Information assurance or IA is essential to prevent data breaches because of the idea of making sure data is correctly stored to protect the user’s data. AI (Artificial Intelligence) stands by these simple principles: integrity, availability, authenticity, confidentiality, and non-repudiation [6]. These risk assessments help organizations identify vulnerabilities capable of allowing threats to impact an entire infrastructure, individual systems, or business processes; information assurance risk evaluation provides knowledge about the probability of a threat exploiting an asset’s vulnerability as well as the potential impact it could have from a cost, business operation, compliance, or technology perspective [6].

Information assurance identifies ways to control and safeguard critical information in a more effective manner, stressing organizational risk management and overall information quality [7]. IA is typically a broader strategic initiative comprised of a wide range of information protection and management processes; some examples of this can include security audits, network architecture, compliance audits, database management and development, implementation, and enforcement of organizational information management polices [7]. The goal is to main data integrity, reliability, and accessibility, including taking precautions against unauthorized destruction or alteration of information and ensuring non-repudiation and the authenticity of data [7]. The main goals of information assurance will make it an ideal method for helping prevent future data breaches.

To protect the healthcare sector’s data system, we must understand that HIPAA and EMRs (Electronic Medical Records) give assurance to protect the privacy and security of PHI (Protected Health Information) that must be managed in a technologically driven environment. A company under any healthcare service can acquire technological tools that can aid in monitoring security and privacy compliance to assure security. Trish Markus (2004) questioned the establishment of a “culture of compliance,” that indicates management involvement and commitment issues through employee communication and training procedures about information assurance. Mercuri (2004) quoted a chief information officer as stating that HIPAA “compliance is not sold in a bottle,” where, “providing employees with policies and procedures for their job classification and requiring them to read and sign off on them” is not adequate.

By the US Government’s definition information assurance is a measure that protects and defends information systems by ensuring their availability, integrity, authentication, confidentiality, and non-repudiation; these measures include providing for restoration of information systems by incorporating protection, detection, and reaction capabilities.

To build an effective information assurance we often debate between technology-related sources and theory building and testing sources. Both TRA and TAM utilize factors including individual patients’ beliefs, attitudes, and intention to adopt technology such as EMRs that assure the information assurance policy associated with those EMRs. In the study of Hu, Chau, and Tulu et al. (1999, 2002, 2003), they mentioned TAM as adequate, with exception to TAM’s explanation of attitude and intention. This theory builds the perception of telemedicine for physicians useful, Hu et al. (1999) suggested, “proper user training is essential. Attitude also significantly influenced physician behavioral intention”. Figure 3 below shows the theory of reasoned action.

The widely accepted theory of TRA has often been used to support normal relationships between external factors, beliefs, attitudes, intentions, and behavior. According to the article, “TAM is a TRA spin-off and has supported the intention to use, perceived usefulness, and behavior when adopting modern technology.” For information assurance, these theoretical techniques can examine the acceptance and compliance behavior of a system user who wants to adopt new organizational policies. In the context of information assurance, the TRA model will have the capability to capture the compliance of healthcare security and protect privacy policies.

The Health Insurance Portability and Accountability Act of 1996 was signed into law by President William “Bill” Clinton. This new law created the national standards to protect patient health information that was deemed sensitive from being exposed with the consent of the patient. During the time of its creation the requirement of electronic medical records was nowhere on the public radar. “As a part of the American Recovery and Reinvestment Act, all public and private healthcare providers and other eligible professionals were required to adopt and demonstrate “meaningful use” of electronic medical records (EMR) by January 1, 2014 in order to maintain their existing Medicaid and Medicare reimbursement levels”. The ARRA sent the entire medical industry into a tailspin requiring the change from paper filing too digital in five years’ time. While this was occurring, HIPAA was also updating with the new information by enacting the HIPAA Breach Notification Rule in 2009. “The HIPAA Breach Notification Rule, 45 CFR §§ 164.400-414, requires HIPAA covered entities and their business associates to provide notification following a breach of unsecured protected health information”. There is also a rule under the Federal Trade Commission, however for this paper we will focus on the Department of Health and Human Services (HHS). In HHA a data breach is defined as follows:

“An impermissible use or disclosure of protected health information is presumed to be a breach unless the covered entity or business assessment of at least the following factors:

1) The nature and extent of the protected health information involved, including the types of identifiers and likelihood of re-identification;

2) The unauthorized person who used the protected health information or to whom the disclosure was made;

3) Whether the protected health information or to whom the disclosure was made;

4) The extent to which the risk to the protected health information has been mitigated” [8].

