Application of Actor-Network theory in managing security breaches in healthcare


Actor-Network theory asserts that computing systems, environments and concepts are composed of both human and non-human entities. Referred to as actants, these entities act upon each other to accomplish the role and objective of the system (Luppicini, 2014). Basically, the theory provides an explanation of the involvement of the technical and sociological actants in the working of the systems. The contemporary health care information systems are viewed as an assemblage consisting of different actants. The non-human and human actants created in the assembled act upon each other to ensure the patients’ health information is protected from any form of data breach (Cresswell, 2010). However, recent development have seen an increase in the cases of patients’ protected health information (PHI) being leaked (Richard, Robert & Marilyn, 2015). The current paper evaluates how the ANT theory can be used to offer suggestions on mitigating of the patients’ protected health information breach. This paper argues that effective solutions for mitigating health data breach can be obtained through application of the ANT theory in identification of the various actants that need to be controlled; nevertheless, over-focus on the human actants may interfere with the possibility of obtaining effective mitigation strategies.

Applying ANT theory in the health care information system

Actor-Network theory is a predominantly influential, but still contested theory in providing an understanding on the human interaction with the non-human objects. The theory denies any form of difference between the non-human and human entities at the ontological levels making it very applicable in the field of information system and in studying computing (Hanseth, 2004). It is observed that the computing systems are concerned with the interactions between technologies, human and information systems, as such, a theory that deals with this socio-technical divide by denying the existence of such divide is suitable for its study (Cresswell, 2010). Actor- Network theory also recognizes that the non-human actants plays important role in any computing system and are neither partially nor fully controlled by the human actants in the system, further making it an important theory in computing studies.

The information systems in health care organizations can gain significantly from being informed by Actor-Network Theory. The information system for managing the protected health information of the patients has a number of actants that act on each other. These actants consists of both non-human and human characters (Dery, Hall, Wailes & Wiblen, 2013). The human characters consist of the patients who provide the information and the staff charged with the responsibility of managing the information. The non-human actants consists of the software and hardware used for the recording, transferring and accessing the information. Viewing the patient information management system in the context of the ANT theory means that all the actants are presumed to have significant role in ensuring that the goal of the system is accomplished. The effective management of the system will therefore be based on the ability of each of the actants acting within the assemblage to be controlled in a way that each accomplishes its role as required. Understanding the patients’ protected health information system in the context of the Actor-Network Theory means that there is significant information on the various actants that influence the performance of the system making it easily manageable.

Actor-Network theory can be used to offer appropriate suggestions for mitigating breach risks of patients’ protected health information. According to Pollack, Costello & Sankaran (2013) these suggestions are reliant on the three major constructs of the Actor-Network theory. That is the agnosticism, generalized symmetry and free association. The agnosticism construct invokes impartiality to all the actants interacting in a system whether they are the individuals, technology or organization. Both human and non-human actants are valued similarly under this construct (Dery, Hall, Wailes & Wiblen, 2013). The generalized symmetry construct holds that the viewpoint of all the actors within an assemblage, which could be contradictory to each other, is set to symmetry through the use of unbiased vocabulary. This ensures that a level-set and baseline of approaches and arguments are set across the actors. The last construct is the construct of free-association that advocates for the rejection of the distinctions between actors whether they are socially oriented or technological oriented (Worrell, Wasko & Johnston, 2013). Analyzing the occurrences within the health care information based on the aforementioned constructs is an effective approach in availing relevant suggestions needed to mitigate the potential risk of data breach.

