Ranking the states most at risk of healthcare data breaches: an application of integrated multicriteria framework for prioritization in risk management

2.1 Prioritization in decision-making

An examination of prior literature (Jato-Espino et al., 2014; Kornyshova and Salinesi, 2007; Maalem Lahcen et al., 2020; Toloie-Eshlaghy and Homayonfar, 2011; Wang et al., 2009; Zavadskas et al., 2014; Zavadskas and Turskis, 2011), suggested addressing the prioritization issues in decision-making must include addressing five areas: objectives, criteria, indicators, ranking technique, and application. The first step requires understanding the purpose of ranking, concerning organizational cybersecurity operations. Why does ranking (prioritization) in cybersecurity matter? In what domain of cybersecurity can the results of prioritization add value? Developing the objectives will not only add context to the task but also define the boundaries of applicability of any findings (Ross, 2018). The second area is establishing the appropriate criteria—the conceptual factors that can drive the prioritization tasks (Zavadskas et al., 2014). The core of prioritization techniques is using criteria that are known, established, and rooted in prior literature and practices. Some study domains often rely on prior literature to establish such criteria (Toloie-Eshlaghy and Homayonfar, 2011). Others, such as studies in sustainability, may rely upon both prior literature and existing industry standards (Stojčić et al., 2019). The third area is selecting indicators appropriate to chosen criteria. Indicators are the operationalization of the conceptual criteria established in step 2 (Maalem Lahcen et al., 2020). The next step is selecting the right multicriteria decision-making technique (MCDM) and analyzing the data. Among various developed MCDM techniques, each has its unique attributes (Kornyshova and Salinesi, 2007; Toloie-Eshlaghy and Homayonfar, 2011). The purpose of these techniques in their respective stream of research is to aid decision-makers when they face a decision with multiple choices. These can include situations where decision-makers must select between several alternative solutions (Stević et al., 2020; Zavadskas and Turskis, 2011) or identify their biggest issues (Gürbüz et al., 2012; Petrović et al., 2019). Finally, the approach must address the matter of applicability. While the first step (objectives) aims to answer the questions of “what” and “why,” applicability aims to answer the question of “how.” In other words, having completed all prior steps, how can the findings be applied in practice? These areas provide a general road map of what needs to be done. The first two steps concern the conceptualization of the prioritization task. Steps three and four concern the operationalization of the task, and the final step concerns utilizing the findings. Figure 1 illustrates this layered model, where each step essentially encompasses the step after it and will affect its construction. For example, the objective is the outermost layer, overseeing all the other steps. Then, criteria oversee all other steps but the initial objective, and so on.

2.2 Prioritization in cybersecurity decision-making

To apply this approach in organizational cybersecurity, contextualization matters. From an academic point of view, theories provide the pivotal toolset advancing cybersecurity studies. A myriad of theories, from the unified security compliance model (Moody et al., 2018) to threat-avoidance theory (Liang and Xue, 2009), has developed and expanded over the years to push cybersecurity studies with adequate rigor. From a practical perspective, various standards, best practices, and training have been the primary resources in the cybersecurity domain. NIST special publications and the International Standards Organization (ISO) provide standards on all things cybersecurity, from risk management to infrastructure security (International Standard Organization, 2022; National Institute of Standards and Technology, 2018; Ross, 2018). Many organizations, such as SANS, [1] ISACA, [2] and CISA, [3] provide additional resources and training programs. Accordingly, relevancy and applicability appear to be the driving goals behind these efforts. While academia and practice have increased the connection over the years, the dichotomy of rigor versus relevance raised in the bigger information system field (Davenport and Markus, 1999) still appears in cybersecurity.

With this context in mind, the question arose of how this paper should develop the needed framework. Ultimately, the goal is findings that are both rigorous and relevant (Benbasat and Zmud, 2003; Davenport and Markus, 1999). Accordingly, the prioritization framework this study develops draws upon both theoretical models and practical standards. Figure 2 depicts the framework.

Overall, the framework for this study is the result of the integration of several security models, including the security action cycle (Straub and Welke, 1998), the NIST cybersecurity framework (National Institute of Standards and Technology, 2018), and security risk planning (Goodhue and Straub, 1991) integrated with requirements of MCDM models (Maalem Lahcen et al., 2020; Zavadskas et al., 2014). The goal of the framework is to provide a systematic approach to answering any prioritization questions in the context of cybersecurity. The section continues by discussing each step, then applies the framework to the study context to answer the research question.

