1991, Computers & Security
In this paper, initial results of an attitude survey on the security of medical information systems in Greece are reported. Greece for the moment lacks a generic data protection act; therefore a systematic approach to introducing secure information systems in public health establishments requires the determination of the security needs of the medical community. The survey was conducted using a properly designed questionnaire. This questionnaire addressed issues relevant to the extent of information technology currently in use, the need for information security, classification of used information with a view towards adopting methods, techniques and legislation providing sufficient security guarantees, etc. The questionnaire was addressed to a sufficient number of employees of organized health care establishments, so that the results would be worthwhile and reliable.
To date, many efforts have been made to classify information security threats, especially in the healthcare area. However, there are still many unknown risks which may threaten the security of health information and their resources, especially in the hospitals.
Security and Communication Networks, 2008
Managing patient care records has become an increasingly complex issue with the widespread use of advanced technologies. The vast amount of information for every routine care procedure must be securely processed within different databases. Clinical information systems (CIS) address the need for a computerized approach in managing personal health information. Hospitals and public or private health insurance organizations are continuously upgrading their database and data management systems to more sophisticated architectures. The possible support of today's large patient archives and the flexibility of a CIS in providing up-to-date patient information and worldwide doctors' collaboration, has leveraged research on CIS in both the academic and the government domains. At the same time, it has become apparent that patients require more control over their clinical data, these being either the results of clinical examinations or medical histories. Due to the large amount of information that can be found on the Internet and the free access to medical practitioners and hospitals worldwide, patients may choose to communicate their information so as to obtain several expert opinions regarding their conditions. Given the sensitive nature of the information stored and inevitably in transit, security has become an issue of utmost necessity. Numerous EU and US research projects have been launched to address security in CIS (e.g., EUROMED, ISHTAR, and RESHEN), whereas regulatory compliance to acts such as the HIPAA has become an obligation for centers moving to CIS.
Acta Informatica Medica, 2016
Introduction: A hospital information system has potentials to improve the accessibility of clinical information and the quality of health care. However, the use of this system has resulted in new challenges, such as concerns over health information security. This paper aims to assess the status of information security in terms of administrative, technical and physical safeguards in the university hospitals. Methods: This was a survey study in which the participants were information technology (IT) managers (n=36) who worked in the hospitals affiliated to the top ranked medical universities (university A and university B). Data were collected using a questionnaire. The content validity of the questionnaire was examined by the experts and the reliability of the questionnaire was determined using Cronbach's coefficient alpha (α=0.75). Results: The results showed that the administrative safeguards were arranged at a medium level. In terms of the technical safeguards and the physical safeguards, the IT managers rated them at a strong level. Conclusion: According to the results, among three types of security safeguards, the administrative safeguards were assessed at the medium level. To improve it, developing security policies, implementing access control models and training users are recommended.
International journal of reliable and quality e-healthcare, 2016
Information is mandatory in healthcare activities and in all that are related to it. In this same sense, people who deal with that information require attention because patients' information could be exposed. The use of directions stated by information security standards might allow a proactive attitude in the face of the diversity of threats that have the potential to explore the vulnerabilities of organizational assets. This article intends to recognize information threats and vulnerabilities that could be explored, using information security international standards to support the activities needed to assume information safeguard. Another intention is the establishment of a basis of references in information security to define a level of risk classification to build a referential to the potential that a given threat has to exploit the vulnerabilities of informational assets, preventing damages to personal and organizational property, and also activity continuity, assuming information as the main resource.
Proceedings of the 1st International Conference on Informatics, Engineering, Science and Technology, INCITEST 2019, 18 July 2019, Bandung, Indonesia, 2019
The purpose of this study was to identify technological developments in information security systems in hospitals. The method used in this study was a review method with techniques for reviewing and analyzing several papers related to the topic of discussion about the safety of hospital information systems. The results of the study are that the highest threat to the security of hospital information systems is the threat of hackers. The development of technology makes it easy for people, especially in business. In general, this research is in accordance with the expected objectives, namely, to know the security of the health information system network.
2012
Germany is currently introducing a nation-wide health information infrastructure. This infrastructure connects existing information systems of various service providers and health insurances via a common network. An essential step towards the implementation of this system will be the introduction of an electronic health care smart card (eHC) for patients and a counterpart health professional card (HPC) for care providers. This article provides a risk analysis on the handling of these cards by both patients and physicians from an organizational point of view. On the basis of the information security audit methodology of the Federal Office for Information Security (BSI), the current security status of German healthcare telematics on the clinical side is evaluated. For this purpose, an appropriate framework specifically designed for the clinical area is first developed and explained in detail. Based on these perceptions it is possible to precisely check the workflows “patient admission”, “accessing emergency data” and “prescription of medicine” for inherent organizational threats. As a result, we proposed appropriate steps to mitigate potential risks and derived valuable hints for future process re-engineering by the introduction of the new smart cards in hospitals.
Today's spread of sciences and emergence of modern technologies necessitates information exchange. As a result, security of information systems should be considered more seriously. The purpose of the present study is to determine the effect of information systems in organizational information system. Accessibility, privacy, authentication, undeniability, and comprehensiveness are the five effective dimensions of information security that have been analyzed using a researcher-made questionnaire and were analyzed in a statistical population of 165 personnel of medical organization of Shahrekord and sample of 115 people using a simple randomization method. The validity of the questionnaire was analyzed by face validity and the reliability was analyzed by internal consistency (=0.92). The data were analyzed using SPSS 19 and the results showed that information systems influence all dimensions of information security i.e. accessibility, privacy, comprehensiveness, undeniability and authentication more than average and in general the role of information systems in information security of medical organization of Shahrekord is more than average.
