Accepted for/Published in: JMIR Medical Informatics
Date Submitted: Aug 16, 2019
Date Accepted: May 14, 2020
Date Submitted to PubMed: Sep 15, 2020
The Good News and Bad News About Incentives to Violate HIPAA: Scenario-based Questionnaire Study
ABSTRACT
Background:
The health care industry is the only vertical industry that has more insiders behind breaches than external actors. The next generation of individuals will soon become the trusted insiders, with the knowledge and insight to significantly compromise organizational security systems.
Objective:
The objective of this research was to identify the role that monetary incentives play in violating HIPAA regulations and privacy laws by the next generation of employees. The research model was based on the economics of crime literature and rational choice theory.
Methods:
Scenarios were developed for five situations to determine if monetary incentives could be used to influence subjects to obtain health care information and to release that information to individuals and media outlets. The subjects were also asked about the probability of getting caught for violating HIPAA laws. A pilot study was first conducted using sixty-four medical residents and thirty-two executive MBA candidates to test the constructs. The main survey data involved 523 students with an average age of 21 who are on the cusp of entering the workforce.
Results:
In the pilot study, only six (6%) of the sixty-four medical residents and thirty-two executive MBA candidates would succumb to monetary incentives and violate HIPAA laws. The amount of money required by the six individuals to violate HIPAA ranged from $50,000 to $1 billion. It is our assertion that the medical interns and the executive MBA participants in the pilot test were very concerned with social desirability issues. The main study involved 523 individuals who are on the cusp of entering the workforce. In the main study, many of the subjects believed there was a high probability of being caught. Nevertheless, many of them could be incentivized to violate HIPAA laws. Our analysis shows that approximately 35% to 46% of the survey participants indicated that there is a price, ranging from $1,000 to over $10 million, that is acceptable for violating HIPAA laws. When a personal context is involved, the percentage increases substantially. Over 78% of the subjects would accept $100,000 to obtain information on a politician to pay for an experimental treatment for their mother. Over 64% would accept $50,000 to obtain medical records about a famous reality star to help a friend in need of medical transportation.
Conclusions:
A key finding is that individuals perceiving a high probability of being caught are less likely to release private information, but that when the personal context involves a friend or family member at risk, they will probably succumb to the incentive regardless of the probability of being caught. The key to reducing non-compliance will be to implement organizational procedures, constantly monitor, and develop educational and training programs to encourage HIPAA compliance. Several recommendations will be made to identify strategies to deal with the issue of insider threats.
Copyright
© The authors. All rights reserved. This is a privileged document currently under peer-review/community review (or an accepted/rejected manuscript). Authors have provided JMIR Publications with an exclusive license to publish this preprint on its website for review and ahead-of-print citation purposes only. While the final peer-reviewed paper may be licensed under a cc-by license on publication, at this stage authors and publisher expressly prohibit redistribution of this draft paper other than for review purposes.