Competing Needs in Cybersecurity in Healthcare Organization.
Cybersecurity incidents are a growing threat to the health care industry in general and hospitals in particular. The health care industry has lagged behind other industries in protecting its main stakeholder (ie, patients), and now hospitals must invest considerable capital and effort in protecting their systems. However, this is easier said than done because hospitals are extraordinarily technology-saturated, complex organizations with high end point complexity, internal politics, and regulatory pressures.
The purpose of this study was to develop a systematic and organizational perspective for studying (1) the dynamics of cybersecurity capability development at hospitals and (2) how these internal organizational dynamics interact to form a system of hospital cybersecurity in the United States.
We conducted interviews with hospital chief information officers, chief information security officers, and health care cybersecurity experts; analyzed the interview data; and developed a system dynamics model that unravels the mechanisms by which hospitals build cybersecurity capabilities. We then use simulation analysis to examine how changes to variables within the model affect the likelihood of cyberattacks across both individual hospitals and a system of hospitals.
We discuss several key mechanisms that hospitals use to reduce the likelihood of cybercriminal activity. The variable that most influences the risk of cyberattack in a hospital is end point complexity, followed by internal stakeholder alignment. Although resource availability is important in fueling efforts to close cybersecurity capability gaps, low levels of resources could be compensated for by setting a high target level of cybersecurity.
To enhance cybersecurity capabilities at hospitals, the main focus of chief information officers and chief information security officers should be on reducing end point complexity and improving internal stakeholder alignment. These strategies can solve cybersecurity problems more effectively than blindly pursuing more resources. On a macro level, the cyber vulnerability of a country’s hospital infrastructure is affected by the vulnerabilities of all individual hospitals. In this large system, reducing variation in resource availability makes the whole system less vulnerable—a few hospitals with low resources for cybersecurity threaten the entire infrastructure of health care. In other words, hospitals need to move forward together to make the industry less attractive to cybercriminals. Moreover, although compliance is essential, it does not equal security. Hospitals should set their target level of cybersecurity beyond the requirements of current regulations and policies. As of today, policies mostly address data privacy, not data security. Thus, policy makers need to introduce policies that not only raise the target level of cybersecurity capabilities but also reduce the variability in resource availability across the entire health care system.
Health care data breaches are a growing threat to the health care industry, causing not only data loss and monetary theft but also attacks on medical devices and infrastructure. Hospital data security breaches in particular have the potential to cost a single hospital as much as US $7 million, including fines, litigation, and damaged reputation. A data breach has a combined estimated effect on the health care industry of about US $6 billion. Meanwhile, the health care industry lags behind other industries in securing its data, and in response, health care organizations must invest considerable capital and effort in protecting their systems.
However, this is easier said than done, given the complexity of health care organizations. Hospitals are extraordinarily complex organizations with many typical organizational characteristics dialed up or down to extremes such as
Technology-saturated environment: similar to other organizations, they struggle to manage an array of devices ranging from legacy information technology (IT) to connected medical devices; unlike other organizations, they have orders of magnitude more of them, procured not by a single IT department but purchased ad hoc by clinicians, or given for free by medical device companies.
Internal politics: they deal with the same internal politics that other large organizations do, but complicated by the complexity of functions contained within the organization: finance, IT, and human resources, just like other organizations; unlike other organizations, they also must support radiology, cardiology, and pediatrics, among others. The degree of specialization is high. Each department requires totally different equipment, caters to different patient needs, has different workflows, and employs a highly specialized labor force that requires years to train.
Regulatory pressures: similar to other organizations, they must abide by the regulations imposed on them by state and federal government; but in the United States, health care data is considered to be particularly sensitive, and thus is protected under additional specific data protection laws.
Patient-centered care: like all organizations in the United States, hospitals care about their ability to generate positive net revenue for survival, but unlike other organizations, their first mission is to care for their patients, even when they are for-profit.
It is interesting to consider what the systemic effect of these characteristics might be on a single hospital’s ability to remain robust to cyber breaches. But now consider the range of possible differences among these entities, eg, a rural community hospital has dramatically different priorities than a large, urban research hospital. Specific to IT, outsourcing services is more common in smaller or more rural hospitals, with transcription services being the most commonly outsourced function. The decision to outsource interacts with the tendency of these hospitals to make symbolic rather than substantive IT security investments—see Angst and Kelley for more discussion.
Furthermore, significant variability in cybersecurity as a priority has been observed throughout the hospital industry—in the United States, 70% of hospital boards include cybersecurity in their risk management oversight, and only 37% of hospitals perform annual incident response exercises. Similar vulnerabilities in hospitals are also observed in other countries. Specifically, pressure from the board of directors appears to be essential in creating substantive cyber resiliency, as research shows that hospital management support is essential for user compliance with information security policies, which in turn are written by health care IT security professionals.
The importance and complexity of cybersecurity capability development at hospitals raise critical questions: how do the inter- and intradynamics of hospitals interact to form a system of hospital cybersecurity in the United States? Does this leave the health care infrastructure of the United States vulnerable as a whole? As data interoperability becomes an imperative, driven by Affordable Care Act requirements and payment reform, will hospitals with lower cyber capabilities leave all patients vulnerable?
To answer these questions, we interviewed chief information officers (CIOs), chief information security officers (CISOs), and health care cybersecurity experts at hospitals and developed a system dynamics model to study the dynamics of implementation and maintenance of cybersecurity capabilities in hospitals.
