A new research study has come to a sobering conclusion – that investing more in IT security doesn’t necessarily reduce the number of breaches.
The research, which appeared in MIS Quarterly, looked at how many breaches hospitals experienced relative to their IT security spending. The study authors started with the assumption that hospitals spending more on security would enjoy better protection from breaches.
The researchers assumed that, looked at broadly, some security investments were “symbolic,” making superficial improvements that don’t get to the root of the problem, while others were substantive investments that met well-defined security needs.
After reviewing their data, researchers noted that many classes of hospitals turned out to be symbolic security investors, including members of smaller health systems, older hospitals, smaller hospitals and for-profit hospitals. They also noted that faith-based and less-entrepreneurial hospitals were prone to such investments. The only category of hospitals routinely making substantive security investments was teaching hospitals.
But that’s far from all. Their more controversial conclusions focused on the role of IT security investments in preventing security breaches. In short, their conclusion was pretty counterintuitive.
First, they found that larger IT security investments did not in and of themselves lower the likelihood of security breaches. Not only that, researchers concluded that the benefits of substantive adoption wouldn’t generate greater breach protection over time.
Researchers also concluded that the benefits of substantive IT security adoption by hospitals would take time to be realized. If I’m reading this correctly, mature IT security systems should offer more advantages over time, but not necessarily better breach protection.
Meanwhile, researchers concluded that the negative consequences of symbolic adoption would grow worse over time.
I don’t know about you, but I was pretty surprised by these results. Why wouldn’t substantively increasing security spending reduce the occurrence of breaches within hospitals? It’s something of a head-scratcher.
Of course, the answer to this question may lie in what type of substantive security investment hospitals make. The current set of results suggests, to me at least, that current technologies may not be as good at preventing breaches as they should be. Or maybe hospitals are investing in good technology but not hiring enough IT security experts to get the installation done right. Plus, purchasing security infrastructure can only do so much to stop bad user behavior. The issue deserves further research.
Regardless, this study offers food for thought. The industry can’t afford to do a bad job of preventing breaches.