Optimal information security investment in a Healthcare Information Exchange: An economic analysis

摘要

The complexity of the problem, the increasing security breaches, and the regulatory and financial consequences of breached patient data highlight the fact that security of electronic patient information in Healthcare Information Exchanges (HIEs) is an organizational imperative and a research priority. This study applies classical economic decision analysis techniques and models the HIE based on its network characteristics to offer key insights into the issue of determining the optimal level of information security investment We find that for an organization in a HIE, only security events with the potential loss reaching some critical value are worth protecting, and organizations would only spend a fraction of the intrinsic security risk on protection measures. Even when business benefit from security investment exists, organizations in a HIE tend to invest based on risk reduction alone. The implications of such decisions made at the node level and the resulting built-in moral hazard at the HIE level is discussed.