This study helps health care leaders reduce hospital vulnerabilities by detailing the outcomes resulting from strategic decisions of cybersecurity development. It also aids cybersecurity professionals in understanding the complexities of cybersecurity capability development in hospitals.
Cybersecurity and Competing Needs
A major stressor affecting healthcare institutions is cybersecurity, given the impact that cybersecurity has on data protection and patient health information. The federal government, under the HIPAA rule, mandates that all healthcare institutions install measures for patient data protection and for the prevention of data loss and misuse. Additionally, the healthcare realm has adopted the use of informatics in its data management, which warrants cybersecurity measures that meet the requirements of HIPAA.
Competing Needs in Cybersecurity in Healthcare Organization
A significant competing need in handling cybersecurity issues in the healthcare organization is nursing leadership. Nursing leadership is a pertinent need in cybersecurity because nurse leaders are supposed to help in cybersecurity policy development within the organization. Nurse leaders are also an integral need in cybersecurity matters because they provide education to their nursing teams and patients on how to prevent security attacks and maintain confidentiality (Stockwell, 2020). Nurse leadership is a competing need because nurses must be competent enough to understand the importance of cybersecurity in a healthcare organization and to teach their nursing teams how to enhance security and comply with HIPAA.
Another competing need pertinent to cybersecurity in a healthcare organization is the investment in security measures such as firewalls and software that enhance cybersecurity efforts within the institution. According to Kamerer & McDermott (2020), the main cybersecurity concerns that most healthcare organizations have include data authentication, data theft, data loss, and human errors. Implementing measures such as installing better malware detectors, proper authentication systems, robust health information systems, and encryption requires heavy investment that poses challenges for organizations in many instances.
Policy that Influences Cybersecurity in Organization
In the healthcare organization, a significant policy that may affect the state of cybersecurity is the organizational policy on information management by clinicians and administrators. The hospital’s policy is a strict code of privacy, where all employees handling and managing patient information must maintain confidentiality, observe security protocols, and ensure information integrity, as well as follow the protocols in place for medical record distribution. This policy requires that all employees who handle information must use a two-step authentication procedure at their workstations, which includes a strong password and a fingerprint or another form of biometric authentication. This two-step authentication procedure ensures that information in the system can only be accessed by authorized personnel.
To implement the policy on maintaining patient information confidentiality and enhancing the security and integrity of the information, the hospital has a policy of bi-annual training on the same. It remains critical that the hospital’s management ensures that all its workers operate under the HIPAA rules and regulations, to avoid the legal ramifications of breaching those rules. The trainings act as reminders to the employees of the rules and the expectations. Additionally, the management conducts frequent assessments of the security software installed in the systems to ensure the security and integrity of patient information. To further enhance this, it is part of hospital policy to take employees through frequent trainings on using the installed software, as well as introductory trainings for newly installed software, each time the management changes the system software. The trainings are mandatory for all employees dealing with patient information and other forms of records, which helps the hospital improve its cybersecurity levels.
Critiquing the Policy
The hospital’s policy is a strict code of privacy, where all employees handling and managing patient information must maintain confidentiality, observe security protocols, and ensure information integrity, as well as follow the protocols in place for medical record distribution. As mentioned before, employees handling any form of information must maintain confidentiality, observe security protocols, ensure information integrity, follow the protocols in place for medical record distribution, and use two-step authentication when accessing the organization’s health information system.
This policy meets the ethical consideration of enhancing patient confidentiality and privacy of information. By having a two-step authentication procedure in the organization, the management promotes this ethical principle because only authorized personnel can access patient information. In addition, the organization’s policy includes training employees on using new security software and enhancing the integrity of the information by requiring that all employees handling patient information and records ensure that the information is accurate before loading it into the system.
A major strength of this policy is that it reduces the chances of HIPAA rule violations by employees, hence saving the organization the legal complications that may arise from such a breach. Another strength of this policy is that it enhances patient outcomes through elevated patient satisfaction levels, since patients feel comfortable with the healthcare provider when they know that their information is safe, secure, and confidential. Studies by Peikari et al. (2018) and Shan et al. (2016) indicate that patients tend to trust hospitals where they feel that their information is physically secure, which increases their satisfaction levels. The researchers contend that knowing their information is confidential helps patients open up to clinicians more easily, which also enhances their health outcomes, since they reveal information important in designing clinical interventions for their conditions. Therefore, this policy presents a major strength for the healthcare organization.
However, a major drawback of this policy is that there are still challenges in implementing the concepts taught in the training sessions that are part of the policy. After the training sessions, some employees still experience challenges in remembering how to apply the information taught. As a result, some security breaches occur, which the management swiftly handles. There is a need for additional training, which presents the need for nurse leadership involvement in the education of clinicians on security issues and nursing informatics.
Policy Recommendation
A practice change to address the identified competing needs would be to involve the nurse leaders in the training of employees in information management. As noted earlier, the policy’s shortcoming is the instances where employees forget how to implement the concepts taught during the training, leading to security breaches. This situation calls for nurse leadership intervention, where nurse leaders hold sessions with the nurses and other clinicians on informatics and reinforce the concepts taught in the training. The involvement of nurse leadership in information management is critical in promoting the ethical considerations of patient confidentiality and the security of their information. Additionally, the management should develop a policy on a financial allocation plan, where the management budgets for security technology annually, in the event that the existing technologies are difficult to use or prove inefficient in securing information.