory is utilized not only to explain why people commit cybercrimes but also to explain many of the behaviors of the healthcare system of the United States. The ecological systems theory can aid in understanding the behaviors of individuals associated with the healthcare system, including how they protect patient information, why they protect patient information, and how these protective behaviors influence cybercrime.

Review of the Literature

In addition to the conceptual and theoretical framework of the project, a comprehensive review of literature relevant to the research topics follows. As the topic of this research project is increased healthcare costs associated with cyber breaches within the United States, topics covered within this section include an overview of the U.S. healthcare system, an overview of how cyber breaches occur, and how costs of healthcare increase in relation to prevention measures against cybercrime.

Healthcare Systems Within the United States

Healthcare Composition

Within the United States, much of the healthcare system is privatized, meaning that private entities hold the majority stake (Barr, 2016). Conversely, there exist medical facilities that are owned and operated by varying facets of the government (Barr, 2016). Although medical practice is similar in both private and governmental healthcare facilities, private healthcare providers are often more convenient for the patient (Singh, 2015). In most privately owned healthcare facilities, a patient can make an appointment, and accommodations are far less crowded in comparison to public healthcare entities (Barr, 2016). Access to the facilities varies primarily by the type of health insurance possessed by the patient (Singh, 2015). Private insurance often offers a broader array of healthcare options than do governmental insurance programs such as Medicaid or Medicare (Barr, 2016).

In addition to privately owned or governmentally run healthcare facilities, there exist healthcare options known as free clinics (Singh, 2015). Free clinics are often considered part of the social network for community residents who do not possess the resources to obtain insurance in other ways, such as through employment or government programs (Barr, 2016). Free clinics are often subsidized by private or corporate donations to continue operations (VanderWielen & Ozcan, 2015). Although free clinics are widely used within communities, they often offer only a limited number of healthcare services (VanderWielen & Ozcan, 2015). Most free clinics are able to provide services to patients based on short-term or situational needs such as acute sickness, some sexually transmitted diseases (STDs), and some limited dental or vision care (VanderWielen & Ozcan, 2015).

Conversely, free clinics are often not equipped to offer long-term care or care for chronic diseases such as cancer (VanderWielen & Ozcan, 2015). The needs of the community often dictate the type of services a free clinic offers (VanderWielen & Ozcan, 2015). For example, if the community experiences a high incidence of STDs, free clinics within that area often offer more comprehensive services for STD treatment and prevention.

As healthcare within the United States comprises interrelated networks of privately owned and publicly operated facilities, the costs of and access to different forms of healthcare are often dictated by the resources available to those in need of services (Papanicolas et al., 2018). The costs associated with services can vary greatly by community, service type, and severity of the condition (Papanicolas et al., 2018). As such, understanding healthcare costs is important for the overall comprehension of the healthcare system within the United States.

Healthcare Costs

The healthcare system within the United States consists of many interrelated private and public entities that offer an array of services and goods that influence the health of the American people (Dietz et al., 2016). According to the World Health Organization (WHO), within the United States, approximately 65% of healthcare is subsidized by the government, including the Medicare and Medicaid systems (WHO, 2016). Medicare is a governmental program that grants health insurance coverage to Americans older than 65 years of age or to younger persons with disabilities (WHO, 2016). Each year an estimated 55 million Americans utilize Medicare to meet healthcare costs. Similarly, Medicaid is a governmentally funded program that grants healthcare subsidies to Americans living in poverty, which as of 2017 was approximately 70 million Americans (WHO, 2016). The remaining costs of healthcare are assumed by U.S. persons, as healthcare coverage is often a result of employment benefits (Papanicolas et al., 2018).

Although U.S. government agencies largely subsidize the price of healthcare, the cost of healthcare within the United States can become quite high (Papanicolas et al., 2018). Currently, within the United States, it is estimated that the cost of healthcare is almost 4,000,000,000,000 dollars annually, an almost 6500% increase over 50 years ago (WHO, 2016). These cost estimates indicate that healthcare costs within the United States comprise approximately 20% of the overall gross domestic product (WHO, 2016).

This increase in healthcare costs results in an estimated cost of healthcare of $10,000 per year per adult, which includes a variety of both proactive healthcare measures and treatments for various illnesses and injuries (Papanicolas et al., 2018). As such, the average American adult will contribute approximately 15% of all earnings to healthcare costs (Papanicolas et al., 2018). This ratio of earnings to healthcare costs increases further, however, if health ailments are severe or chronic in nature (Papanicolas et al., 2018).

There are two causal factors that contribute to the inexorable rise in healthcare costs within the U.S.: lifestyle habits and operational costs (Dietz et al., 2016). The first causal factor, lifestyle habits, refers to the way in which the average American lives today (Dietz et al., 2016). When compared to U.S. adults 50 years ago, diseases such as diabetes, obesity, and heart disease are much more prevalent, as are other diseases attributed to unhealthy habits (Dietz et al., 2016). This is due mostly to changes in lifestyle, as many adults are now more sedentary and eat less healthy diets overall (Kim & Basu, 2016). As these diseases and many others are largely preventable with proper diet and exercise, adhering to proactive measures can greatly reduce their prevalence; however, once they are acquired, the healthcare costs to mitigate symptoms can be great (Kim & Basu, 2016).

According to research, healthy American adults contribute only about 5% of overall healthcare costs within the United States (Dietz et al., 2016). This indicates that healthy lifestyle habits reduce the overall price of healthcare. Moreover, the 50% of Americans who identify as unhealthy are responsible for the other 95% of healthcare costs annually (Dietz et al., 2016). As the population of the United States becomes less healthy, the cost of healthcare increases dramatically (Kim & Basu, 2016).

The second reason healthcare costs have risen drastically within the past few decades is operational costs (Yeganeh, 2019). As the U.S. healthcare system relies heavily on insurance and government initiatives such as Medicare and Medicaid, the expansion of services to accommodate changing healthcare needs has largely increased the cost of healthcare (Yeganeh, 2019). Additionally, research associated with the development of novel treatments and more efficient technology also raises the price of healthcare (Yeganeh, 2019). Finally, within the past few decades, the need to digitize all data collected within the healthcare systems has been expensive and has increased the cost of healthcare (Yeganeh, 2019).

The need to digitize data was facilitated by the increased need and ability to share patient files more quickly between healthcare providers and to share billing information with insurance companies to decrease payment times (Bhavnani et al., 2016). To digitize data, many healthcare entities needed to code and upload a variety of data, including patient files, billing information, administrative files, employee information, and procedural protocols (Bhavnani et al., 2016). This feat required the hiring of a large number of staff and cybersecurity professionals to complete (Bhavnani et al., 2016). Additionally, now that all information is digitized, staff must be maintained to organize, upkeep, and monitor all digital data (Bhavnani et al., 2016).

The cost of healthcare has been rising considerably within the last few decades, and the average U.S. adult is often unable to compensate for increased expenditure on healthcare options. As such, many U.S. adults suffer a variety of consequences that can be attributed directly to inadequate coverage and associated issues obtaining treatment or medication.

Consequences of Healthcare Expense

As the high costs of U.S. healthcare persist, many people are unable to gain reliable access to healthcare. According to the WHO, approximately 28 million Americans (25% of all adults within the United States) were uninsured in 2016 (WHO, 2016). As many adults lack healthcare coverage, the number of preventable deaths within the United States is expected to increase within the next few years (WHO, 2016). Woolhandler and Himmelstein (2017) examined Americans who lacked adequate health insurance coverage and were able to demonstrate a connection between inadequate healthcare coverage and preventable mortality rates. Woolhandler and Himmelstein found that it would be possible to avoid almost 50,000 deaths on an annual basis if Americans had access to healthcare options. Moreover, the risk of mortality is higher in adults who lack health insurance than within similar cohorts that possess health insurance options (Woolhandler & Himmelstein, 2017).

In addition to preventable mortality, the cost of healthcare within the U.S. largely contributes to personal debt. According to Scott et al. (2018), the costs of treating injury or sickness can lead to high amounts of debt for American adults. Further, the likelihood of oppressive debt increases if the condition is chronic or rare, as treatments are often more expensive (Scott et al., 2018). Increased personal debt is more common among older Americans than within younger cohorts (Banegas et al., 2016). Debt is often more common among older individuals, as they often live on fixed incomes and possess an overall higher prevalence of health issues (Banegas et al., 2016).

As such, almost 45% of individuals over the age of 65 must declare bankruptcy to try to mitigate their respective healthcare debt (Banegas et al., 2016). The incidence of personal bankruptcy claims is similar across the overall population (Scott et al., 2018). When examined, the debt accrued through healthcare costs can account for almost 50% of all personal bankruptcies within the United States (Scott et al., 2018). As such, the debt attributed to treating disease and injury is the highest of all developed nations globally (WHO, 2016).

As various organizations and additional stakeholders comprise the American healthcare system, the cost of and associated access to services can vary greatly (Woolhandler & Himmelstein, 2017). Although the health risks of not gaining access to appropriate medical care are significant, there is another risk to the American public concerning the healthcare system (Woolhandler & Himmelstein, 2017). As the amount of sensitive data contained within the databases of the healthcare system is great, the possible consequences of inappropriate or unauthorized access can be catastrophic (Abouelmehdi et al., 2018). Files containing confidential medical information, sociodemographic data, and billing information are accessible within the cyber framework of almost all healthcare systems (Abouelmehdi et al., 2018). As such, ensuring these files are adequately protected, and implementing cybersecurity to do so, is essential.

Cyber Security

Cybersecurity is an array of behaviors and actions of information technology (IT) experts, including the protection of data from theft, corruption, and interruption (Kimani et al., 2019). As reliance on technology increases throughout the country for the completion of everyday personal and professional tasks, the amount of digital information that must be protected increases annually (Kimani et al., 2019). Information protected by cybersecurity measures can include any information accessed by the internet, personnel files, payment information, identification tools, sociodemographic data, as well as personal or private information (Kimani et al., 2019). As the breadth and depth of information that requires protection with cybersecurity increases, dynamic information protection is required (Kimani et al., 2019). Cybersecurity tools must be useful in identifying a variety of threats and must also address cyber breaches quickly and comprehensively.

Sensitive data may be vulnerable to cyber breaches through a few different approaches used by cybercriminals. First, the programs that are utilized to store sensitive files may include design flaws that allow cybercriminals to access sensitive data more easily (Kimani et al., 2019). Design flaws may be found in the design of the data itself or within the framework in which it is contained (Kimani et al., 2019). Three of the most common types of cyber breaches include backdoor, denial-of-service, and direct-access cyber breaches (Kimani et al., 2019).

Common Types of Cyber Breaches

The first type of vulnerability is referred to as a backdoor security breach (Tuptuk & Hailes, 2018). Within a backdoor security breach, a cybercriminal is able to bypass installed authentication or access restriction protocols (Tuptuk & Hailes, 2018). Subsequently, the cybercriminal can access sensitive data in much the same way as authorized users (Tuptuk & Hailes, 2018). Backdoor security breaches are often indicative of poor design within the data storage program (Tuptuk & Hailes, 2018). As such, the flaw in the design of the program often goes unnoticed until a backdoor security breach occurs (Tuptuk & Hailes, 2018).

Another type of cybersecurity breach is a denial-of-service attack, which largely interrupts the accessibility and functionality of data or data storage (Adat et al., 2018). A denial-of-service attack can work in two ways. First, the cybercriminal may be able to corrupt the login function on sensitive data in a way that forces the intended user to enter the “wrong” password until their login information fails (Adat et al., 2018). Similarly, cybercriminals may be able to overload the login capability of data storage platforms to disrupt the login capabilities of all authorized users (Adat et al., 2018).

The second type of denial-of-service cyber breach attacks the sensitive data by bombarding the security measures that protect the data with a collection of “ghost” accounts (Mallela & Jonnalagadda, 2018). Due to this, it becomes incredibly difficult for IT professionals and cybersecurity experts to adequately defend the sensitive information from the array of simultaneous attacks (Mallela & Jonnalagadda, 2018). Attacks from “ghost” accounts can continue until access goes through, as security measures will inevitably fail after enough attacks have occurred (Mallela & Jonnalagadda, 2018).
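As an added illustration that is not part of the original chapter or of the cited works, the following Python script applies detection logic to the two login-related denial-of-service patterns described in the preceding two paragraphs: repeated failures against a single account that would trip a lockout for the legitimate user, and many “ghost” accounts attempted from one source. The log format, IP addresses, account names, and thresholds are constructed assumptions.

```python
"""Detection of two login-related denial-of-service patterns in
authentication logs. Added example; the log format and all values below
are constructed assumptions, not taken from any cited work."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
import re

# Constructed log format: "<ISO timestamp> <source_ip> <account> <LOGIN_OK|LOGIN_FAIL>"
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (LOGIN_OK|LOGIN_FAIL)$")


@dataclass(frozen=True)
class Event:
    ts: datetime
    source: str
    account: str
    ok: bool


def parse_log(lines):
    """Parse log lines into Events; malformed lines are skipped, not fatal."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, src, acct, result = m.groups()
        events.append(Event(datetime.fromisoformat(ts), src, acct, result == "LOGIN_OK"))
    return events


def find_account_lockout_risk(events, window=timedelta(minutes=5), max_failures=5):
    """Pattern 1: accounts whose failed logins within `window` reach
    `max_failures`, the point at which a lockout policy would shut out the
    real user. Returns {account: sorted list of sources that caused it}."""
    by_account = defaultdict(list)
    for e in events:
        if not e.ok:
            by_account[e.account].append(e)
    flagged = {}
    for acct, fails in by_account.items():
        fails.sort(key=lambda e: e.ts)
        start = 0
        for end, e in enumerate(fails):          # sliding time window
            while e.ts - fails[start].ts > window:
                start += 1
            if end - start + 1 >= max_failures:
                flagged[acct] = sorted({f.source for f in fails[start:end + 1]})
                break
    return flagged


def find_ghost_account_sources(events, window=timedelta(minutes=5), max_accounts=10):
    """Pattern 2: sources that try at least `max_accounts` distinct accounts
    within `window`. Returns {source: peak number of distinct accounts}."""
    by_source = defaultdict(list)
    for e in events:
        by_source[e.source].append(e)
    flagged = {}
    for src, evs in by_source.items():
        evs.sort(key=lambda e: e.ts)
        peak, start = 0, 0
        for end, e in enumerate(evs):
            while e.ts - evs[start].ts > window:
                start += 1
            peak = max(peak, len({x.account for x in evs[start:end + 1]}))
        if peak >= max_accounts:
            flagged[src] = peak
    return flagged


# Constructed sample: a legitimate login, five rapid failures against the
# same account from one outside address, a later failure by the real user,
# then twelve distinct "ghost" accounts tried from a second address.
SAMPLE_LOG = [
    "2024-03-01T09:00:00 10.0.0.5 jdoe LOGIN_OK",
    "2024-03-01T09:00:10 198.51.100.7 jdoe LOGIN_FAIL",
    "2024-03-01T09:00:20 198.51.100.7 jdoe LOGIN_FAIL",
    "2024-03-01T09:00:30 198.51.100.7 jdoe LOGIN_FAIL",
    "2024-03-01T09:00:40 198.51.100.7 jdoe LOGIN_FAIL",
    "2024-03-01T09:00:50 198.51.100.7 jdoe LOGIN_FAIL",
    "2024-03-01T09:02:00 10.0.0.5 jdoe LOGIN_FAIL",
    "this line is malformed and should be skipped",
] + [f"2024-03-01T09:05:{i:02d} 203.0.113.9 ghost{i:02d} LOGIN_FAIL" for i in range(12)]


def analyze(lines):
    """Run both detectors over raw log lines and return their findings."""
    events = parse_log(lines)
    return {"lockout_risk": find_account_lockout_risk(events),
            "ghost_sources": find_ghost_account_sources(events)}


if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
```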

The third type of cyber data breach is called a direct-access attack. This type of attack occurs when a cybercriminal gains physical access to a computer or other device that contains sensitive information (Duffany, 2018). When this occurs, cybercriminals can physically modify the device in such a way that obtaining sensitive data is easier (Duffany, 2018). This type of attack may include copying software or access credentials (Duffany, 2018). Further, cybercriminals can add spyware or other software that allows the cybercriminal to access data from a remote location (Duffany, 2018). When direct-access attacks occur, they can often infect the rest of the devices that utilize the identical platform, which can then expose increased amounts or levels of sensitive data (Duffany, 2018).

As cyber breaches can occur in varied ways and affect different types of fail-safes and security measures, it is imperative to have a comprehensive cybersecurity protocol to effectively thwart the efforts of cybercriminals (Mishra et al., 2018). Much of this cybersecurity measure involves protocols that integrate well into workplace culture (Mishra et al., 2018). In this way, sensitive data can be better protected, ensuring that data that is sensitive to the organization, consumers, and associated stakeholders remains guarded.

Integration of Cybersecurity

The more integrated cybersecurity measures are into an organization’s workplace culture, the more effective they often are (Li et al., 2019). To ensure that a cybersecurity protocol is well integrated, it is necessary to follow five basic steps. First, a pre-evaluation must occur to bring awareness of possible security breaches to employees. In this way, employees become more aware of possible issues with cybersecurity, which allows employees to feel vested in the protection of sensitive data relevant to their organization (Li et al., 2019). Often, when employees feel more integrated with the cybersecurity process, they are more likely to adhere to cybersecurity initiatives (Li et al., 2019). Also within the pre-evaluation, the cybersecurity measures of the organization need to be evaluated to ensure that no obvious faults or shortcomings are observed (Irons et al., 2016). The next step includes the implementation and initiation of strategic planning sessions that allow the employees to become more aware of current cybersecurity protocols and of measures planned for the future (Irons et al., 2016). Within these sessions, goals and deadlines are established to ensure proper integration of cybersecurity measures (Irons et al., 2016). After the strategic planning stage, the initiation of the integration of cybersecurity measures occurs (Irons et al., 2016). After installation and initiation, a post-evaluation process can take place to ensure the cybersecurity measures are working correctly and to quickly address any problems (Irons et al., 2016).

Effects of Cyber Breaches

A completed cyber breach can negatively impact an organization in a variety of ways (Makridis & Dean, 2018). The first way an organization is affected is through theft. Theft of data can compromise the personal and financial information of employees, consumers, and stakeholders within an organization (Makridis & Dean, 2018). Further, it can be costly for an organization to recover or repay stolen funds. Stolen intellectual property and ideas may be implemented elsewhere, causing a loss of revenue for the organization (Makridis & Dean, 2018). When this occurs, an organization may lose rights to the stolen intellectual property, creating setbacks within research and development (Makridis & Dean, 2018).

The reputation, or image, of an organization can also be damaged after a security breach (Chen & Jai, 2019). If sensitive data is stolen or distributed by cybercriminals, an organization can be held accountable within public opinion (Chen & Jai, 2019). Often, consumers blame the organization for not adequately safeguarding sensitive information (Chen & Jai, 2019). When this occurs, the services or goods provided by the organization may not be used by future customers, and the organization may lose the business it already possesses (Biener et al., 2015). This may create a large loss of revenue and long-term trouble with trustworthiness (Biener et al., 2015).

As the U.S. healthcare system is so multifaceted, the affiliated organizations amass large amounts of sensitive data that could be harmful if accessed or distributed (Martin et al., 2017). It is imperative that such a diverse system be protected from cyber breaches to ensure that sensitive data is adequately protected (Martin et al., 2017). When cybersecurity measures fail, the healthcare system can suffer a variety of breaches that affect different individuals and different types of data (Martin et al., 2017).

Summary and Conclusions

The purpose of this quantitative, comparative study was to determine if there is a significant difference between digital and nondigital breaches of individual patient records and to determine if there is a significant difference between the number of individual patient record breaches for each of the three types of healthcare entities in the United States. The examination of digital and nondigital breaches amongst the three healthcare entities is important to both reducing the number of data breaches and ensuring proper allocation of resources to achieve that end. To aid in a more comprehensive understanding of how cybersecurity breaches affect individuals within the healthcare system of the United States, this chapter contains a literature review. The conceptual framework selected for this project was the NIST Privacy Framework, which explains how cybersecurity breaches occur and in which ways organizations can protect themselves and their associated stakeholders. Similarly, the theoretical framework for this project is the ecological systems theory, which helps to give context to behaviors within the healthcare system in relation to cybercrimes. This study includes an overview of the U.S. healthcare system, common types of cyber breaches, and a discussion of how cyber breaches can affect organizations.

In the next chapter, I describe the methodological approach. The framework of Chapter 3 includes the methods for sampling, data collection, and subsequent data analysis in order to address the research questions associated with this research project.
