Abstract
Purpose: Data breaches in the US healthcare sector have more than tripled in the last decade across all states. However, to this day, no established framework ranks all states from most to least at risk for healthcare data breaches. This gap has led to a lack of proper risk identification and understanding of cyber environments at state levels.

Design/methodology/approach: Based on the security action cycle, the National Institute of Standards and Technology (NIST) cybersecurity framework, the risk-planning model, and the multicriteria decision-making (MCDM) literature, the paper offers an integrated multicriteria framework for prioritization in cybersecurity to address this gap and other prioritization issues in risk management in the field. The study used historical breach data between 2015 and 2021.

Findings: The findings showed that California, Texas, New York, Florida, Indiana, Pennsylvania, Massachusetts, Minnesota, Ohio, and Georgia are the states most at risk for healthcare data breaches.

Practical implications: The findings highlight that each US state faces a different level of healthcare risk. The findings are informative for patients, crucial for privacy officers in understanding the nuances of their risk environment, and important for policy-makers who must grasp the grave disconnect between existing issues and legislative practices. Furthermore, the study suggests an association between a state's risk position and such factors as population and wealth, both avenues for future research.

Originality/value: Theoretically, the paper offers an integrated framework whose basis in established security models from both academia and industry practice enables its use in various prioritization scenarios in the field of cybersecurity. It further emphasizes the importance of risk identification and brings attention to the different healthcare cybersecurity environments among the US states.