Ranking the states most at risk of healthcare data breaches: an application of integrated multicriteria framework for prioritization in risk management

Amir Fard Bahreini (Department of Information Technology and Supply Chain Management, University of Wisconsin-Whitewater, Whitewater, Wisconsin, USA)

Organizational Cybersecurity Journal: Practice, Process and People

ISSN: 2635-0270

Article publication date: 6 August 2024

Issue publication date: 12 November 2024


Abstract

Purpose

Data breaches in the US healthcare sector have more than tripled in the last decade across all states. However, to this day, no established framework ranks all states from most to least at risk for healthcare data breaches. This gap has led to a lack of proper risk identification and understanding of cyber environments at state levels.

Design/methodology/approach

Based on the security action cycle, the National Institute of Standards and Technology (NIST) cybersecurity framework, the risk-planning model, and the multicriteria decision-making (MCDM) literature, the paper offers an integrated multicriteria framework for prioritization in cybersecurity to address this lack and other prioritization issues in risk management in the field. The study used historical breach data between 2015 and 2021.

Findings

The findings showed that California, Texas, New York, Florida, Indiana, Pennsylvania, Massachusetts, Minnesota, Ohio, and Georgia are the states most at risk for healthcare data breaches.

Practical implications

The findings highlight that each US state faces a different level of healthcare data breach risk. They are informative for patients, crucial for privacy officers seeking to understand the nuances of their risk environment, and important for policy-makers, who must grasp the grave disconnect between existing issues and legislative practice. Furthermore, the study suggests an association between a state's risk position and such factors as population and wealth, both avenues for future research.

Originality/value

Theoretically, the paper offers an integrated framework, whose basis in established security models in both academia and industry practice enables utilizing it in various prioritization scenarios in the field of cybersecurity. It further emphasizes the importance of risk identification and brings attention to different healthcare cybersecurity environments among the different US states.

Citation

Fard Bahreini, A. (2024), "Ranking the states most at risk of healthcare data breaches: an application of integrated multicriteria framework for prioritization in risk management", Organizational Cybersecurity Journal: Practice, Process and People, Vol. 4 No. 2, pp. 53-84. https://doi.org/10.1108/OCJ-01-2023-0001

Publisher

Emerald Publishing Limited

Copyright © 2024, Amir Fard Bahreini

License

Published in Organizational Cybersecurity Journal: Practice, Process and People. Published by Emerald Publishing Limited. This article is published under the Creative Commons Attribution (CC BY 4.0) license. Anyone may reproduce, distribute, translate and create derivative works of this article (for both commercial and non-commercial purposes), subject to full attribution to the original publication and authors. The full terms of this license may be seen at http://creativecommons.org/licences/by/4.0/legalcode


1. Introduction

Each state in the United States faces a range of data breaches across various sectors. Data breaches are security incidents that jeopardize the confidentiality, integrity, and availability of protected, sensitive, or confidential data that organizations hold (Khan et al., 2021). Across all industries, data breaches affect numerous users and impose high costs on organizations (IBM, 2022). However, one sector stands above all others in its data breach risk, namely, the healthcare sector. Today, data breaches in the healthcare sector incur the highest cost among industries in the United States (Giles, 2022; Health Sector Cybersecurity Coordination Center, 2019; IBM, 2022; McKeon, 2022). Between 2019 and 2021, the average data breach cost in the sector increased from $7.1mn (Landi, 2019) to $10.1mn (IBM, 2022; Landi, 2022). The Office for Civil Rights (OCR) at the Department of Health and Human Services (HHS), which publishes the list of breaches affecting 500 or more individuals, reported that the number of breaches in 2021 was approximately 350% higher than a decade earlier (The HIPAA Guide, 2022; U.S. Department of Health and Human Services Office for Civil Rights, 2023). Accordingly, the healthcare sector as a whole faces significant data breach risk at the organizational, state, and federal levels.

Particularly at the state level, risk identification is important for two reasons: the stakeholders involved and the US regulatory model. First, in the healthcare sector, three stakeholders exist at the state level: individuals, who are the potential data breach victims (Seh et al., 2020); organizations, which must understand the risk climate in which they and their partners operate (Nikkhah and Grover, 2022); and state policy-makers, who must understand the level of risk facing their state's private sector so they can propose effective policy (Sen and Borle, 2015). Second, entities working in the US healthcare sector follow federal law and, where they exist, state statutes. On the federal side, the Health Insurance Portability and Accountability Act (HIPAA) is the primary federal law on which the healthcare sector relies to protect against cyber threats (US Department of Health and Human Services, 2013). Its two principal rules are the HIPAA Privacy Rule (codified at 45 CFR Parts 160 and 164, Subparts A and E) (U.S. Department of Health and Human Services, 2023b) and the HIPAA Security Rule (codified at 45 CFR Parts 160 and 164, Subparts A and C), which together offer a comprehensive set of standards for covered entities (U.S. Department of Health and Human Services, 2023a). HIPAA applies to covered entities (healthcare providers such as hospitals, health plans such as insurance companies, and healthcare clearinghouses) and to their business associates (organizations rendering services to covered entities, such as cloud providers) (Chapple and Shelly, 2021). HIPAA has brought enormous benefits to the cybersecurity of covered entities, e.g. unifying practices across the industry (HIPAA Administrative Simplification, 2013). Combined with HIPAA's reputation as one of the most strictly enforced privacy laws, this has led covered entities to prioritize compliance with the HIPAA Privacy and Security Rules. However, HIPAA is not the only law that covered entities must follow; other applicable laws may include state health laws. HIPAA sets a federal floor rather than a ceiling: it does not preempt state laws that are more stringent, so where a state enacts stricter health privacy provisions, covered entities in that state must satisfy those provisions as well (Chapple and Shelly, 2021). California has led the states in devising stricter health laws (CalHHS, 2022). Several other states have also enacted their own additional health laws in narrower areas (Health Information and The Law, 2020).

To address the issue of data breaches, prior literature has proposed implementing a risk management framework (Khan et al., 2021; Lyytinen et al., 1998). While frameworks vary, they almost always start with one important step, namely, risk identification (Khan et al., 2021; Whitman and Mattord, 2021). Theoretically, understanding what is most at risk can increase decision-makers’ security concerns and increase their call to action. Goodhue and Straub (1991) first proposed this in their theoretical model of security concerns, where the authors note that understanding the environment’s characteristics (e.g. industry susceptibility to threats) directly affects overall security concerns and influences decision-making.

Based on the current cyber climate in healthcare, the ever-increasing number of breaches, the co-regulatory model of the United States in this sector, and the impact on multiple stakeholders ranging from patients to policy-makers, identifying which states are most at risk of data breaches is a critical step in the risk-identification process. From a theoretical standpoint, it can create awareness of the industry climate, raise concern, and call for action (Goodhue and Straub, 1991; Straub and Welke, 1998). Practically, the answer addresses the concerns of the three primary stakeholders. Patients have the right to understand which states are more at risk for privacy breaches; after all, their protected health information (PHI) is the target of these breaches. PHI is any health, payment, or demographic information held or transmitted by a covered entity or its business associate that can be used to identify a patient (U.S. Department of Health and Human Services, 2023a). From the perspective of covered entities (i.e. healthcare providers, health plans, and healthcare clearinghouses) and their business associates, management must understand each state's climate for many important decisions. One is the budget to allocate to cybersecurity and related decisions, such as cyber insurance. Currently, only 5% of a hospital's budget is typically spent on cybersecurity (Garrity, 2019), and a ranking can guide an organization's decision to increase or decrease this amount based on the climate in which it operates. Finally, from the regulatory standpoint, the United States follows a co-regulatory model in which states may propose and implement stricter healthcare security and privacy laws. A comprehensive understanding of a state's position on the risk scale can be a strong incentive for further statewide legislation.

From a theoretical perspective, the question becomes how to conduct such a ranking (prioritization). In the existing literature, both industry reports and prior academic works have used different proxies and single indicators for risk identification and ranking, such as the number of breaches or total records stolen (Giles, 2022; McKeon, 2022). However, this approach encounters two potential issues. First, while single indicators can be highly valuable, they can also overshadow other indicators that may contribute to the risk. For example, if such data were the sole indicator for risk identification, Indiana would be the state most at risk in terms of the number of people affected. The primary reason Indiana has such a high number of affected people is due to just one incident, i.e. a breach at Anthem Inc., which affected more than 78 million individuals (U.S. Department of Health and Human Services Office for Civil Rights, 2023). There is no question that the cause of this incident can provide valuable insight. However, should Indiana still be the state most at risk if we are examining the past five years? Are there other indicators that must play a role? What is the theoretical basis for only using the number affected as the sole indicator in risk identification? More importantly, how should other researchers follow suit in the future? All these questions point to an existing gap: the lack of an established framework for ranking (prioritization) in a cybersecurity context.

Accordingly, this study addresses its primary motivation (i.e. ranking the states most at risk for privacy breaches in their healthcare sector) by developing a sound framework that covers all the required steps, from setting ranking objectives to application in practice. Drawing upon several models, including the integrated risk model of data breach management (Khan et al., 2021), the security action cycle (Straub and Welke, 1998), the NIST cybersecurity framework (National Institute of Standards and Technology, 2018), and security risk planning (Goodhue and Straub, 1991), together with the requirements of multicriteria decision-making (MCDM) models (Maalem Lahcen et al., 2020; Zavadskas et al., 2014), the paper develops a framework applicable not only to this study but also to any future research on ranking or other prioritization problems in cybersecurity decision-making. The framework, labeled the integrated multicriteria framework for prioritization in risk management, aims to provide a systematic approach to answering any ranking (prioritization) question in the context of cybersecurity. Thus, the formal research question is:

RQ1. Using a cybersecurity multicriteria decision-making framework, how does each state rank concerning data breach risk in the healthcare sector?

2. Theoretical development

Several studies have conducted descriptive analyses of breached data at the state level, but they primarily focused on single indicators, such as the number of affected people or the number of breaches. Wikina (2014) reported the number of individuals, covered entities, and business associates that data breaches affected between 2009 and 2014. Although the state-level analysis was not a primary target of their study, Dolezel and McLeod (2019) reported states with the highest number of individuals affected between 2009 and 2018, with Tennessee, California, and New York capturing the top spots. In another study, Schmeelk (2019) examined breach data between 2018 and 2019 and also reported the number of individuals affected in each state. Despite the valuable insights, these studies did not elaborate on why they selected their respective specific indicator and did not use more than one indicator.

2.1 Prioritization in decision-making

An examination of prior literature (Jato-Espino et al., 2014; Kornyshova and Salinesi, 2007; Maalem Lahcen et al., 2020; Toloie-Eshlaghy and Homayonfar, 2011; Wang et al., 2009; Zavadskas et al., 2014; Zavadskas and Turskis, 2011) suggests that addressing prioritization issues in decision-making requires attention to five areas: objectives, criteria, indicators, ranking technique, and application. The first step is understanding the purpose of the ranking with respect to organizational cybersecurity operations. Why does ranking (prioritization) in cybersecurity matter? In which domain of cybersecurity can the results of prioritization add value? Developing the objectives not only adds context to the task but also defines the boundaries of applicability of any findings (Ross, 2018). The second area is establishing the appropriate criteria, the conceptual factors that drive the prioritization task (Zavadskas et al., 2014). The core of prioritization techniques is using criteria that are known, established, and rooted in prior literature and practice. Some domains rely on prior literature to establish such criteria (Toloie-Eshlaghy and Homayonfar, 2011); others, such as sustainability studies, may rely on both prior literature and existing industry standards (Stojčić et al., 2019). The third area is selecting indicators appropriate to the chosen criteria; indicators are the operationalization of the conceptual criteria established in step 2 (Maalem Lahcen et al., 2020). The fourth step is selecting the right multicriteria decision-making (MCDM) technique and analyzing the data. Each of the many MCDM techniques developed has its unique attributes (Kornyshova and Salinesi, 2007; Toloie-Eshlaghy and Homayonfar, 2011); their purpose is to aid decision-makers who face a decision with multiple choices, whether selecting among several alternative solutions (Stević et al., 2020; Zavadskas and Turskis, 2011) or identifying their biggest issues (Gürbüz et al., 2012; Petrović et al., 2019). Finally, the approach must address applicability. While the first step (objectives) answers the questions of "what" and "why," applicability answers the question of "how": having completed all prior steps, how can the findings be applied in practice? These areas provide a general road map of what needs to be done. The first two steps concern the conceptualization of the prioritization task, steps three and four its operationalization, and the final step the utilization of the findings. Figure 1 illustrates this layered model, in which each step encompasses the step after it and shapes its construction. For example, the objective is the outermost layer, overseeing all other steps; the criteria then oversee all steps but the initial objective, and so on.

2.2 Prioritization in cybersecurity decision-making

To apply this approach in organizational cybersecurity, contextualization matters. From an academic point of view, theories provide the pivotal toolset advancing cybersecurity studies. A myriad of theories, from the unified security compliance model (Moody et al., 2018) to threat-avoidance theory (Liang and Xue, 2009), has developed and expanded over the years to advance cybersecurity studies with adequate rigor. From a practical perspective, standards, best practices, and training have been the primary resources in the cybersecurity domain. NIST special publications and the International Organization for Standardization (ISO) provide standards on all things cybersecurity, from risk management to infrastructure security (International Standard Organization, 2022; National Institute of Standards and Technology, 2018; Ross, 2018). Many organizations, such as SANS [1], ISACA [2], and CISA [3], provide additional resources and training programs. Relevance and applicability appear to be the driving goals behind these efforts. While academia and practice have grown closer over the years, the dichotomy of rigor versus relevance raised in the wider information systems field (Davenport and Markus, 1999) still appears in cybersecurity.

With this context in mind, the question arose of how this paper should develop the needed framework. Ultimately, the goal is findings that are both rigorous and relevant (Benbasat and Zmud, 2003; Davenport and Markus, 1999). Accordingly, the prioritization framework this study develops draws upon both theoretical models and practical standards. Figure 2 depicts the framework.

Overall, the framework for this study is the result of the integration of several security models, including the security action cycle (Straub and Welke, 1998), the NIST cybersecurity framework (National Institute of Standards and Technology, 2018), and security risk planning (Goodhue and Straub, 1991) integrated with requirements of MCDM models (Maalem Lahcen et al., 2020; Zavadskas et al., 2014). The goal of the framework is to provide a systematic approach to answering any prioritization questions in the context of cybersecurity. The section continues by discussing each step, then applies the framework to the study context to answer the research question.

2.2.1 Objective: determine the cybersecurity function

The first step is to determine the prioritization objective. Two similar frameworks help determine objective categories.

First is the security action cycle, which Nance and Straub (1988) introduced, Straub and Welke (1998) later developed, and Willison and Warkentin (2013) extended to insider threats; it provides a framework that managers can use to cope with identified risks. The model identifies four sequential activities: deterrence (passive security controls, such as guidelines, general best practices, and reminders); prevention (active countermeasures backed by enforcement, such as passwords and access controls); detection (proactive countermeasures, such as intrusion detection systems and audits); and recovery (reactive countermeasures that fix the issues incidents caused and punish the perpetrators) (Straub and Welke, 1998). Each layer provides a line of defense and precedes the layer after it. For example, deterrence measures aim to dissuade bad actors and inform good actors of the security climate without any enforceable facet; if deterrence fails, the prevention stage aims to stop incidents from occurring through active countermeasures. Second is the NIST cybersecurity framework (version 1.1 in this study), a collaboration between industry, government, and academia for managing cybersecurity risk. The framework organizes cybersecurity outcomes into five core functions: identify, protect, detect, respond, and recover (definitions appear in Table 1). Table 1 also summarizes both frameworks and their interconnectedness.

The proposed framework argues that the first step in a cybersecurity prioritization task must be to identify the objectives, categorizing them into one or more of these core functions (defined by NIST) or Straub and Welke’s (1998) Security Action Cycle. Using this model at this step provides several benefits. This model is an integrated structure of an established model in the information systems literature and the industry standard. The NIST cybersecurity framework is updated periodically. Most currently working in cyberspace understand it, and it is comprehensive enough to allow researchers and practitioners flexibility to define the boundaries of their goals.

2.2.2 Criteria: select the appropriate threat modeling approach

Once the objectives are set, the next layer defines the criteria for the prioritization model: which factors conceptually can or should drive the prioritization objective? This is where existing threat-modeling approaches apply. Numerous models developed over the years help with threat assessment, with many similarities and differences among them. For instance, the STRIDE model (Spoofing, Tampering, Repudiation, Information disclosure, Denial of service, Elevation of privilege) was developed in the context of software security to identify the threats software commonly encounters (Kohnfelder and Garg, 1999). PASTA (Process for Attack Simulation and Threat Analysis) is a risk-centric threat-modeling approach that assesses threats from the perspective of technology scope, vulnerability detection, and impact analysis (UcedaVelez and Morana, 2015). CORAS (not an abbreviation) is an asset-driven risk-modeling approach that examines risk sequentially, from the threat source up to the unwanted incident and its impact on the asset (Lund et al., 2010). Finally, the integrated risk model for data breach management is a recent model that Khan et al. (2021) proposed for managing data breach risk from its identification to its resolution.

Cybersecurity has many facets. Accordingly, determining the criteria that any prioritization goal requires depends on the study context and goals. These models and many others allow identifying the appropriate criteria. Understanding which threat model to use is an important decision, at the research team’s discretion.

2.2.3 Indicators: determine risk indicators and their weight

This step of the framework is the main barrier for researchers to overcome. While criteria can be derived from threat models, indicators must be derived from data. This step is completed through secondary data or data that researchers collect. The criteria determine the indicators selected in each step, based on objectives set in step 1. In such domains as sustainability where numerous studies focus on alternative selection and prioritization problems, prior literature review provides the best anchor for selecting criteria and indicators (Stojčić et al., 2019). However, in cybersecurity, due to a lack of extant research and focus on single indicators, a gap exists (Maalem Lahcen et al., 2020). Thus, prior steps (objective and criteria) aim to address the issue by providing a sound framework.

Once the indicators are selected, their weights must be determined. Assuming that all indicators are equally important in the prioritization is simplistic. For example, if the number of hacking breaches and the number of improper disposal incidents are two of the indicators in a model, should both be equally important, or is one more important than the other? The operations research literature provides two avenues for determining weights. One approach derives the weights from the data alone; methods such as CRITIC (Diakoulaki et al., 1995) and the entropy method (Mukhametzyanov, 2021) serve in these cases. The other derives them from expert judgment; the best-worst method (BWM) fits this category (Rezaei, 2015). Integrating experts' assessments in the latter approach provides an additional layer of validation and avoids relying solely on the available data.

2.2.4 Prioritization: apply MCDM techniques and determine ranking

Having everything established, conducting the prioritization analysis follows. With the increased complexity of decision-making, MCDMs’ development and expansion over the years not only help with optimization problems; they also help decision-makers understand their priorities and make the best possible decisions (Zavadskas et al., 2014). Despite different mathematical bases, the models follow the same structure—a set of alternatives is selected, receives an appropriate weight (i.e. relative importance), and is finally ranked (Maalem Lahcen et al., 2020). From social services (Díaz-Balteiro and Romero, 2004; Zhang and Lu, 2009) and business and strategic management (Chen and Wang, 2009; Wang and Chin, 2009), to manufacturing (Al-Najjar and Alsyouf, 2003; Tavana et al., 2007) and sustainability (Stojčić et al., 2019), MCDMs have found applications in all facets of social science. Likewise in cybersecurity, MCDMs have been used to develop criteria for sustainable security in Industry 4.0 (Torbacki, 2021), to model human errors in cybersecurity conceptually (Maalem Lahcen et al., 2020) and identify the biggest blockchain vulnerabilities (Abdelwahed et al., 2020).

MCDM has a vast literature that provides many approaches for ranking alternatives. Ultimately, selecting the most appropriate method occurs at the scholar’s discretion. However, using distinct techniques may yield different results. Thus, a robustness check to compare the results of various techniques is recommended (Kornyshova and Salinesi, 2007).
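The robustness check recommended above, as an added example that is not code from the paper: four constructed states are ranked with grey relational analysis (the technique this study adopts in Section 3.4, implemented here in Deng's standard form with an all-ones reference sequence and distinguishing coefficient 0.5, an assumed default) and with a plain weighted sum on the same normalised indicators, and the two orderings are compared with Spearman's rank correlation. The state names, indicator values and weights are constructed for illustration; in the paper the weights come from the best-worst method.

```python
"""Grey relational analysis (GRA) ranking with a weighted-sum cross-check.

Added illustration, not code from the paper. GRA is implemented in Deng's
standard form: min-max normalisation with 1 marking the riskiest observed
value of each indicator, an all-ones reference sequence (the hypothetical
"most at risk" state), grey relational coefficients with distinguishing
coefficient zeta = 0.5 (assumed default), and a weighted grey relational
degree. A simple additive weighted sum (SAW) on the same normalised data
gives a second ranking so the two can be compared.
"""
from typing import Dict, List, Sequence

# Constructed sample (NOT OCR data): per state, [number of breaches,
# individuals affected, distinct PHI item types stolen]. Larger = riskier.
SAMPLE_DATA: Dict[str, List[float]] = {
    "State A": [73.0, 5_000_000.0, 9.0],
    "State B": [120.0, 500_000.0, 14.0],
    "State C": [30.0, 9_000_000.0, 5.0],
    "State D": [15.0, 50_000.0, 3.0],
}
# Constructed indicator weights (the paper derives its weights with BWM).
SAMPLE_WEIGHTS: List[float] = [0.3, 0.4, 0.3]


def normalise(data: Dict[str, Sequence[float]]) -> Dict[str, List[float]]:
    """Scale each indicator to [0, 1] so that 1 is the riskiest observed value."""
    names = list(data)
    n_cols = len(data[names[0]])
    lo = [min(data[s][j] for s in names) for j in range(n_cols)]
    hi = [max(data[s][j] for s in names) for j in range(n_cols)]
    out: Dict[str, List[float]] = {}
    for s in names:
        row = []
        for j, v in enumerate(data[s]):
            span = hi[j] - lo[j]
            # A constant indicator cannot separate states; treat it as neutral.
            row.append((v - lo[j]) / span if span > 0 else 1.0)
        out[s] = row
    return out


def grey_relational_degree(data, weights: Sequence[float], zeta: float = 0.5) -> Dict[str, float]:
    """Weighted grey relational degree of each state to the all-ones reference."""
    norm = normalise(data)
    deltas = {s: [1.0 - x for x in row] for s, row in norm.items()}
    flat = [d for row in deltas.values() for d in row]
    d_min, d_max = min(flat), max(flat)
    degrees: Dict[str, float] = {}
    for s, row in deltas.items():
        # Coefficient is 1 for a state sitting on the reference value and is
        # smallest for the state farthest from it on that indicator.
        coefs = [(d_min + zeta * d_max) / (d + zeta * d_max) if d_max > 0 else 1.0
                 for d in row]
        degrees[s] = sum(w * c for w, c in zip(weights, coefs))
    return degrees


def weighted_sum(data, weights: Sequence[float]) -> Dict[str, float]:
    """Simple additive weighting on the same normalised indicators."""
    return {s: sum(w * x for w, x in zip(weights, row))
            for s, row in normalise(data).items()}


def rank(scores: Dict[str, float]) -> List[str]:
    """Most at risk first; ties are broken alphabetically for determinism."""
    return sorted(scores, key=lambda s: (-scores[s], s))


def spearman_rho(order_a: Sequence[str], order_b: Sequence[str]) -> float:
    """Spearman rank correlation between two orderings of the same items."""
    n = len(order_a)
    if n < 2:
        return 1.0
    pos_b = {s: i for i, s in enumerate(order_b)}
    d_sq = sum((i - pos_b[s]) ** 2 for i, s in enumerate(order_a))
    return 1.0 - 6.0 * d_sq / (n * (n * n - 1))


def robustness_check(data, weights: Sequence[float]) -> Dict[str, object]:
    """Rank with GRA and with SAW and report how far the two orderings agree."""
    gra = rank(grey_relational_degree(data, weights))
    saw = rank(weighted_sum(data, weights))
    return {"gra": gra, "saw": saw, "rho": spearman_rho(gra, saw)}


if __name__ == "__main__":
    result = robustness_check(SAMPLE_DATA, SAMPLE_WEIGHTS)
    print("GRA ranking:", result["gra"])
    print("SAW ranking:", result["saw"])
    print("Spearman rho:", round(result["rho"], 3))
```

On this sample the two techniques agree on the most and least risky states but swap the middle two (rho = 0.8): the grey relational coefficient is convex in the distance from the reference, so a state that sits on the reference for one indicator and far from it on the others scores higher under GRA than under a linear aggregate with the same mean distance. That is exactly the kind of divergence the check is meant to surface before a ranking is reported.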

2.2.5 Application: integrate findings with security risk planning

Finally, the findings can be applied to security risk planning and the development of countermeasures in organizations. A security risk planning model grounded in Simon's model of decision-making (Herbert, 1959), which Nance and Straub (1988) expanded, provides a four-step approach for organizations to manage security risk effectively. The model starts by recognizing security problems, followed by risk analysis and alternative generation (i.e. suggesting countermeasures), and ends with planning decisions (i.e. implementing countermeasures). According to Nance and Straub (1988), the first two steps can be addressed by increasing management's perception of the organizational environment (i.e. the susceptibility of the environment to industry risk), the IS environment (i.e. the availability of actions to secure systems), and individual characteristics (i.e. awareness of individual systems and their risk) (Goodhue and Straub, 1991; Straub and Welke, 1998).

Ultimately, the findings of this study, which aims to rank states from most to least at risk, and of any other study aimed at prioritization in cybersecurity, enhance understanding of the environment in which organizations operate. By enhancing this perception and giving management a list of priorities that did not exist before, this line of research assists with the problem-recognition and risk-analysis phases of the security risk planning model. Management can then draw on that enhanced perception to generate alternative courses of action and plan decisions.

3. Methodology

3.1 Framework for ranking the states most at risk of data breaches in healthcare

Table 2 summarizes the application of the framework to this study. The methodology section discusses the steps in order, except for the application step, which the discussion section unpacks further.

Objective: The goal of the study is to identify states most at risk for healthcare data breaches, to increase the understanding of individuals in the US healthcare system (i.e. policy-makers, patients, covered entities, and business associates). Thus, the study follows the “identify” core function of the NIST cybersecurity framework, or “deterrence” under the security action cycle. This process of statewide risk identification can be informative for all stakeholders and provide a clear picture of the characteristics of the cybersecurity environment in the healthcare sector, an attribute that can influence increasing security concerns and decision-making (Goodhue and Straub, 1991).

Criteria: Among the available risk and threat modeling approaches, the integrated risk model for data breach management that Khan et al. (2021) proposed was quite applicable to the context of the study. According to the model, the risk profile analysis for the identification of risk (the goal of this study) includes three facets: (1) data breach cause: the primary event causing the breach; (2) data breach locus: the point of adverse access to data (physical or logical); (3) data breach impact: adverse effect of breach on an organization (Khan et al., 2021). Accordingly, these three facets became criteria in the prioritization model.

Indicators: The breach data that the U.S. Department of Health and Human Services Office for Civil Rights (OCR) (2023) publishes allows selecting indicators, based on the criteria the previous step discussed. Table 3 provides the summary of these indicators.

3.2 Data

The OCR data contained 2,658 incidents at the date of this study, covering 2015 to 2021. Data from 2015 onward were selected because in that year OCR updated its portal requirements and harmonized its web descriptions (HIPAA Journal, 2019). Some incidents were removed: incidents that OCR had closed for various reasons, such as incomplete information; entries that either lacked a web description or did not state the type of PHI stolen in their description; and entries that were recorded multiple times. All indicators were extracted directly from the public database, except for the number of PHI items stolen, which required carefully reading each incident description and counting the PHI items it listed. After cleaning, 2,279 incidents remained for the analysis.

3.3 Indicator weight determination

The best-worst method (BWM), i.e. the latest MCDM technique proposed (Rezaei, 2015), uses pairwise comparisons to obtain the weights of alternatives and evaluates them with respect to a set of decision criteria. This method compensates for the shortcomings of pairwise comparison-based methods (e.g. analytical hierarchy process, analytical network process), such as inconsistency. Based on a nine-point scale, this method reduces the number of pairwise comparisons substantially by only executing reference comparisons—i.e. experts must only determine the preference for the best criterion over other criteria and the preference for all criteria over the worst criterion. By eliminating secondary comparisons, this method can obtain weights for any MCDM problem effectively and easily. According to Rezaei (2015), executing this method uses five steps:

  • Step 1. A set of decision criteria is determined as {C1,C2,C3,C6}.

  • Step 2. An expert or panel of experts determines the best and the worst criteria.

  • Step 3. Using a number ranging from one to nine, determine the preference for the best criterion over all other criteria, which results in the best-to-others vector:

$$A_B = (a_{B1}, a_{B2}, a_{B3}, \dots, a_{Bn}),$$

where $a_{Bj}$ indicates the preference for the best criterion $B$ over criterion $j$ and $a_{BB} = 1$.
  • Step 4. Determine the preference for all other criteria over the worst criterion, using a number ranging from one to nine, resulting in the others-to-worst vector:

$$A_W = (a_{1W}, a_{2W}, a_{3W}, \dots, a_{nW})^T,$$

where $a_{jW}$ indicates the preference for criterion $j$ over the worst criterion $W$ and $a_{WW} = 1$.

  • Step 5. Find the optimal weights $(w_1^*, w_2^*, \dots, w_n^*)$.

The pairwise comparison matrix is perfectly consistent if $a_{ik} \times a_{kj} = a_{ij}$ for all $i, j$. The weights are optimal when, for every $j$, $w_B/w_j = a_{Bj}$ and $w_j/w_W = a_{jW}$. To satisfy these conditions for all $j$, we must find a solution that minimizes the maximum absolute differences $|w_B/w_j - a_{Bj}|$ and $|w_j/w_W - a_{jW}|$ over all $j$. Together with the non-negativity and sum conditions, Eq. (1) gives the optimal weights:

$$\min \max_{j} \left\{ \left| \frac{w_B}{w_j} - a_{Bj} \right|,\ \left| \frac{w_j}{w_W} - a_{jW} \right| \right\}$$
$$\text{s.t.} \quad \sum_{j} w_j = 1, \qquad w_j \ge 0 \ \text{for all } j \qquad (1)$$

This problem can also be rewritten as follows:

$$\min \xi$$
$$\text{s.t.} \quad \left| \frac{w_B}{w_j} - a_{Bj} \right| \le \xi \ \text{for all } j, \qquad \left| \frac{w_j}{w_W} - a_{jW} \right| \le \xi \ \text{for all } j,$$
$$\sum_{j} w_j = 1, \qquad w_j \ge 0 \ \text{for all } j \qquad (2)$$

According to Rezaei (2015), a consistency ratio should be computed for pairwise comparisons, which can be expressed as Eq. (3):

$$\text{Consistency Ratio} = \frac{\xi^*}{\text{Consistency Index}} \qquad (3)$$

where $\xi^*$ is obtained by solving Eq. (2). For the "consistency index," Rezaei (2015) proposes a set of values giving the corresponding index for each possible value of $a_{BW}$, the preference for the best criterion over the worst criterion (i.e. a number between one and nine), which equals the maximum value of $\xi$ for that $a_{BW}$. The index values used in this study are taken from Rezaei (2015).

3.4 Prioritization technique: grey relational analysis

Julong (1989) introduced Grey Relational Analysis (GRA) as part of Grey systems theory; it can solve problems characterized by intricate interrelationships between factors and variables. The GRA method has been used extensively for problems involving ambiguity under discrete data and incomplete information (Wei, 2011; Wu, 2009). The method first translates the performance of each alternative into a comparability sequence, through a process analogous to normalization (Kuo et al., 2008b). Afterward, an ideal or reference sequence is defined, which is used to calculate the grey relational coefficient between every comparability sequence and the reference sequence. Finally, based on the computed grey relational coefficients, the grey relational degree between every comparability sequence and the reference sequence is calculated, and the alternatives are ranked accordingly. The procedure consists of the following steps:

  • Step 1: Based on the experts' opinions, a decision-making matrix with $m$ alternatives characterized by $n$ criteria is determined:

$$G = \begin{bmatrix} G_{11} & G_{12} & \cdots & G_{1n} \\ G_{21} & G_{22} & \cdots & G_{2n} \\ \vdots & \vdots & \ddots & \vdots \\ G_{m1} & G_{m2} & \cdots & G_{mn} \end{bmatrix} \qquad (4)$$

where $G_{ij}$ represents the performance of alternative $i$ with regard to criterion $j$.
  • Step 2: All performance values for each alternative are normalized into a comparability sequence $Y_i = (y_{i1}, y_{i2}, y_{i3}, \dots, y_{in})$ using Eqs. (5) and (6) for the-larger-the-better criteria and the-smaller-the-better criteria, respectively:

$$y_{ij} = \frac{G_{ij} - \min\{G_{ij},\ i = 1, 2, \dots, m\}}{\max\{G_{ij},\ i = 1, 2, \dots, m\} - \min\{G_{ij},\ i = 1, 2, \dots, m\}}, \quad i = 1, 2, \dots, m;\ j = 1, 2, \dots, n \qquad (5)$$
$$y_{ij} = \frac{\max\{G_{ij},\ i = 1, 2, \dots, m\} - G_{ij}}{\max\{G_{ij},\ i = 1, 2, \dots, m\} - \min\{G_{ij},\ i = 1, 2, \dots, m\}}, \quad i = 1, 2, \dots, m;\ j = 1, 2, \dots, n \qquad (6)$$

It is important to note that in this paper, we rank different states with regard to risks, and, therefore, all criteria are considered to be the-smaller-the-better criteria.

  • Step 3: A reference sequence is defined and compared with each comparability sequence from Step 2; it is expressed as follows:

$$y^0 = (y_1^0, y_2^0, \dots, y_n^0) = \left( \min_{i=1}^{m} y_{i1},\ \min_{i=1}^{m} y_{i2},\ \min_{i=1}^{m} y_{i3},\ \dots,\ \min_{i=1}^{m} y_{in} \right) \qquad (7)$$

where $y_j^0$ is the reference value for criterion $j$, and $y_{ij}$ denotes the values obtained from the normalized matrix calculated in Step 2.
  • Step 4: The grey relational coefficients are calculated using Eq. (8), which indicates how close the values $y_{ij}$ are to the reference sequence $y^0$:

$$\varphi(y_j^0, y_{ij}) = \frac{\Delta_{\min} + \zeta \Delta_{\max}}{\Delta_{ij} + \zeta \Delta_{\max}} \quad \text{for } i = 1, 2, \dots, m;\ j = 1, 2, \dots, n \qquad (8)$$

where $\varphi(y_j^0, y_{ij})$ is the grey relational coefficient between $y_j^0$ and $y_{ij}$,

$$\Delta_{ij} = |y_j^0 - y_{ij}|, \quad \Delta_{\min} = \min\{\Delta_{ij},\ i = 1, \dots, m;\ j = 1, \dots, n\}, \quad \Delta_{\max} = \max\{\Delta_{ij},\ i = 1, \dots, m;\ j = 1, \dots, n\},$$

and $\zeta$ is the distinguishing coefficient, $\zeta \in [0, 1]$.

The value of $\zeta$ reflects the degree to which the minimum scores are emphasized relative to the maximum scores (Zhang et al., 2005). Decision-makers choose the distinguishing coefficient (Kuo et al., 2008a, b); this study sets it to 0.5.

  • Step 5: After all grey relational coefficients $\varphi(y_j^0, y_{ij})$ are calculated, the grey relational degree is computed as follows:

$$\Phi(y^0, y_i) = \sum_{j=1}^{n} w_j\, \varphi(y_j^0, y_{ij}) \quad \text{for } i = 1, 2, \dots, m \qquad (9)$$

where $\Phi(y^0, y_i)$ is the grey relational degree between $y^0$ and $y_i$, which expresses the degree of correlation between the reference sequence and the comparability sequence, $w_j$ is the weight of criterion $j$, and $\sum_{j=1}^{n} w_j = 1$. Accordingly, smaller values of grey relational degrees represent a specific alternative closer to the reference sequence. Therefore, the alternative with the smallest grey relational degree value represents the first rank.
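As an added, self-contained example (not the authors' code; they solved the BWM model in LINGO 11.0), the Python below evaluates the BWM objective of Eq. (2) and the consistency ratio of Eq. (3) for a given weight vector, and carries the GRA steps of Eqs. (6) to (9) through with the Table 7 weights, including the sensitivity check over ζ reported in Table 8. The eight-indicator matrix for five states is constructed for illustration and is not OCR data; the consistency-index values used for Eq. (3) are the ones published in Rezaei (2015).

```python
"""Worked example for two numerical steps on this page: the BWM model of
Eqs. (2)-(3) evaluated for a given weight vector, and grey relational analysis,
Eqs. (6)-(9).  Added for illustration, not the authors' code (they solved BWM in
LINGO 11.0).  Weights and the Table 5/6 vectors are from the page; the
five-state matrix G is CONSTRUCTED and is not OCR breach data."""
from typing import Dict, List, Sequence, Tuple

# Indicator order used throughout; weights w_j as reported in Table 7.
INDICATORS = ["Hacking/IT incident", "Improper disposal", "Loss", "Theft",
              "Unauthorized access/disclosure", "Locations", "PHI stolen",
              "Individuals affected"]
WEIGHTS = [0.416, 0.050, 0.044, 0.074, 0.133, 0.104, 0.089, 0.089]
# Table 5 (best-to-others) and Table 6 (others-to-worst) in INDICATORS order;
# best criterion = Hacking/IT incident (index 0), worst = Loss (index 2).
BEST_TO_OTHERS = [1, 8, 9, 6, 3, 4, 5, 5]
OTHERS_TO_WORST = [9, 1, 1, 2, 3, 2, 2, 2]
BEST, WORST = 0, 2
# Consistency index per a_BW from Rezaei (2015), the table the page refers to.
CONSISTENCY_INDEX = {1: 0.00, 2: 0.44, 3: 1.00, 4: 1.63, 5: 2.30,
                     6: 3.00, 7: 3.73, 8: 4.47, 9: 5.23}
# CONSTRUCTED decision matrix G (rows: states A-E, columns: INDICATORS).
# The counts are invented to exercise the method; they are not breach figures.
STATES = ["A", "B", "C", "D", "E"]
G = [[40, 3, 4, 10, 12, 30, 6, 500_000],
     [12, 1, 2, 4, 6, 10, 4, 80_000],
     [25, 2, 1, 6, 9, 20, 5, 300_000],
     [5, 0, 1, 2, 3, 4, 2, 20_000],
     [20, 2, 3, 8, 10, 18, 7, 150_000]]

def bwm_xi(weights: Sequence[float], best_to_others: Sequence[int],
           others_to_worst: Sequence[int], best: int, worst: int) -> float:
    """Objective of Eq. (2): the largest deviation of w_B/w_j from a_Bj and of
    w_j/w_W from a_jW over all j.  Weights published rounded to three decimals
    will not reproduce a solver's xi* exactly (ratios against w_W are sensitive)."""
    if abs(sum(weights) - 1.0) > 0.01 or min(weights) <= 0:
        raise ValueError("weights must be positive and sum to 1")
    w_b, w_w = weights[best], weights[worst]
    return max(max(abs(w_b / w_j - best_to_others[j]),
                   abs(w_j / w_w - others_to_worst[j]))
               for j, w_j in enumerate(weights))

def consistency_ratio(xi_star: float, a_bw: int) -> float:
    """Eq. (3): CR = xi* / consistency index(a_BW); the page accepts CR < 0.1."""
    ci = CONSISTENCY_INDEX[a_bw]
    return 0.0 if ci == 0 else xi_star / ci

def normalize_smaller_better(matrix: Sequence[Sequence[float]]) -> List[List[float]]:
    """Eq. (6): comparability sequences y_ij for the-smaller-the-better
    criteria (every indicator here counts harm, so all are of that kind)."""
    cols = list(zip(*matrix))
    out = []
    for row in matrix:
        y = []
        for j, g in enumerate(row):
            hi, lo = max(cols[j]), min(cols[j])
            # A constant column carries no information: treat all rows as equal.
            y.append(1.0 if hi == lo else (hi - g) / (hi - lo))
        out.append(y)
    return out

def grey_relational_degrees(matrix, weights, zeta=0.5) -> List[float]:
    """Eqs. (7)-(9): reference y0_j = min_i y_ij, coefficients phi(y0_j, y_ij)
    with distinguishing coefficient zeta, and the weighted degree per row."""
    y = normalize_smaller_better(matrix)
    n = len(weights)
    y0 = [min(row[j] for row in y) for j in range(n)]                  # Eq. (7)
    delta = [[abs(y0[j] - row[j]) for j in range(n)] for row in y]
    flat = [d for row in delta for d in row]
    d_min, d_max = min(flat), max(flat)
    if d_max == 0:                                # all alternatives identical
        return [float(sum(weights))] * len(matrix)
    degrees = []
    for row in delta:
        phi = [(d_min + zeta * d_max) / (d + zeta * d_max) for d in row]  # Eq. (8)
        degrees.append(sum(w * p for w, p in zip(weights, phi)))          # Eq. (9)
    return degrees

def rank_most_at_risk_first(names, matrix, weights, zeta=0.5) -> List[Tuple[int, str, float]]:
    """Rank 1 = most at risk, the convention of Table 8 and Figure 3.  Under the
    Eq. (6) normalization with a column-minimum reference, the reference is the
    profile with the largest indicator values, so the largest degree goes first."""
    deg = grey_relational_degrees(matrix, weights, zeta)
    order = sorted(range(len(names)), key=lambda i: -deg[i])
    return [(r + 1, names[i], round(deg[i], 3)) for r, i in enumerate(order)]

def sensitivity(names, matrix, weights, zetas=(0.1, 0.5, 0.9)) -> Dict[float, List[str]]:
    """The Table 8 check: does the order change with the distinguishing coefficient?"""
    return {z: [n for _, n, _ in rank_most_at_risk_first(names, matrix, weights, z)]
            for z in zetas}

if __name__ == "__main__":
    for row in rank_most_at_risk_first(STATES, G, WEIGHTS):
        print(row)                      # (1, 'A', 0.974) ... (5, 'D', 0.333)
    orders = sensitivity(STATES, G, WEIGHTS).values()
    print("order stable over zeta:", len({tuple(o) for o in orders}) == 1)
    print("CR for the page's xi* = 0.347, a_BW = 9:", round(consistency_ratio(0.347, 9), 3))
```

Because the Table 7 weights are rounded to three decimals, evaluating Eq. (2) on them with bwm_xi gives a ξ somewhat above the solver's reported ξ* = 0.347; the consistency ratio 0.347/5.23 reproduces the 0.066 noted under Table 7.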

3.5 Data analysis

3.5.1 Focus group for weight determination

The focus group is a “research technique that collects data through group interaction on a topic determined by the researcher” (Morgan, 1996, p. 130). A moderator runs a focus group and sets out the topic as a question the group has been designed to answer (Fontana and James, 2005). However, focus groups provide one other benefit, namely, they allow participants to interact with each other (Ryan et al., 2014). Additionally, to assess the appropriateness of focus groups, one must consider the purpose of the study and desired outputs (Wilkinson, 1998). In this study, the goal was to determine the weight of indicators selected for the study to use in the BWM method. Accordingly, the goal was to gather experts with different backgrounds to articulate the results. That was deemed the most appropriate approach, as they would have an opportunity to discuss the criteria and interact with each other (Qin et al., 2023). Table 4 highlights the expertise of the focus group.

The focus group met in two sessions. The first session was to brief participants on the objective of the meetings. There was also a demonstration/explanation using an example (in another context) on how the best-worst method (BWM) works. In the second session, the expert provided the ranking, and discussions ensued. Several points emerged; as expected, differences of opinion on some of the indicators occurred. The experts’ background and personal experience seem to affect this. However, the consensus existed around “Hacking/IT incidents” and “Loss” as the best and worst indicators, respectively. In particular, the experts agreed that “Hacking/IT incidents” should receive the greatest weight because they could signal several issues, ranging from technical deficiencies to organizational negligence, while other indicators only signal one particular issue. For example, improper disposal mainly concerns entities’ disposal policies and, thus, should receive less weight than hacking.

4. Results

4.1 Calculating the weight of indicators

As the methodology section mentioned, the weight of all indicators was calculated using BWM. On this basis, focus-group meetings determined the comparisons to find the best indicator as compared to other indicators, as well as the comparisons of other indicators to find the worst. Tables 5 and 6 show the preferences for the best criterion over other criteria and for other criteria over the worst criterion, respectively. The output related to the weight of the indicators was determined using LINGO 11.0 software and appears in Table 7.

The larger $\xi$ is, the higher the consistency ratio and the less reliable the comparisons become. BWM always yields consistent (though not necessarily fully consistent) comparisons (Rezaei, 2015). Applying the threshold used in comparisons of the Analytical Hierarchy Process (AHP) and BWM, the consistency ratio here is below 0.1, which means the weights obtained are acceptable and can be used for prioritization.

4.2 Ranking the states

Figure 3 displays the summary of primary analysis. Results indicate that California, Texas, New York, Florida, Indiana, Pennsylvania, Massachusetts, Minnesota, Ohio, and Georgia are the top 10 states at risk. South Dakota, Wyoming, North Dakota, Idaho, Vermont, Rhode Island, Montana, New Hampshire, Hawaii, and Alaska have the lowest privacy breach risk in their respective health sectors.

Since the indicators are negative, the minimum values are the basis for determining the reference series. As a result, smaller values of grey relational degrees represent that a specific alternative is closer to the reference sequence. Therefore, the alternative with the smallest grey relational degree value represents the first rank. Consequently, by default, the method generates the results from the safest states to those most at risk. However, since it is more crucial to understand the states most at risk, the findings appear from worst to best (i.e. in the tables and figures, rank one represents the states most at risk, and rank 50 represents the state least at risk).

Moreover, since the distinguishing coefficient must lie between zero and one, the calculations were repeated for three settings ($\zeta = 0.1$, $\zeta = 0.5$, and $\zeta = 0.9$) as a sensitivity analysis for this parameter. The results appear in Table 8, which shows that the distinguishing coefficient does not affect the ranking of the states: all three settings produce the same order.

4.3 Post-hoc analysis: sensitivity analysis

To analyze the sensitivity of results, other methods with different calculation bases were used. For robustness checks, combined compromise solution (CoCoSo), multiattributive border approximation area comparison (MABAC), and multiattributive ideal real comparative analysis (MAIRCA) were utilized (Gigović et al., 2016). These techniques have a different structure than GRA, in terms of both the data normalization technique and the formulas that lead to the prioritization of alternatives. These methods can be used in situations where the criteria are only positive or negative. Other methods, such as TOPSIS, VIKOR, and COPRAS, are mainly based on positive or negative ideal distance, which cannot be used in such situations. The basis of the MABAC method originated from the definition of the distance of the indicator function of each alternative from the border approximation area (Pamučar and Ćirović, 2015). Although the MAIRCA method has the same calculation structure as MABAC, the best alternative in the ranking is the one with the closest values to the ideal rating by all criteria (Pamucar et al., 2018). Alternatively, the CoCoSo method, proposed by Yazdani et al. (2019), is based on integrating simple additive weighting and an exponentially weighted product model. The method has eliminated the shortcomings of other MCDM methods, such as TOPSIS and COPRAS. The first table in the supplementary materials displays the results in full. As we can see, different calculation methods also confirm the results from the GRA and show a high degree of correlation.

Finally, comparing the three methods used for robustness checks with the primary analysis method (i.e. GRA), the finding remains consistent across all four methods for 45 states, with the remaining five states showing consistent ranking across three methods. Table 9 displays the summary of this comparative assessment, while the entire table can be seen under Supplementary Materials.

5. Discussion

The final step in the integrated multicriteria framework for prioritization in risk management is concerned with applying findings using the risk planning model (Straub and Welke, 1998). The findings, which Figure 3 illustrates, help with the first two steps of the risk-planning model. First is the recognition of a particular security problem or need (Straub and Welke, 1998). As the ranking results, based on seven-year data, indicate, each state faces a different level of data breach risk in its healthcare sector, with California, Texas, New York, Florida, and Pennsylvania facing the biggest such risk nationwide. Thus, states must take advantage of the co-regulatory model and further enhance their efforts to increase healthcare sector security in their state. At the surface level, this risk map can help with increasing decision-makers’ concern by making them aware of the characteristics of their industry (Goodhue and Straub, 1991; Straub and Welke, 1998). At a deeper level, it can assist with the second step of the risk planning model, risk analysis.

With respect to the risk analysis, one immediate question comes to mind: What is the driving cause of such rankings? While the answer to this question is out of the scope of this study, two potential explanations can arise: the role of governing federal and state healthcare privacy and security policies and the influence of socioeconomic factors.

5.1 Policy discussion

First, from a policy standpoint, all covered entities have a baseline they must follow, namely, the HIPAA privacy and security rules (U.S. Department of Health and Human Services, 2013). However, as noted, stricter state laws can preempt HIPAA. Thus, state laws (whether signed for the healthcare sector or as a comprehensive law) can be a differentiating factor. An estimate by Health Information & The Law, a George Washington University project, showed that by the end of 2019, 32 states had approved additional sporadic bills governing healthcare organizations, on individual issues (Health Information and The Law, 2020). For example, New York and Massachusetts had additional safeguard laws (e.g. encryption and authentications) in place. However, there is a need for comprehensive state laws.

According to the US State Privacy Legislation Tracker (Desai, 2023), at the time of this study, only 10 states had signed comprehensive privacy bills into law, 11 states had active bills, and other states did not have any active bills or any comprehensive privacy bills introduced. Table 10 displays some of the states that had signed the bills into law, their data breach rank, and their effective date. Of nine that had signed bills into law, only California (CCPA – California Privacy Act and Proposition 24 – California Consumer Privacy Rights Act), and Colorado (SB 190, Colorado Privacy Act) were currently effective (IAPP, 2023).

Here, the major takeaway is a general lack of comprehensive state security and privacy laws. While there had been various sporadic state legislation during the period in which this study occurred, almost no state (except California for 2 years) had any comprehensive privacy and security law in place. California had been the subject of 71 breaches (an average of 35.5 per year), compared to 200 breaches (an average of 40 per year) in the final dataset this study used. No conclusion is valid while we wait a few years to see how effective these policies were, but the statistics may support some optimism. Regardless, the current status quo also highlights that many states are not actively pursuing a comprehensive law, particularly concerning the states at the top of the risk list.

Second, neither HIPAA nor state policies seem to have evolved as fast as the methods of hacking/IT incidents. Collectively, hacking/IT incidents characterize most threats for all states. Furthermore, among the five categories of threats (i.e. hacking/IT incident, theft, loss, improper disposal, and unauthorized access/disclosure), hacking/IT incidents have evolved, become more complex, and occurred using many more novel methods. Thus, they deserve to be an integral facet of any new amendments and laws. From a legislative perspective, state policies appear to focus on increasing consumer rights and business obligations (IAPP, 2023). Risk assessments are part of business obligations, requiring a concerted effort to enhance this process and address the most pressing issues. This effort must be twofold: creating obligations to enhance the defense mechanism (human/technical) against malicious threats and understanding how to mitigate unintentional errors. Unintentional errors can be a more significant source of threat. Yet, a keyword search within the legislative drafts available to the public shows that none of the existing state policies explicitly raise the issue of hacking, which can be concerning. Even though the US seems headed in the right direction by devising comprehensive state laws governing all aspects of security and privacy, these laws do not address the most pressing issues—hacking and IT incidents.

5.2 Socioeconomic discussion

From a socioeconomic perspective, this study looked at the correlation between the final risk ranking and the latest available socioeconomic indicators that appear in Table 11.

Pearson correlations were calculated between the final ranking and each state's value for each indicator. Since the ranking runs from highest breach risk (rank 1, the most insecure state) to lowest breach risk (rank 50, the most secure), a negative correlation indicates that higher values of a socioeconomic factor are associated with lower rank numbers in the table (i.e. higher data breach risk).

Starting with indicators from the US Bureau of Labor Statistics, a strong negative correlation exists between state data privacy breach ranking and the number of employees per hospital (r = −0.80), the number of hospitals (r = −0.68), and the number of people per hospital (r = −0.34). The higher those indicators, the higher the data breach risk for that state, and thus the lower its rank number. Additionally, we see a similar pattern where a higher population correlates with higher data breach risk (r = −0.74). Finally, using GSP—the level of economic output by state and an indicator of wealth (National Center for Education Statistics, 1991)—we see that wealthier states have more exposure to privacy data breach risk. If a malicious source causes the breach, "having more people" or "being wealthier" may indicate that the source had more financial incentive to steal the data. However, what this correlation indicates about breaches caused by inadvertent mistakes is less clear. Does having more patients and more work pressure in populated areas increase the tendency of staff to make mistakes? Do more populated areas have lower-quality Security Education and Training Awareness (SETA) programs in their entities? These may be questions worth exploring in the future. Combining the policy and socioeconomic facets, Table 12 provides recommendations arising from the discussion in this paper.

5.3 Theoretical implications

The study provides an integrated framework drawn upon the security action cycle (Straub and Welke, 1998), the NIST Cybersecurity Framework (National Institute of Standards and Technology, 2018), the Risk-Planning Model (Goodhue and Straub, 1991), and MCDM methods (Toloie-Eshlaghy and Homayonfar, 2011), to answer the research question. The framework provides a roadmap, starting from setting the objective, to the application of the findings. This study applied this framework for risk identification at the state level across the US healthcare industry. The framework provides guidelines and flexibility that allow it to apply in other cybersecurity contexts. Table 13, on future research, provides a snapshot of how other potential questions can arise. The components of the framework itself provide two more implications.

First, despite the sporadic usage of MCDM models and propositions to enhance their utilization, using these methods in cybersecurity has received less attention (Maalem Lahcen et al., 2020). By integrating these methods into the framework, the study encourages researchers to further consider applying them in various contexts. MCDM methods do not answer questions of causality or association. However, as demonstrated in a plethora of other literature, they can help tremendously in supporting decision-making, finding the best solution, and prioritizing a list of alternatives. Rarely does any decision involve a single choice (Samuelson and Zeckhauser, 1988). Rather, decisions are complex, include various alternatives, and face time and monetary constraints. Whether for risk identification (as in this study), prioritization in risk assessments, or finding the best alternatives for risk solutions, MCDM approaches can be useful with such questions.

Second, the study attempts to address the challenge of relevance vs rigor (Benbasat and Zmud, 2003; Davenport and Markus, 1999) in risk identification by providing a balanced framework that considers both prior academic risk models (e.g. the risk-planning model, the security action cycle) and widely accepted industry standards (NIST). Furthermore, the framework suggests using various threat-modeling approaches, such as PASTA, CORAS, or other models, as time progresses. One final thought is that even though the framework was developed to address an issue in the United States, it is very conceivable that, with suitable substitutions, the model is applicable in contexts outside of the US.

5.4 Practical implications

First, practitioners can apply the model to use with their own available data, to answer any prioritization questions they may have. The model was presented as flexible, so users can apply their threat-modeling approach to developing the criteria or using their own MCDM method. Table 13 presents avenues for practical applications. The method here is for demonstration purposes, and ultimately, the researchers can decide the best approach.

The remaining practical applications stem from the application of the framework for ranking the US states most at risk of healthcare data breaches. The study findings show that various states face different levels of risk. It provides transparency for stakeholders, lets patients know of the potential risk facing their PHI in their respective states, and lets privacy officers at covered entities know the degree of risk their entity and state face. Furthermore, it lets legislators know the existing climate in the healthcare sector. The latter seems to be a very grave point in this story. Not only have there not been comprehensive laws, but the existing laws do not address the most pressing issue, namely, Hacking/IT incidents.

Finally, the discussion highlights the seemingly significant correlation between state risk ratings and several socioeconomic indicators, including populations (e.g. state population, number of patients, hospitals), and wealth indicators.

6. Limitations and future research

The current study has two limitations. It does not distinguish between various types of PHI (e.g. billing, demographic). Rather, it focuses on total types stolen. The decision not to make this distinction was to avoid both generalizability and operationalization issues. First, all indicators the study used also occur in other industries. However, PHI and many of its types (e.g. diagnoses, lab results) occur only in the healthcare industry. As it stands, the model and criteria the study used can apply in other contexts. However, including such distinctions would reduce the robustness of the findings. Second, the study does not separate the cause of a breach into intentional and unintentional, as prior literature has suggested (Willison and Warkentin, 2013). This limitation was mainly due to a lack of enough data. While the intention of breaches may be noted in the OCR web description, many of the available descriptions are vague about the incident’s intentionality. Additionally, HHS can improve in their future reporting practice in this area. Both limitations offer opportunities for future research.

Additionally, the integrated multicriteria framework for risk management can apply in various domains of risk management. In this study, the focus was primarily on risk identification and state-level analysis. The framework can apply to other objectives and inner organizational contexts, to aid their cybersecurity management with decision-making. Future studies can also apply the model in non-US contexts and compare the findings with those from the United States. How can examining different facets improve the prioritization model? How does each European Union country rank, in terms of risk in their healthcare sectors? What socioeconomic factors accompany place on the risk map? Additionally, by understanding the risk ranking of the states, future work can also examine how breaches in risky states impact other states. If a state is subject to a data breach, the residents of that state are not the only ones affected; people in other states may also be affected. For example, while Indiana has approximately 6.8mn residents, the Anthem breach affected more than 70mn people. Thus, the states that are most at risk expose both their own residents and residents from other states. This could be due to shared databases or to entities having branches in different states. If we were able to distinguish the effect of a breach with regard to impact within state versus impact outside state, we can better understand how breaches originating in one state might be transmitted through other states (e.g. shared databases or other improper practices). Finally, examining why US states appear at their current rank can open avenues for future study. Applying time series analysis or difference-in-difference models to elicit causality can be highly valuable to addressing the questions this paper raised.

7. Conclusion

While single indicators, such as the number of affected people or the number of breaches, can be useful in discovering states that have suffered the most devastating breaches, sole reliance on single indicators cannot showcase the totality of privacy-breach risk. This study therefore proposed an integrated multicriteria cybersecurity prioritization framework for solving questions related to cybersecurity ranking and prioritization. The framework consists of five steps, from the conceptualization stage (setting objectives based on the security action cycle and the NIST cybersecurity framework (National Institute of Standards and Technology, 2018; Straub and Welke, 1998), and determining criteria based on an appropriate risk-modeling approach (Khan et al., 2021)) to the operationalization stage (determining the indicators and their weights, analysis via an MCDM method, and application using the risk-planning model (Goodhue and Straub, 1991)). Using data from 2015 to 2021, US states were ranked from greatest at risk to least at risk for data breaches in their healthcare sector. This risk-based ranking has significance for three stakeholders. For patients, the findings provide transparency with respect to the risk they face when storing their data in each state. Similar to other socioeconomic rankings (e.g. crime, safety), the findings fill the gap that existed for patients regarding the risk their PHI faced. For covered entities, the study illustrated the risk they face in the states where they operate. Understanding such a climate can be crucial for many important decisions with respect to safeguarding PHI. Finally, for policy-makers, the findings showed much to be desired, in terms of both the quantity of comprehensive state policies and their content. A particular need exists to reevaluate current state laws and enact additional laws addressing novel and sophisticated hacking and IT incidents in the healthcare sector.

Figures

Figure 1. Conceptual steps required for prioritization (ranking) decisions

Figure 2. Integrated multicriteria framework for prioritization in risk management

Figure 3. State ranking from most at risk (represented by 1) to least at risk (represented by 50)

Summary of indicators

Criteria | Indicator | Indicator description | Other notes
--- | --- | --- | ---
Data breach cause | Hacking/IT Incident | Total number of hacking/IT breaches | 
Data breach cause | Improper Disposal | Total number of improper disposal breaches | 
Data breach cause | Loss | Total number of loss breaches | 
Data breach cause | Theft | Total number of theft breaches | 
Data breach cause | Unauthorized Access/Disclosure | Total number of unauthorized access/disclosure breaches | 
Data breach locus | Locations | Total number of locations affected as a result of breaches | HIPAA classifies locations holding PHI into eight categories: desktop computers, electronic medical records (EMRs), emails, laptops, network servers, paper/films, other portable electronic devices, and others (U.S. Department of Health and Human Services, 2013). These locations represent both physical (e.g. paper records) and online locations (e.g. email, network servers)
Data breach impact | PHI Stolen | Number of types of PHI stolen. For example, if the breach led to the loss of medical diagnoses and billing numbers, the cell in the data should show the number "2," indicating that two types of PHI were stolen | The HIPAA web description provides the type of PHI stolen. While covered entities can select predefined categories, they can enter additional types of PHI as they find appropriate. Examples included names, social security numbers, diagnoses, medications prescribed, and treatment information
Data breach impact | Number of Individuals Affected | Number of individuals affected as a result of the data breach | 

Source(s): Table by authors

Focus group details

Expert | Description
--- | ---
# 1 | Privacy officer in healthcare, 2 years of experience
# 2 | CIO in a healthcare IT solution provider (i.e. business associate) working in compliance under HIPAA, 3 years of experience
# 3 | Security engineer for tech and healthcare, 5 years of experience
# 4 | Professor with expertise in the economics of healthcare security research, 6 years
# 5 | Professor with expertise in operations management and a research portfolio in healthcare management, 10 years

Source(s): Table by authors

Best indicator over other indicators’ preferences

Best indicator | Individuals affected | Unauthorized access/Disclosure | Theft | Loss | Improper disposal | Hacking/IT incident | Locations | PHI stolen
--- | --- | --- | --- | --- | --- | --- | --- | ---
Hacking/IT incident | 5 | 3 | 6 | 9 | 8 | 1 | 4 | 5

Source(s): Table by authors

Other indicators over worst indicator preferences

Indicator | Preference over the worst criterion (Loss)
--- | ---
PHI Stolen | 2
Locations | 2
Hacking/IT incident | 9
Improper disposal | 1
Loss | 1
Theft | 2
Unauthorized access/disclosure | 3
Individuals affected | 2

Source(s): Table by authors

Weight of indicators and consistency ratio

Criteria | Indicator | Indicator weight
--- | --- | ---
Data breach cause | Hacking/IT Incident | 0.416
Data breach cause | Improper Disposal | 0.050
Data breach cause | Loss | 0.044
Data breach cause | Theft | 0.074
Data breach cause | Unauthorized Access/Disclosure | 0.133
Data breach locus | Locations | 0.104
Data breach impact | PHI Stolen | 0.089
Data breach impact | Number of Individuals Affected | 0.089

Note(s): ξ = 0.347, Consistency ratio = 0.066

Source(s): Table by authors

Ranking based on GRA

Rank | State (ζ=0.1) | Φ | State (ζ=0.5) | Φ | State (ζ=0.9) | Φ
--- | --- | --- | --- | --- | --- | ---
1 | CA | 0.651 | CA | 0.272 | CA | 0.771
2 | TX | 0.452 | TX | 0.141 | TX | 0.597
3 | NY | 0.355 | NY | 0.099 | NY | 0.498
4 | FL | 0.332 | FL | 0.091 | FL | 0.473
5 | PA | 0.246 | PA | 0.061 | PA | 0.370
6 | IN | 0.235 | IN | 0.058 | IN | 0.356
7 | MN | 0.229 | MN | 0.056 | MN | 0.348
8 | OH | 0.228 | OH | 0.056 | OH | 0.347
9 | MA | 0.228 | MA | 0.056 | MA | 0.347
10 | GA | 0.224 | GA | 0.055 | GA | 0.342
11 | WA | 0.224 | WA | 0.055 | WA | 0.342
12 | MI | 0.214 | MI | 0.052 | MI | 0.328
13 | IL | 0.212 | IL | 0.051 | IL | 0.326
14 | TN | 0.210 | TN | 0.051 | TN | 0.324
15 | NC | 0.209 | NC | 0.050 | NC | 0.322
16 | CT | 0.208 | CT | 0.050 | CT | 0.321
17 | MD | 0.207 | MD | 0.050 | MD | 0.320
18 | AZ | 0.205 | AZ | 0.049 | AZ | 0.316
19 | KY | 0.204 | KY | 0.049 | KY | 0.316
20 | VA | 0.204 | VA | 0.049 | VA | 0.315
21 | NJ | 0.203 | NJ | 0.049 | NJ | 0.315
22 | OR | 0.203 | OR | 0.048 | OR | 0.314
23 | MO | 0.198 | MO | 0.047 | MO | 0.308
24 | IA | 0.197 | IA | 0.047 | IA | 0.306
25 | AR | 0.196 | AR | 0.047 | AR | 0.305
26 | CO | 0.194 | CO | 0.046 | CO | 0.303
27 | WI | 0.193 | WI | 0.046 | WI | 0.301
28 | SC | 0.192 | SC | 0.045 | SC | 0.299
29 | LA | 0.188 | LA | 0.044 | LA | 0.295
30 | NV | 0.188 | NV | 0.044 | NV | 0.294
31 | AL | 0.187 | AL | 0.044 | AL | 0.293
32 | NM | 0.185 | NM | 0.043 | NM | 0.290
33 | MS | 0.184 | MS | 0.043 | MS | 0.289
34 | WV | 0.182 | WV | 0.043 | WV | 0.287
35 | OK | 0.182 | OK | 0.043 | OK | 0.286
36 | UT | 0.180 | UT | 0.042 | UT | 0.283
37 | ME | 0.180 | ME | 0.042 | ME | 0.283
38 | DE | 0.180 | DE | 0.042 | DE | 0.283
39 | KS | 0.179 | KS | 0.042 | KS | 0.282
40 | NE | 0.179 | NE | 0.042 | NE | 0.282
41 | AK | 0.179 | AK | 0.042 | AK | 0.282
42 | HI | 0.178 | HI | 0.042 | HI | 0.281
43 | NH | 0.177 | NH | 0.041 | NH | 0.279
44 | MT | 0.177 | MT | 0.041 | MT | 0.279
45 | RI | 0.177 | RI | 0.041 | RI | 0.279
46 | VT | 0.176 | VT | 0.041 | VT | 0.278
47 | ID | 0.175 | ID | 0.041 | ID | 0.276
48 | ND | 0.174 | ND | 0.040 | ND | 0.275
49 | WY | 0.174 | WY | 0.040 | WY | 0.275
50 | SD | 0.174 | SD | 0.040 | SD | 0.274

Note(s): 1: most at risk, 50: least at risk

Source(s): Table by authors
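The two computations behind the tables above, the BWM consistency check and the GRA ranking under different distinguishing coefficients ζ, as an added Python example that is not code from the paper. The indicator weights, ξ = 0.347 and the best-to-worst preference of 9 are taken from the tables; the state labels and breach counts are constructed, and the grade uses the standard Deng (Julong, 1989) coefficient formula, so the paper's Φ values (whose normalization is not stated) are not reproduced.

```python
"""Grey relational analysis (GRA) ranking with Best-Worst Method (BWM) weights.

Added example, not the paper's own code. Indicator weights, xi* = 0.347 and
a_BW = 9 come from the paper's tables; state labels and counts are constructed.
"""
from typing import Dict, List, Tuple

# Indicator weights from the paper's BWM table (they sum to ~1.0).
WEIGHTS: Dict[str, float] = {
    "hacking_it_incident": 0.416,
    "improper_disposal": 0.050,
    "loss": 0.044,
    "theft": 0.074,
    "unauthorized_access": 0.133,
    "locations": 0.104,
    "phi_stolen": 0.089,
    "individuals_affected": 0.089,
}

# Consistency index table from Rezaei (2015), indexed by the best-to-worst
# preference a_BW on the 1..9 scale.
BWM_CONSISTENCY_INDEX: Dict[int, float] = {
    1: 0.00, 2: 0.44, 3: 1.00, 4: 1.63, 5: 2.30, 6: 3.00, 7: 3.73, 8: 4.47, 9: 5.23,
}

# Constructed per-state indicator counts (NOT real HHS breach-portal data).
SAMPLE_STATES: Dict[str, Dict[str, float]] = {
    "S1": {"hacking_it_incident": 40, "improper_disposal": 2, "loss": 5, "theft": 10,
           "unauthorized_access": 20, "locations": 30, "phi_stolen": 2,
           "individuals_affected": 500_000},
    "S2": {"hacking_it_incident": 20, "improper_disposal": 4, "loss": 3, "theft": 12,
           "unauthorized_access": 10, "locations": 20, "phi_stolen": 1,
           "individuals_affected": 250_000},
    "S3": {"hacking_it_incident": 10, "improper_disposal": 1, "loss": 1, "theft": 4,
           "unauthorized_access": 5, "locations": 10, "phi_stolen": 0,
           "individuals_affected": 100_000},
    "S4": {"hacking_it_incident": 5, "improper_disposal": 0, "loss": 2, "theft": 2,
           "unauthorized_access": 2, "locations": 5, "phi_stolen": 1,
           "individuals_affected": 50_000},
}


def bwm_consistency_ratio(xi_star: float, a_bw: int) -> float:
    """CR = xi* / CI(a_BW); values close to 0 indicate consistent pairwise judgments."""
    if a_bw not in BWM_CONSISTENCY_INDEX:
        raise ValueError("a_BW must be an integer on the 1..9 scale")
    ci = BWM_CONSISTENCY_INDEX[a_bw]
    return 0.0 if ci == 0 else xi_star / ci


def normalize_larger_is_riskier(data: Dict[str, Dict[str, float]]) -> Dict[str, Dict[str, float]]:
    """Min-max normalize each indicator so that 1.0 is the most at-risk observed value.

    A constant column carries no ranking information, so it is set to 1.0 for every
    state (zero deviation from the reference) instead of dividing by zero.
    """
    norm: Dict[str, Dict[str, float]] = {s: {} for s in data}
    for ind in WEIGHTS:
        col = [data[s][ind] for s in data]
        lo, hi = min(col), max(col)
        for s in data:
            norm[s][ind] = 1.0 if hi == lo else (data[s][ind] - lo) / (hi - lo)
    return norm


def grey_relational_grades(data: Dict[str, Dict[str, float]], zeta: float) -> Dict[str, float]:
    """Weighted grey relational grade of each state against the all-ones reference."""
    if not 0.0 < zeta <= 1.0:
        raise ValueError("zeta must lie in (0, 1]")
    norm = normalize_larger_is_riskier(data)
    # Deviation of each state from the reference sequence (1.0 in every indicator).
    dev = {s: {i: 1.0 - v for i, v in row.items()} for s, row in norm.items()}
    d_min = min(min(r.values()) for r in dev.values())
    d_max = max(max(r.values()) for r in dev.values())
    if d_max == 0.0:  # every state equals the reference: all grades are 1.0
        return {s: sum(WEIGHTS.values()) for s in data}
    grades: Dict[str, float] = {}
    for s, row in dev.items():
        coeff = {i: (d_min + zeta * d_max) / (row[i] + zeta * d_max) for i in row}
        grades[s] = sum(WEIGHTS[i] * coeff[i] for i in coeff)
    return grades


def rank_states(data: Dict[str, Dict[str, float]], zeta: float) -> List[Tuple[str, float]]:
    """States ordered from most to least at risk (highest grade first)."""
    return sorted(grey_relational_grades(data, zeta).items(), key=lambda kv: kv[1], reverse=True)


def ranking_is_stable(data: Dict[str, Dict[str, float]], zetas=(0.1, 0.5, 0.9)) -> bool:
    """True when the order of states is identical for every zeta, as in the paper's table."""
    orders = [[s for s, _ in rank_states(data, z)] for z in zetas]
    return all(o == orders[0] for o in orders[1:])


if __name__ == "__main__":
    print(f"BWM consistency ratio: {bwm_consistency_ratio(0.347, 9):.3f}")
    for z in (0.1, 0.5, 0.9):
        print(f"zeta={z}:", [(s, round(g, 3)) for s, g in rank_states(SAMPLE_STATES, z)])
    print("ranking stable across zeta:", ranking_is_stable(SAMPLE_STATES))
```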

Comparison of Findings Between Methods

Rank | State ranking is | GRA (ζ=0.5) | CoCoSo | MABAC | MAIRCA
1–4 | Supported by 4 methods | Results are similar across all methods (rankings match the findings in Table 8)
10–50 | Supported by 4 methods | Results are similar across all methods (rankings match the findings in Table 8)
5 | Supported by 3 methods | PA | IN | PA | PA
6 | Supported by 3 methods | IN | PA | IN | IN
7 | Supported by 3 methods | MN | MA | MN | MN
8 | Supported by 3 methods | OH | MN | OH | OH
9 | Supported by 3 methods | MA | OH | MA | MA

Note(s): 1: most at risk; 50: least at risk

Source(s): Table by authors

Details of states that passed comprehensive privacy bills into laws

State | Healthcare data breach rank | Comprehensive state privacy bill effective date | Reference | Does the bill mention “hacking?”
California | 1 | 1/1/2020 | California Consumer Privacy Act (2018) | No
Texas | 3 | 1/1/2024 | Texas Privacy and Security Act (2023) |
Indiana | 6 | 1/1/2026 | Indiana Consumer Data Protection Act (2023) |
Tennessee | 14 | 7/1/2024 | Tennessee Information Protection Act (2023) |
Connecticut | 16 | 1/1/2023 | Connecticut Data Privacy Act (2022) |
Virginia | 20 | 1/1/2023 | Virginia Consumer Data Protection Act (2023) |
Iowa | 24 | 1/1/2025 | Iowa Consumer Data Protection Act (2023) |
Colorado | 26 | 1/1/2023 | Colorado Privacy Act (2022) |
Utah | 36 | 12/31/2023 | Utah Consumer Privacy Act (2023) |
Montana | 44 | 10/1/2024 | Montana Consumer Data Privacy Act (2023) |

Source(s): Table by authors

Correlation between risk ranking and socioeconomic indicators

Indicator (in each state) | Pearson correlation | Source (year of data)
Number of employees per hospital | −0.80 | U.S. Bureau of Labor Statistics (2019)
Population in each state | −0.74 | U.S. Census Bureau (2021)
Gross State Product (GSP) | −0.70 | Kaiser Family Foundation (2022)
Number of hospitals | −0.68 | U.S. Bureau of Labor Statistics (2019)
Number of people per hospital | −0.34 | U.S. Bureau of Labor Statistics (2019)

Source(s): Table by authors

Recommendation for additional healthcare security policies for states

The policy issue | State health policies have not evolved as fast as the methods of hacking/IT incidents, and they do not address novel hacking methods specifically
What new policies are required? | Policies that address specific novel hacking techniques (e.g. business email compromise, phishing, ransomware)
How can new policies address the issue? | Policies can address four facets of requirements for covered entities:
    Deterrence: Prepare and increase security educational training programs covering novel hacking techniques
    Prevention: Implement and enforce policies with a punishment system for hacking incidents, such as those already in place for theft or unauthorized disclosure
    Detection: Implement particular safeguards based on the type of IT incidents/hacking methods
    Recovery: Create specific guidelines for post-breach actions based on the type of incident
Based on socioeconomic factors, which states must prioritize enacting new policies? | States with higher populations and numbers of covered entities and employees. Wealthier states must prioritize devising statewide anti-hacking policies in their healthcare sector

Source(s): Table by authors

Examples of practical applications of the framework

Prioritization question | Which type of data must be secured first? | What types of software threats must be prioritized first? | Which types of threat detection must be prioritized first? | Which actions must be prioritized after a breach?
Framework steps:
Determine the cybersecurity function | Protect/Prevention | Protect/Prevention | Detection | Recovery
Select the appropriate threat-modeling approach | CORAS (Asset-Driven Risk Modeling) | STRIDE | PASTA (Attack and Threat Modeling) | Integrated Data Breach Risk Model
Determine risk indicators and their weight | Decided based on the criteria and the availability of data (firsthand data collection, secondary public or proprietary data); applies to all four questions
Apply MCDM technique(s) and determine rankings | Choose the technique based on the attributes of the indicators; using additional techniques for robustness checks is highly recommended (see Toloie-Eshlaghy and Homayonfar (2011) for a comprehensive history of the methodology); applies to all four questions
Integrate findings with security risk planning | Risk Analysis | Risk Analysis | Alternative Generation | Planning Decisions

Source(s): Table by authors

Ranking based on CoCoSo, MABAC, MAIRCA

Rank | CoCoSo state | k | MABAC state | Q | MAIRCA state | Q
1 | CA | 0.996 | CA | −0.690 | CA | 0.018
2 | TX | 1.903 | TX | −0.549 | TX | 0.015
3 | NY | 2.507 | NY | −0.424 | NY | 0.012
4 | FL | 2.657 | FL | −0.384 | FL | 0.012
5 | IN | 3.261 | PA | −0.164 | PA | 0.007
6 | PA | 3.456 | IN | −0.125 | IN | 0.006
7 | MA | 3.521 | MN | −0.100 | MN | 0.006
8 | MN | 3.679 | OH | −0.097 | OH | 0.006
9 | OH | 3.683 | MA | −0.096 | MA | 0.006
10 | GA | 3.746 | GA | −0.081 | GA | 0.006
11 | WA | 3.751 | WA | −0.080 | WA | 0.006
12 | MI | 3.906 | MI | −0.035 | MI | 0.005
13 | IL | 3.931 | IL | −0.028 | IL | 0.005
14 | TN | 3.959 | TN | −0.020 | TN | 0.004
15 | NC | 3.981 | NC | −0.014 | NC | 0.004
16 | CT | 4.002 | CT | −0.008 | CT | 0.004
17 | MD | 4.006 | MD | −0.007 | MD | 0.004
18 | AZ | 4.054 | AZ | 0.007 | AZ | 0.004
19 | KY | 4.065 | KY | 0.010 | KY | 0.004
20 | VA | 4.068 | VA | 0.011 | VA | 0.004
21 | NJ | 4.077 | NJ | 0.014 | NJ | 0.004
22 | OR | 4.081 | OR | 0.015 | OR | 0.004
23 | MO | 4.165 | MO | 0.039 | MO | 0.003
24 | IA | 4.194 | IA | 0.047 | IA | 0.003
25 | AR | 4.207 | AR | 0.051 | AR | 0.003
26 | CO | 4.243 | CO | 0.062 | CO | 0.003
27 | WI | 4.271 | WI | 0.070 | WI | 0.003
28 | SC | 4.292 | SC | 0.076 | SC | 0.002
29 | LA | 4.359 | LA | 0.095 | LA | 0.002
30 | NV | 4.369 | NV | 0.098 | NV | 0.002
31 | AL | 4.380 | AL | 0.101 | AL | 0.002
32 | NM | 4.423 | NM | 0.114 | NM | 0.002
33 | MS | 4.445 | MS | 0.120 | MS | 0.002
34 | WV | 4.482 | WV | 0.131 | WV | 0.001
35 | OK | 4.495 | OK | 0.135 | OK | 0.001
36 | UT | 4.530 | UT | 0.145 | UT | 0.001
37 | ME | 4.531 | ME | 0.145 | ME | 0.001
38 | DE | 4.531 | DE | 0.145 | DE | 0.001
39 | KS | 4.551 | KS | 0.151 | KS | 0.001
40 | NE | 4.554 | NE | 0.152 | NE | 0.001
41 | AK | 4.555 | AK | 0.152 | AK | 0.001
42 | HI | 4.577 | HI | 0.158 | HI | 0.001
43 | NH | 4.596 | NH | 0.164 | NH | 0.001
44 | MT | 4.601 | MT | 0.165 | MT | 0.001
45 | RI | 4.603 | RI | 0.166 | RI | 0.001
46 | VT | 4.624 | VT | 0.172 | VT | 0.001
47 | ID | 4.647 | ID | 0.179 | ID | 0.000
48 | ND | 4.665 | ND | 0.184 | ND | 0.000
49 | WY | 4.675 | WY | 0.187 | WY | 0.000
50 | SD | 4.679 | SD | 0.188 | SD | 0.000

Note(s): 1: most at risk; 50: least at risk

Source(s): Table by authors

Comparison of findings between methods

Rank | GRA (ζ=0.5) | CoCoSo | MABAC | MAIRCA | State ranking is
1 | CA | CA | CA | CA | Supported by 4 methods
2 | TX | TX | TX | TX | Supported by 4 methods
3 | NY | NY | NY | NY | Supported by 4 methods
4 | FL | FL | FL | FL | Supported by 4 methods
5 | PA | IN | PA | PA | Supported by 3 methods
6 | IN | PA | IN | IN | Supported by 3 methods
7 | MN | MA | MN | MN | Supported by 3 methods
8 | OH | MN | OH | OH | Supported by 3 methods
9 | MA | OH | MA | MA | Supported by 3 methods
10 | GA | GA | GA | GA | Supported by 4 methods
11 | WA | WA | WA | WA | Supported by 4 methods
12 | MI | MI | MI | MI | Supported by 4 methods
13 | IL | IL | IL | IL | Supported by 4 methods
14 | TN | TN | TN | TN | Supported by 4 methods
15 | NC | NC | NC | NC | Supported by 4 methods
16 | CT | CT | CT | CT | Supported by 4 methods
17 | MD | MD | MD | MD | Supported by 4 methods
18 | AZ | AZ | AZ | AZ | Supported by 4 methods
19 | KY | KY | KY | KY | Supported by 4 methods
20 | VA | VA | VA | VA | Supported by 4 methods
21 | NJ | NJ | NJ | NJ | Supported by 4 methods
22 | OR | OR | OR | OR | Supported by 4 methods
23 | MO | MO | MO | MO | Supported by 4 methods
24 | IA | IA | IA | IA | Supported by 4 methods
25 | AR | AR | AR | AR | Supported by 4 methods
26 | CO | CO | CO | CO | Supported by 4 methods
27 | WI | WI | WI | WI | Supported by 4 methods
28 | SC | SC | SC | SC | Supported by 4 methods
29 | LA | LA | LA | LA | Supported by 4 methods
30 | NV | NV | NV | NV | Supported by 4 methods
31 | AL | AL | AL | AL | Supported by 4 methods
32 | NM | NM | NM | NM | Supported by 4 methods
33 | MS | MS | MS | MS | Supported by 4 methods
34 | WV | WV | WV | WV | Supported by 4 methods
35 | OK | OK | OK | OK | Supported by 4 methods
36 | UT | UT | UT | UT | Supported by 4 methods
37 | ME | ME | ME | ME | Supported by 4 methods
38 | DE | DE | DE | DE | Supported by 4 methods
39 | KS | KS | KS | KS | Supported by 4 methods
40 | NE | NE | NE | NE | Supported by 4 methods
41 | AK | AK | AK | AK | Supported by 4 methods
42 | HI | HI | HI | HI | Supported by 4 methods
43 | NH | NH | NH | NH | Supported by 4 methods
44 | MT | MT | MT | MT | Supported by 4 methods
45 | RI | RI | RI | RI | Supported by 4 methods
46 | VT | VT | VT | VT | Supported by 4 methods
47 | ID | ID | ID | ID | Supported by 4 methods
48 | ND | ND | ND | ND | Supported by 4 methods
49 | WY | WY | WY | WY | Supported by 4 methods
50 | SD | SD | SD | SD | Supported by 4 methods

Note(s): 1: most at risk; 50: least at risk

Source(s): Table by authors

Supplementary materials

Table A1 (Table 1). Setting the objectives for prioritization decision in cybersecurity

NIST cybersecurity framework cores | Straub and Welke (1998) security action cycle | Objective | Outcome
Identify | Deterrence | Enhancement of organizational understanding of cybersecurity risk to systems, people, assets, data, and capabilities | Passive countermeasures; guidelines, best practices, advisories, reminders
Protect | Prevention | Development and implementation of appropriate safeguards | Active countermeasures; enforceable policies, such as password and access control policies
Detect | Detection | Development and implementation of appropriate activities to recognize security events | Proactive countermeasures; intrusion detection systems, audits
Respond | Remedies | Development and implementation of appropriate activities to take action against security incidents | Reactive countermeasures; incident response procedures, disaster recovery
Recover | Remedies | Development and implementation of appropriate activities to maintain resiliency and restore any impaired services | Reactive countermeasures; incident response procedures, disaster recovery

Source(s): Table by authors

Table A2 (Table 2). Summary of framework application

Framework step | Application in this study | Source
Objective | Risk Identification/Deterrence | NIST Cyber Framework, Core Function 1 (National Institute of Standards and Technology, 2018); Security Action Cycle (Straub and Welke, 1998)
Criteria | Cause of Breach; Locus of Breach; Impact of Breach | Integrated Risk Model (Khan et al., 2021)
Indicators | Cause: Hacking/IT Incident, Improper Disposal, Loss, Theft, Unauthorized Access/Disclosure. Locus: Locations. Impact: PHI Stolen, Individuals Affected | U.S. Department of Health and Human Services Office for Civil Rights (2023)
Indicator Weight Determination | Experts’ Opinion | Best-Worst Method (BWM), Rezaei (2015)
Prioritization | Primary Analysis: Grey Relational Analysis (GRA) method; Robustness Checks: MABAC, MAIRCA, CoCoSo | Pamučar and Ćirović (2015), Pamučar et al. (2018), Wu (2009), Yazdani et al. (2019), Zhang et al. (2005)
Application | Recognition of Security Problem or Need; Risk Analysis | Risk Planning Model (Goodhue and Straub, 1991)

Source(s): Table by authors

References

Abdelwahed, I.M., Ramadan, N. and Hefny, H.A. (2020), “Cybersecurity risks of blockchain technology”, International Journal of Computer Applications, Vol. 177 No. 42, pp. 8-14, doi: 10.5120/ijca2020919922.

Al-Najjar, B. and Alsyouf, I. (2003), “Selecting the most efficient maintenance approach using fuzzy multiple criteria decision making”, International Journal of Production Economics, Vol. 84 No. 1, pp. 85-100, doi: 10.1016/s0925-5273(02)00380-8.

Benbasat, I. and Zmud, R.W. (2003), “The identity crisis within the IS discipline: defining and communicating the discipline's core properties”, MIS Quarterly, Vol. 27 No. 2, pp. 183-194, doi: 10.2307/30036527.

CalHHS (2022), “Statewide health information policy manual”, available at: https://www.chhs.ca.gov/ohii/health-laws/ (accessed 12 August 2022).

California Consumer Privacy Act (2018), available at: https://leginfo.legislature.ca.gov/faces/codes_displayText.xhtml?division=3.&part=4.&lawCode=CIV&title=1.81.5 (accessed 1 June 2023).

Chapple, M. and Shelly, J. (2021), IAPP CIPP/US Certified Information Privacy Professional Study Guide, Sybex.

Chen, L.Y. and Wang, T.-C. (2009), “Optimizing partners' choice in IS/IT outsourcing projects: the strategic decision of fuzzy VIKOR”, International Journal of Production Economics, Vol. 120 No. 1, pp. 233-242, doi: 10.1016/j.ijpe.2008.07.022.

Colorado Privacy Act (2022), available at: https://leg.colorado.gov/sites/default/files/2021a_190_signed.pdf (accessed 1 June 2023).

Connecticut Data Privacy Act (2022), available at: https://www.cga.ct.gov/2022/ACT/PA/PDF/2022PA-00015-R00SB-00006-PA.PDF (accessed 2 June 2023).

Davenport, T.H. and Markus, M.L. (1999), “Rigor vs. Relevance revisited: response to Benbasat and Zmud”, MIS Quarterly, Vol. 23 No. 1, pp. 19-23, doi: 10.2307/249405.

Desai, A. (2023), “US state privacy legislation tracker”, available at: https://iapp.org/resources/article/us-state-privacy-legislation-tracker/ (accessed 24 May 2023).

Diakoulaki, D., Mavrotas, G. and Papayannakis, L. (1995), “Determining objective weights in multiple criteria problems: the critic method”, Computers and Operations Research, Vol. 22 No. 7, pp. 763-770, doi: 10.1016/0305-0548(94)00059-h.

Díaz-Balteiro, L. and Romero, C. (2004), “In search of a natural systems sustainability index”, Ecological Economics, Vol. 49 No. 3, pp. 401-405, doi: 10.1016/j.ecolecon.2004.02.005.

Dolezel, D. and McLeod, A. (2019), “Cyber-analytics: identifying discriminants of data breaches”, Perspectives in Health Information Management, Vol. 16 Summer.

Fontana, A. and James, F. (2005), “The interview”, in The Sage Handbook of Qualitative Research.

Garrity, M. (2019), “5% of hospital IT budgets go to cybersecurity despite 82% of hospitals reporting breaches”, available at: https://www.beckershospitalreview.com/cybersecurity/5-of-hospital-it-budgets-go-to-cybersecurity-despite-82-of-hospitals-reporting-breaches.html (accessed 20 November 2022).

Gigović, L., Pamučar, D., Bajić, Z. and Milićević, M. (2016), “The combination of expert judgment and GIS-MAIRCA analysis for the selection of sites for ammunition depots”, Sustainability, Vol. 8 No. 4, p. 372, doi: 10.3390/su8040372.

Giles, B. (2022), “Top 10 states where your medical data is most likely to be breached”, available at: https://www.beckershospitalreview.com/cybersecurity/top-10-states-where-your-medical-data-is-most-likely-to-be-breached.html (accessed 12 November 2022).

Goodhue, D.L. and Straub, D.W. (1991), “Security concerns of system users: a study of perceptions of the adequacy of security”, Information and Management, Vol. 20 No. 1, pp. 13-27, doi: 10.1016/0378-7206(91)90024-v.

Gürbüz, T., Alptekin, S.E. and Alptekin, G.I. (2012), “A hybrid MCDM methodology for ERP selection problem with interacting criteria”, Decision Support Systems, Vol. 54 No. 1, pp. 206-214, doi: 10.1016/j.dss.2012.05.006.

Health Information and The Law (2020), “Healthcare laws in each state”, available at: http://www.healthinfolaw.org/state (accessed 21 October 2022).

Health Sector Cybersecurity Coordination Center (2019), “A cost analysis of healthcare sector data breaches”, available at: https://www.hhs.gov/sites/default/files/cost-analysis-of-healthcare-sector-data-breaches.pdf (accessed 11 November 2022).

Herbert, S. (1959), “Theories of decision-making in economics and behavioral science”, The American Economic Review, Vol. 49, pp. 253-283.

HIPAA Journal (2019), “HIPAA history”, available at: https://www.hipaajournal.com/hipaa-history/ (accessed 5 November 2022).

IAPP (2023), “Comprehensive consumer privacy bills”, available at: https://iapp.org/media/pdf/resource_center/State_Comp_Privacy_Law_Chart.pdf (accessed 1 June 2023).

IBM (2022), “Cost of a data breach report”, available at: https://www.ibm.com/security/data-breach (accessed 5 December 2022).

Indiana Consumer Data Protection Act (2023), available at: https://legiscan.com/IN/text/SB0005/id/2628665 (accessed 31 May 2023).

International Standard Organization (2022), “ISO/IEC 27002:2022, Information security, cybersecurity and privacy protection—information security controls”, available at: https://www.iso.org/obp/ui/#iso:std:iso-iec:27002:ed-3:v2:en (accessed 29 May 2023).

Iowa Consumer Data Protection Act (2023), available at: https://www.legis.iowa.gov/legislation/BillBook?ga=90&ba=SF%20262 (accessed 1 June 2023).

Jato-Espino, D., Castillo-Lopez, E., Rodriguez-Hernandez, J. and Canteras-Jordana, J.C. (2014), “A review of application of multi-criteria decision making methods in construction”, Automation in Construction, Vol. 45, pp. 151-162, doi: 10.1016/j.autcon.2014.05.013.

Julong, D. (1989), “Introduction to grey system theory”, The Journal of Grey System, Vol. 1 No. 1, pp. 1-24.

Kaiser Family Foundation (2022), “Total gross state product (GSP)”, available at: https://www.kff.org/other/state-indicator/total-gross-state-product/ (accessed 1 June 2023).

Khan, F., Kim, J.H., Mathiassen, L. and Moore, R. (2021), “Data breach management: an integrated risk model”, Information and Management, Vol. 58 No. 1, 103392, doi: 10.1016/j.im.2020.103392.

Kohnfelder, L. and Garg, P. (1999), The Threats to Our Products, Microsoft Interface, Microsoft Corporation, Vol. 33.

Kornyshova, E. and Salinesi, C. (2007), “MCDM techniques selection approaches: state of the art”, 2007 IEEE Symposium on Computational Intelligence in Multi-Criteria Decision-Making. doi: 10.1109/mcdm.2007.369412.

Kuo, Y., Yang, T. and Huang, G.-W. (2008a), “The use of a grey-based Taguchi method for optimizing multi-response simulation problems”, Engineering Optimization, Vol. 40 No. 6, pp. 517-528, doi: 10.1080/03052150701857645.

Kuo, Y., Yang, T. and Huang, G.-W. (2008b), “The use of grey relational analysis in solving multiple attribute decision-making problems”, Computers and Industrial Engineering, Vol. 55 No. 1, pp. 80-93, doi: 10.1016/j.cie.2007.12.002.

Landi, H. (2019), “Average cost of healthcare data breach rises to $7.1M, according to IBM report”, Fierce Healthcare, available at: https://www.fiercehealthcare.com/tech/average-cost-healthcare-data-breach-rises-to-7-1m-according-to-ibm-report (accessed 1 December 2023).

Landi, H. (2022), “Healthcare data breach costs reach record high at $10M per attack: IBM report”, Fierce Healthcare, available at: https://www.fiercehealthcare.com/health-tech/healthcare-data-breach-costs-reach-record-high-10m-attack-ibm-report (accessed 1 December 2023).

Liang, H. and Xue, Y. (2009), “Avoidance of information technology threats: a theoretical perspective”, MIS Quarterly, Vol. 33 No. 1, p. 71.

Lund, M.S., Solhaug, B. and Stølen, K. (2010), Model-driven Risk Analysis: the CORAS Approach, Springer Science & Business Media, Berlin, Heidelberg.

Lyytinen, K., Mathiassen, L. and Ropponen, J. (1998), “Attention shaping and software risk—a categorical analysis of four classical risk management approaches”, Information Systems Research, Vol. 9 No. 3, pp. 233-255, doi: 10.1287/isre.9.3.233.

Maalem Lahcen, R.A., Caulkins, B., Mohapatra, R. and Kumar, M. (2020), “Review and insight on the behavioral aspects of cybersecurity”, Cybersecurity, Vol. 3 No. 1, pp. 1-18, doi: 10.1186/s42400-020-00050-w.

McKeon, J. (2022), “US orgs have suffered 5,000 healthcare data breaches since 2009”, available at: https://healthitsecurity.com/news/us-orgs-have-suffered-5000-healthcare-data-breaches-since-2009 (accessed 9 October 2022).

Montana Consumer Data Privacy Act (2023), available at: https://leg.mt.gov/bills/2023/billpdf/SB0384.pdf (accessed 1 June 2023).

Moody, G.D., Siponen, M. and Pahnila, S. (2018), “Toward a unified model of information security policy compliance”, MIS Quarterly, Vol. 42 No. 1, pp. 285-311, doi: 10.25300/MISQ/2018/13853.

Morgan, D.L. (1996), “Focus groups”, Annual Review of Sociology, Vol. 22 No. 1, pp. 129-152, doi: 10.1146/annurev.soc.22.1.129.

Mukhametzyanov, I. (2021), “Specific character of objective methods for determining weights of criteria in MCDM problems: entropy, CRITIC and SD”, Decision Making: Applications in Management and Engineering, Vol. 4 No. 2, pp. 76-105, doi: 10.31181/dmame210402076i.

Nance, W.D. and Straub, D.W. (1988), “An investigation into the use and usefulness of security software in detecting computer abuse”, ICIS 1988 Proceedings, available at: https://aisel.aisnet.org/icis1988/36/

National Institute of Standards and Technology (2018), “Framework for improving critical infrastructure cybersecurity”, available at: https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf (accessed 13 October 2022).

Nikkhah, H.R. and Grover, V. (2022), “An empirical investigation of company response to data breaches”, Management Information Systems Quarterly, Vol. 46 No. 4, pp. 2163-2196, doi: 10.25300/misq/2022/16609.

Pamučar, D. and Ćirović, G. (2015), “The selection of transport and handling resources in logistics centers using Multi-Attributive Border Approximation area Comparison (MABAC)”, Expert Systems with Applications, Vol. 42 No. 6, pp. 3016-3028, doi: 10.1016/j.eswa.2014.11.057.

Pamucar, D.S., Pejcic Tarle, S. and Parezanovic, T. (2018), “New hybrid multi-criteria decision-making DEMATEL-MAIRCA model: sustainable selection of a location for the development of multimodal logistics centre”, Economic Research-Ekonomska Istraživanja, Vol. 31 No. 1, pp. 1641-1665, doi: 10.1080/1331677x.2018.1506706.

Petrović, G., Mihajlović, J., Ćojbašić, Ž., Madić, M. and Marinković, D. (2019), “Comparison of three fuzzy MCDM methods for solving the supplier selection problem”, Facta Universitatis, Series: Mechanical Engineering, Vol. 17 No. 3, pp. 455-469, doi: 10.22190/fume190420039p.

Qin, J., Ma, X. and Liang, Y. (2023), “Building a consensus for the best-worst method in group decision-making with an optimal allocation of information granularity”, Information Sciences, Vol. 619, pp. 630-653, doi: 10.1016/j.ins.2022.11.070.

Rezaei, J. (2015), “Best-worst multi-criteria decision-making method”, Omega, Vol. 53, pp. 49-57, doi: 10.1016/j.omega.2014.11.009.

Ross, R. (2018), Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy, Special Publication (NIST SP), National Institute of Standards and Technology, Gaithersburg, MD, available at: https://doi.org/10.6028/NIST.SP.800-37r2 (accessed 31 May 2023).

Ryan, K.E., Gandha, T., Culbertson, M.J. and Carlson, C. (2014), “Focus group evidence: implications for design and analysis”, American Journal of Evaluation, Vol. 35 No. 3, pp. 328-345, doi: 10.1177/1098214013508300.

Samuelson, W. and Zeckhauser, R. (1988), “Status quo bias in decision making”, Journal of Risk and Uncertainty, Vol. 1 No. 1, pp. 7-59, doi: 10.1007/bf00055564.

Schmeelk, S. (2019), “Where is the risk? Analysis of Government reported patient medical data breaches”, IEEE/WIC/ACM International Conference on Web Intelligence - Companion Volume. doi: 10.1145/3358695.3361754.

Seh, A.H., Zarour, M., Alenezi, M., Sarkar, A.K., Agrawal, A., Kumar, R. and Ahmad Khan, R. (2020), “Healthcare data breaches: insights and implications”, Healthcare, Vol. 8 No. 2, p. 133, doi: 10.3390/healthcare8020133.

Sen, R. and Borle, S. (2015), “Estimating the contextual risk of data breach: an empirical approach”, Journal of Management Information Systems, Vol. 32 No. 2, pp. 314-341, doi: 10.1080/07421222.2015.1063315.

Stević, Ž., Pamučar, D., Puška, A. and Chatterjee, P. (2020), “Sustainable supplier selection in healthcare industries using a new MCDM method: measurement of alternatives and ranking according to COmpromise solution (MARCOS)”, Computers and Industrial Engineering, Vol. 140, 106231, doi: 10.1016/j.cie.2019.106231.

Stojčić, M., Zavadskas, E.K., Pamučar, D., Stević, Ž. and Mardani, A. (2019), “Application of MCDM methods in sustainability engineering: a literature review 2008-2018”, Symmetry, Vol. 11 No. 3, p. 350, doi: 10.3390/sym11030350.

Straub, D.W. and Welke, R.J. (1998), “Coping with systems risk: security planning models for management decision making”, MIS Quarterly, Vol. 22 No. 4, pp. 441-469, doi: 10.2307/249551.

Tavana, M., Smither, J.W. and Anderson, R.V. (2007), “D-side: a facility and workforce planning group multi-criteria decision support system for Johnson Space Center”, Computers and Operations Research, Vol. 34 No. 6, pp. 1646-1673, doi: 10.1016/j.cor.2005.06.020.

Tennessee Information Protection Act (2023), available at: https://legiscan.com/TN/text/HB1181/id/2672877 (accessed 1 June 2023).

Texas Privacy and Security Act (2023), available at: https://capitol.texas.gov/tlodocs/86R/billtext/pdf/HB04518I.pdf (accessed 1 June 2023).

The HIPAA Guide (2022), “Healthcare data breach statistics”, available at: https://www.hipaaguide.net/healthcare-data-breach-statistics/ (accessed 29 May 2023).

Toloie-Eshlaghy, A. and Homayonfar, M. (2011), “MCDM methodologies and applications: a literature review from 1999 to 2009”, Research Journal of International Studies, Vol. 21, pp. 86-137.

Torbacki, W. (2021), “A hybrid MCDM model combining DANP and PROMETHEE II methods for the assessment of cybersecurity in industry 4.0”, Sustainability, Vol. 13 No. 16, p. 8833, doi: 10.3390/su13168833.

UcedaVelez, T. and Morana, M.M. (2015), Risk Centric Threat Modeling: Process for Attack Simulation and Threat Analysis, John Wiley & Sons.

U.S. Bureau of Labor Statistics (2019), “The Economics Daily, Number of hospitals and hospital employment in each state in 2019”, available at: https://www.bls.gov/opub/ted/2020/number-of-hospitals-and-hospital-employment-in-each-state-in-2019.htm (accessed 28 May 2023).

U.S. Census Bureau (2021), “1990, 2000, 2010, 2020 Censuses of population, and the population estimate program”, available at: https://data.ers.usda.gov/reports.aspx?ID=17827 (accessed 1 June 2023).

US Department of Health and Human Services (2013), “HIPAA Administrative Simplification”, 45 CFR Parts 160, 162, and 164, available at: http://www.hhs.gov/sites/default/files/hipaa-simplification-201303.pdf (accessed 11 November 2023).

U.S. Department of Health and Human Services (2023a), “HIPAA security rule”, available at: https://www.hhs.gov/hipaa/for-professionals/security/index.html (accessed 9 October 2022).

U.S. Department of Health and Human Services (2023b), “The HIPAA privacy rule”, available at: https://www.hhs.gov/hipaa/for-professionals/privacy/index.html (accessed 9 October 2022).

U.S. Department of Health and Human Services Office for Civil Rights (2013), “HIPAA administrative simplification, no. 45 C.F.R 160”, available at: https://www.hhs.gov/sites/default/files/ocr/privacy/hipaa/administrative/combined/hipaa-simplification-201303.pdf (accessed 9 October 2022).

U.S. Department of Health and Human Services Office for Civil Rights (2023), “Breach portal: notice to the secretary of HHS breach of unsecured protected health information”, available at: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf (accessed 10 September 2022).

Utah Consumer Privacy Act (2023), available at: https://le.utah.gov/~2022/bills/static/SB0227.html (accessed 28 May 2023).

Virginia Consumer Data Protection Act (2023), available at: https://law.lis.virginia.gov/vacodefull/title59.1/chapter53/ (accessed 28 May 2023).

Wang, Y.-M. and Chin, K.-S. (2009), “A new data envelopment analysis method for priority determination and group decision making in the analytic hierarchy process”, European Journal of Operational Research, Vol. 195 No. 1, pp. 239-250, doi: 10.1016/j.ejor.2008.01.049.

Wang, J.-J., Jing, Y.-Y., Zhang, C.-F. and Zhao, J.-H. (2009), “Review on multi-criteria decision analysis aid in sustainable energy decision-making”, Renewable and Sustainable Energy Reviews, Vol. 13 No. 9, pp. 2263-2278, doi: 10.1016/j.rser.2009.06.021.

Wei, G.-W. (2011), “Grey relational analysis method for 2-tuple linguistic multiple attribute group decision making with incomplete weight information”, Expert Systems with Applications, Vol. 38 No. 5, pp. 4824-4828, doi: 10.1016/j.eswa.2010.09.163.

Whitman, M.E. and Mattord, H.J. (2021), Principles of Incident Response and Disaster Recovery, Cengage Learning.

Wikina, S.B. (2014), “What caused the breach? An examination of use of information technology and health data breaches”, Perspectives in Health Information Management, Vol. 11 Fall.

Wilkinson, S. (1998), “Focus group methodology: a review”, International Journal of Social Research Methodology, Vol. 1 No. 3, pp. 181-203, doi: 10.1080/13645579.1998.10846874.

Willison, R. and Warkentin, M. (2013), “Beyond deterrence: an expanded view of employee computer abuse”, MIS Quarterly, Vol. 37, pp. 1-20, doi: 10.25300/misq/2013/37.1.01.

Wu, D.D. (2009), “Supplier selection in a fuzzy group setting: a method using grey related analysis and Dempster–Shafer theory”, Expert Systems with Applications, Vol. 36 No. 5, pp. 8892-8899, doi: 10.1016/j.eswa.2008.11.010.

Yazdani, M., Zarate, P., Kazimieras Zavadskas, E. and Turskis, Z. (2019), “A combined compromise solution (CoCoSo) method for multi-criteria decision-making problems”, Management Decision, Vol. 57 No. 9, pp. 2501-2519, doi: 10.1108/md-05-2017-0458.

Zavadskas, E.K. and Turskis, Z. (2011), “Multiple criteria decision making (MCDM) methods in economics: an overview”, Technological and Economic Development of Economy, Vol. 17 No. 2, pp. 397-427, doi: 10.3846/20294913.2011.593291.

Zavadskas, E.K., Turskis, Z. and Kildienė, S. (2014), “State of art surveys of overviews on MCDM/MADM methods”, Technological and Economic Development of Economy, Vol. 20 No. 1, pp. 165-179, doi: 10.3846/20294913.2014.892037.

Zhang, G. and Lu, J. (2009), “A linguistic intelligent user guide for method selection in multi-objective decision support systems”, Information Sciences, Vol. 179 No. 14, pp. 2299-2308, doi: 10.1016/j.ins.2009.01.043.

Zhang, J., Wu, D. and Olson, D.L. (2005), “The method of grey related analysis to multiple attribute decision making problems with interval numbers”, Mathematical and Computer Modelling, Vol. 42 Nos 9-10, pp. 991-998, doi: 10.1016/j.mcm.2005.03.003.

Corresponding author

Amir Fard Bahreini can be contacted at: fardbaha@uww.edu

About the author

Amir Fard Bahreini, Ph.D., CIPP/US, is an assistant professor of Information Technology and Supply Chain Management at the University of Wisconsin-Whitewater. He holds a Ph.D. in Business Administration with a focus on Management Information Systems from the University of British Columbia. He has obtained his MBA and MSc from the University of Oklahoma. His research focuses on the role of privacy laws in organizations, risk management, and contemporary issues in behavioral information security, such as addressing inadvertent human errors and application of cognitive decision models. His works have been published in proceedings of ICIS, HICSS, and journals such as Information and Management and IEEE Transactions on Engineering Management.
