Cybersecurity Using Risk Management Strategies of U.S. Government Health Organizations

Seismic data loss attributed to cybersecurity attacks has been an epidemic-level threat currently plaguing the U.S. healthcare system. Addressing cyber attacks is important to information technology (IT) security managers to minimize organizational risks and effectively safeguard data from associated security breaches. Grounded in the protection motivation theory, the purpose of this qualitative multiple case study was to explore risk-based strategies used by IT security managers to safeguard data effectively. Data were derived from interviews of eight IT security managers of four U.S. government health institutions and a review of relevant organizational documentation. The research data were coded and organized to support thematic development and analysis. The findings yielded four primary themes: effective cyber-risk management strategies: structured, systematic, and timely cyber risk management; continuous and consistent assessment of the risk environment; system and controls development, implementation, and monitoring; and strategy coordination through centralized interagency and interdepartmental risk management. The key recommendation based on the study findings is for IT security managers to employ cybersecurity strategies that integrate robust cybersecurity controls and systematic processes based on comprehensive risk management. The implications for positive social change include the potential to positively stimulate patient trust and confidence in healthcare systems and strengthen healthcare professionals\u27 commitments to ensure patient privacy