HHA has also provided information on what is deemed as protected health information that is breached. “Unsecured protected health information is protected health information that has not been rendered unusable, unreadable, or indecipherable to unauthorized persons through the use of a technology or methodology specified by the Secretary in guidance” [8]. If an applicable covered healthcare provider or eligible entity were to encounter a data breach HHA has provided the steps to notify them. “Following a breach of unsecured protected health information, covered entities must provide notification of the breach to affected individuals, the Secretary, and in certain circumstances, to the media” [8]. The media must be notified by the protected entity if the data breach impacts over 500 residents of a state or jurisdiction. “Like individual notice, this media notification must be provided without unreasonable delay and in no case later than 60 days following the discovery of a breach…” [8].

In Section 3, we detail our proposed design that moves information assurance to the front of policies and procedures in the human service sector on the organizational level.

The healthcare sector has the highest cost record of data breaches compared to other industries in the past decade. The reason to get attracted to healthcare data is that the attacker can get insurance information, tax information, and social security number easily. This information helps the criminal to conduct insurance and tax fraud which is profitable. The following are some ideas that we can prevent data breaches in the healthcare sector.

According to HIPAA, it is necessary to analyze the existing system, keep it upgraded and have a backup plan when any major threat appears. Keeping the running system up to date prevents a lot of malicious activity and reduces the annual maintenance cost [9].

The first step the health care providers can take that submit their system to a security evaluation according to HIPAA and HITECH (Health Information Technology for Economic and Clinical Health) (Health Information Technology for Economic and Clinical Health) (Health Information Technology for Economic and Clinical Health). When a system goes through constant analysis, it is easier to detect threats and prevent them [9].

The staff need to be well educated and trained to prevent data breaches and the training process needs to be constant. When any new case or technology update comes by the employers need to set up a meeting and discuss the topics with staff. The staff should educate themselves with the upgrade and adopt changes of technology [9].

Encryption technologies can help migrate the components of cyberattacks. As we know, encrypted data is secured in case of lost data without breaches. Encryption can also save the company from government petitions [9].

In exit strategy the employees should leave the work premises with a proper logout log and the time-to-time records. Every exit action should be maintained with restrictions and time maintenance. The records need to be well maintained to prevent data leakage and should be done by employees and authorities. All the login credentials and passwords should automatically update and should be generated at every instance of time. The employees should be aware of the company security terms & conditions, and the legal actions if someone breaks them [9].

Software companies are constantly inventing and updating new products and technologies to protect data and healthcare companies should stay up to date to protect their data. Sometimes the protection can be costly, but it prevents vulnerabilities and increases security. Right patches and updates allow for organizations to control threats and let them not affect their businesses [9].

Many companies focus on the training of staff to reduce the number of data breaches they encounter. Physical human error has been a major impact of the safety of protected medical information, however that was prior to the mandate of electronic medical records. All entities that collect or have access to protected medical information must submit notification to the U.S. Department of Human and Health Services of data breaches. Figure 4 below shows the percentage of data breaches reported to HHS and business associates present during 2018-2020. As shown in Figure 4, upon review of the last three years of data breaches notifications collected there were 31% that occurred in the presence of an employee [10]. Agencies experienced more than 50% of their overall breaches due to hacking.

Figure 5 below shows the percentage of hacking incident office locations reported to HHS. Figure 5 takes a closer look into the hacking reported by the agencies it shows that top percentage of hacking location was email at 45% and network server at 38% [10].

The error in both scenarios can be related to not having a strong information assurance program at the agency. During the push to electronic medical records health providers focused on improving their equipment and left information assurance to the back burner as something their employees needed to learn. Figure 6 below shows the disconnection of IA from human service sector.

A hacker breached health care providers over 50 percent of the notifications over a three-year period with over 40 percent of the access location being email [10]. Typically hacking attacks via email occur with phishing emails sent to employees that have links that let the hackers into the company. To reduce the amount of data breaches caused by email phishing healthcare providers need to pour more into information assurance. Figure 7 shows a graphical relationship between EMR, medical equipment and IA.

