Why do Healthcare Organizations Choose to Violate Information Technology Privacy Regulations? Proposing the Selective Information Privacy Violations in Healthcare Organizations Model (SIPVHOM)

Privacy concerns about protected healthcare information (PHI) are rampant because of the ease of access to PHI from the advent of Healthcare IT (HIT) and its exploding use. Continual negative cases in the popular attest to the fact that current privacy regulations are failing to keep PHI sufficiently secure in the climate of increate HIT use. To address these issues, this paper proposes a theoretical model with testable hypotheses to explain and predict organizational IT privacy violations in the healthcare industry. Our model, the Selective Information Privacy Violations in Healthcare Organizations Model (SIPVHOM), explains how organizational structures and processes and characteristics of regulatory environments alter perceptions of risk and thereby the likelihood of rule violations. Finally, based on SIPVHOM, we offer recommendations for the structuring of regulatory environments and organizational structures to decrease abuse of PHI

Three Research Essays on Propensity to Disclose Medical Information Through Formal and Social Information Technologies

Abstract This dissertation, which is comprised of three essays, examined disclosure propensity of healthcare providers from the US and Thailand and disclosure of personal health problems of healthcare consumers in social media context. Essay 1: A Deterrence Approach in Medical Data Misuse among Healthcare Providers Information and communication technology (ICT) have long been available for use in health care. With the potential to improve the quality, safety, and efficiency of health care, the diffusion of these technologies has steadily increased in the health care industry. With the adoption of electronic health records, personal electronics devices, internet connections and social network connections, comes the increased risk of medical data breaches. Due to the sensitivity of the information involved, and the existence of laws governing the use of this data, the responsibilities of a healthcare provider after a data breach remain a concern. Based on previous breach reports, institutional insiders were among the leading causes of medical data breaches. The causes were related to unawareness of institutional information security policies and system misuse. Thus it has become important to understand how to reduce such behaviors. Previous studies suggested deterrence theory that relies on security countermeasures can deter individuals\u27 misuse behaviors by increasing the perceived threat of punishment. Thus our model posits that security countermeasures decrease medical data misuse through the two mediators; perceived certainty of sanctions and perceived severity of sanctions. This model was tested by 176 healthcare providers from different institutions across the US. The results suggested that perceived severity of sanctions has more effect in reducing medical data misuse than perceived certainty of sanctions. Hospital information security policies and HIPAA has stronger effect on perceived severity of sanctions than perceived certainty of sanctions whereas EHR monitoring and auditing has stronger effect on perceived certainty of sanctions than perceived severity of sanctions. Results of the study and implications for the research are discussed. Essay 2: Propensity to Misuse Medical Data in an International Context - Deterrence and Cultural Values As information abuse by healthcare providers is a problem that is faced around the globe, our study examined the effect of deterrence within two cultures; Asian and American (Thailand and the US). The reason to compare these two countries is because the foundation of the structures of the laws and the hospital policies for medical data protection of these two countries are similar. Thus others confounding factors are minimized. In terms of cultural influences, Hofstede\u27s cultural dimensions that describe the effects of society\u27s culture on the values to its members are considered as factors that can have an interaction effect with deterrence. Four Hofstede\u27s cultural values were used; individualism-collectivism (IDV); uncertainty avoidance (UAI); power distance (PD); and long-term orientation (LTO). Also, social norms and morality were included. This study employed espoused values of Hofstede\u27s cultural values, since all individuals from a country will not have identical values. In this study, we examined 1) the effect of espoused cultural values on deterrence, and 2) the effect of Hofstede\u27s national cultural values on deterrence in two different healthcare cultures. Our model was tested by 613 healthcare providers; 437 from Thailand and 176 from the US. The results suggested that technical countermeasures had stronger effect on certainty and severity perception for both Thai and US cases, whereas procedural countermeasures had uncertain effect on sanctions perception for both cultures. The young generation of Thais was found more individualized and tended to have the same perception on sanctions as the Westerners. Social norms played an important role in reducing medical data misuse for Thai providers, whereas moral beliefs were more important for the US providers. Individuals who espoused different cultural values had different responses on medical data misuse. Results of the study and implications for the research are discussed. Essay 3: Intention to self-disclose personal health information in social media context In recent years social media is quickly becoming a large part of people\u27s everyday lives. With the availability of smartphones and tablets, coupled with a slew of apps for these devices, people now have ubiquitous access to social media. Virtual social media application encourages people to meet, and share information. Health problems represent one aspect that is shared in a social media context. Benefits and risks of self-disclosure are two main factors that determine social media users\u27 intention to share their sensitive information on social network. This paper integrates social exchange theory, a theory that focuses on gains and losses of building a relationship, and the social penetration theory, a theory that explains human\u27s self-disclosure, to construct the model for investigating self-disclosure intention on personal health problems of social medial users. In addition, we included factors that affect self-disclosure intention including ease of use of social media, social influence, and nature of health problems. Through an online survey, we examined factors that determine self-posting in social media account with 374 social media users across the US. The results suggested that individual and social benefits of self- disclosure outweighed the risks and have significant effect on self-disclosure intention on personal health problems. The individual risks and social risks had little negative effect on self-posting about health problems. In addition, social influence, and social networking experiences were factors that encouraged social media users to reveal their personal health problems

