Three essays on data breaches and hospital operations : examining relationships with operating performance, it investments, and patient choice

Abstract

The importance of information in modern society cannot be overemphasized. The entry into the information society created the new opportunities for firms and the convenience for customers, but at the same time created an anxiety about data breaches. Despite the warnings and concerns of IT security experts, the number of data breaches is increasing every year, especially in the healthcare field. The purpose of this dissertation is to examine the direct and indirect effects of data breaches on healthcare organization. While the first essay examines the indirect effect of data breaches, the third essay explorers the direct effect. The second essay is about the critical factors of data breach incident at the healthcare organization.The chapter 2 investigates the relationship between data breaches and hospital operating expenses in the year of the data breach and in subsequent years with sample size of 9,430 hospitals with 128 data breach cases from 2012 to 2016. The data are collected from different sources. The list of hospitals that had the data breaches are collected U.S. Department of Health and Human Services Office for Civil Rights (HHS) and Privacy Rights Clearinghouse (PRC) and other variables are from RAND hospital data, the Centers for Medicare & Medicaid Servi ces (CMS), and HIMMS Analytics. The result of panel regression fixed model shows that when there’s a data breach in hospital, the operating expenses tend to increase. To explore whether this effect changes depending on the hospital characteristics, this essay adapts Routine Activity Theory from criminology. Since the data breaches can be occurred from insider, such as lost, improper disposal, or unauthorized access, this essay focuses the training the employees as the corrective action plan after data breaches which is the effort of decreasing the motivated offender inside the hospital. The two factors, Case Mix Index (CMI) and resident intensity are turned out to be function as the moderators of relationship between data breaches and hospital operating expenses. To be specific, if the CMI is higher, the hospital operating expenses tend to increase by 0.12% with the data breach incident. Likewise, the hospitals with high resident intensity shows 1.4% increase in operating expenses when the data breach occurred in the hospital. The chapter 3 seeks to find the antecedents of the data breach at the healthcare organizations. This essay begins from the contradictory result of the prior studies that while some studies found that more IT investments are associated with more likelihood of data breaches while another study found that IT investment decreases the chances of the data breaches. Employing the theory of information technology capability, this essay classifies EMR adoption speed, administrative HIT, and clinical HIT as the IT infrastructure, and augmented HIT as the human IT resources. With the 12,129 hospitals (200 data breaches) from 2012 to 2016, this study uses panel probit model to test the hypothesis. The result shows that while the EMR adoption speed, administrative HIT, and clinical HIT are associated with more data breach occurrences, the augmented HIT is with less data breach occurrences. The chapter 4 begins from the research question if the hospital volume decreases after data breaches for the short-term period while the prior paper found that there is no significant relationship between data breach and the number of patients with yearly data. Employing the theory of information privacy concern, this essay uses the data from Florida HealthFinder.gov which provides the quarterly data of the number of inpatient and outpatient data. By 1:5 propensity score matching using nearest neighbor within a caliper, this essay uses the difference-in-differences regression analysis to test the hypothesis.