Section 4 will discuss the analysis of design based on descriptive statistics, inferential statistics, and tree classifiers for our hypothesis using data reported to the U.S. Dept. Of Health and Human Services (HHS) breach notification repository.

The data collected from HHS data breach notification database offers quite an insight into the human service sector breaches. Figure 9 shows data breaches reported to HHS by state. The following graph displays notification based on which state has seen the most breaches in their human service sectors. The state of California had 109 reported breaches over the three-year period with only three entities with a repeat report. The state of Texas had 97 reported breaches over the three-year period with only four entities with a repeat report. There are some states that reported less than ten breaches over the three-year period which are Arkansas, Delaware, North & South Dakota, and Vermont.

Figure 10 shows data breaches reported to HHS by business associate present. The following graph shows a business associate was present at the time of the breach. For most of the breaches no one was present, therefore showing a preview into why information assurance is needed.

Figure 11 shows data breaches reported to HHS during 2018-2020. The following graph offers a look at the breakdown of breaches over the three-year period. In 2018 there were 369, in 2019 there were 477, and in 2020 there were 358 reported breaches, respectively.

The following set of tables is the summary statistics for each attribute in the dataset retrieved from HHS over the three-year period.

The top covered entity that reported breaches was Walmart Inc. with a frequency of six reports. The top covered entity type was Healthcare Provider with a frequency of 919. The top type of breach was Hacking/IT Incident with a frequency of 681. The top location of a breach was email with a frequency of 394.

Figure 12 displays the summary statistics for the attributes “Name of Covered Entity”, “State”, and “Covered Entity Type”. Both are categorical attributes, therefore the only information computed was the total count of records, the count of unique records, and the most frequent record. The top record for each attribute was Walmart Inc., California, and Healthcare Provider, respectively.

Figure 13 displays the summary statistics for the attributes “Individual Affected”, “Breach Submission Date”, and “Type of Breach”. The average number of people affected by the breaches over the three-year period was 58,948. Out of the 1204 total records 553 of them had unique submission dates. The top or most frequent type of breach was Hacking/IT Incident over the three-year period.

Figure 14 displays the summary statistics for the attributes “Location of Breached Information” and “Business Associate Present”. The top location of breaches was “email,” and the top response of business associate present was “no”.

Figure 15 shows a summary statistics of web description. In the figure below, it displays the last attribute which is “Web Description” which is an open text field for reporters to describe the incident.

Based on the data collected from HHS hacking is the leading way the data has been breached in the human service sector. We believe that the type of breach has a higher importance on the location of the breach than the presence of a business associate. Using the python model “ExtraTreesClassifier” to find the feature importance of the data we were able to test HHS data based on if no changes are to the human services sector, which proves our hypothesis. “ExtraTreesClassifier” is imported into Python from the “sklearn” program which using an estimator to fit several randomized decision trees on various samples of data then using it to improve the predictive accuracy and control over-fitting to the data. Using this model to determine the likelihood that type of breach or presence of business associate will appear again based on decisions made prior.

Figure 16 below displays the modeling results of the top two attributes from the dataset “Business Assoicate Presence” and “Type of Breach” after the data was normalized to the same scale. On a scale of zero to one the presence of a business associate (BAP) was 0.15 of importance based on the location of the breach. On a scale of zero to one the type of breach (ToB) was 0.8 of importance based on the location of the breach. It can be inferred from Figure 15 that ToB has a higher importance than BAP on the location of the breach, therefore the focus should be on using information assurance to prevent hacking.

Based on the results of the “ExtraTreesClassifier” we decided to explore further the implications of no increase of information assurance in the human service sector. Naïve Bayes Classifier is a set of supervised learning algorithms based on applying Bayes’ theorem with the “naive” assumption of conditional independence between every pair of features given the value of the class variable. Using python for Naïve Bayes Classifier we were able to predict the location of data breaches. The locations were coded as follows:

1 = Desktop Computers;

2 = Electronic Medical Record;

3 = Email;

4 = Laptop;

5 = Network Server;

6 = Other;

7 = Paper/Films.

The classifier predicted next several locations of breaches that will occur to be notified to HHS and the average location of the breach will be “Laptops” based on the HHS breach notification data. Figure 17 shows the prediction result.