Optimal information security investment in a Healthcare Information Exchange: An economic analysis

• This study helps determine security investment by organizations in an HIE.
• The HIE environment is modeled with scale-free network principles.
• Both risk reduction and business benefits are considered as values of investment.
• Only events with potential loss above a critical level are worth protecting against.
• Security risks may be transferred from one organization to another unintentionally.

The complexity of the problem, the increasing security breaches, and the regulatory and financial consequences of breached patient data highlight the fact that security of electronic patient information in Healthcare Information Exchanges (HIEs) is an organizational imperative and a research priority. This study applies classical economic decision analysis techniques and models the HIE based on its network characteristics to offer key insights into the issue of determining the optimal level of information security investment. We find that for an organization in a HIE, only security events with the potential loss reaching some critical value are worth protecting, and organizations would only spend a fraction of the intrinsic security risk on protection measures. Even when business benefit from security investment exists, organizations in a HIE tend to invest based on risk reduction alone. The implications of such decisions made at the node level and the resulting built-in moral hazard at the HIE level is discussed.