Skip directly to content

Minimize RSR Award Detail

Research Spending & Results

Award Detail

Doing Business As Name:Vanderbilt University Medical Center
  • Daniel Fabbri
  • (615) 936-6867
  • Bradley A Malin
  • Laurie Novak
Award Date:07/06/2015
Estimated Total Award Amount: $ 300,000
Funds Obligated to Date: $ 300,000
  • FY 2015=$300,000
Start Date:10/01/2015
End Date:09/30/2018
Transaction Type:Grant
Awarding Agency Code:4900
Funding Agency Code:4900
CFDA Number:47.070
Primary Program Source:040100 NSF RESEARCH & RELATED ACTIVIT
Award Title or Description:EAGER: Managing Information Risk and Breach Discovery
Federal Award ID Number:1536871
DUNS ID:079917897
Parent DUNS ID:024199668
Program:Secure &Trustworthy Cyberspace

Awardee Location

Street:1161 21st Ave. South
Awardee Cong. District:05

Primary Place of Performance

Organization Name:Vanderbilt University Medical Center
Street:1400 18th Avenue South
Cong. District:05

Abstract at Time of Award

Increasing demands for data access dominate privacy concerns, putting both data and organizations at risk. However, there is currently a shortage of research on how organizations develop and maintain practices to ensure information privacy. Small scale, preliminary investigations suggest there is variation in organizational practices and those that have been studied only minimally reflect documented organizational policies. While technologies exist to help monitor accesses to data, they are rarely deployed, such that manual audits remain the norm. This project aims to improve security measures in organizations by better understanding risk management and breach discovery life cycles. Traditional technological solutions lack grounding in real organizational routines, resulting in poor fit with existing work practices and limited adoption. The problem demands a multi-disciplinary effort to represent organizational risks and practices, theory to quantify the risk, and methods to translate the findings for privacy and security practices and technologies that seek to mitigate the risk. This work will influence the development and deployment of technological cybersecurity tools in multiple industries. Specifically, it will provide concrete assessments of breach management routines, how they are structured, and the uptake that can reasonably be expected of breach management technologies given industry-specific constraints. This project uses a sociotechnical approach, integrating qualitative data on privacy practices, and perceived constraints and influences within the process, into a computational model that will be used to represent constraints and influences on the deployment of privacy and security measures. This model will account for various actors within the privacy and security hierarchy, such as compliance officers, security officers and executives. It allows for conceptualization of organizational practices and the areas of potential adaptation for the practices. In particular, the computational contributions are two-fold: (i) an optimization problem formulation of the risk management and breach discovery life cycle, and (ii) a taxonomy of perceived organizational risks and their mapping to mitigating technological measures. In addition, these computational methods will inform changes in life cycle process, and gaps among current technological offerings. Results include tools for analyzing an organization's security routines and risk perspectives, and output organization guidance to better manage risk.

Publications Produced as a Result of this Research

Note: When clicking on a Digital Object Identifier (DOI) number, you will be taken to an external site maintained by the publisher. Some full text articles may not yet be available without a charge during the embargo (administrative interval).

Some links on this page may take you to non-federal websites. Their policies may differ from this site.

Daniel Fabbri, Mark Frisse, Bradley Malin "The Need for Better Breach Statistics" JAMA Internal Medicine, v., 2018, p..

Project Outcomes Report


This Project Outcomes Report for the General Public is displayed verbatim as submitted by the Principal Investigator (PI) for this award. Any opinions, findings, and conclusions or recommendations expressed in this Report are those of the PI and do not necessarily reflect the views of the National Science Foundation; NSF has not approved or endorsed its content.

Due to the rapidly changing, threat-rich environment, healthcare cybersecurity is achieved through a variety of organizational routines. The execution of these routines creates tensions with clinical operations. The purpose of this project is to understand, from the perspective of working cybersecurity professionals, the organizational routines involved in their work and tensions created when deploying security controls in care settings. Our aim is to identify strategies for cybersecurity that minimize conflicts in existing clinical care routines while also protecting data.

We conducted semi-structured interviews with cybersecurity professionals at multiple levels in health care. Interviews explored everyday cybersecurity activities, perceived risks, mitigating measures, and constraints in implementing the ideal privacy and security environment. The work of cybersecurity involves routines for implementing and maintaining a variety of mitigation measures, technologies, access controls, training, audits, and responding to incidents. Deploying these controls creates tensions with clinical operations, and managing the tensions involves substantial effort.

Our data suggest three conclusions: 1) Cybersecurity should be considered a dynamic organizational capability, given the nature of the external threat environment, 2) Seemingly intractable tensions that arise between cybersecurity and clinical operations are the result of patient involvement in the underlying capability routines, and 3) Understanding the sources of tensions between cybersecurity and the internal dynamics of clinical operations is the key to developing and deploying new technologies to protect health data. Moreover, when choosing which cybersecurity capabilities to deploy, cybersecurity professionals should consider the capability?s gain in security posture with its impact on clinical care routines.

Additionally, our data suggests that actors at all levels of an organization interpret and act on data privacy and security threats. Variations in interpretation of threats between senior executives, functional management, data security personnel, and front-line workers can result in a) organizational policies that have unintended impacts, and b) missed opportunities for technical and policy solutions based on a lack of understanding of front-line activity. Analysis of the interviews revealed different interpretations of the threat landscape, appropriate solutions, and the definitions of key terms. Our findings suggest the need for transparency regarding control implementations and an enriched discourse on privacy and security that can improve coherence in organizational practices and provide more concrete guidance to technology solution developers.

Going forward, the government, industry, and the research community need to go beyond detecting simple attacks and seriously consider insider threats, as well as cyberattacks emanating from beyond their institutions. Without better visibility into complex threats and better tools to detect those threats, organizations are only to defend what they can see.

Last Modified: 12/28/2018
Modified by: Daniel Fabbri

For specific questions or comments about this information including the NSF Project Outcomes Report, contact us.