Meaningful Healthcare Security: Does “Meaningful-Use” Attestation Improve Information Security Performance?
Dr. KWON Juhee
Department of Information Systems
City University of Hong Kong
Certification mechanisms are often employed to assess and signal difficult-to-observe management practices and foster improvement. In the U.S. healthcare sector, a certification mechanism called meaningful-use attestation was recently adopted as part of an effort to encourage electronic health record (EHR) adoption while also focusing healthcare providers on protecting sensitive healthcare data. This new regime motivated us to examine how meaningful-use attestation influences the occurrence of data breaches. Using a propensity score matching technique combined with a difference-in-differences (DID) approach, our study shows that the impact of meaningful-use attestation is contingent on the nature of data breaches and the timeframe. Hospitals that attest to having reached Stage 1 meaningful-use standards observe fewer external breaches in the short term, but do not see continued improvement in the following year. On the other hand, attesting hospitals observe short-term increases in accidental internal breaches but eventually see long-term reductions. We do not find any link between malicious internal breaches and attestation. Our findings offer theoretical and practical insights into the effective design of certification mechanisms.
Keywords: Data breaches, Electronic Healthcare Records, Healthcare, Meaningful-use, Security
Juhee Kwon is an Associate Professor of the Information Systems Department in the College of Business at City University of Hong Kong. Her research interests include information security, healthcare IT, IT business values, and business–IT alignment. She earned a Ph.D. from Krannert School of Management, Purdue University. Her research articles have appeared in such academic journals as MIS Quarterly, Information Systems Research, Journal of Management Information Systems, Journal of the American Medical Informatics Association, IEEE Security & Privacy, and Journal of Information Systems.