Essays on Human Error in Electronic Health Records (EHR) Information Security

dc.contributor.author: Alvarado, Wilmer [en]
dc.contributor.committeechair: Triantis, Konstantinos P. [en]
dc.contributor.committeemember: Ghaffarzadegan, Navid [en]
dc.contributor.committeemember: Pettis, Roy Carson [en]
dc.contributor.committeemember: Hosseinichimeh, Niyousha [en]
dc.contributor.department: Industrial and Systems Engineering [en]
dc.date.accessioned: 2025-05-24T08:04:13Z [en]
dc.date.available: 2025-05-24T08:04:13Z [en]
dc.date.issued: 2025-05-23 [en]
dc.description.abstract: This dissertation presents a management framework designed to mitigate human error in information security, aiming to enhance the resilience of EHR systems to make them less attractive to cybercriminals. The framework enhances Reason's Resiliency Model by incorporating a socially oriented management approach based on socio-technical systems (STS) principles. The information security literature presents evidence that human error is a significant contributor to cybersecurity incidents. Human error has increased the vulnerability of healthcare information, exposing it to persistent and increasingly sophisticated malicious cyberattacks that threaten the security and privacy of the American people. People continue to make mistakes and there is no single solution in cybersecurity that can reliably protect the system from vulnerabilities created by human-technology interface errors. This dissertation focuses on the impact of error, as a consequence of the human-technology interface, in the information security of the healthcare sector. The research investigates: the role of STS factors for developing solutions aiming to enhance the resilience of EHR systems; how the location where data are breached influences the severity of data breaches impacting the security and privacy of patient records; how unintended consequences from EHR adoption impact the productivity performance of the states' healthcare systems (DMUs); and, how the Health Insurance Portability and Accountability Act (HIPAA) monetary penalties influence compromised patient records. This dissertation concludes that addressing EHR information security threats requires a fundamental shift in the healthcare sector's approach to data security. The research determines that integrating STS factors with Reason's layered approach offers a comprehensive management framework for mitigating human error challenges in healthcare information security.
The findings show that network servers and emails are the two most common sites where healthcare data are breached, capturing 95% of the 713 million compromised patient records since 2009. Empirical analysis indicates that despite privacy concerns resulting from data breaches, the overall productivity performance of the DMUs has improved over time. However, cybersecurity challenges continue to have an impact on the DMUs' productivity performance. The findings also demonstrate that monetary penalties from HIPAA violations have not been effective in slowing down the number of compromised patient records in the sector. [en]
dc.description.abstractgeneral: President Biden's March 2023 National Cybersecurity Strategy outlines a path for achieving two significant shifts: the need for more capable cybersecurity-human actors to defend our systems and the need to make investments in long-term resilience capabilities. This dissertation addresses both paths. It presents a management framework to mitigate human error in information security, aiming to enhance the long-term resilience of EHR systems and make them less attractive to cybercriminals. The framework builds on Reason's Resiliency Model to create a socially oriented management framework based on socio-technical systems (STS) principles. The adoption of EHR technology has led to data breaches and compromised patient records as unintended consequences. While digital platforms in healthcare organizations are enabling the sector to provide better services to patients, they have also raised awareness about the increasing risk of healthcare system vulnerabilities to data breaches. Despite continuous investment in IT security, the sector continues to experience an increase in the volume of data breaches and their complexity, making it difficult to identify their location, prevent them, and mitigate their severity to the security of patient records. This dissertation focuses on the impact of error, as a consequence of the human-technology interface, in the information security of the healthcare sector. The significance of the problem is indisputable, as present-day healthcare has become the main victim of external and internal cybersecurity incidents. Data breach reports show that there has been a sharp increase in the number of compromised patient records in the last seven years. It is also observed that 84% of all data breaches are directly or indirectly caused by human error. Additionally, it is demonstrated that the location where data are breached influences the severity of data breaches impacting the privacy of patient records.
The first hypothesis studies how the location where data are breached influences the severity of compromised patient records. To investigate this hypothesis, empirical data from the Department of Health and Human Services (DHHS) Office of Civil Rights (OCR) were analyzed to determine the most frequent locations where data are breached and their impact on patient records security. The second hypothesis investigates the unintended consequences from EHR adoption, specifically how privacy concerns impact the productivity performance of the states' healthcare systems (DMUs). A linear programming model using the Malmquist productivity index (MPI) was applied to assess productivity and technological improvements across three state clusters: high-capacity, mid-capacity, and low-capacity states. Historical data on compromised patient records from 2009 to 2022 were then used to formally test this hypothesis. The third hypothesis evaluates whether monetary penalties influence the number of compromised patient records resulting from human error data breaches. To test this hypothesis, multiple regression analysis models were employed to assess the relationship between HIPAA violation penalties and the volume of patient records compromised in the sector. This dissertation concludes that addressing EHR information security threats requires a fundamental shift in the healthcare sector's approach to data security. The research determines that integrating STS factors into Reason's layered approach offers a comprehensive management framework for mitigating human error challenges in healthcare information security. The findings show that network servers and emails are the two most common sites where healthcare data are breached, capturing 95% of the 713 million compromised patient records since 2009.
Empirical analysis of the DMUs' data indicates that despite privacy concerns resulting from data breaches, the overall productivity performance of the healthcare sector has improved over time. However, cybersecurity challenges impact the DMUs' productivity performance. The findings also demonstrate that monetary penalties from HIPAA violations as a result of human error have not been effective in slowing down the number of compromised patient records in the sector. [en]
dc.description.degree: Doctor of Philosophy [en]
dc.format.medium: ETD [en]
dc.identifier.other: vt_gsexam:43625 [en]
dc.identifier.uri: https://hdl.handle.net/10919/134222 [en]
dc.language.iso: en [en]
dc.publisher: Virginia Tech [en]
dc.rights: In Copyright [en]
dc.rights.uri: http://rightsstatements.org/vocab/InC/1.0/ [en]
dc.subject: Data Breaches [en]
dc.subject: Electronic Health Records [en]
dc.subject: Human Errors [en]
dc.subject: Health Insurance Portability and Accountability Act Penalties [en]
dc.subject: Reason's Resiliency Model [en]
dc.subject: Socio-Technical Systems [en]
dc.title: Essays on Human Error in Electronic Health Records (EHR) Information Security [en]
dc.type: Dissertation [en]
thesis.degree.discipline: Industrial and Systems Engineering [en]
thesis.degree.grantor: Virginia Polytechnic Institute and State University [en]
thesis.degree.level: doctoral [en]
thesis.degree.name: Doctor of Philosophy [en]

Files

Original bundle
Name: Alvarado_W_D_2025.pdf
Size: 4.96 MB
Format: Adobe Portable Document Format