3.1 Framework for ranking the states most at risk of data breaches in healthcare

Table 2 summarizes the application of the framework for this study. The methodology section discusses all steps (except the application in order), and the discussion further unpacks the application.

Objective: The goal of the study is to identify states most at risk for healthcare data breaches, to increase the understanding of individuals in the US healthcare system (i.e. policy-makers, patients, covered entities, and business associates). Thus, the study follows the “identify” core function of the NIST cybersecurity framework, or “deterrence” under the security action cycle. This process of statewide risk identification can be informative for all stakeholders and provide a clear picture of the characteristics of the cybersecurity environment in the healthcare sector, an attribute that can influence increasing security concerns and decision-making (Goodhue and Straub, 1991).

Criteria: Among the available risk and threat modeling approaches, the integrated risk model for data breach management that Khan et al. (2021) proposed was quite applicable to the context of the study. According to the model, the risk profile analysis for the identification of risk (the goal of this study) includes three facets: (1) data breach cause: the primary event causing the breach; (2) data breach locus: the point of adverse access to data (physical or logical); (3) data breach impact: adverse effect of breach on an organization (Khan et al., 2021). Accordingly, these three facets became criteria in the prioritization model.

Indicators: The breach data that the U.S. Department of Health and Human Services Office for Civil Rights (OCR) (2023) publishes allows selecting indicators, based on the criteria the previous step discussed. Table 3 provides the summary of these indicators.

3.2 Data

Data from the OCR contained 2,658 incidents at the date of this study, from 2015 to 2021. Some incidents were removed. These included: incidents that OCR has closed for different reasons, such as incomplete information, entries that either did not have a web description or provided the type of PHI stolen in their descriptions, and entries that were recorded multiple times. All indicators were directly extracted from a public database, except for the number of stolen PHI items, which required examining the incident description by carefully reading and counting the number of stolen PHI items from the breach description in the dataset. Data from 2015 and on were selected because that year, OCR updated its portal requirements and harmonized its web descriptions (HIPAA Journal, 2019). Then, 2,279 remained for the analysis.

3.3 Indicator weight determination

The best-worst method (BWM), i.e. the latest MCDM technique proposed (Rezaei, 2015), uses pairwise comparisons to obtain the weights of alternatives and evaluates them with respect to a set of decision criteria. This method compensates for the shortcomings of pairwise comparison-based methods (e.g. analytical hierarchy process, analytical network process), such as inconsistency. Based on a nine-point scale, this method reduces the number of pairwise comparisons substantially by only executing reference comparisons—i.e. experts must only determine the preference for the best criterion over other criteria and the preference for all criteria over the worst criterion. By eliminating secondary comparisons, this method can obtain weights for any MCDM problem effectively and easily. According to Rezaei (2015), executing this method uses five steps:

• Step 1. A set of decision criteria is determined as {C1,C2,C3 …,C6}.

• Step 2. An expert or panel of experts determines the best and the worst criteria.

• Step 3. Using a number ranging from one to nine, which will result in the best-to-others vector, determines the preference for the best criterion over all other criteria:

• Step 4. Determine the preference for all other criteria over the worst criterion, using a number ranging from one to nine, resulting in the others-to-worst vector:

• Step 5. Find the optimal weights (w1*,w2*,…,wn*).

The pairwise comparison matrix will be perfectly consistent if aik×akj=aij,∀ i,j. The optimal weight for each criterion occurs when, for each pair of WB/ Wj and Wj/ Ww, we have WB/ Wj=aBj and Wj/ Ww=ajW. To satisfy these conditions for all j, we must identify a solution that minimizes the maximum absolute differences |wBwj−aBj| and |wjww−ajw| for all j. Based on the non-negativity and sum conditions, Eq. (1) can be used to obtain optimal weight:

This problem can also be rewritten as follows:

According to Rezaei (2015), a consistency ratio should be computed for pairwise comparisons, which can be expressed as Eq. (3):

