Which information locations in covered entities under HIPAA must be secured first? A multi-criteria decision-making approach.


Journal

Journal of healthcare risk management : the journal of the American Society for Healthcare Risk Management
ISSN: 2040-0861
Abbreviated title: J Healthc Risk Manag
Country: United States
NLM ID: 9305245

Publication information

Publication date:
Oct 2023
History:
revised: 25 06 2023
received: 27 04 2023
accepted: 24 07 2023
medline: 23 10 2023
pubmed: 24 8 2023
entrez: 24 8 2023
Status: ppublish

Abstract

Creating adequate safeguards for the physical and online locations (e.g., desktop computers, network servers) where protected health information (PHI) may be breached is critical for management within entities covered by the Health Insurance Portability and Accountability Act (HIPAA). With the increasing complexity of cyber breaches and budgetary constraints, prioritizing which locations require the most immediate attention from top management through a data-driven model is more important than ever. Using CORAS threat modeling and five multi-criteria decision-making methods, these locations were ranked from greatest to least risk of data breach. Statistical methods were subsequently used for consistency and robustness checks. The findings show that each type of covered entity under HIPAA must prioritize a different set of locations to safeguard first: health care providers must focus on the security of network servers, other portable electronic devices, and the category of "others" (i.e., miscellaneous locations); health plans must focus on the security of paper and films, network servers, and others; and business associates must focus on the security of the category of others, network servers, and other portable electronic devices. Combined with data on the source of the breaches (external vs. internal) and the type of threat (e.g., hacking, theft), these findings provide recommendations for risk identification for privacy officers across health care.

Identifiers

pubmed: 37616038
doi: 10.1002/jhrm.21555

Publication types

Journal Article

Languages

eng

Pagination

27-36

Copyright information

© 2023 The Authors. Journal of Healthcare Risk Management published by Wiley Periodicals LLC on behalf of American Society for Healthcare Risk Management.


Authors

Amir Fard Bahreini (A)

Department of Information Technology and Supply Chain Management, College of Business and Economics, University of Wisconsin-Whitewater, Whitewater, Wisconsin, USA.