Exploring the Role of Contextual Integrity in Electronic Medical Record (EMR) System Workaround Decisions: An Information Security and Privacy Perspective

Many healthcare providers in the US are seeking increased efficiency and effectiveness by rapidly adopting information technology (IT) solutions such as electronic medical record (EMR) systems. Legislation such as the Health Information Technology for Economic and Clinical Health Act (HITECH), which codified the adoption and “meaningful use” of electronic records in the US, has further spurred the industry-wide adoption of EMR. However, despite what are often large investments in EMR, studies indicate that the healthcare industry maintains a culture of system workarounds. Though perhaps not uncommon, the creation of informal workflows among healthcare workers is problematic for assuring information security and patient privacy, particularly when involving decisions of information management (e.g., information storage, retrieval, and/or transmission). Drawing on the framework of contextual integrity, we assert that one can often explain workarounds involving information transmissions in terms of trade-offs informed by context-specific informational norms. We surveyed healthcare workers and analyzed their willingness to engage in a series of EMR workaround scenarios. Our results indicate that contextual integrity provides a useful framework for understanding information transmission and workaround decisions in the health sector. Armed with these findings, managers and system designers should be better able to anticipate healthcare workers’ information transmission principles (e.g., privacy norms) and workaround patterns (e.g., usage norms). We present our findings and discuss their significance for research and practice

Responders’ Responsibility: Liability and Immunity in Public Health Emergencies

Many experts predict the advent of a public health emergency resulting from a flu pandemic or bioterrorism attack in the foreseeable future. At the same time, many health care providers express significant concern about liability arising from emergency response activities, because it is unlikely that they would be able to provide optimal care in crisis conditions. They also state that this concern will likely influence their willingness to be involved in response activities. This article addresses issues that have received little attention in the legal literature: liability and immunity in public health emergencies. The article provides a first-of-its-kind comprehensive analysis of the different theories of liability that might be used by plaintiffs and the sources of immunity that are currently available to public health emergency responders. I will argue that the existing immunity scheme is a patchwork that leaves many gaps and unanswered questions. In particular, it largely excludes paid individual and corporate health care providers who may bear the greatest burden during a public health emergency as hundreds or thousands of patients simultaneously seek medical treatment. The specter of liability may induce these parties to refuse to participate in emergency response efforts, and thus, the unavailability of immunity could significantly compromise public welfare. Moreover, the risk of liability raises questions of justice because those that, unlike their more risk-averse counterparts, do treat patients, perhaps at great risk to their own health, would face potential liability rather than being rewarded for their altruism or professionalism. Consequently, the Article will craft recommendations for statutory reforms to remedy the piecemeal and deficient liability protection system that applies to health care providers responding to public health emergencies

Influence of Human Factors on Cyber Security within Healthcare Organisations: A Systematic Review

Background: Cybersecurity is increasingly becoming a prominent concern among healthcare providers in adopting digital technologies for improving the quality of care delivered to patients. The recent reports on cyber attacks, such as ransomware and WannaCry, have brought to life the destructive nature of such attacks upon healthcare. In complement to cyberattacks, which have been targeted against the vulnerabilities of information technology (IT) infrastructures, a new form of cyber attack aims to exploit human vulnerabilities; such attacks are categorised as social engineering attacks. Following an increase in the frequency and ingenuity of attacks launched against hospitals and clinical environments with the intention of causing service disruption, there is a strong need to study the level of awareness programmes and training activities offered to the staff by healthcare organisations. Objective: The objective of this systematic review is to identify commonly encountered factors that cybersecurity postures of a healthcare organisation, resulting from the ignorance of cyber threat to healthcare. The systematic review aims to consolidate the current literature being reported upon human behaviour resulting in security gaps that mitigate the cyber defence strategy adopted by healthcare organisations. Additionally, the paper also reviews the organisational risk assessment methodology implemented and the policies being adopted to strengthen cybersecurity. Methods: The topic of cybersecurity within healthcare and the clinical environment has attracted the interest of several researchers, resulting in a broad range of literature. The inclusion criteria for the articles in the review stem from the scope of the five research questions identified. To this end, we conducted seven search queries across three repositories, namely (i) PubMed®/MED-LINE; (ii) Cumulative Index to Nursing and Allied Health Literature (CINAHL); and (iii) Web of Science (WoS), using key words related to cybersecurity awareness, training, organisation risk assessment methodologies, policies and recommendations adopted as counter measures within health care. These were restricted to around the last 12 years. Results: A total of 70 articles were selected to be included in the review, which addresses the complexity of cybersecurity measures adopted within the healthcare and clinical environments. The articles included in the review highlight the evolving nature of cybersecurity threats stemming from exploiting IT infrastructures to more advanced attacks launched with the intent of exploiting human vulnerability. A steady increase in the literature on the threat of phishing attacks evidences the growing threat of social engineering attacks. As a countermeasure, through the review, we identified articles that provide methodologies resulting from case studies to promote cybersecurity awareness among stakeholders. The articles included highlight the need to adopt cyber hygiene practices among healthcare professionals while accessing social media platforms, which forms an ideal test bed for the attackers to gain insight into the life of healthcare professionals. Additionally, the review also includes articles that present strategies adopted by healthcare organisations in countering the impact of social engineering attacks. The evaluation of the cybersecurity risk assessment of an organisation is another key area of study reported in the literature that recommends the organisation of European and international standards in countering social engineering attacks. Lastly, the review includes articles reporting on national case studies with an overview of the economic and societal impact of service disruptions encountered due to cyberattacks. Discussion: One of the limitations of the review is the subjective ranking of the authors associated to the relevance of literature to each of the research questions identified. We also acknowledge the limited amount of literature that focuses on human factors of cybersecurity in health care in general; therefore, the search queries were formulated using well-established cybersecurity related topics categorised according to the threats, risk assessment and organisational strategies reported in the literature.</jats:p

