Essays on Human Error in Electronic Health Records (EHR) Information Security

Date

2025-05-23

Publisher

Virginia Tech

Abstract

This dissertation presents a management framework designed to mitigate human error in information security, aiming to enhance the resilience of EHR systems to make them less attractive to cybercriminals. The framework enhances Reason's Resiliency Model by incorporating a socially oriented management approach based on socio-technical systems (STS) principles.

The information security literature presents evidence that human error is a significant contributor to cybersecurity incidents. Human error has increased the vulnerability of healthcare information, exposing it to persistent and increasingly sophisticated malicious cyberattacks that threaten the security and privacy of the American people. People continue to make mistakes, and there is no single solution in cybersecurity that can reliably protect the system from vulnerabilities created by human-technology interface errors.

This dissertation focuses on the impact of error, as a consequence of the human-technology interface, on information security in the healthcare sector. The research investigates: the role of STS factors in developing solutions aiming to enhance the resilience of EHR systems; how the location where data are breached influences the severity of data breaches impacting the security and privacy of patient records; how unintended consequences from EHR adoption impact the productivity performance of the states' healthcare systems (DMUs); and how Health Insurance Portability and Accountability Act (HIPAA) monetary penalties influence compromised patient records.

This dissertation concludes that addressing EHR information security threats requires a fundamental shift in the healthcare sector's approach to data security. The research determines that integrating STS factors with Reason's layered approach offers a comprehensive management framework for mitigating human error challenges in healthcare information security. The findings show that network servers and emails are the two most common sites where healthcare data are breached, capturing 95% of the 713 million compromised patient records since 2009. Empirical analysis indicates that despite privacy concerns resulting from data breaches, the overall productivity performance of the DMUs has improved over time. However, cybersecurity challenges continue to have an impact on the DMUs' productivity performance. The findings also demonstrate that monetary penalties from HIPAA violations have not been effective in slowing down the number of compromised patient records in the sector.

Keywords

Data Breaches, Electronic Health Records, Human Errors, Health Insurance Portability and Accountability Act Penalties, Reason's Resiliency Model, Socio-Technical Systems
