Does Sharing Make My Data More Insecure? An Empirical Study on Health Information Exchange and Data Breaches

This paper examines the information security implications of participating in inter-organizational systems (IOS) in the context of the healthcare industry. Public concern regarding data breach risks has increased as more hospitals share their data through electronic Health Information Exchange (HIE) systems, a type of IOS.

To study the impact of joining an HIE on a hospital’s data breach risk, we use six-year panel data on hospital characteristics, HIE participation status, and data breach incidents from multiple sources.

The results show that the likelihood that a hospital experiences data breaches decreases by 1.7 percentage points (43% reduction) after joining an HIE.

Furthermore, we find that the magnitude of breach risk reduction is larger for HIE member hospitals with a higher ex-ante IT security investment level. Also, the likelihood of data breaches caused by insiders or illegal access to IT systems significantly decreases after a hospital joins an HIE (whereas there is no significant impact on breaches caused by outsiders or physical breaches).

This paper contributes to the information systems literature by studying the overall impact of IOS adoption on organizational data breaches. It also sheds light on the mechanisms of data security governance in the IOS context.