Regulating Physician Behavior: Taking Doctors’ \u27Bad Law\u27 Claims Seriously

Physician behavior is a key target of government regulation intended to improve the efficiency, quality, and accessibility of health care. Yet according to physicians’ bad law claims, the legal effort to promote patient health and well-being has actually caused significant harm. These bad law claims - that malpractice litigation prompts defensive medicine, that patients’ rights policies prompt doctors to provide futile care, that controlled substance laws cause physicians to undertreat patients in pain - have diminished in significance due to the deconstruction of professionalism. Claims are often discarded as the cries of bad apple doctors or in the interest of creating a more egalitarian or consumer-oriented model of medicine. This article argues that physicians’ bad law claims should be taken seriously. The way physicians react to legal requirements can negatively impact the effectiveness of the law and the quality of patient care. Thus physician behavior must be included as an important factor in the effort to evaluate and improve the performance of the law. Taking seriously physicians’ bad law claims is a first step to understanding how physicians react to legal risks and consequently, how well laws perform. This article begins by addressing the dynamic relationship between the health law reform agenda and the medical profession. Part II considers categories of physicians’ bad law claims, recognizing that some may be dishonest or misinformed but arguing that many claims have credence as legitimate responses to extralegal shadow systems or truly harmful legal standards. Part III assesses common responses to physicians’ bad law claims. Providing specific examples, the article argues that current responses - e.g. educating doctors on the law; immunity statutes; safe harbor provisions - are inadequate because they fail to account for the realities of the medical professional or the nature of the law Finally, Part IV makes two recommendations for taking physicians bad law claims seriously and thereby effectively evaluating and improving the reform effort. First, it advocates evaluating the law through its population-based effects on physician behavior. Second, it recommends tailored monitoring and investigative processes that allow formal legal standards rather than policy decisions to govern the regulatory process

Effects of EMR on Community Health Center Communication

Electronic medical record (EMR) systems impact healthcare communication in a significant number of ways. The physical presence of the EMR in the examination room can negatively impacts patient-provider communication. This research examined the impact of EMR on patient-provider communication within the microcosm of the community health center. The data for this research was collected via a quantitative survey using a random sample of 513 (10%) of the 5,101 patients of the Northwest Community Health Center (August 2021 to August 2022). These participants were at least 18 years of age and had seen their medical provider in the previous 12 months. Many themes arose from the research participants who were uncomfortable with the EMR or the use of technology in the exam room. Understanding the benefits or even the general functionality of the EMR allows the patient to feel more comfortable with its use and to become more tolerant of the presence and use of technology during the physician encounter. Furthermore, as the possession and use of current technologies diminishes amongst the study’s participants, so does their preference for their provider to use an EMR. To comprehend the impact EMR knowledge has on the patients’ perception of its utilization, a crosstabulation between staff and non-staff patients underlined the fundamental difference. When asked what type of chart they would prefer their medical provider to use, a quarter of non-staff patients preferred electronic medical records, whereas two-thirds of the staff, who are also patients of the community health center, preferred the same. These findings indicate a need to educate patients about the benefits of the EMR and the advantage of accessing the EMR in the exam room. Furthermore, enhancing the providers’ communication skills will help them comprehend the prevalent communication barriers created by accessing the EMR in the exam room. The quality of the interaction between the patient and provider is critical to the patient’s health outcomes. Improved communication leads to better emotional and physiological health, compliance with treatment recommendations, pain management, and symptom resolution