Ranking the states most at risk of healthcare data breaches: an application of integrated multicriteria framework for prioritization in risk management

Amir Fard Bahreini

doi:10.1108/OCJ-01-2023-0001

Organizational Cybersecurity Journal (Nov 2024)

Ranking the states most at risk of healthcare data breaches: an application of integrated multicriteria framework for prioritization in risk management

Amir Fard Bahreini

Affiliations

Amir Fard Bahreini: Department of Information Technology and Supply Chain Management, University of Wisconsin-Whitewater, Whitewater, Wisconsin, USA

DOI: https://doi.org/10.1108/OCJ-01-2023-0001
Journal volume & issue: Vol. 4, no. 2
pp. 53 – 84

Abstract

Read online

Purpose – Data breaches in the US healthcare sector have more than tripled in the last decade across all states. However, to this day, no established framework ranks all states from most to least at risk for healthcare data breaches. This gap has led to a lack of proper risk identification and understanding of cyber environments at state levels. Design/methodology/approach – Based on the security action cycle, the National Institute of Standards and Technology (NIST) cybersecurity framework, the risk-planning model, and the multicriteria decision-making (MCDM) literature, the paper offers an integrated multicriteria framework for prioritization in cybersecurity to address this lack and other prioritization issues in risk management in the field. The study used historical breach data between 2015 and 2021. Findings – The findings showed that California, Texas, New York, Florida, Indiana, Pennsylvania, Massachusetts, Minnesota, Ohio, and Georgia are the states most at risk for healthcare data breaches. Practical implications – The findings highlight each US state faces a different level of healthcare risk. The findings are informative for patients, crucial for privacy officers in understanding the nuances of their risk environment, and important for policy-makers who must grasp the grave disconnect between existing issues and legislative practices. Furthermore, the study suggests an association between positioning state risk and such factors as population and wealth, both avenues for future research. Originality/value – Theoretically, the paper offers an integrated framework, whose basis in established security models in both academia and industry practice enables utilizing it in various prioritization scenarios in the field of cybersecurity. It further emphasizes the importance of risk identification and brings attention to different healthcare cybersecurity environments among the different US states.

Published in Organizational Cybersecurity Journal

ISSN: 2635-0270 (Print); 2635-0289 (Online)
Publisher: Emerald Publishing
Country of publisher: United Kingdom
LCC subjects: Technology: Technology (General): Industrial engineering. Management engineering: Information technology; Technology: Technology (General): Industrial engineering. Management engineering: Management information systems
Website: https://www.emeraldgrouppublishing.com/journal/ocj

About the journal

Abstract

Keywords