Chitra Marti, "Competition and Cybercrime: An Application to Healthcare Digitization"

Chitra Marti, an Economics PhD candidate at NYU Stern, studies how market structure impacts cybersecurity outcomes in the healthcare sector, and what that means for antitrust and healthcare policy.

Research Summary:
Cybercrime is a basic fact of digital life. As new technologies such as blockchain and generative AI emerge, an important question is whether they will be tools for good or simply for more crime.

I approach the question of how to curtail cybercriminal activity through an economic viewpoint: is there a role for antitrust in cybersecurity policy? After all, the same digital technologies that are so vulnerable are also generally held in the hands of just a few companies, who may or may not be adequately incentivized to protect the sensitive information they hold — and the technologies on which our entire global economy depends.

I first point out two ways in which cybercrime is a special and new risk relative to anything we’ve seen before. First, attacks are strategic choices of malicious attackers who specifically choose their victims, unlike non-targeted shocks such as climate events. Second, just like the digital technologies they compromise, cyberattacks scale very well — a single exploit can be deployed against a great many targets.

Both interact with market structure in nontrivial ways. I theorize that market concentration may be either bad or good for cybercrime outcomes, thanks to four countervailing forces. Two cut against concentration. First, having lots of data in one place creates a magnet effect, where attackers focus their effort on compromising just one firm. Second, since one firm serves many users, a contagion effect puts a larger fraction of the economy at risk. Two cut in its favor. First, a single firm may be a great gatekeeper if properly incentivized, keeping all users safe behind a single wall. Second, as users add their own security and become aware of the risk, they create a positive externality for other users, increasing the total effort an attacker would need to make to compromise the system.

I study the question in the context of U.S. healthcare, which has both digitized heavily in the last decade (with the encouragement of important policies such as the HITECH Act) and been highly targeted by cybercriminals (with over 150 million records stolen in the last decade). I focus on the use of electronic medical records (EMR) software, which has been near-universally adopted by hospitals in the U.S.

I combine data on outcomes (data breach events) and the technology stack of the hospital over time, down to the product level. I can then match potential causes — insecure technology — with the outcome of interest. Therefore, I can identify which products are weaker, meaning hospitals that use them are more likely to experience data breaches than those that don’t. Throughout the paper, I use a Cox Proportional Hazards Model, where a “death” is a data breach event. The model answers the questions: which choices and characteristics of hospitals hasten breaches, and which can postpone a breach (maybe infinitely)? About 10% of hospitals in my sample period (2010-2017) experienced a data breach.

On the extensive margin, I find that the act of digitization naturally hastens a hospital’s breach event, especially breaches that are cyber-based, and especially cyber-crimes. Physical breaches (e.g. stolen papers) and mistakes (e.g. emails sent to the wrong person), on the other hand, are postponed, suggesting a tradeoff in the manner of breach that comes from digitization. Further, hospitals that are larger, serve children, or are in big cities are more likely to experience breaches, perhaps because their records are more valuable on the black market and therefore entice the strategic attacker.

On the intensive margin, I identify which firms and products are “weaker” and associated with hastening breaches. I do not find that any products postpone breaches, suggesting none are gatekeepers here. However, a hospital that does implement a Spam/Spyware filter postpones its breaches.

Finally, on what I call the network margin I find that hospitals that use the same technology as another breached hospital are then more likely to experience a breach — exactly the contagion effect. I test different placebo networks, such as hospitals in the same state, in the same Group Purchasing Organization, or Health Information Exchange, and find the effect is only strong for using the same electronic medical records software, suggesting that attackers may specifically be using common vulnerabilities in technology to scale their attacks. I call the spread of an attack a negative network effect: using the same EMR as other hospitals creates a new risk hospitals may not understand when selecting their products.
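As an added illustration (not code or data from the paper), the following Python builds the kind of survival dataset the network margin calls for: each hospital's follow-up is split at the moment a time-varying "a peer on the same EMR has already been breached" indicator turns on, in the counting-process (start, stop, event) layout a Cox model with time-varying covariates consumes, and the same construction is run on a placebo network (same state). Hospital names, EMR products, states, breach times and the study length are constructed; the crude event-rate comparison at the end is a rough stand-in for the hazard ratio a Cox fit would estimate.

```python
from dataclasses import dataclass
from typing import Optional
STUDY_END = 8.0  # years of follow-up in this constructed sample (hypothetical)

@dataclass
class Hospital:
    name: str
    emr: str    # electronic medical records product (hypothetical labels)
    state: str
    breach_time: Optional[float]  # years until first breach; None = censored

HOSPITALS = [  # constructed sample: EMR-A users breach in a cluster after the first one
    Hospital("H1", "EMR-A", "NY", 2.0), Hospital("H2", "EMR-A", "NJ", 2.5),
    Hospital("H3", "EMR-A", "NY", 3.0), Hospital("H4", "EMR-A", "CA", None),
    Hospital("H5", "EMR-B", "NY", None), Hospital("H6", "EMR-B", "CA", 6.0),
    Hospital("H7", "EMR-B", "TX", None),
]

def exit_time(h):
    return h.breach_time if h.breach_time is not None else STUDY_END

def first_peer_breach(h, hospitals, key):
    """Earliest breach of a *different* hospital sharing attribute `key` ("emr", or the
    placebo "state"), strictly before h leaves the risk set (same-instant breaches excluded)."""
    times = [p.breach_time for p in hospitals
             if p is not h and p.breach_time is not None
             and getattr(p, key) == getattr(h, key) and p.breach_time < exit_time(h)]
    return min(times) if times else None

def counting_process_rows(hospitals, key):
    """Andersen-Gill style rows (id, start, stop, event, exposed): each hospital's
    follow-up is split where the time-varying 'peer breached' covariate flips 0 -> 1."""
    rows = []
    for h in hospitals:
        stop, event = exit_time(h), int(h.breach_time is not None)
        t = first_peer_breach(h, hospitals, key)
        if t is None:
            rows.append((h.name, 0.0, stop, event, 0))
        else:
            rows.append((h.name, 0.0, t, 0, 0))
            rows.append((h.name, t, stop, event, 1))
    return rows

def crude_hazard(rows):
    """Events per unit of follow-up time for unexposed (0) and exposed (1) intervals;
    a rough stand-in for the hazard ratio a Cox fit would estimate on these rows."""
    totals = {0: [0, 0.0], 1: [0, 0.0]}
    for _, start, stop, event, exposed in rows:
        totals[exposed][0] += event
        totals[exposed][1] += stop - start
    return {k: ev / t for k, (ev, t) in totals.items() if t > 0}
```

On this constructed sample the exposed-to-unexposed rate ratio is above 2 for the EMR network and close to 1 for the same-state placebo, mirroring the pattern the paragraph describes.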

I finally describe how the negative network effect interacts with the regulatory and technological push towards concentrated markets, complicating cybersecurity regulation. Regulators commonly mandate basic security provisions, but I show a strategic attacker could just end up investing even more, triggering an arms race between the offense and defense. On the other hand, antitrust activity that creates more competition in the space would disperse the negative network effect and limit contagion externalities. Which is more effective? This is the subject of ongoing analysis.