In recent years, management in the healthcare domain has become burdened with multiple managerial issues related to cost, quality, accessibility, medical errors and security concerns. Nation Master (2014) notes that even though healthcare spending in the United States (U.S.) is the highest in the world, it still exhibits a mediocre cost-to-quality ratio. On the other hand, India experienced 22-25 percent growth in healthcare tourism in 2017 due to the low cost and high quality of its healthcare services (India Brand Equity Foundation Report 2018). However, the country lags in technology infrastructure and physician-to-patient ratio. Thus, while U.S. hospitals are focusing on healthcare cost reduction and care quality improvement, Indian hospitals are trying to improve the efficiency of existing technologies such as telemedicine. However, investment in healthcare information systems (HIS) has come under the scrutiny of management researchers in recent years. This is because the positive perception of HIS has gradually begun to fade due to negligible returns on investments.
Prior research also focuses on concerns related to the information security of patients' electronic medical records. IBM-Ponemon (2017) reports that healthcare data fetches the highest price on the black market, which makes it a lucrative target for cyber-criminals. As a result, cyber-risk determination and risk mitigation are of utmost importance for healthcare managers. Our study on IT governance in healthcare follows the Control Objectives for Information and Related Technologies (COBIT) framework for strategic alignment, resource planning, risk management, value delivery and performance measurement to improve the impact of HIS. In our study, we aim to provide solutions to mitigate (i) strategic risks and (ii) operational risks. Our research contributes to existing healthcare issues related to strategic risk mitigation such as better accessibility, improved care quality, cost reduction and resource management. It also addresses operational risk through proactive detection of attack type to ensure better allocation of resources and reduction of financial loss due to cyber-attack.
In the Indian healthcare system, government or not-for-profit healthcare organizations are continuously making efforts to improve healthcare accessibility. The 2017-18 Indian budget saw the launch of the DigiGaon initiative, which aims to make telemedicine accessible to more than one lakh villages. As the demand for telemedicine increases in India, lack of strategic planning may induce inefficiency and result in financial loss to telemedicine providers. Thus, in this study, we propose a two-module Classifier-Based Prediction and Strategic Investment Planning (CBPSIP) framework based on the resource-based view (RBV) and business-IT alignment. The use of machine learning techniques (Classification and Regression Tree, Naive Bayes, Bagging Tree) and a payoff matrix for investment planning is novel in the Indian telemedicine scenario. The CBP module includes the knowledge source or department, the broadcasting session type and the type of remote institute, and performs various functions: (i) compare machine-learning-based classification techniques, (ii) predict the remote broadcasting location and (iii) report the model evaluation measures. The SIP module takes inputs such as (i) prediction accuracy from the CBP module, (ii) scenarios (i.e., with admissions available and with no admissions) and (iii) risk profile (i.e., risk-averse or risk-neutral). Within this module, we further (a) assess the business model in terms of expected payoff and utility under risk, (b) determine the optimal investment structure in the CBP framework, and (c) calculate the change in investment in the framework vis-a-vis the increase in consultation fee. Our framework is helpful as a decision-making tool and can be used to assess the cost effectiveness of such systems and take the necessary decisions to improve their overall profit potential.
In the United States, rising healthcare management issues led to stringent government policies which aimed to reduce readmission rates, improve value-based care and ensure maintenance of data security standards. Hefty penalties for hospitals were introduced in case of any non-compliance with quality and security regulatory policies. Under such circumstances, it became essential for health providers to devise investment strategies for installing or reinvesting in healthcare information technology (HIT) applications based on their impact on reducing mortality rates: pneumonia mortality rates (PMR) and cardiac disease mortality rates (CDMR). We propose a Clinical Quality Assessment (CQA) framework that helps healthcare managers devise their HIT investment strategy through prioritization based on IT impact. We contribute to the existing research on the IT productivity paradox as we investigate whether or not the HIT applications in a hospital reduce patient mortality. Our result also reflects the processes that are positively impacted by IT as a resource while treating a patient admitted to a hospital. Thus, our study also contributes to the resource-based view (RBV) of IT. The inputs needed for this purpose are: (i) HIT applications needed to treat either pneumonia or cardiac disease or both, (ii) hospital characteristics (number of physicians and number of beds), (iii) socio-economic factors (literacy and per-capita income) and (iv) hospital type (i.e., voluntary, government and proprietary). We use secondary data of U.S. hospitals and apply data analytic methods such as K-means clustering, linear regression and stepwise regression.
Our results provide (i) the impact of HIT applications in reducing mortality rates (PMR and CDMR) for all hospitals, (ii) the impact of HIT applications in reducing mortality rates (PMR and CDMR) for small and medium hospitals and (iii) a comparison of the change in HIT usage for the treatment of pneumonia and cardiac disorder over two time periods, 2008-2010 and 2011-2013. We also note that though the HIT deployed in most healthcare units is still at the transactional level (i.e., storing, aggregating and forwarding healthcare information), it is making crucial contributions in reducing PMR and CDMR. Our CQA model will help healthcare managers to deploy HIT applications on a priority basis in terms of their impact on reducing mortality rates to ensure better utility of their IT investment. Apart from socio-economic factors and hospital characteristics, HIT application functions are also affected by a hospital's security installations. In this study, we classify the HIT applications in a hospital into clinical and administrative automation systems (CAS and AAS) and investigate the impact of IT security (i.e., anti-virus, intrusion detection systems and user authentication systems) on PMR and CDMR. For this purpose, we propose the HITOSEC framework, where IT acts as a hospital's resource and aids in patients' treatment processes. Our study also contributes to the IT productivity paradox by evaluating the impact of the integration of HIT applications and security measures with a hospital's treatment processes. In the HITOSEC framework, we use the backward regression technique to (i) explore the effect of each of the factors towards reducing mortality rates (heart attack mortality rates (HAMR), heart failure mortality rates (HFMR) and pneumonia mortality rates (PMR)), and (ii) check the impact of IT security measures on the performance of HIT applications in reducing mortality rates.
The input variables to HITOSEC are: (i) HIT applications: CAS and AAS, (ii) hospital characteristics (number of physicians and number of beds), (iii) socio-economic factors (literacy and per-capita income), (iv) hospital type (government, voluntary, and proprietary) and (v) IT security measures (anti-virus, user authentication and intrusion detection system). Based on the study, we conclude that (i) the impact of IT security on HIT in reducing mortality rates is insignificant, (ii) security implementations in hospitals may have a detrimental effect on clinical quality, especially during emergencies, and (iii) healthcare managers should measure the impact of security implementation in terms of the reduction of operational risks only (like cyber-attacks and data breaches).
Nearly 75% of U.S. residents are Internet users. The U.S. is also the most affected country in terms of average size of data breach (Ponemon 2017). For this purpose, we propose the AOL framework to predict the amount of data breached per attack, based on historical data. The equation for the proposed linear model includes factors such as: (i) asset characteristics, i.e., data storage type and data content type, and attacker type with respect to the organization, i.e., internal or external, (ii) organization type, i.e., hospital or non-hospital, and (iii) location factors, i.e., crime rate, population density, literacy, Internet usage and per-capita income. Our study is in line with criminology theories such as (i) situational crime prevention, which supports organization type and asset characteristics, and (ii) rational activity theory, which emphasizes locational characteristics as an incentivizing factor for criminal activities. We perform OLS backward regression to determine the coefficient and significance of the input variables in determining the amount of data breach exposure. This study helps healthcare managers to identify the determining variables that are significant in predicting the amount of data breached in an attack. It will help in making policies to avoid excess data exposure during a potential breach. It also encourages researchers to focus on organizational and locational factors in addition to improving the technological prowess of an organization's security.
We also try to address the problem of minimizing operational risk (security breach) in hospitals by using a Cyber-Risk Quantification and Cyber-Risk Mitigation (CRQ-CRM) framework. Our CRQ-CRM framework is important as it aims to solve issues of confidentiality, integrity and availability (C-I-A) of patient data that can lead to tangible as well as intangible losses to a healthcare organization. Our framework is built on the theory of criminology that tries to explain the impact of a crime-conducive environment, typically in terms of the corruption index. We study past records of identity theft incidents pertaining to the healthcare industry to (i) establish the importance of the form of target data and agent source, and (ii) explain the effect of state-level factors like crime rate, population density, literacy rate, Internet usage, and per-capita income. Our methodology includes: (i) comparing the prediction accuracy of classification techniques in order to predict the attack type (hacking, insider attack, physical attack or unintended disclosure), (ii) evaluating the expected loss due to misclassification and (iii) using the probability impact matrix to suggest risk mitigation strategies. Thus, our study will help security managers in policy making and in taking precautionary countermeasures to reduce loss due to identity theft attacks while encouraging them to consider state-level factors. It will also encourage academicians to work on locational factors and their interactions with individuals and technology in determining cyberattack severity.
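The last two CRQ-CRM steps (expected loss due to misclassification, then a probability impact matrix) can be sketched as follows; this is an added illustration, not code or data from the study. The confusion counts, per-type losses, cut-offs and the quadrant-to-response mapping are all constructed assumptions.

```python
# Constructed data throughout: none of these numbers come from the study.
ATTACKS = ["hacking", "insider attack", "physical attack", "unintended disclosure"]

# CONFUSION[i][j] = incidents whose true type is ATTACKS[i], predicted as ATTACKS[j].
CONFUSION = [
    [40, 5, 3, 2],
    [6, 20, 2, 2],
    [4, 2, 30, 4],
    [3, 4, 3, 20],
]

# Assumed loss (arbitrary units) when an incident of type i is predicted as
# some other type, so the countermeasure for type i was not prioritised.
IMPACT = [100.0, 60.0, 20.0, 10.0]

# Assumed quadrant-to-response mapping, keyed by (high probability?, high impact?).
RESPONSES = {
    (True, True): "avoid",
    (True, False): "reduce",
    (False, True): "transfer",
    (False, False): "accept",
}


def expected_misclassification_loss(confusion, impact):
    """Sum over true types of P(true type, wrong prediction) * loss for that type."""
    total = sum(sum(row) for row in confusion)
    return sum((sum(row) - row[i]) / total * impact[i]
               for i, row in enumerate(confusion))


def probability_impact_matrix(confusion, impact, p_cut, i_cut):
    """Place each attack type in a probability/impact quadrant and name a response."""
    total = sum(sum(row) for row in confusion)
    plan = {}
    for name, row, loss in zip(ATTACKS, confusion, impact):
        probability = sum(row) / total  # empirical share of incidents of this type
        plan[name] = RESPONSES[(probability >= p_cut, loss >= i_cut)]
    return plan


if __name__ == "__main__":
    print(round(expected_misclassification_loss(CONFUSION, IMPACT), 2))
    for attack, response in probability_impact_matrix(CONFUSION, IMPACT, 0.25, 50.0).items():
        print(f"{attack}: {response}")
```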