Research News

For secure health care data, thwart the attacks of tomorrow – not yesterday

Jesse Ehrenfeld
Jesse Ehrenfeld, director of perioperative data systems research, points out specific areas of perioperative informatics use in ORs and other clinical spaces.

The best way to keep digital health care records safe is to invest in proactive measures that aim to help security specialists stay a step ahead of hackers, said the dean of Vanderbilt’s Owen Graduate School of Management.

Eric Johnson
M. Eric Johnson (Vanderbilt University)

“In most areas of health care the adage that ‘an ounce of prevention is worth a pound of cure’ holds true,” said M. Eric Johnson on his blog at the Owen School. “But for information security professionals in the field, the answer has not been so clear.”

One group of researchers advocates sticking to using past attacks as the guideline to building defenses. Others – including Johnson – believe more must be anticipated on the front end if real security is to be attained.

“Investments in preventing security breaches help stimulate organizational learning, a point for which the research literature provides some support,” Johnson said. “Rather than simply reacting to failures, proactive initiatives involve identifying weaknesses and investing in the most likely failure points.”

Johnson was recently named the principal co-investigator on a $10-million, five-year grant from the Secure and Trustworthy Cyberspace Program of the National Science Foundation to examine security and privacy issues surrounding the transition to electronic health information.

A study set to appear later this fall will provide evidence that proactive security investments are more effective than reactive ones, Johnson said.

“Examining the security investment decisions and breach history of 2,386 U.S. hospitals over a five-year period, we found that proactive investments were associated with lower security failure rates than investments made in reaction to breaches,” Johnson said. “Combine that with the costs of breach disclosure and security program costs and we show that proactive investments are more cost effective than reactive investments.”