Blog

Professor Eric Johnson and I presented the paper, “The Impact of Security Practices on Regulatory Compliance and Security Performance in the Healthcare Industry”, at the 2011 International Conference on Information Systems (ICIS 2011), held in Shanghai, China from December 4 to 7.
Data breaches in the healthcare industry could bring more serious results than other industries, since healthcare data can be misused to more various frauds (e.g., billing for services not rendered, billing for a higher reimbursable service than performed, performing unnecessary services, unbundling of tests and services to generate higher fees, durable medical equipment fraud, pharmaceutical drug diversion, outpatient surgery fraud, and Internet pharmacy sales).
With the increased concerns, the US Government has increased the severity of fines for security violation, ranging up to $1.5M. Thus, we demonstrated how a healthcare organization’s security practices (including security applications, policies, and procedures) and culture influence information security and regulatory compliance.
This study found :

• IT security systems and security policies are synergistic, having complementary effects.
• Audit practices help an organization detect and report breaches rather than prevent breaches.
• Security cultural values significantly influence compliance and information security
• A top down approach improve information security rather than compliance.
• High collaboration makes information more exposed to risks while improving compliance.

Comments are welcome. The presentation poster is below:

Teaching high school students about security: