  1. Chapter 5: Discussion, Conclusions, and Recommendations
    1. Interpretation of the Findings
      1. RQ1
      2. RQ2
      3. RQ3
    2. Limitations of the Study
    3. Recommendations
    4. Implications
    5. Conclusion

Chapter 5: Discussion, Conclusions, and Recommendations

The purpose of this quantitative study was to determine if there is a significant difference between digital and nondigital breaches of individual patient records for each of the three types of U.S. health care entities. The results of this study are significant because understanding the differences between digital and nondigital breaches among the three types of health care entities can lead to information that can be used to reduce the overall number of breaches and better protect patient data. Furthermore, understanding the types of breaches that occur is useful in determining an appropriate allocation of security funding.

Chapter 4 contained the study findings. The present study uncovered several key findings related to health care data security breaches. First, 69.59% of all data breaches were digital (n = 1,810), while 30.41% of the cases were nondigital (n = 791). This suggests that the majority of data breaches were digital in origin. The number of breaches that occurred at health care providers was higher than the number at health plan providers or health care clearinghouses.

  • RQ1: Is there a significant difference between the average number of individual patient records affected by digital breaches and nondigital breaches for health care providers? The results of the study were sufficient to reject the null hypothesis for RQ1. The null hypothesis for RQ1 stated that there was no significant difference between the average number of individual patient records affected by digital breaches and nondigital breaches for health care providers.

  • RQ2: Is there a significant difference between the average number of individual patient records affected by digital breaches and nondigital breaches for health plan providers? The results of the study were sufficient to reject the null hypothesis for RQ2. The null hypothesis for RQ2 stated there was no significant difference between the average number of individual patient records affected by digital breaches and nondigital breaches for health plan providers.

  • RQ3: Is there a significant difference between the average number of individual patient records affected for digital breaches and nondigital breaches for health care clearinghouses? The results of the study were sufficient to reject the null hypothesis for RQ3. The null hypothesis for RQ3 stated there was no significant difference between the average number of individual patient records affected by digital breaches and nondigital breaches for health care clearinghouses.

Interpretation of the Findings

The study findings indicated that 72% of all identified data breaches occurred through health care providers. Data from health plan providers accounted for 14% of data breaches, while 14% of data breaches occurred through health care clearinghouses. However, in terms of impact, more patient records were breached at health plan providers, followed by health care providers and health care clearinghouses. Though numerous recent studies discussed security breaches in the context of health care, there is a gap in the literature regarding the main source of health care data breaches (Martin et al., 2017). As previously mentioned, a number of health care-related entities have access to patient data, and the repetitious instances of individual private information provide additional opportunities for breaches in security (Martin et al., 2017). However, previous studies did not comparatively determine the frequency of breaches across various health care agencies. Therefore, the present study extends the literature by providing evidence that health care providers may be the most susceptible or the most targeted for data breach attacks.

RQ1

The major finding of this study was that there is sufficient evidence to reject the null hypothesis that there was no significant difference between the average number of individual patient records affected for digital breaches and nondigital breaches for health care providers. This implies that there may be a significant difference between the average number of individual patient records affected for digital breaches and nondigital breaches for health care providers. In addition to this major finding, the data related to RQ1 revealed a number of other findings supported by recent literature.

The study findings revealed that 75% of all data breaches occurred digitally, while 25% included physical records. The implication that virtual data may be more susceptible or more targeted for theft is supported by literature (Kimani et al., 2019). Kimani et al. (2019) determined that digital information is vulnerable to attack and more security is necessary every year. Kimani et al. found that design flaws within the data or the security systems can result in easy access for unauthorized persons, thus making digital data susceptible. Additionally, unlike physical data where a person must be physically present to access the data, digital data are theoretically accessible by a much larger group of individuals looking to obtain it (Kimani et al., 2019). The study findings are, therefore, consistent with recent literature when implying that digital breaches are more common than physical breaches.

The first two findings are related to the type of breach and the type of health care organization breached. These findings provide useful background information to the major question of RQ1. Instead of using all the data, I used the data with the top 10% excluded, along with a log-scale transformation, to reduce the skewness. The type of data breach was the independent variable, while the number of individuals impacted was the dependent variable. The results showed that there is a significant difference between the average number of individuals affected in digital and nondigital types of breaches (t = 8.204, p = .000). This shows that there is sufficient evidence to reject the null hypothesis, which stated that there is no significant difference between the average number of individual patient records affected for digital breach and nondigital breach for health care providers.

RQ2

The major finding of this study related to RQ2 was that there is sufficient evidence to reject the null hypothesis that there was no significant difference between the average number of individual patient records affected by digital breaches and nondigital breaches for health plan providers. This implies there may be a significant difference between the average number of individual patient records affected by digital breaches and nondigital breaches for health plan providers. In addition to this major finding, the data related to RQ2 revealed a number of other findings supported by recent literature.

The study findings revealed that 51% of all data breaches for health plan providers occurred digitally, while 49% included physical records. This finding suggests that the occurrences of breaches at health plan providers are equally distributed between digital breaches and physical breaches. Previous research established that there are a number of different public and private agencies with access to sensitive patient information (Papanicolas et al., 2018). Additionally, previous research established that health care information is susceptible to attack due to its sensitive nature and the frequency of information sharing which occurs between health care agencies to ensure continuity of patient care (Bhavnani et al., 2016). Combined, the relevant studies revealed that there are different types of health care agencies and that the data from the different types of agencies is sensitive to theft (Bhavnani et al., 2016). The study findings are, therefore, consistent with recent literature when implying the digital and physical breaches have major effects on the entity.

The first two findings are related to the type of breach and the health care organization breached. These findings provide useful background information for addressing RQ2. To test the hypothesis, I performed an individual sample t test. Instead of using all the data, the data with the top 10% excluded were used, along with a log-scale transformation, to reduce the skewness. The type of data breach was the independent variable, while the number of individuals impacted was the dependent variable. The results showed that there is a significant difference between the average number of individuals affected in digital and nondigital types of breaches (t = 2.979, p = .003). Therefore, there is sufficient evidence to reject the null hypothesis, which stated that there is no significant difference between the average number of individual patient records affected by digital breach and nondigital breach for health plan providers.

RQ3

The major finding of this study related to RQ3 was that there is sufficient evidence to reject the null hypothesis that there was no significant difference between the average number of individual patient records affected by digital breaches and nondigital breaches for health care clearinghouses. This implies that there may be a significant difference between the average number of individual patient records affected by digital breaches and nondigital breaches for health care clearinghouses. In addition to this major finding, the data related to RQ3 revealed a number of other findings supported by recent literature.

The study findings revealed that 63% of all data breaches through health care clearinghouses occurred digitally, while 37% included physical records. The implication that virtual data may be more susceptible or more targeted for theft is supported by literature (Kimani et al., 2019). Kimani et al. (2019) determined that digital information is vulnerable to attack and more security is required every year. Kimani et al. found that design flaws within the data or the security systems can result in easy access for unauthorized persons, thus making digital data susceptible. Additionally, unlike physical data where a person must be physically present to access the data, digital data are theoretically accessible to a much larger group of individuals looking to obtain it (Kimani et al., 2019). The study findings are, therefore, consistent with recent literature when implying that digital breaches are more common than physical breaches.

The first two findings are related to the type of breach and the health care organization breached. These findings provide useful background information to the major question of RQ3. Instead of using all the data, I used the data with the top 10% excluded, along with a log-scale transformation, to reduce the skewness. The type of data breach was the independent variable, while the number of individuals impacted was the dependent variable. The results showed that there is a significant difference between the average number of individuals affected in digital and nondigital types of breaches (t = 2.726, p = .007). Therefore, there is sufficient evidence to reject the null hypothesis, which stated that there is no significant difference between the average number of individual patient records affected for digital breach and nondigital breach for health care clearinghouses.
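The procedure described for RQ1 through RQ3 (exclude the top 10% of breach sizes, log-transform, then compare digital and nondigital means with a t test) can be sketched as follows. This is an added illustration, not the study's code or data: the sample is constructed, and the function names, the pooled trimming, the base-10 logarithm, and the Welch (unequal-variance) form of the t statistic are assumptions.

```python
import math
import random
import statistics

def skewness(xs):
    """Third standardized moment; large positive values mean a long right tail."""
    m, sd = statistics.fmean(xs), statistics.pstdev(xs)
    return sum(((x - m) / sd) ** 3 for x in xs) / len(xs)

def trim_and_log(rows, drop_fraction=0.10):
    """Drop the largest breaches, then log10 the sizes.
    Assumption: trimming is applied to the pooled sample of one entity type."""
    ordered = sorted(rows, key=lambda r: r[1])
    keep = len(ordered) - round(len(ordered) * drop_fraction)
    return [(kind, math.log10(n)) for kind, n in ordered[:keep]]

def welch_t(a, b):
    """Two-sample t statistic and Welch-Satterthwaite degrees of freedom.
    The p-value lookup against the t distribution is omitted here."""
    va = statistics.variance(a) / len(a)
    vb = statistics.variance(b) / len(b)
    t = (statistics.fmean(a) - statistics.fmean(b)) / math.sqrt(va + vb)
    df = (va + vb) ** 2 / (va ** 2 / (len(a) - 1) + vb ** 2 / (len(b) - 1))
    return t, df

def analyze(rows):
    """rows: (breach_type, individuals_affected) pairs for one entity type."""
    trimmed = trim_and_log(rows)
    digital = [v for k, v in trimmed if k == "digital"]
    nondigital = [v for k, v in trimmed if k == "nondigital"]
    t, df = welch_t(digital, nondigital)
    return {
        "n_kept": len(trimmed),
        "skew_raw": skewness([n for _, n in rows]),
        "skew_log": skewness([v for _, v in trimmed]),
        "t": t,
        "df": df,
    }

def constructed_sample(seed=7):
    """Constructed, heavy-tailed breach sizes; not drawn from any real dataset."""
    rng = random.Random(seed)
    rows = [("digital", max(1, int(rng.lognormvariate(8.5, 1.5))))
            for _ in range(200)]
    rows += [("nondigital", max(1, int(rng.lognormvariate(7.0, 1.2))))
             for _ in range(100)]
    return rows

if __name__ == "__main__":
    print(analyze(constructed_sample()))
```

Comparing `skew_raw` with `skew_log` shows why the raw counts are unsuitable for a comparison of means: a handful of very large breaches dominates the untransformed average.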

This finding is significant because it extends and partially refutes recent literature on health care breaches (Woolhandler & Himmelstein, 2017). Woolhandler and Himmelstein (2017) found that health care databases contained mass amounts of sensitive personal data, including medical records, payment records, and personal identification data. Woolhandler and Himmelstein reported that the sheer quantity of data available digitally meant that there was a large opportunity for individuals looking to access a vast number of medical records. Though the study results indicate that breaches occurred more often digitally than physically, the data results do not imply that the magnitude of the digital security breaches was greater than the physical security breaches. When combined, the study findings related to the three research questions extend the literature by implying that, while there may be a greater opportunity for theft through digital channels, the magnitude of the digital theft may not be higher than the magnitude of physical theft.

Limitations of the Study

There are several limitations associated with the study. Firstly, I gathered and utilized the data from databases of government agencies. While these databases provide a robust and accessible dataset, using one specific source for data breach records could have affected the findings. Though I sought to establish protocols that would ensure the included sample was unbiased, the results may not apply to all organizations given the various funding streams and record-keeping methodologies utilized.

There were two other limitations to the study. First, the variables were from databases of government agencies. This sample might have limited the insights gathered from the analysis as the data might not have reflected the general population. Second, the use of a nonprobability sampling procedure, such as purposive sampling, reduces the possibility of generalizing the results to a larger population. Though these limitations prevent the study findings from applying universally to all types of breaches, agencies, and patient groups, the results do provide useful information for practitioners regarding data security and data security prioritization.

Recommendations

Woolhandler and Himmelstein (2017) found that healthcare databases contained large amounts of sensitive personal data, including medical records, payment records, and personal identification data. This study's results indicated that data breaches occurred both digitally and nondigitally. Recent literature on the topic of data breaches within a healthcare context focused on digital data breaches (Woolhandler & Himmelstein, 2017). The study results indicated that digital data breaches were more common than physical data breaches; however, given the observed presence of nondigital data breaches and the impact of such breaches, future research could focus on determining how healthcare agencies can secure physical files in a decade when the focus is on digital security (Woolhandler & Himmelstein, 2017).

The study results indicated that a greater number of individuals were impacted due to health plan data breaches as opposed to health care clearinghouse breaches and healthcare provider breaches. Though this result was established through the study, the study results did not indicate why health plan providers undergo such large record breaches compared to the other two entities. Future research could establish why more physical breaches are occurring with health plan providers as opposed to the other healthcare entities.

Implications

Based on the study results, I recommend that health plan providers review practices related to physical security as much as they allocate their budget for digital security. The study results revealed that more individuals were impacted by digital data breaches from healthcare providers than from health plan providers or healthcare clearinghouses. It is recommended that individuals involved with data security at healthcare providers consider protocols for reducing security breach events and the magnitude of events should they occur.

Data security officials at healthcare organizations have more information on how to prioritize security spending. The study results indicate that more breaches occurred digitally, so security officials should consider whether it is appropriate to invest a greater proportion of funds towards preventing digital breaches as opposed to nondigital breaches. However, the study results also indicated that nondigital breaches did still occur, and there was a significant difference in the number of individuals impacted. This information implies that the information security teams at healthcare entities should consider these facts when allocating their budget for digital and nondigital security.

The healthcare cost savings would result in positive social change. If healthcare agencies could implement protocols for improved data security and data management, it is possible that fewer data breaches would occur. Fewer data breaches would positively impact society by reducing losses associated with identity theft and theft of financial information. Furthermore, a reduction in data security breaches would benefit healthcare providers through an increase in reputation and a decrease in legal claims associated with data breaches.

Conclusion

The study results indicated that more breaches occurred digitally than nondigitally, but that the impact of the breaches was significantly associated with the type of breach. Additionally, the study found that health plan provider breaches resulted in a greater number of individuals impacted per incident. The study results both supported and extended recent literature on healthcare security breaches. Based on the study results and recent literature, future literature could focus on understanding physical breaches in the modern era. Additionally, future research could consider why health plan providers appear to have larger breaches than other types of healthcare institutions. The study has positive implications for social change such as the possibility of providing health security officers with valuable information related to security prioritizations. Reducing security breaches would benefit individuals by reducing the harm associated with financial and identity theft.
