Chapter 9: Conclusion and Future Scope
In this thesis, we aim to find solutions to some of the major concerns of healthcare
management through analysis of data from both India and the United States. Our approach includes
solutions that will help in better IT Governance and Risk Management of HIT in hospitals.
       Our first study highlights the utility of machine learning in telemedicine broadcasting.
Telemedicine broadcasts need to reach the right audience for effective resource utilization. For this
purpose, we propose a classification-based prediction (CBP) module and a strategic investment
planning (SIP) module within the CBP-SIP framework that predicts the best region to broadcast
a particular telemedicine session. Our findings indicate that Classification and Regression Tree
(CART) is the most effective technique in predicting the right region for broadcast. We also
observe the importance of department or knowledge source, session type, and receiver hospital
type in such a decision. The SIP module evaluates the utility of the CBP module based on the
prediction accuracy. We examined two different scenarios from the broadcasting hospital’s
perspective if it invests in the prediction model: one where the patient is admitted if telemedicine
treatment fails (ADM scenario) and one where the patient is not admitted (NO_ADM scenario). We
also alter the utility of the model based on two different risk attitudes: risk-averse and risk-neutral.
We observe that in both cases our prediction model yields a better payoff. We further note that
investment tendency is higher for risk-averse hospitals. This tendency is accentuated for broadcasting
hospitals where patients are admitted if they cannot be treated through telemedicine interaction. Thus,
we can opine that investing in risk-mitigating assets such as technology is favored by risk-averse
hospitals. We also observe that investment in technology to avoid patient admission is
beneficial from a hospital performance point of view. However, our study is limited to specific
departments and collates hospitals into regions. We also assume that consultation requirements
through telemedicine would not change in receiver hospitals over time. Thus, this study can be
extended to predict telemedicine sessions based on: (i) specific receiver hospitals and more
departments, (ii) region-wise environment-specific predictors, (iii) multiple hospital characteristics.
Research opportunities also lie in (i) investigating the investment willingness (K) of hospital
managers based on surveys, (ii) investigating the investment willingness (K) of risk-averse telemedicine
providers by varying the Arrow-Pratt coefficient, and (iii) exploring other types of contracts between
telemedicine broadcasting hospitals and receiver hospitals.
       In the second study, we evaluate the impact of individual HIT applications on a hospital’s
clinical quality (CQual). We propose a clinical quality assessment (CQA) framework that
hypothesizes that HIT applications reduce mortality rates by increasing the quality and precision of
treatment, reducing the risks in surgical interventions, and resulting in faster recovery. We use
backward regression to investigate the contribution of each application installed in a
hospital to reducing the patient mortality rate of the hospital. The scope of our study is limited to
those admitted for pneumonia and cardiac disease treatment. We investigate the impact of
healthcare information technology (HIT) on pneumonia and cardiac disease mortality rates (PMR
and CDMR) for two time periods, 2008-2010 and 2011-2013. We also use a clustering technique to
group each hospital in the dataset into homogeneous sets based on hospital characteristics (i.e.,
number of beds and number of physicians) and socio-economic factors (i.e., literacy rate and
per-capita income). From our results, we note that for pneumonia, Clinical Systems (CS) applications
such as Electronic Medical Admin Record (EMAR) and Medication Reconciliation Software
(MRS) are significant in both time periods. Further, in 2011-2013, we note that Patient Acuity
(PA), which ensures nurses’ allotment to patients, has a significantly high impact in reducing the mortality
rate in small hospitals. For cardiac disease treatment, in 2008-2010, we observe significant and
high impact of Radiology – Ultrasound (RUS), Operating Theatre – Pre-Operative (OTPrO) and
Cardiology – Computerized Tomography (CCT) in small hospitals. Further, in 2011-2013,
medium hospitals also show significant impact of Radiology Information Systems (RIS) and
Cardiology Information Systems (CAIS) in cardiac disease treatment. We have also observed an
overall increase in the significance of HIT applications in mortality rate reduction in a hospital. Our
study can be extended to include (i) patient’s initial health information at the time of admission,
(ii) other factors such as policy changes and demographic information of patients, (iii) HIT
applications that are used for administrative purposes which can help in faster treatment initiation
and effective handover of patients, (iv) among hospital characteristics, socio-economic factors,
and HIT applications and (v) primary data on the utilization of HIT in the U.S. hospitals.
       In the third study, we investigate the impact of clinical and administrative automation
systems (CAS and AAS) on patient mortality, and the impact of security on the performance of
CAS and AAS. For this purpose, we use a HITOSEC framework (HIT, organization characteristics
and security-based framework) that uses backward regression to investigate the contribution of
CAS, AAS and average presence of security measures (TotalSec) in reducing the patient mortality
rate in the hospital. The scope of our study is limited to patients admitted for pneumonia, heart
attack and heart failure treatment, and the time period 2011-2013. We also use a clustering technique
to group each hospital in the dataset into homogeneous sets based on hospital characteristics (i.e.,
number of beds and number of physicians) and socio-economic factors (i.e., literacy rate and
per-capita income). Our study, thus, provides us with the following understanding: (i) CAS and AAS
reduce the mortality rate but are predominantly insignificant, (ii) hospital characteristics, hospital
type and socio-economic factors reiterate their effect on mortality rates and (iii) security
measures have a high positive correlation with HIT installation, which indicates that hospitals are
keen to install security measures while providing HIT; however, they are not essential in improving
HIT impact on patient mortality in a hospital. Our findings help healthcare managers to understand
that security does not impact hospitals strategically to improve care quality. This, in turn, helps
managers to understand the importance of security to (i) safeguard the reputation among
customers and shareholders and (ii) maintain the “safety first” culture of a healthcare organization
and comply with security policies mandated by the Health Insurance Portability and Accountability
Act (HIPAA) and Health Information Technology for Economic and Clinical Health (HITECH).
