116 research outputs found

    Help or hindrance: The practicality of applying security standards in healthcare

    The protection of patient information is now more important as a national e-health system approaches reality in Australia. The major challenge for health care providers is to understand the importance of information security whilst also incorporating effective protection into established workflow and daily activity. Why then, when it is difficult for IT and security professionals to navigate through and apply the myriad of information security standards, do we expect small enterprises such as primary health care providers to also be able to do this? This is an onerous and impractical task without significant assistance. In the development of the new Computer and Information Security Standards (CISS) for Australian General Practice, a consistent and iterative process for the interpretation and application of international standards was used. This involved both the interpretation of the standards and the application of knowledge to create a practical but acceptable level of security for the primary healthcare environment. From a security perspective such practical application of standards poses the dichotomous challenge (and criticism) of how much security is sufficient versus how much can the primary healthcare environment manage. This paper describes the path of development from standards to implementation using the CISS as an example. It is concluded that more practical assistance is required by the security profession to support the national e-health initiative if Australia is to provide a safe and secure healthcare environment.

    Measuring information security governance within general medical practice

    Information security is becoming increasingly important within the Australian general medical practice environment as legal and accreditation compliance is being enforced. Using a literature review, approaches to measuring information security governance were analysed for their potential suitability and use within General Practice for the effective protection of confidential information. The models, frameworks and guidelines selected were analysed to evaluate if they were Key Performance Indicator (KPI), or process driven; whether the approach taken was strategic, tactical or operational; and if governance or management assessment tools were presented. To measure information security governance, and be both effective and practical, the approach to be utilised within General Practice would need to function at an operational level and be KPI driven. Eight of the 29 approaches identified were deemed to be applicable for measuring information security governance within the General Practice environment. However, further analysis indicated that these measurement approaches were either too complex to be directly implemented into General Practice, or collected self-assessment security data rather than actual security measurements. The literature review presented in this paper establishes the need for further research to develop an approach for measuring information security governance within General Practice.

    Medical Identity Theft – Not Feeling Like Yourself?

    Hospital and general practice healthcare providers today rely heavily on the information and communication technologies they employ to provide access to patient and associated data. The continuing migration to wireless means of data transfer has afforded system users more convenient and timely access to information via the use of 802.11 based wireless network capable devices. Through the increased digital connectivity of these internet and wireless based networks, new avenues of criminal activity such as medical identity theft have been steadily increasing as malicious individuals and organisations seek to abuse the digital ubiquity of the electronic medical record. The increased need for vigilance, protective measures and tightened security policy surrounding patient data practices concerning the use of wireless devices has never been greater. This paper discusses the potential patient and organisational ramifications of medical identity theft through wireless networks and other means as well as suggesting possible risk mitigation strategies to counteract such unauthorised information access

    Improving the Information Security Model by using TFI

    In the context of information systems and information technology, information security is a concept that is becoming widely used. The European Network of Excellence INTEROP classifies information security as a nonfunctional aspect of interoperability and as such it is an integral part of the design process for interoperable systems. In the last decade, academics and practitioners have shown their interest in information security, for example by developing security models for evaluating products and setting up security specifications in order to safeguard the confidentiality, integrity, availability and accountability of data. Earlier research has shown that measures to achieve information security in the administrative or organisational level are missing or inadequate. Therefore, there is a need to improve information security models by including vital elements of information security. In this paper, we introduce a holistic view of information security based on a Swedish model combined with a literature survey. Furthermore we suggest extending this model using concepts based on semiotic theory and adopting the view of an information system as constituted of the technical, formal and informal (TFI) parts. The aim is to increase the understanding of the information security domain in order to develop a well-founded theoretical framework, which can be used both in the analysis and the design phase of interoperable systems. Finally, we describe and apply the Information Security (InfoSec) model to the results of three different case studies in the healthcare domain. Limits of the model will be highlighted and an extension will be proposed. Monograph's chapter

