Does Sharing Make My Data More Insecure? An Empirical Study on Health Information Exchange and Data Breaches

This paper examines the information security implications of hospitals participating in health information exchanges (HIE). While data security threats may increase when hospitals join HIEs to share data across organizational boundaries, HIEs institute “secure exchange” and promote security practices among participants. Due to these countervailing effects, it is unclear how joining an HIE affects hospitals’ data breach risk. This study seeks to understand the security implications of HIEs from the lens of governance and coordination. We compiled a panel dataset of more than 3,000 hospitals over six years. By leveraging different identification strategies, including difference-in-differences design, matching, and instrumental variables, we found that the likelihood of a hospital experiencing a data breach decreased by more than 35.37 % after joining an HIE. We further show that the effect was more pronounced among HIE member hospitals with more sophisticated clinical IT systems or after HIE security laws were enacted. We discuss the implications for research and practice.