Applying the agnosticism construct of ANT theory in the management of patients’ protected health information can enhance the ability of St. Joseph’s Health System to mitigate health data breach risk. The organization recently reported a breach of its health care data that affected more than 30000 patients (Heath, 2016). The breach resulted into the accessibility of confidential patient’s information and data that could be used for criminal activities. In fact, some of the individuals affected filed a law suit against the organization citing their negligence and violation of confidentiality of medical information Act as the major offences caused by the organization. The breach did not just cause the health care organization a bad reputation but also led to the significant loss of its clients (Heath, 2016).. Applying the agnosticism construct in the analysis of the protected health information network is one of the approaches that can be adopted by the organization to mitigate the potential risks that may promote the occurrence of such kind of data breach. Under this construct, both human and non-human actors have the same value within the network. As such encouraging increased and appropriate activity of the actors within the network will ensure that the network accomplishes its objectives (Iyamu & Roode, 2012). The human actants in the protected health information network consists of the health care practitioners charged with the responsibility of managing the patients’ information. Since some of the data breaches are engineered by human actants, training them on how to identify threat points and making them account for their illicit action in case the breach is intentionally done is an approach that can be adopted by St. Joseph’s to prevent future data breaches from occurring (Robey, Anderson & Raymond, 2013). The organization’s management should also inform the actants to create a greater awareness across the protected health information network in case of any breach. The organization realized that there was a breach two months after its occurrence. Immediate communication of the breach is essential since it makes all the actants within the network prepared for any developing threats. In addition, the information can be swiftly communicated to the affected patients to take steps for mitigating the damage. Application of the agnosticism construct in health data breach management is effective in availing suitable solutions capable of mitigating the data breach risks.

The generalized symmetry construct of ANT advocates for the use of impartial and unbiased vocabulary across all the actants in a network. All the actants must be conversant with the standards and regulations established to manage the patients’ data and information (Robey, Anderson & Raymond, 2013). Moreover, all the actants needs to comply with the policies and procedures set in place to mitigate breaches of the patients’ data. This may include policies such as risk management programs and sound audit. Apart from the human actants, the technical actants should also comply with the standards and regulations set in ensuring that maximum security is provided for the recorded data. Improvement such as single-sign-on can be adopted to eliminate the threat of hackers who make use of password vulnerabilities (Iyamu & Roode, 2012). Masking of the data should also be done to identify the groups of person who can have access to the data and from which kind of devices (Dery, Hall, Wailes & Wiblen, 2013).. The use of digital watermark is also vital in tracking sensitive data throughout the protected health information network. Ensuring that all the actants comply with the policies and regulations in the management of health data security is essential in mitigating any potential risk of the health data breach.

The use of impartial vocabulary across all the actants within the assemblage could have assisted the City of Hope, a cancer based research centre prevent its recent data breach. The organization had focused on the human actants and worked towards ensuring that they complied with the data protection and security set by the organization (Snell, 2016). However, their negligence in including the technical actants in the data management process made them loose confidential patient information as was reported on the 18th of January 2016 (Snell, 2016). The attackers exploited the vulnerability of the password to the various emails of the employees and accessed the vital information. The organization could have survived the attack if only they considered the generalized symmetry construct in their analysis and management of the system and ensured that every actant within the network complied with the policies and standards set to offer maximum security to the patients’ protected health information (Robey, Anderson & Raymond, 2013).

The free association construct supports the rejection of the assertion that the biggest threats to data breach are external. It is observed that most organizations focus on the external human actants as the major threats to the organizational data. Moreover, other organizations have also associated the human actants within the network as major threats to data breach. Major emphasis in mitigation of data breach therefore focuses on controlling the actions of the human actants to ensure there is no information leakage (Luppicini, 2014). Nevertheless, the overreliance on human actants as Dery, Hall, Wailes & Wiblen (2013) indicates may lead to the ineffective mitigation of the data breach. The devices used in the storage of the information can also leak information without the interference of the human actants operating within the system. Apart from applying security to the devices that are used for storing the patients’ data, emphasis should be on security the data itself and ensuring it can only be accessed and transferred to specific individuals. This will offer maximum security to the patients’ protected information and prevent any form of data breach that would have occurred.


ANT theory can be applied in the patients’ protected health information network to obtain solutions that can be adopted to mitigate the risk of data breach. The agnosticism, generalized symmetry and free association construct of the theory when applied in the management of the patients’ information provides solutions that can be adopted by the health care organizations to mitigate the risk of the patients’ information loss. The constructs requires that the human actants within the network be taught on how to identify the potential risk to data breach and to take responsibility for any intentional breach conducted. Moreover, all the actants in the network should be managed and controlled in a way that they comply with security and data protection policies and standards set. Overreliance on the human actants as the major threat to data breach should be abolished, rather, the organizations should focus on protecting the patients’ protected health information by managing and controlling the actions of all the actants in the network.

Leave a Reply