    Securing small business - the role of information technology policy

    As small and medium enterprises develop their capacity to trade electronically, they and their trading partners stand to gain considerable benefit from the resulting transaction efficiencies and business relationships. However, this raises the question of how well small business manages its IT security and the threats that security lapses may pose to the wider trading network. It is in the interest of all members of an electronic trading network, as well as governments, to assist smaller companies to secure their business data. This paper considers the relationship between IT security management and IT policy implementation among small businesses involved in business-to-business eCommerce. It reports the results of a survey of 240 Australian small and medium businesses operating in a cross-industry environment. The survey found a low level of strategic integration of eCommerce along with inadequate IT security among the respondents, despite the fact that 81% were doing business online and 97% identified their business data as confidential. Businesses which implemented satisfactory levels of security technologies were more likely than others to have an information technology policy within the organisation. The paper proposes a model that outlines the development of security governance and policy implementation for small and medium businesses.

    The ISO/IEC 27002 and ISO/IEC 27799 information security management standards : a comparative analysis from a healthcare perspective

    Technological shift has become significant and an area of concern in the health sector with regard to securing health information assets. Health information systems hosting personal health information expose these information assets to ever-evolving threats. This information includes aspects of an extremely sensitive nature, for example, a particular patient may have a history of drug abuse, which would be reflected in the patient’s medical record. The private nature of patient information places a higher demand on the need to ensure privacy. Ensuring that the security and privacy of health information remain intact is therefore vital in the healthcare environment. In order to protect information appropriately and effectively, good information security management practices should be followed. To this end, the International Organization for Standardization (ISO) published a code of practice for information security management, namely the ISO 27002 (2005). This standard is widely used in industry but is a generic standard aimed at all industries. Therefore it does not consider the unique security needs of a particular environment. Because of the unique nature of personal health information and its security and privacy requirements, the need to introduce a healthcare sector-specific standard for information security management was identified. The ISO 27799 was therefore published as an industry-specific variant of the ISO 27002 which is geared towards addressing security requirements in health informatics. It serves as an implementation guide for the ISO 27002 when implemented in the health sector. The publication of the ISO 27799 is considered as a positive development in the quest to improve health information security. However, the question arises whether the ISO 27799 addresses the security needs of the healthcare domain sufficiently. 
The extensive use of the ISO 27002 implies that many proponents of this standard (in healthcare), now have to ensure that they meet the (assumed) increased requirements of the ISO 27799. The purpose of this research is therefore to conduct a comprehensive comparison of the ISO 27002 and ISO 27799 standards to determine whether the ISO 27799 serves the specific needs of the health sector from an information security management point of view

    Effective information assurance with risk management

    Today's businesses base their operation on their IT infrastructure, which consequently demands that it should be protected accordingly. Nevertheless, surveys tend to indicate that the number of IT security incidents is increasing, resulting in significant losses for the organisations concerned. Leading in poor security practices, and therefore frequent victims of related security incidents, are Small and Medium Enterprises (SMEs). Even though there are a number of solutions, ranging from baseline guidelines to a detailed Risk Assessment (which can be followed to guide organisations through systematically selecting appropriate controls and practices to properly secure their networked assets), evidence suggests that these are not being employed by SMEs. Constraints such as lack of budget, security personnel and awareness are amongst the factors that are deterring SMEs from adopting such solutions, and therefore contributing to their continued problem with security incidents. This thesis specifically targets the problem of security risk assessment within SME environments. Following an examination of the aforementioned constraints, the investigation considers the existing solutions, establishing the reasons that they are not appropriate for SME users. The research identifies that SMEs are in need of a solution that represents a progression of current guidelines, but without being as complicated as existing forms of Risk Analysis. Therefore a new methodology is designed, known as PRAM (Profile-based Risk Analysis and Management), which enables SMEs to analyse and manage their risks in a way that is simple to use and understand, as well as providing economic considerations on threats, their likelihood, effect and the spending required to reduce them to an acceptable level. The methodology is then implemented within a working prototype, which is evaluated using a series of test scenarios. 
These scenarios are also used as the basis for evaluating existing SME-oriented Risk Analysis solutions, and the findings determine that the PRAM approach is able to deliver a more comprehensive solution. In addition, an evaluation of the PRAM prototype by a series of end-users suggests that it also succeeds in providing a more user-friendly solution than the current alternatives. Overall, this thesis presents a solution that can be adopted by SMEs lacking in-house security expertise. It can assist them in understanding the threats they are under, while at the same time presenting appropriate information to enable management to evaluate their organisation's current IT security situation and select appropriate countermeasures. A. G. Leventis foundatio