       In the fourth study, we investigate the amount of data that can be exposed in an attack
on an organization. For this purpose, we propose an AOL framework (asset-organization-location
framework) that uses backward OLS regression methods for exploratory analysis of factors such
as the asset characteristics (i.e., physical or digital, and account details content or financial content),
the organization type (i.e., hospital or non-hospital) and the location characteristics (i.e., literacy
rate, crime rate, internet usage, population density and per-capita income) in predicting the amount
of data breached in an attack on a hospital. It provides empirical evidence for existing criminology
theories such as situational crime prevention and routine activity theory. We observe that
locational socio-economic factors such as literacy rate, crime rate and per-capita income have a
significant and positive effect on the amount of data exposure in a breach. We also observe that digital
data and internal attackers result in a larger amount of data exposure in a breach than physical data
or external attackers. Our findings will help healthcare managers to identify the different factors
and set policies to reduce data exposure during a breach. Our work contributes towards present-day
research on minimizing the impact of cyber-attacks on organizations.
       Our final study proposes a cyber-risk quantification and cyber-risk mitigation (CRQ-CRM)
framework that uses inputs such as organization type, asset characteristics and location
characteristics to classify and determine the most probable type of attack (hacking, insider attack,
physical attack and unintended disclosure). We observe that the Naïve Bayes classifier gives us the
best prediction accuracy with superior receiver operating characteristic (ROC) curve results. From the hospital
point of view, we note that attacker type is the primary determinant in our classification model.
We also observe that most insider attacks overall, and hacking attacks (in general, in profit-making
hospitals), involve exposing financial details of patients. We also observe that employees handling
physical data in low-literacy states often cause unintended disclosure of patient data. Such
observations from our study will help managers in determining organization policies and security
strategies against data breach possibilities. Our study is unique in the field of cyber-attack
mitigation research as our work explains how we can use a classification tree and the consequent
probability-impact matrix to determine organization policies and set resource management
strategies. Limitations of our research are: (i) no data on security present in the hospital as a
predictor, (ii) lack of other predictive methods such as support vector machines and neural
networks, and (iii) limited to the healthcare industry and the year 2017. Some of the possible
extensions that are not included in this study are (i) use of security measures as a factor to
investigate its effect on attack type and data breach exposure rate (DBER) determination, (ii) use
of unsupervised learning methods and non-linear classifiers to check for better predictor accuracy
and (iii) using risk-utility modelling for determining insurance based on the probability-impact matrix.
       We further summarize the theoretical and managerial contributions of the thesis chapter-wise
in Table 9.1.
       Table 9.1: Summary of theoretical and managerial contributions, chapter-wise

| Chapter # | Theoretical Contribution | Managerial Contribution |
|-----------|--------------------------|-------------------------|
| Chapter 4 | Our study contributes to the resource-based view (RBV) of a production firm that suggests optimal resource utilization and cost reduction to ensure sustained competitive advantage. | This study provides a blueprint for other healthcare organizations that broadcast telemedicine and want to optimize their workflows. In India, most of the telemedicine providers are not-for-profit organizations. Thus, our study of a not-for-profit organization will interest healthcare managers who are involved in managing telemedicine sessions. We compare risk-neutral and risk-averse attitudes of hospital managements to study their keenness to invest in IT owing to its uncertainty. |
| Chapter 5 | Our study contributes to the continued work towards resolving the IT productivity paradox. The evaluation of the impact of IT resources towards fulfilling the treatment process in a hospital contributes to the resource-based view of a firm. | Our study contributes towards (i) IT prioritization by managers for selective investment, (ii) understanding of the change in HIT application usefulness from 2010 to 2013 for both acute and critical diseases, (iii) importance of usage of hospital characteristics and socio-economic factors while considering the role of technology in addressing a strategic risk. |
| Chapter 6 | Our research contributes to the IT productivity paradox in a healthcare firm by evaluating the impact of security and HIT applications on hospital performance. Our findings also contribute to the resource-based view (RBV) perspective which states that meaningful use of IT resources (such as HIT applications and security) should help in the treatment process and thereby reduce mortality. | Our research aims to enable managers to understand the role of security in a complex hospital ecosystem. Our study further motivates healthcare management researchers to dig more into the influence of applications, if any, on cardiac and pneumonia mortality rates. |
| Chapter 7 | It contributes to the existing situational crime prevention (SCP) theory and the routine activity theory (RAT) which are the building blocks for our hypothesis. It also sets the stage for academicians to use these factors to determine resource allocation trade-offs. | Our research contributes to the understanding of the important factors that affect data breach severity. Our research further provides factors to security managers to control and track so that they can make provisions for a prospective cyber-attack. |
| Chapter 8 | Our study contributes to the use of prediction technique in the field of security protocol enforcement where the organization determines the probability of a specific attack type on a set of data based on the organization type, type of storage and data and the state-level socio-economic factors. The significance of the mentioned factors in the prediction framework contributes to establishing the usefulness of existing theories such as SCP and RAT. | Our research proposes a robust and effective prediction framework that compares different classification techniques to achieve the best result, in terms of prediction accuracy. Its contribution to management includes (i) calculating expected loss as part of framework evaluation and (ii) use of probability-impact matrix to determine strategy to prepare for the most probable attacks in a healthcare organization. |