Assessing the impact of health information exchange on hospital data breach risk.

Publisher: Elsevier Science Ireland Ltd Country of Publication: Ireland NLM ID: 9711057 Publication Model: Print-Electronic Cited Medium: Internet ISSN: 1872-8243 (Electronic) Linking ISSN: 13865056 NLM ISO Abbreviation: Int J Med Inform Subsets: MEDLINE

Original Publication: Shannon, Co. Clare, Ireland : Elsevier Science Ireland Ltd., c1997-

Health Information Exchange*; United States ; Humans ; Hospitals ; Computer Security ; Information Technology ; Electronic Health Records

Objective: Widespread electronic health information exchange (HIE) across hospitals remains an important policy goal for reducing costs and improving the quality of care. Meanwhile, cybersecurity incidents are a growing threat to hospitals. The relationship between the electronic sharing of health information and cybersecurity incidents is not well understood. The objective of this study was to empirically examine the impact of hospitals' HIE engagement on their data breach risk.
Materials and Methods: A balanced panel dataset included 4,936 US community hospitals spanning the period 2010-2017, which was assembled by linking the American Hospital Association annual survey database and the Information Technology (IT) supplement, and the Department of Health and Human Services reports of health data breaches. The relationship between HIE engagement and hospital data breaches was modeled using a difference-in-differences specification controlling for time-varying hospital characteristics.
Results: The percentage of hospitals electronically exchanging information has more than tripled (from 18% to 68%) from 2010 to 2017. Hospital data breaches increased concurrently, largely due to the rise in hacking and unauthorized access. HIE engagement was associated with a 0.672 percentage point increase in the probability of an IT breach three years after the engagement. Hospitals actively engaging in a health information organization and exchanging data with outside providers were associated with a higher risk of IT related breaches in the long run; however, hospitals actively engaging in HIE and exchanging data with inside providers were not associated with any significant risk of IT related breaches.
Discussion: Over time, the increasing amount and complexity of patient information being exchanged can create challenges for cybersecurity if data protection is not up to date. Additionally, data security depends on the weakest link of HIE, and providers with fewer resources for data governance and infrastructure are more vulnerable to data breaches.
Conclusion: Moving toward widespread health information exchange has important cybersecurity implications that can significantly impact both patients and healthcare organizations.
Competing Interests: Declaration of Competing Interest The authors declare that they have no known competing financial interests or personal relationships that could have appeared to influence the work reported in this paper.
(Copyright © 2023 Elsevier B.V. All rights reserved.)

Keywords: Cybersecurity risk; Data breach; Electronic Information Exchange; HIE; Privacy

Date Created: 20230715 Date Completed: 20230814 Latest Revision: 20230814

20231215

10.1016/j.ijmedinf.2023.105149

37453177