    A code of practice for practitioners in private healthcare: a privacy perspective

    Whereas there are various initiatives to standardize the storage, processing and use of electronic patient information in the South African health sector, the sector is fragmented through the adoption of various approaches on national, provincial and district levels. Divergent IT systems are used in the public and private health sectors (“Recommendations of the Committee on …” 2003). Furthermore, general practitioners in some parts of the country still use paper as a primary means of documentation and storage. Nonetheless, the use of computerized systems is increasing, even in the most remote rural areas. This leads to the exposure of patient information to various threats that are perpetuated through the use of information technology. Irrespective of the level of technology adoption by practitioners in private healthcare practice, the security and privacy of patient information remains of critical importance. The disclosure of patient information whether intentional or not, can have dire consequences for a patient. In general, the requirements pertaining to the privacy of patient information are controlled and enforced through the adoption of legislation by the governing body of a country. Compared with developed nations, South Africa has limited legislation to help enforce privacy in the health sector. Conversely, Australia, New Zealand and Canada have some of the most advanced legislative frameworks when it comes to the privacy of patient information. In this dissertation, the Australian, New Zealand, Canadian and South African health sectors and the legislation they have in place to ensure the privacy of health information, will be investigated. 
Additionally, codes of practice and guidelines on privacy of patient information for GPs, in the afore-mentioned countries, will be investigated to form an idea as to what is needed in creating and formulating a new code of practice for the South African GP, as well as a pragmatic tool (checklist) to check adherence to privacy requirements

    What does security culture look like for small organizations?

    The human component is a significant factor in information security, with a large number of breaches occurring due to unintentional user error. Technical solutions can only protect information so far and thus the human aspect of security has become a major focus for discussion. Therefore, it is important for organisations to create a security conscious culture. However, currently there is no established representation of security culture from which to assess how it can be manoeuvred to improve the overall information security of an organization. This is of particular importance for small organizations who lack the resources in information security and for whom the culture of the organization exerts a strong influence. A review of multiple definitions and descriptions of security culture was made to assess and analyse the drivers and influences that exist for security culture in small organizations. An initial representation of the factors that should drive security culture, together with those that should only influence it, was constructed. At a fundamental level these drivers are related to a formulated response to security issues rather than a reaction to it, and should reflect the responsibility allocated in a secure environment. In contrast, the influences on security culture can be grouped by communities of practice, individual awareness and organizational management. The encapsulation of potential driving and influencing factors couched in information security terms rather than behavioural science terms, will allow security researchers to investigate how a security culture can be fostered to improve information security in small organizations.

    INFORMATION TECHNOLOGY GOVERNANCE (ITG) PRACTICES AND ACCOUNTABILITY OF INFORMATION TECHNOLOGY (IT) PROJECTS – A CASE STUDY IN A MALAYSIAN GOVERNMENT-LINKED COMPANY (GLC)

    This paper analyses and presents a case study on ITG practices in a Government-linked company (GLC) by looking at the ITG process, accountability and the desirable behaviours of IT at the project level of the organization. The study reveals a number of important findings in the context of ITG implementation at the project level. As far as ITG documentation is concerned, there are numerous standards currently available of which many are continuously undergoing further development by IT professionals. Nonetheless, there is still no one correct way of governing IT in an organization, more specifically, in IT project management. In addition, there is not much known concerning the ITG outcome of ITG practices in Malaysian organizations. Thus, this paper shares the level of readiness and awareness of ITG practices, for this particular case, when it comes to implementing IT projects