3.4 Prioritization technique: grey relational analysis

Julong (1989) introduced the Grey Relational Analysis (GRA) as part of Grey systems theory; it can solve problems that intricate interrelationships between factors and variables characterize. The GRA method has been extensively used for solving problems associated with ambiguity under discrete data and incomplete information (Wei, 2011; Wu, 2009). This method first translates the performances of each alternative into comparability sequences, through a process analogous to normalization (Kuo et al., 2008b). Afterward, an ideal or reference sequence is defined, which is then used to calculate the grey relational coefficient between all comparability sequences and the reference sequence. Finally, based on the computed grey relational coefficients, the grey relational degree between every comparability sequence and the reference sequence is calculated, and alternatives are ranked accordingly. This procedure is fulfilled through the following steps:

• Step 1: Based on the experts’ opinions, a decision-making matrix assumed to have m alternatives characterized with n criteria is determined:

• Step 2: All performance values for each alternative are normalized and processed into a comparability sequence Yi=(yi1,yi2,yi3,…,yin) using Eqs. (5) and (6) for the-larger-the-better criteria and the-smaller-the-better criteria, respectively:

It is important to note that in this paper, we rank different states with regard to risks, and, therefore, all criteria are considered to be the-smaller-the-better criteria.

• Step 3: A reference sequence is defined and compared with each comparability sequence from Step 2 and expressed as follows:

• Step 4: The values of grey relational coefficients are calculated using Eq. (8), which indicates how close the values of yij are to the reference sequence y0:

The value of ζ reflects the degree to which the minimum scores are emphasized relative to the maximum scores (Zhang et al., 2005). Decision-makers determine the distinguishing coefficient (Kuo et al., 2008a, b); this study sets decision-makers as 0.5.

• Step 5: After all grey relational coefficients φ(y0,yij) are calculated, the grey relational degree can be calculated as follows:

3.5 Data analysis

4.1 Calculating the weight of indicators

As the methodology section mentioned, the weight of all indicators was calculated using BWM. On this basis, focus-group meetings determined the comparisons to find the best indicator as compared to other indicators, as well as the comparisons of other indicators to find the worst. Tables 5 and 6 show the preferences for the best criterion over other criteria and for other criteria over the worst criterion, respectively. The output related to the weight of the indicators was determined using LINGO 11.0 software and appears in Table 7.

The bigger the ζ, the higher the consistency ratio is and the less reliable the comparisons become. BWM always results in consistent (not necessarily fully consistent) comparisons (Rezaei, 2015). According to the comparison between Analytical Hierarchy Process (AHP) and BWM, the consistency ratio is less than 0.1, which means that the weights obtained are acceptable and can be used for prioritization.

4.2 Ranking the states

Figure 3 displays the summary of primary analysis. Results indicate that California, Texas, New York, Florida, Indiana, Pennsylvania, Massachusetts, Minnesota, Ohio, and Georgia are the top 10 states at risk. South Dakota, Wyoming, North Dakota, Idaho, Vermont, Rhode Island, Montana, New Hampshire, Hawaii, and Alaska have the lowest privacy breach risk in their respective health sectors.

Since the indicators are negative, the minimum values are the basis for determining the reference series. As a result, smaller values of grey relational degrees represent that a specific alternative is closer to the reference sequence. Therefore, the alternative with the smallest grey relational degree value represents the first rank. Consequently, by default, the method generates the results from the safest states to those most at risk. However, since it is more crucial to understand the states most at risk, the findings appear from worst to best (i.e. in the tables and figures, rank one represents the states most at risk, and rank 50 represents the state least at risk).

Moreover, since the distinguishing coefficient should be between zero and one, calculations were performed in three situations (ζ=0.1,ζ=0.5,and ζ=0.9), to perform sensitivity analysis for this parameter. The results appear in Table 8, where it is evident that the differentiation coefficient does not affect the ranking of states and has the same results.

