2023 Feb 24;53(3):198–205. doi: 10.1177/18333583231158886

For-profit versus non-profit cybersecurity posture: breach types and locations in healthcare organisations

Martin Ignatovski
PMCID: PMC11403923  PMID: 36840419

Abstract

Background

The implementation of emerging technologies has resulted in an increase of data breaches in healthcare organisations, especially during the COVID-19 pandemic. Health information and cybersecurity managers need to understand if, and to what extent, breach types and locations are associated with their organisation’s business type.

Objective

To investigate if breach type and breach location are associated with business type, and if so, investigate how these factors affect information systems and protected health information in for-profit versus non-profit organisations.

Method

The quantitative study was performed using chi-square tests for association and post-hoc comparison of column proportions analysis on an archival data set of reported healthcare data breaches from 2020 to 2022. Data from the Department of Health and Human Services website was retrieved and each organisation classified as for-profit or non-profit.

Results

For-profit organisations experienced a significantly higher number of breaches due to theft, and non-profit organisations experienced a significantly higher number of breaches due to unauthorised access. Furthermore, the number of breaches that occurred on laptops and paper/films was significantly higher in for-profit organisations.

Conclusion

While the threat level of hacking techniques is the same in for-profit and non-profit organisations, certain breach types are more likely to occur within specific breach locations based on the organisation’s business type. To protect the privacy and security of medical information, health information and cybersecurity managers need to align with industry-leading frameworks and controls to prevent specific breach types that occur in specific locations within their environments.

Keywords: computer security, privacy, data security, health information systems, health information management, medical informatics, electronic health records, healthcare

Introduction

From paper records to electronic health record (EHR) systems, and now telehealth (TH) platforms and Internet of Things, healthcare organisations have implemented new technologies to keep up with recent advancements (Farid, 2019; Gu et al., 2019; Jin et al., 2020). Implementation of new information systems (IS), such as EHR and TH platforms, has allowed healthcare practitioners to spend more time on treating patients and less on administrative tasks, thus positively impacting patient safety and outcomes (Aldahiri et al., 2021; Blandford et al., 2020; McGrowder et al., 2021; Tapuria et al., 2021). While digital transformation has offered many benefits, it has also created challenges for healthcare organisations (Al-Issa, 2019; Massaro et al., 2021). Health information and cybersecurity managers now face obstacles when attempting to secure protected health information (PHI) that their organisations collect, process, and store. Cybersecurity attacks targeting IS and PHI within the healthcare industry are on the rise, especially during the COVID-19 pandemic (Ignatovski, 2022). According to the United States (US) Department of Health and Human Services (HHS) (2022), since the beginning of 2020, there have been more than 1500 instances of successful data breaches, totalling over 100,000,000 breached records.

Healthcare organisations run their business operations in either a for-profit or non-profit setting (Marwell and McInerney, 2005). For-profit organisations focus on generating profits for their shareholders, while non-profit organisations focus on using their extra income to reinvest in their mission, operations, or products they offer. Malicious actors deploy cybersecurity attacks on any organisation, regardless of business type. With the current rise of cybersecurity attacks, health information and cybersecurity managers have an obligation to the US Federal Government, under the Health Insurance Portability and Accountability Act (HIPAA) (Moore and Frye, 2019) and the Health Information Technology for Economic and Clinical Health Act (HITECH) (Kiel, 2022), and to the patients they serve, to protect the confidentiality, availability, and integrity of the medical information they collect, store, or process. To protect their IS, organisations need to appropriately budget for the hiring of appropriate personnel and the implementation of cybersecurity controls and frameworks to secure the PHI they store (Abraham et al., 2019; Moore and Frye, 2019).

The HIPAA Act (Centers for Disease Control and Prevention, 1996) defined how healthcare organisations, regardless of their business type, need to protect the security and privacy of PHI. Health executives and health information managers are required to implement controls defined by the HIPAA privacy rule (protecting the privacy of PHI) (Iguchi et al., 2018), the HIPAA security rule (securing PHI) (Thompson, 2020), and the HIPAA breach notification rule (reporting instances of data breaches) (Yaraghi, 2018). According to the HIPAA breach notification rule, healthcare organisations must report all data breaches that include 500 or more records (US DHHS, 2022). Due to the complexity of HIPAA, and lack of clear controls, organisations should employ or develop professionals who have full understanding of what threats impact the IS and resources that handle sensitive healthcare data (Krzyzanowski and Manson, 2022). Many health executives do not fully understand HIPAA regulations and are unable to appropriately prevent or mitigate the impacts of data breaches within for-profit and non-profit organisations (Dykstra et al., 2020).

The primary purpose of the HITECH Act (2009) was to incentivise the adoption of EHR systems by healthcare providers, and to move storage and processing of medical records from paper to electronic form. It allowed patients to request access to their electronic medical records from their healthcare providers, to increase transparency and access. While the HITECH Act incentivised the use of EHR systems, it also strengthened the HIPAA requirements regarding the protection of electronic PHI. HITECH introduced requirements for healthcare providers and other covered entities to enter into a business associate agreement with third-party vendors that have direct access to their PHI. Business associates, under the HITECH Act, became directly accountable for any HIPAA violations and data breaches. The regulation increased the penalties for HIPAA violations and the failure to report data breaches. HITECH requires all healthcare organisations to directly notify patients, the media, and the HHS if their medical records were involved in impermissible disclosures or data breaches (Kiel, 2022).

Due to the differences in their financial structures, organisational hierarchies, strategies, budgeting, overall operations, and organisational goals, for-profit and non-profit organisations operate using different business models (Marwell and McInerney, 2005). Therefore, the focus of this research was to determine if the data breach type and data breach location were associated with the healthcare entities’ business type, and if so, determine how these factors affect the IS and PHI in for-profit and non-profit healthcare organisations. While current research has addressed data breaches in healthcare entities, and certain factors that have affected the number of impacted individuals in a healthcare data breach (Ignatovski, 2021), the research has failed to address the relationships between the types and locations of data breaches in for-profit and non-profit organisations. This research will lay a foundation for the examination of additional organisational factors that could affect how the operational activities and IS of for-profit and non-profit organisations are targeted by external threat actors.

Through quantitative analysis of archival data from data breaches reported by the HHS since 1 January 2020, the author addressed if: (i) the business type of the healthcare organisation is associated with the type of data breach (threat); and (ii) the business type of a healthcare organisation is associated with the location where data breaches occurred. The purpose of this article was twofold. First, healthcare executives and health information and cybersecurity managers may use the findings, interpretation of the results, and recommendations to improve their overall information security posture and implement strategies and controls aimed at preventing or mitigating potential data breaches. Second, the results of this research could serve as a foundation for future research. The study addressed two specific questions:

Research Question 1. To what extent, if any, is the business type associated with the type of data breach?

  • Ho: Business type is not associated with type of data breach affecting healthcare organisations.

  • Ha: Business type is associated with type of data breach affecting healthcare organisations.

Research Question 2. To what extent, if any, is the business type associated with the location where the data breach occurs?

  • Ho: Business type is not associated with the location where the data breach occurs.

  • Ha: Business type is associated with the location where the data breach occurs.

Method

The author tested for associations using two-tailed chi-square analysis with a 95% confidence interval. The population comprised data breaches reported from 1 January 2020 until the most recent data breach reported on 1 August 2022. Due to the significant increase in breached data records at healthcare organisations during the COVID-19 pandemic, and to ensure recency of the data and the results, the author decided to only use instances of data breaches that were reported since 1 January 2020 (Ignatovski, 2022). The initial HHS data set included 1779 instances of reported data breaches in the US. Some reported data breaches listed multiple values under data breach location. Since instances of data breaches were self-reported by healthcare organisations, each breach instance occurred at one initial location, and the focus of the research was to analyse the association between the initial occurrence and the business type, the author decided to remove these 134 instances of reported data breaches. The final data set included 1645 instances of data breaches.

The first research question focused on the association between the business type and the data breach type (Figure 1), while the second focused on the association between the business type and the data breach location (Figure 2). Business type is a categorical variable that defines the tax status of a healthcare organisation. The two categories under business type were: (1) for-profit and (2) non-profit. Data breach type is a categorical variable with five categories as defined by the HHS: (1) hacking/IT incident; (2) improper disposal; (3) loss; (4) theft; and (5) unauthorised access/disclosure. Finally, the categories under the data breach location variable were: (1) desktop computer; (2) electronic medical record; (3) email; (4) laptop; (5) network server; (6) other; and (7) paper/films.

Figure 1.

Conceptual framework for research question 1: To what extent, if any, is the business type associated with the type of data breach?

Figure 2.

Conceptual framework for research question 2. To what extent, if any, is the business type associated with the location where the data breach occurs?

The author implemented a six-step process to identify, obtain, transform, and protect the integrity of the publicly available data reported by the HHS. The first step included identification of the website and confirmation of the validity of the data set. The same data set was provided by the US Government and has been used in other research articles (Angst et al., 2017; Dolezel and McLeod, 2019; Gabriel et al., 2018; Ignatovski, 2022; McLeod and Dolezel, 2018; Seh et al., 2020). The second step included extraction of data from the website and saving it into a comma-separated value file. In the third step, once the data set was extracted, downloaded, and saved, the author examined the data set and filtered out cases reported before 1 January 2020. Additionally, the author filtered out cases that had multiple data breach locations reported. During the fourth step, the author confirmed each organisation's filing type by accessing the Secretary of State's website for each of the states where the organisations were registered to operate. The next step included encryption of the files to protect the integrity of the data. The final step included loading the data into statistical software (SPSS).

Results

Prior to conducting the chi-square analysis, the author ran frequencies for each variable type. The business type variable had 1645 valid cases and no missing cases (see Table 1). Each data breach report submitted to the HHS included the US state in which the healthcare organisation was located. Data breach occurrences in for-profit organisations reported during the period of interest occurred at 72 organisations in the state of Texas, 65 organisations in the state of Florida, and 64 organisations in the state of California (Figure 3). Figure 3 shows additional details regarding the number of data breach occurrences per state that occurred in for-profit organisations. On the other hand, data breach occurrences in non-profit organisations reported during the period of interest occurred in 74 organisations in the state of California, 72 organisations in the state of New York, and 50 organisations in the state of Pennsylvania (Figure 4). Figure 4 shows additional details regarding the number of data breach occurrences per state that occurred in non-profit organisations.

Table 1.

Variable frequencies.

| Variable | Variable category | Frequency | Percent, % | For-profit frequency | For-profit percent, % | Non-profit frequency | Non-profit percent, % |
|---|---|---|---|---|---|---|---|
| Business type | For-profit | 826 | 50.2 | 826 | 100 | 0 | 0 |
| | Non-profit | 819 | 49.8 | 0 | 0 | 819 | 100 |
| Breach type | Hacking/IT incident | 1237 | 75.2 | 617 | 49.9 | 620 | 50.1 |
| | Improper disposal | 22 | 1.3 | 13 | 59.1 | 9 | 40.9 |
| | Loss | 24 | 1.5 | 15 | 62.5 | 9 | 37.5 |
| | Theft | 50 | 3 | 40 | 80 | 10 | 20 |
| | Unauthorised access/disclosure | 312 | 19 | 141 | 45.2 | 171 | 54.8 |
| Breach location | Desktop computer | 16 | 1 | 10 | 62.5 | 6 | 37.5 |
| | Electronic medical record | 79 | 4.8 | 41 | 51.9 | 38 | 48.1 |
| | Email | 507 | 30.8 | 237 | 46.7 | 270 | 53.3 |
| | Laptop | 20 | 1.2 | 16 | 80 | 4 | 20 |
| | Network server | 818 | 49.7 | 402 | 49.1 | 416 | 50.9 |
| | Other | 41 | 2.5 | 21 | 51.2 | 20 | 48.8 |
| | Paper/films | 164 | 10 | 99 | 60.4 | 65 | 39.6 |

Figure 3.

Data breach occurrences in for-profit organisations per state.

Figure 4.

Data breach occurrences in non-profit organisations per state.

For the first research question, the author ran a two-tailed chi-square analysis between the business type and the breach type. According to the chi-square test results (Table 2), there was a significant association between business type and data breach type, χ²(1) = 23.09, p < .001. Results indicated the null hypothesis could be rejected, and the alternate hypothesis accepted. Since there was a significant association between business type and data breach type, results of the cross-tabulation (Table 3) and post-hoc comparison of column proportions analysis (Table 4) have been interpreted in the discussion section. Results are shown in a clustered bar chart (Figure S1, online supplement).

Table 2.

Chi-square test results for research questions 1 and 2.

| Research question | Tests | Value | df | Sig. (2-sided) |
|---|---|---|---|---|
| Business type and data breach type | Pearson chi-square | 23.09 | 4 | <0.001 |
| | Likelihood ratio | 24.39 | 4 | <0.001 |
| | Linear-by-linear association | 0.1 | 1 | 0.756 |
| Business type and data breach location | Pearson chi-square | 17.75 | 6 | 0.007 |
| | Likelihood ratio | 18.32 | 6 | 0.005 |
| | Linear-by-linear association | 3.31 | 1 | 0.069 |

Table 3.

Business type and breach type cross-tabulation.

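| Cross-tabulation | Variable category | Count | For-profit | Non-profit |
|---|---|---|---|---|
| Business type and data breach type | Hacking/IT incident | Count | 617 | 620 |
| | | EC | 621.1 | 615.9 |
| | Improper disposal | Count | 13 | 9 |
| | | EC | 11 | 11 |
| | Loss | Count | 15 | 9 |
| | | EC | 12.1 | 11.9 |
| | Theft | Count | 40 | 10 |
| | | EC | 25.1 | 24.9 |
| | Unauthorised access/disclosure | Count | 141 | 171 |
| | | EC | 156.7 | 155.3 |
| Business type and data breach location | Desktop computer | Count | 10 | 6 |
| | | EC | 8 | 8 |
| | Electronic medical record | Count | 41 | 38 |
| | | EC | 39.7 | 39.2 |
| | Email | Count | 237 | 270 |
| | | EC | 254.6 | 252.4 |
| | Laptop | Count | 16 | 4 |
| | | EC | 10 | 10 |
| | Network server | Count | 402 | 416 |
| | | EC | 410.7 | 407.3 |
| | Other | Count | 21 | 20 |
| | | EC | 20.6 | 20.4 |
| | Paper/films | Count | 99 | 65 |
| | | EC | 82.3 | 81.7 |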

Table 4.

Comparisons of column properties.

| Comparison | Variable category | For-profit (A) | Non-profit (B) |
|---|---|---|---|
| Business type and data breach type | Hacking/IT incident | | |
| | Improper disposal | | |
| | Loss | | |
| | Theft | B | |
| | Unauthorised access/disclosure | | A |
| Business type and data breach location | Desktop computer | | |
| | Electronic medical record | | |
| | Email | | |
| | Laptop | B | |
| | Network server | | |
| | Other | | |
| | Paper/Films | B | |

For the second research question, the author ran the analysis between business type and data breach location. Chi-square test results (Table 2) showed a significant association between business type and data breach location, χ²(1) = 17.75, p = .007. Results indicated that the null hypothesis could be rejected, and the alternate hypothesis accepted. Results demonstrated a significant association between business type and breach location. Results of the cross-tabulation (Table 3) and post-hoc comparison of column proportions analysis (Table 4) have been interpreted in the discussion section. Results are shown in a clustered bar chart (Figure S2, online supplement).
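The Pearson and likelihood-ratio values in Table 2 and the flagged cells in Table 4 can be recomputed from the observed counts in Table 3. The Python below is an added example, not the author's SPSS procedure. It assumes a pooled two-proportion z-test at |z| > 1.96 for the post-hoc step, and it uses a closed-form p-value that holds for even degrees of freedom only.

```python
import math

# Observed counts transcribed from Table 3: category -> (for-profit, non-profit).
BREACH_TYPE = {
    "Hacking/IT incident": (617, 620),
    "Improper disposal": (13, 9),
    "Loss": (15, 9),
    "Theft": (40, 10),
    "Unauthorised access/disclosure": (141, 171),
}
BREACH_LOCATION = {
    "Desktop computer": (10, 6),
    "Electronic medical record": (41, 38),
    "Email": (237, 270),
    "Laptop": (16, 4),
    "Network server": (402, 416),
    "Other": (21, 20),
    "Paper/films": (99, 65),
}


def column_totals(table):
    """Breaches per business type: [for-profit total, non-profit total]."""
    return [sum(row[j] for row in table.values()) for j in (0, 1)]


def expected_counts(table):
    """Expected cell count = row total * column total / N (the EC rows of Table 3)."""
    cols = column_totals(table)
    n = sum(cols)
    return {cat: tuple(sum(row) * c / n for c in cols) for cat, row in table.items()}


def chi2_upper_tail(x, df):
    """P(X >= x) for a chi-square variable. Closed form, valid for even df only."""
    if df <= 0 or df % 2:
        raise ValueError("closed form needs a positive even df")
    half, term, total = x / 2.0, 1.0, 1.0
    for i in range(1, df // 2):
        term *= half / i
        total += term
    return math.exp(-half) * total


def association_tests(table):
    """Return (Pearson chi-square, likelihood ratio G, df, Pearson p-value)."""
    exp = expected_counts(table)
    cells = [(o, e) for cat, row in table.items() for o, e in zip(row, exp[cat])]
    pearson = sum((o - e) ** 2 / e for o, e in cells)
    g = 2.0 * sum(o * math.log(o / e) for o, e in cells if o > 0)
    df = (len(table) - 1) * (2 - 1)  # (rows - 1) * (columns - 1)
    return pearson, g, df, chi2_upper_tail(pearson, df)


def column_proportion_tests(table, z_crit=1.959964):
    """Post-hoc step: per category, compare the share of each column's breaches.

    Assumption of this example: pooled two-proportion z-test, two-sided 5% level.
    With only two columns there is one comparison per row, so no adjustment
    across column pairs is applied.
    """
    n1, n2 = column_totals(table)
    out = {}
    for cat, (a, b) in table.items():
        pooled = (a + b) / (n1 + n2)
        se = math.sqrt(pooled * (1 - pooled) * (1 / n1 + 1 / n2))
        z = (a / n1 - b / n2) / se
        higher = None
        if abs(z) > z_crit:
            higher = "for-profit" if z > 0 else "non-profit"
        out[cat] = (z, higher)
    return out


if __name__ == "__main__":
    for name, table in (("breach type", BREACH_TYPE),
                        ("breach location", BREACH_LOCATION)):
        pearson, g, df, p = association_tests(table)
        print(f"{name}: chi2={pearson:.2f} G={g:.2f} df={df} p={p:.4f}")
        for cat, (z, higher) in column_proportion_tests(table).items():
            print(f"  {cat:32s} z={z:+.2f} higher={higher or '-'}")
```

The degrees of freedom come out as (rows − 1) × (columns − 1), matching the df column of Table 2.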

Discussion

Interpretation and recommendations

Results of the chi-square analysis of the first research question highlighted a significant association between business type and data breach type, with post-hoc column comparison analysis (Table 4) showing no significant difference between for-profit and non-profit organisations that experienced data breaches caused by hacking/IT incidents, improper disposal, or loss. Results of the comparisons of column proportions (Table 4) and the clustered bar chart (Figure S1, online supplement) also showed that for-profit organisations experienced a significantly higher number of data breaches due to theft compared to non-profit organisations. Finally, non-profit organisations experienced a significantly higher number of data breaches due to unauthorised access/disclosure compared to for-profit organisations.

Based on our results, malicious actors did not appear to discriminate against for-profit or non-profit organisations when using hacking techniques to cause data breaches within the healthcare industry. Health information and cybersecurity managers need to implement comprehensive vulnerability management (Syed, 2020), network protection (Latha et al., 2022), configuration management (Sun et al., 2022), endpoint protection (Baballe et al., 2022), and audit logging and monitoring controls (Djeki et al., 2022) to prevent or mitigate data breaches caused by hacking/IT incidents. Comprehensive security programs and frameworks, such as the HITRUST Common Security Framework (CSF) and NIST Cybersecurity Framework (CSF), could improve the overall security posture when it comes to preventing data breaches caused by hacking (Udroiu et al., 2022).

While for-profit organisations experienced significantly higher numbers of data breaches caused by theft when compared to non-profit organisations, other additional factors, not covered in this study, could have played a role in this association (see Limitations below). Executives and managers of for-profit organisations should consider the implementation of physical and environmental security processes and controls to protect medical information in cases of potential data breaches caused by theft of organisational equipment and records that contain PHI. Physical security controls created to address the security of specific organisational systems and records could help for-profit organisations to better protect their assets (Rawal et al., 2022).

Non-profit organisations experienced significantly higher numbers of data breaches due to unauthorised access. While unauthorised access is usually associated with access controls and identity management, there could be additional factors affecting the association (see Limitations below). Executives and managers of non-profit organisations need to implement employee awareness programs that allow their employees to understand the risks of sharing credentials and accounts (Sharif and Ameen, 2020), technical access security controls (Danter, 2022), and transmission protection processes and controls, such as encryption of data in transit (Wu and Zha, 2022). Additionally, implementation of single sign-on and multifactor authentication controls could prevent potential data breaches caused by unauthorised access (Wu and Zha, 2022).

Results of the chi-square analysis of the second research question showed a significant association between business type and data breach location. To further analyse and interpret the results of the association, a post-hoc column comparison analysis (Table 4) showed no significant difference between the for-profit and non-profit organisations that experienced data breaches in desktop computers, electronic medical records, or email. Results of comparisons of column proportions (Table 4) and clustered bar chart (Figure S2, online supplement) also showed that for-profit organisations experienced a significantly higher number of data breaches that occurred in laptops and paper/films compared to non-profit organisations.

Our results demonstrated that occurrences of data breaches in desktop computers, electronic medical records, emails, and network servers were similar for for-profit and non-profit organisations. Health information and cybersecurity managers need to implement comprehensive controls specific to each of the locations where breaches might occur. Some controls include, but are not limited to, endpoint protection for network servers and desktop computers (Baballe et al., 2022), encrypting data (electronic medical records) at rest and in transit using 256-bit AES keys or better (Khan et al., 2021), and protection from social engineering attacks deployed via emails (Adil et al., 2020). Like the interpretation of the results of the first research question, healthcare organisations should adopt the HITRUST CSF or NIST CSF framework to improve their overall cybersecurity programs and posture (Udroiu et al., 2022).

For-profit organisations experienced a significantly higher number of data breaches in laptops and paper/films when compared to non-profit organisations. While there is significance to this result, other factors may also have played a role in the association (see Limitations). Executives and managers of for-profit organisations need to implement appropriate endpoint protection (Baballe et al., 2022), mobile device management, and laptop encryption processes and controls to prevent or mitigate data breaches that occur within the laptops they use. Additionally, they need to implement appropriate encryption standards and physical protection processes and controls to protect paper records and backup films (Khan et al., 2021).

Study limitations

The study had some limitations. First, analyses were performed on the population of data breaches reported to and published by the HHS only. While the HIPAA breach notification rule requires all data breaches that impact 500 or more individuals to be reported immediately, the lack of understanding of the HIPAA regulation may have caused some organisations to neglect reporting data breaches in a timely manner, if at all. It is possible there may have been other instances of relevant data breaches in other unpublished data sets, but these were beyond the scope and capacity of this research. Second, data breaches that impacted on fewer than 500 individuals were not reported to the HHS, thus rendering the data breach set incomplete and not representative of the entire population. Not having access to data on all data breaches may have skewed our results. Third, the chi-square analysis only provided significance of association between two categorical variables, without providing additional details of any causal effects of one variable on the other. Finally, other factors not included in this study could have played a role in the significant association between the healthcare business type and data breach type or healthcare business type and data breach location, such as organisational hierarchy, technology and cybersecurity budgets, employee awareness and education, and state-based regulations related to specific business types.

Future work

Future researchers could build on the results of this study by using additional qualitative or quantitative analyses that could have changed implications within the fields of IS, cybersecurity, and healthcare technology. Additional causal analysis could provide insights on how, and to what extent, each of the healthcare business types are targeted by malicious actors. Future research could also evaluate the impact of data breach type and data breach location on the number of impacted individuals in data breaches within healthcare organisations. Finally, a survey on specific focus groups conducted at for-profit and non-profit organisations could provide additional information on organisational factors that play a role in the significance of the associations found for each of the two research questions. Those insights could provide beneficial information on how each of the two healthcare business types, for-profit and non-profit, approach their cybersecurity programs, the systems and technology they implement, and the administrative, technical, and physical controls in place to prevent and mitigate data breaches that affect the security and privacy of PHI.

Conclusion

The author focused on understanding cybersecurity threats that caused data breaches, and the locations where those data breaches occurred within specific healthcare business types. Through quantitative analysis, using chi-square tests, the author was able to determine that there was a significant association between the business type and data breach type for data breaches that occurred within the healthcare industry. Similarly, the author was able to determine that there was a significant association between business type and data breach location for healthcare data breaches. The author provided process and cybersecurity control recommendations that organisations can implement to improve their overall security posture. This article could serve as a foundational building block for future research, as well as change the perspective of health information and cybersecurity managers at for-profit and non-profit healthcare organisations on how to implement processes and controls that prevent or mitigate data breaches caused by various data breach types within various data breach locations.

Supplemental Material

Supplemental Material for For-Profit versus non-profit cybersecurity posture: Breach types and locations in healthcare organisations by Martin Ignatovski in Health Information Management Journal

The author(s) declared no potential conflicts of interest with respect to the research, authorship, and/or publication of this article.

Funding: The author(s) received no financial support for the research, authorship, and/or publication of this article.

Data availability statement: All data used in this study are publicly available secondary data published on the United States Department of Health and Human Services website.

Supplemental material: Supplemental material for this article is available online.

ORCID iD

Martin Ignatovski, PhD https://orcid.org/0000-0002-8320-3457

References

  1. Abraham C, Chatterjee D, Sims RR. (2019) Muddling through cybersecurity: Insights from the U.S. Healthcare Industry. Business Horizons 62(4): 539–548. DOI: 10.1016/j.bushor.2019.03.010
  2. Adil M, Khan R, Nawaz U, et al. (2020) Preventive techniques of phishing attacks in networks. In: 2020 3rd International Conference on Advancements in Computational Sciences (ICACS), 17–19 February 2020, Lahore, Pakistan. DOI: 10.1109/icacs47775.2020.9055943
  3. Al-Issa Y, Ottom MA, Tamrawi A. (2019) EHealth cloud security challenges: A survey. Journal of Healthcare Engineering 2019: 7516035–7516115. DOI: 10.1155/2019/7516035
  4. Aldahiri A, Alrashed B, Hussain W. (2021) Trends in using IOT with machine learning in Health Prediction System. Forecasting 3(1): 181–206. DOI: 10.3390/forecast3010012
  5. Angst CM, Block ES, D’Arcy J, et al. (2017) When DO IT security investments matter? Accounting for the influence of institutional factors in the context of healthcare data breaches. MIS Quarterly 41(3): 893–916. DOI: 10.25300/MISQ/2017/41.3.10
  6. Baballe MA, Hussaini A, Bello MI, et al. (2022) Online Attacks Types of Data Breach and CyberAttack Prevention Methods. Trends in Information Technology 12(2). DOI: 10.37591/CTIT.
  7. Blandford A, Wesson J, Amalberti R, et al. (2020) Opportunities and challenges for telehealth within, and beyond, a pandemic. The Lancet Global Health 8: e1364–e1365. DOI: 10.1016/S2214-109X(20)30362-4
  8. Centers for Disease Control and Prevention (1996) Health Insurance Portability and Accountability Act of 1996 (HIPAA). Available at: https://www.cdc.gov/phlp/publications/topic/hipaa.html
  9. Danter E. (2022) System and application access controls. Palgrave Studies in Accounting and Finance Practice: 131–151. DOI: 10.1007/978-3-030-92466-9_9
  10. Djeki E, Degila J, Bondiombouy C, et al. (2022) Preventive measures for Digital Learning Spaces’ security issues. In: 2022 IEEE Technology and Engineering Management Conference, Izmir, Turkey, 25–29 April 2022. DOI: 10.1109/temsconeurope54743.2022.9801945
  11. Dolezel D, McLeod A. (2019) Managing security risk: Modeling the root causes of data breaches. The Health Care Manager 38(4): 322–330. DOI: 10.1097/HCM.0000000000000282
  12. Dykstra J, Mathur R, Spoor A. (2020) Cybersecurity in medical private practice: Results of a survey in Audiology. In: 2020 IEEE 6th International Conference on Collaboration and Internet Computing (CIC), 1–3 December 2020, Atlanta, GA.
  13. Farid SF. (2019) Conceptual framework of the impact of health technology on healthcare system. Frontiers in Pharmacology 10: 933. DOI: 10.3389/fphar.2019.00933
  14. Gabriel MH, Noblin A, Rutherford A, et al. (2018) Data breach locations, types, and associated characteristics among US hospitals. The American Journal of Managed Care 24: 78–84.
  15. Gu D, Li T, Wang X, et al. (2019) Visualizing the intellectual structure and evolution of electronic health and Telemedicine Research. International Journal of Medical Informatics 130: 103947. DOI: 10.1016/j.ijmedinf.2019.08.007
  16. Ignatovski M. (2021) Contributing Factors to the Number of Individuals Impacted by Data Breaches in Healthcare Organisations. PhD Thesis. Laurel, MD: Capitol Technology University.
  17. Ignatovski M. (2022) Healthcare breaches during COVID-19: the effect of the healthcare entity type on the number of impacted individuals. Perspectives in Health Information Management 19(4): 1. PMID: 36348732; PMCID: PMC9635044.
  18. Iguchi M, Uematsu T, Fujii T. (2018) The anatomy of the HIPAA privacy rule: a risk-based approach as a remedy for privacy-preserving data sharing. Advances in Information and Computer Security 174–189. DOI: 10.1007/978-3-319-97916-8_12.
  19. Jin MX, Kim SY, Miller LJ, et al. (2020) Telemedicine: current impact on the future. Cureus 12: e9891. DOI: 10.7759/cureus.9891
  20. Khan F, Kim JH, Mathiassen L, et al. (2021) Data breach management: an integrated risk model. Information and Management 58: 103392. DOI: 10.1016/j.im.2020.103392
  21. Kiel JM. (2022) Data privacy and security in the US: HIPAA, hitech and beyond. Health Informatics 2022: 427–435. DOI: 10.1007/978-3-030-91237-6_28
  22. Krzyzanowski B, Manson SM. (2022) Twenty years of the health insurance portability and accountability act safe harbor provision: unsolved challenges and ways forward. JMIR Medical Informatics 10(8): e37756. DOI: 10.2196/37756
  23. Latha CM, Ahmed MMR, Soujanya KLS, et al. (2022) A novel architecture for detecting and preventing network intrusions. Advanced Technologies and Societal Change 159–167. DOI: 10.1007/978-981-19-3045-4_16.
  24. Marwell NP, McInerney P-B. (2005) The nonprofit/for-profit continuum: theorizing the dynamics of mixed-form markets. Nonprofit and Voluntary Sector Quarterly 34(1): 7–28. DOI: 10.1177/0899764004269739
  25. Massaro M. (2021) Digital transformation in the healthcare sector through blockchain technology. insights from academic research and business developments. Technovation 120: 102386. DOI: 10.1016/j.technovation.2021
  26. McGrowder DA, Miller FG, Vaz K, et al. (2021) The utilization and benefits of telehealth services by health care professionals managing breast cancer patients during the COVID-19 pandemic. Healthcare 9(10): 1401. DOI: 10.3390/healthcare9101401
  27. McLeod A, Dolezel D. (2018) Cyber-analytics: modeling factors associated with healthcare data breaches. Decision Support Systems 108: 57–68. DOI: 10.1016/j.dss.2018.02.007 [DOI] [Google Scholar]
  28. Moore W, Frye S. (2019) Review of HIPAA, part 1: history, protected health information, and privacy and security rules. Journal of Nuclear Medicine Technology 47(4): 269–272. DOI: 10.2967/jnmt.119.227819 [DOI] [PubMed] [Google Scholar]
  29. Rawal BS, Manogaran G, Peter A. (2022) Control physical and logical access to assets. Cybersecurity and Identity Access Management 141–148. doi: 10.1007/978-981-19-2658-7_9. [DOI] [Google Scholar]
  30. Seh AH, Zarour M, Alenezi M, et al. (2020) Healthcare data breaches: Insights and implications. Healthcare 8(2): 133. DOI: 10.3390/healthcare8020133 [DOI] [PMC free article] [PubMed] [Google Scholar]
  31. Sharif KH, Ameen SY. (2020) A review of security awareness approaches with special emphasis on gamification. In: 2020 International Conference on Advanced Science and Engineering (ICOASE), 23-24 December 2020. DOI: 10.1109/icoase51841.2020.9436595 [DOI]
  32. Sun C-M, Wang Y-Y, Yang C-B. (2022) Information security assurance and the role of security configuration management: SUBSTANTIVE and symbolic perspectives. Journal of Information Systems 36: 181–199. DOI: 10.2308/isys-2020-065 [DOI] [Google Scholar]
  33. Syed R. (2020) Cybersecurity vulnerability management: a conceptual ontology and cyber intelligence alert system. Information and Management 57: 103334. DOI: 10.1016/j.im.2020.103334 [DOI] [Google Scholar]
  34. Tapuria A, Porat T, Kalra D, et al. (2021) Impact of patient access to their electronic health record: systematic review. Informatics for Health and Social Care 46(2): 194–206. DOI: 10.1080/17538157.2021.1879810 [DOI] [PubMed] [Google Scholar]
  35. Thompson EC. (2020) Hipaa security rule and cybersecurity operations. Designing a HIPAA-Compliant Security Operations Center 23–36. doi: 10.1007/978-1-4842-5608-4_2. [DOI] [Google Scholar]
  36. Udroiu A-M, Dumitrache M, Sandu I. (2022) Improving the cybersecurity of medical systems by applying the NIST framework. In: 2022 14th International Conference on Electronics, Computers and Artificial Intelligence (ECAI), 30 June–1 July 2022, Ploiesti, Romania. DOI: 10.1109/ecai54874.2022.9847498 [DOI] [Google Scholar]
  37. US. DHHS (2022) Department of health and human services office for civil rights breach portal: notice to the secretary of HHS breach of unsecured protected health information. Available at: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf (accessed 24 August 2022).
  38. Wu J, Zha P. (2022) A data security model for altering data ecosystem and affirmatively prevent mass data breaches. DOI: 10.31219/osf.io/d479z [DOI] [Google Scholar]
  39. Yaraghi N, Gopal RD. (2018) The role of HIPAA OMNIBUS rules in reducing the frequency of medical data breaches: insights from an empirical study. The Milbank Quarterly 96(1): 144–166. DOI: 10.1111/1468-0009.12314 [DOI] [PMC free article] [PubMed] [Google Scholar]

Supplementary Materials

Supplemental Material for "For-profit versus non-profit cybersecurity posture: breach types and locations in healthcare organisations" by Martin Ignatovski in Health Information Management Journal


Articles from Health Information Management are provided here courtesy of SAGE Publications

RESOURCES