Taming Complexity in Cybersecurity of Multihospital Systems: The Role of Enterprise-wide Data Analytics Platforms

A widely accepted notion in cybersecurity practice and research posits that complexity is detrimental to cybersecurity. While this notion mainly focuses on IT, the prevalence of complexity extends beyond IT into organizational domains. Whether the assertion that complexity is detrimental to cybersecurity holds true when applied to organizational domains remains largely unexplored. Moreover, 'complexity' and 'complicatedness' are often used interchangeably to refer to a large number of interconnected components. We build on complexity science to distinguish the two terms: complexity arises from ad-hoc, non-linear interactions among interconnected components whereas complicatedness arises from structured, linear interactions. The field lacks sufficient understanding of these distinctions and their implications for cybersecurity risks and mitigations. We theorize how an organization's complicatedness and complexity in both IT and organizational domains influence cybersecurity breaches. Our context of empirical inquiry is multihospital systems (MHSs), a complex organizational form that uses IT in complex ways. Drawing on complexity science, we posit that complicatedness in medical services, health IT, and governance arrangements of an MHS increases cybersecurity breaches. We also posit that using enterprise-wide data analytics platforms (EWDAP) to structure and control ad-hoc information sharing practices of the complicated units can reduce breaches despite adding more technology components and dependencies to enterprise IT. We test these ideas in a sample of 445 MHSs in the U.S. spanning from 2009 to 2017. Complicatedness in medical services, health IT, and governance stands out as the primary contributor to cybersecurity breaches in MHSs. Ad-hoc, non-linear interactions contribute to complexity and exacerbate the cybersecurity breach effects of complicatedness. In contrast, structured interactions, exemplified by patient data sharing through EWDAP, achieve simplification and mitigate the cybersecurity breaches associated with complicatedness.