8 research outputs found

    Ubiquitous Healthcare Information System: Toward Crossing the Security Chasm

    A ubiquitous healthcare information system is increasingly seen as a viable option for reducing the inherent time lag and inaccuracies in the traditional model of healthcare and for promoting the delivery and practice of evidence-based healthcare, as and when needed, without location or time constraints. Although promising, the realization of a ubiquitous healthcare information system brings several threats and risks rooted in the real-time collection, analysis, storage, transmission, and access of critical medical data. In this research, we address information security concerns pertaining to the paradigm of the ubiquitous healthcare information system. To accomplish this we use the National Institute of Standards and Technology's (NIST's) system development lifecycle (SDLC) model as the underlying framework to explore the current state of ubiquitous healthcare from the perspective of security. We then leverage the model to propose future research directions in this area. By applying NIST's SDLC model in such a manner, we offer a different dynamic of healthcare security that has not been addressed in the literature before.

    A technological vulnerability analysis process as a protective measure against cyber-attacks.

    This synthesis report, submitted as a partial requirement for obtaining a Master's degree in Management Information Systems (Maîtrise en Informatique de Gestion), proposes an analysis of the use of vulnerability analysis in information risk management.

    The ISO/IEC 27002 and ISO/IEC 27799 information security management standards : a comparative analysis from a healthcare perspective

    Technological change has become significant and an area of concern in the health sector with regard to securing health information assets. Health information systems hosting personal health information expose these information assets to ever-evolving threats. This information includes aspects of an extremely sensitive nature; for example, a particular patient may have a history of drug abuse, which would be reflected in the patient's medical record. The private nature of patient information places a higher demand on the need to ensure privacy. Ensuring that the security and privacy of health information remain intact is therefore vital in the healthcare environment. In order to protect information appropriately and effectively, good information security management practices should be followed. To this end, the International Organization for Standardization (ISO) published a code of practice for information security management, namely ISO 27002 (2005). This standard is widely used in industry but is a generic standard aimed at all industries. Therefore, it does not consider the unique security needs of a particular environment. Because of the unique nature of personal health information and its security and privacy requirements, the need to introduce a healthcare sector-specific standard for information security management was identified. ISO 27799 was therefore published as an industry-specific variant of ISO 27002 that is geared towards addressing security requirements in health informatics. It serves as an implementation guide for ISO 27002 when implemented in the health sector. The publication of ISO 27799 is considered a positive development in the quest to improve health information security. However, the question arises whether ISO 27799 addresses the security needs of the healthcare domain sufficiently. The extensive use of ISO 27002 implies that many proponents of this standard (in healthcare) now have to ensure that they meet the (assumed) increased requirements of ISO 27799. The purpose of this research is therefore to conduct a comprehensive comparison of the ISO 27002 and ISO 27799 standards to determine whether ISO 27799 serves the specific needs of the health sector from an information security management point of view.

    The impact of information security awareness training on information security behaviour

    Information security awareness initiatives are seen as critical to any information security programme. But how do we determine the effectiveness of these awareness initiatives? We could get our employees to write a test after the awareness training to determine how well they understand the policies, but this does not show how it affects the employees' on-the-job behaviour. Does awareness training have a direct influence on the security behaviour of individuals, and what is the direct benefit of awareness training? This research report aims to answer the question: to what extent does information security awareness training influence information security behaviour? Technologies meant to provide security ultimately depend on the effective implementation and operation of these technologies by people. Thus, awareness of policies is needed by all individuals in an organisation to ensure that policies are well understood and not misinterpreted. Some researchers have maintained that educating users is futile, mainly because it is believed that it is difficult to teach users complex security issues and, secondly, because if security is seen as secondary by users they will not pay enough attention to it. This research found that, firstly, there is a shortage of in-depth information security awareness research and that behavioural concepts are not properly taken into account in security awareness programmes. There is a shortage of theoretical models explaining how awareness training affects behaviour. Secondly, this research tested a proposed model empirically using system-generated data as indicators of behaviour in a pretest-posttest experimental design. It was found that security awareness training was effective in terms of end-users retaining security knowledge. However, there was no evidence to suggest that security awareness by itself is sufficient to ensure compliant behaviour by end-users. Security awareness training is a necessary, integral component that could influence compliant behaviour, but it is not adequate to do so fully. Practitioners must insist that their security awareness programmes are measured in terms of effectiveness and focus on behavioural aspects to complement traditional security awareness initiatives.