4.3 Post-hoc analysis: sensitivity analysis

To analyze the sensitivity of results, other methods with different calculation bases were used. For robustness checks, combined compromise solution (CoCoSo), multiattributive border approximation area comparison (MABAC), and multiattributive ideal real comparative analysis (MAIRCA) were utilized (Gigović et al., 2016). These techniques have a different structure than GRA, in terms of both the data normalization technique and the formulas that lead to the prioritization of alternatives. These methods can be used in situations where the criteria are only positive or negative. Other methods, such as TOPSIS, VIKOR, and COPRAS, are mainly based on positive or negative ideal distance, which cannot be used in such situations. The basis of the MABAC method originated from the definition of the distance of the indicator function of each alternative from the border approximation area (Pamučar and Ćirović, 2015). Although the MAIRCA method has the same calculation structure as MABAC, the best alternative in the ranking is the one with the closest values to the ideal rating by all criteria (Pamucar et al., 2018). Alternatively, the CoCoSo method, proposed by Yazdani et al. (2019), is based on integrating simple additive weighting and an exponentially weighted product model. The method has eliminated the shortcomings of other MCDM methods, such as TOPSIS and COPRAS. The first table in the supplementary materials displays the results in full. As we can see, different calculation methods also confirm the results from the GRA and show a high degree of correlation.

Finally, comparing the three methods used for robustness checks with the primary analysis method (i.e. GRA), the finding remains consistent across all four methods for 45 states, with the remaining five states showing consistent ranking across three methods. Table 9 displays the summary of this comparative assessment, while the entire table can be seen under Supplementary Materials.

5.1 Policy discussion

First, from a policy standpoint, all covered entities have a baseline they must follow, namely, the HIPAA privacy and security rules (U.S. Department of Health and Human Services, 2013). However, as noted, stricter state laws can preempt HIPAA. Thus, state laws (whether signed for the healthcare sector or as a comprehensive law) can be a differentiating factor. An estimate by Health Information & The Law, a George Washington University project, showed that by the end of 2019, 32 states had approved additional sporadic bills governing healthcare organizations, on individual issues (Health Information and The Law, 2020). For example, New York and Massachusetts had additional safeguard laws (e.g. encryption and authentications) in place. However, there is a need for comprehensive state laws.

According to the US State Privacy Legislation Tracker (Desai, 2023), at the time of this study, only 10 states had signed comprehensive privacy bills into law, 11 states had active bills, and other states did not have any active bills or any comprehensive privacy bills introduced. Table 10 displays some of the states that had signed the bills into law, their data breach rank, and their effective date. Of nine that had signed bills into law, only California (CCPA – California Privacy Act and Proposition 24 – California Consumer Privacy Rights Act), and Colorado (SB 190, Colorado Privacy Act) were currently effective (IAPP, 2023).

Here, the major takeaway is a general lack of comprehensive state security and privacy laws. While there had been various sporadic state legislation during the period in which this study occurred, almost no state (except California for 2 years) had any comprehensive privacy and security law in place. California had been the subject of 71 breaches (an average of 35.5 per year), compared to 200 breaches (an average of 40 per year) in the final dataset this study used. No conclusion is valid while we wait a few years to see how effective these policies were, but the statistics may support some optimism. Regardless, the current status quo also highlights that many states are not actively pursuing a comprehensive law, particularly concerning the states at the top of the risk list.

Second, neither HIPAA nor state policies seem to have evolved as fast as the methods of hacking/IT incidents. Collectively, hacking/IT incidents characterize most threats for all states. Furthermore, among the five categories of threats (i.e. hacking/IT incident, theft, loss, improper disposal, and unauthorized access/disclosure), hacking/IT incidents have evolved, become more complex, and occurred using many more novel methods. Thus, they deserve to be an integral facet of any new amendments and laws. From a legislative perspective, state policies appear to focus on increasing consumer rights and business obligations (IAPP, 2023). Risk assessments are part of business obligations, requiring a concerted effort to enhance this process and address the most pressing issues. This effort must be twofold: creating obligations to enhance the defense mechanism (human/technical) against malicious threats and understanding how to mitigate unintentional errors. Unintentional errors can be a more significant source of threat. Yet, a keyword search within the legislative drafts available to the public shows that none of the existing state policies explicitly raise the issue of hacking, which can be concerning. Even though the US seems headed in the right direction by devising comprehensive state laws governing all aspects of security and privacy, these laws do not address the most pressing issues—hacking and IT incidents.

5.2 Socioeconomic discussion

From a socioeconomic perspective, this study looked at the correlation between the final risk ranking and the latest available socioeconomic indicators that appear in Table 11.

Pearson correlations was calculated between the final ranking and values of each state for each indicator. Since the ranking was from highest breach risk (rank 1, indicating the most insecure state) to lowest breach risk (rank 50, indicating the most secure), a negative correlation indicates that higher values for the socioeconomic factors are associated with lower ranks in the table (i.e. higher data breach risk).

Starting with indicators from the US Bureau of Labor Statistics, a strong negative correlation exists between state data privacy breach ranking and the number of employees per hospital (r = −0.80), number of hospitals (r = −0.68), and number of people per hospital (r = −0.34). The higher those indicators, the higher the data breach risk will be for that state, and thus, the lower its ranking. Additionally, we a similar pattern where higher population correlates with higher data breach risk (r = −0.74). Finally, using GSP—the level of economic output by state and indicator of wealth (National Center for Education Statistics, 1991)—we see that wealthier states have more exposure to privacy data breach risk. If a malicious source causes the breach, “having more people” or “being wealthier” may indicate the source had more financial incentives to steal the data. However, what this correlation indicates about breaches that inadvertent mistakes cause is less clear. Does having more patients and work pressure in populated areas increase the tendency of the staff to make more mistakes? Do more populated areas have a lower quality of Security Education and Training Awareness (SETA) programs in their entities? This may be a question worth exploring in the future. Combining the two facets of policy and socioeconomic aspects, Table 12 provides recommendations surrounding discussions in this paper.

5.3 Theoretical implications

The study provides an integrated framework drawn upon the security action cycle (Straub and Welke, 1998), the NIST Cybersecurity Framework (National Institute of Standards and Technology, 2018), the Risk-Planning Model (Goodhue and Straub, 1991), and MCDM methods (Toloie-Eshlaghy and Homayonfar, 2011), to answer the research question. The framework provides a roadmap, starting from setting the objective, to the application of the findings. This study applied this framework for risk identification at the state level across the US healthcare industry. The framework provides guidelines and flexibility that allow it to apply in other cybersecurity contexts. Table 13, on future research, provides a snapshot of how other potential questions can arise. The components of the framework itself provide two more implications.

First, despite the sporadic usage of MCDM models and propositions to enhance their utilization, using these methods in cybersecurity has received less attention (Maalem Lahcen et al., 2020). By integrating these methods into the framework, the study encourages researchers to further consider applying the methods in various contexts. MCDM methods do not answer the question of causality or association. However, they can help tremendously in assisting decision-making, as demonstrated in a plethora of other literature, find the best solution, and prioritize a list of alternatives. Rarely does any decision involve a single choice (Samuelson and Zeckhauser, 1988). Rather, decisions are complex, include various alternatives, and face time and monetary constraints. Whether risk identification (as in this study), prioritization in risk assessments, or finding the best alternatives for risk solutions, MCDM approaches can useful with such questions.

Second, the study attempts to address the challenge of relevancy vs rigor (Benbasat and Zmud, 2003; Davenport and Markus, 1999) in risk identification, by providing a balanced framework that considers both prior academic risk models (e.g. risk-planning model, security action cycle) and widely accepted industry standards (NIST). Furthermore, the framework suggests using various threat-modeling approaches, such as PASTA, CORAS, or other models, as time progress. One final thought is that even though the framework was developed to address an issue in the United States, it is very conceivable that with enough substitution, the model is applicable in contexts outside of the US

5.4 Practical implications

First, practitioners can apply the model to use with their own available data, to answer any prioritization questions they may have. The model was presented as flexible, so users can apply their threat-modeling approach to developing the criteria or using their own MCDM method. Table 13 presents avenues for practical applications. The method here is for demonstration purposes, and ultimately, the researchers can decide the best approach.

The remaining practical applications stem from the application of the framework for ranking the US states most at risk of healthcare data breaches. The study findings show that various states face different levels of risk. It provides transparency for stakeholders, lets patients know of the potential risk facing their PHI in their respective states, and lets privacy officers at covered entities know the degree of risk their entity and state face. Furthermore, it lets legislators know the existing climate in the healthcare sector. The latter seems to be a very grave point in this story. Not only have there not been comprehensive laws, but the existing laws do not address the most pressing issue, namely, Hacking/IT incidents.

Finally, the discussion highlights the seemingly significant correlation between state risk ratings and several socioeconomic indicators, including populations (e.g. state population, number of patients, hospitals), and wealth indicators.