    A study of employees' attitudes towards organisational information security policies in the UK and Oman

    There is a need to understand what makes information security successful in an organization. What are the threats that the organization must deal with, and what are the criteria of a beneficial information security policy? Policies are in place, but why are employees not complying? This study is the first step in trying to highlight effective approaches and strategies that might help organizations to achieve good information security by looking at success factors for implementation. This dissertation focuses on human factors by looking at what concerns employees about information security. It explores the importance of information security policy in organizations, and employees' attitudes to compliance with organizations' policies. This research has been divided into four stages. Each stage was developed in light of the results from the previous stage. The first two stages were conducted in the Sultanate of Oman in order to use a population just starting out in the information security area. Stage one started with qualitative semi-structured interviews to explore and identify factors contributing towards successful implementation of information security in an organization. The results suggested a number of factors organizations need to consider to implement information security successfully. The second stage of the research was based on the first stage's results. After analysing the outcomes from the semi-structured interviews, a quantitative questionnaire was developed to explore information security policy. The findings suggested that the more issues the organization covers in its security policy, the more effective its policy is likely to be. The more an organization reports adoption of such criteria in its security policy, the more it reports a highly effective security policy. The more the organization implements the 'success factors', the more effective it feels its security policy will be. The third stage was conducted in the UK at Glasgow University, where employees are somewhat familiar with the idea of information security. It was based on the findings derived from the analysis of the quantitative questionnaire at stage two. The findings revealed different reasons for employees' non-compliance with organizational security policy as well as the impact of non-compliance. The fourth stage consolidates the findings of the three studies and brings them together to give recommendations about how to formulate a security policy that encourages compliance and therefore reduces security threats.

    The adoption of ICT in Malaysian public hospitals: the interoperability of electronic health records and health information systems

    A number of studies have investigated ICT adoption in Malaysian healthcare. Given the small number of hospitals that have adopted ICT in their daily clinical and administrative operations, enabling data exchange across the 131 public hospitals in Malaysia is still a long journey. In addition to those studies, this research was framed under six objectives, which aim to critically review the existing literature on the subject, identify barriers to ICT adoption in Malaysia, understand the administrative context before and after ICT adoption, and recommend possible solutions to the Ministry of Health of Malaysia (MoHM) in its efforts to implement interoperable electronic health records (EHR) and health information systems (HTIS). Specifically, this research aimed to identify the factors that had significant impacts on the processes of implementing interoperable EHR and HTIS by the MoHM. Furthermore, it also aimed to propose the relevant actors who should be involved in the implementation phases. These factors and actors were used to develop a model for implementing interoperable EHR and HTIS in Malaysia. To gather the needed data, a series of interviews was conducted with three groups of participants: ICT administrators of the MoHM, ICT and medical record administrators of three hospitals, and physicians of three hospitals. To ensure the interview feedback represented the context of EHR and HTIS implementation in Malaysia, two hospital categories were selected: hospitals with HTIS and non-HTIS hospitals. Government documents were then used to triangulate the feedback to ensure the dependability, credibility, transferability and confirmability of the findings. Two techniques were used to analyse the data: thematic analysis and theme matching. These two techniques were adapted from their original method, known as pattern matching. The originality of this research lies in the findings and in the methods used to transform them into solutions and recommendations for the MoHM. In general, the results showed that technological factors contributed less to the success of the implementation of interoperable EHR and HTIS than managerial and administrative factors. Four main practical and social contributions were identified from this research: synchronisation of managerial elements, political determination and change management transformation, optimisation of the use of the existing legacy system (Patient Management System), and finally the roles of actors. Nevertheless, the findings of this research would be more dependable and transferable if more participants had been willing to participate, especially among the physicians and those who managed ICT adoption under the MoHM.

    An evaluation model for information security strategies in healthcare data systems

    This thesis presents a newly developed evaluation model, EMISHD (an "Evaluation Model for Information Security Strategies in Healthcare Data Systems"), which can address the specific requirements of information security in the healthcare sector. Based on a systematic literature review and a case study, the information security requirements and the existing evaluation models used to examine the information security strategies of healthcare data systems have been analysed. The requirements of information security in any sector generally vary in line with changes in laws and regulations and with the emergence of new technologies and threats, which require existing information security strategies to be strengthened to deal with new challenges. The systematic review of the existing evaluation models identified in previous research resulted in the development of a new evaluation model (EMISHD) specifically designed to examine the information security strategies in healthcare data systems according to these specific requirements. A case study of a healthcare organisation in Saudi Arabia is conducted in order to apply the newly developed evaluation model (EMISHD) in a real-life case and to validate the evaluation results through observation.