Proceedings of the 24th International Bled eConference (Bled 2011), 2011
The following study provides a risk analysis of the forthcoming nationwide healthcare information system in Germany. Based on the information security audit methodology of the Federal Office for Information Security (BSI), we evaluated the introduction of the new system in hospitals with respect to security. Conceptually, the study focuses explicitly on an organizational level; specifically the use of healthcare telematics components such as electronic health card and health professional card. A dual approach of both security process and risk analysis thereby established an adequate level of information security. For this purpose, an appropriate framework specifically designed for the clinical area is first developed and explained in detail. Based on these perceptions it is possible to precisely check the workflows “patient admission” and “prescription of medicine” for inherent organizational threats. The aim of this paper is to propose appropriate steps to mitigate potential risks before German healthcare telematics comes into use.
Risk Management and Healthcare Policy, 2016
Background: In recent years, hospitals in Iran-similar to those in other countries-have experienced growing use of computerized health information systems (CHISs), which play a significant role in the operations of hospitals. But, the major challenge of CHIS use is information security. This study attempts to evaluate CHIS information security risk management at hospitals of Iran. Materials and methods: This applied study is a descriptive and cross-sectional research that has been conducted in 2015. The data were collected from 551 hospitals of Iran. Based on literature review, experts' opinion, and observations at five hospitals, our intensive questionnaire was designed to assess security risk management for CHISs at the concerned hospitals, which was then sent to all hospitals in Iran by the Ministry of Health. Results: Sixty-nine percent of the studied hospitals pursue information security policies and procedures in conformity with Iran Hospitals Accreditation Standards. At some hospitals, risk identification, risk evaluation, and risk estimation, as well as risk treatment, are unstructured without any specified approach or methodology. There is no significant structured approach to risk management at the studied hospitals. Conclusion: Information security risk management is not followed by Iran's hospitals and their information security policies. This problem can cause a large number of challenges for their CHIS security in future. Therefore, Iran's Ministry of Health should develop practical policies to improve information security risk management in the hospitals of Iran.
International Journal of Security, Privacy and Trust Management, 2018
All healthcare providers should have enough knowledge and sufficient information to understand the potential risk, which can lead to a breach in the Jordanian health information system (Hakeem program). This study aims to emphasise the importance of sharing sensitive health information among healthcare providers, create laws and regulations to keep the electronic medical records secure, and increase the awareness about health information security among healthcare providers. The study conducted seven interviews with medical staff and an information technology technician. The study results showed that sharing sensitive information in a secure environment, creating laws and regulations, and increasing the awareness about health information security render the electronic medical records of patients more secure and safe.
Information Security Journal: A Global Perspective, 2021
The adoption of digital health technologies has dramatically changed the healthcare sector landscape and thus generates new opportunities to collect, capture, store, access and retrieve electronic personal health information (ePHI). With the introduction of digital health technologies and the digitisation of health data, an increasing number of hospitals and peripheral health facilities across the globe are transitioning from a paper-based environment to an electronic or paper-light environment. However, the growing use of digital health technologies within healthcare facilities has caused ePHI to be exposed to a variety of threats such as cyber security threats, human-related threats, technological threats and environmental threats. These threats have the potential to cause harm to hospital systems and severely compromise the integrity and confidentiality of ePHI. Because of the growing number of security threats, many hospitals, both private and public, are struggling to secure ePHI due to a lack of robust data security plans, systems and security control measures. The purpose of this study was to explore the security of electronic personal health information in a public hospital in South Africa. The study was underpinned by the interpretivism paradigm with qualitative data collected through semi-structured interviews with purposively selected IT technicians, network controllers, administrative clerks and records management clerks, and triangulated with document and system analysis. Audio-recorded interviews were transcribed verbatim. Data was coded and analysed using ATLAS.ti, version 8 software, to generate themes and codes within the data, from which findings were derived. The key results revealed that the public hospital is witnessing a deluge of sophisticated cyber threats such as worm viruses, Trojan horses and shortcut viruses.
This is compounded by technological threats such as power and system failure, network connection failure, obsolete computers and operating systems, and outdated hospital systems. However, defensive security measures such as data encryption, Windows firewall, antivirus software and security audit log system exist in the public hospital for securing and protecting ePHI against threats and breaches. The study recommended the need to implement Intrusion Protection System (IPS), and constantly update the Windows firewall and antivirus program to protect hospital computers and networks against newly released viruses and other malicious codes. In addition to the use of password and username to control access to ePHI in the public hospital, the study recommends that the hospital should put in place authentication mechanisms such as biometric system and Radio Frequency Identification (RFID) system to restrict access to ePHI, as well as to upgrade hospital computers and the Patient Administration and Billing ii (PAAB) System. In the absence of security policy, there is a need for the hospital to put in place a clear written security policy aimed at protecting ePHI. The study concluded that healthcare organisations should upgrade the security of their information systems to protect ePHI stored in databases against unauthorised access, malicious codes and other cyber-attacks.
Journal of Medical Systems, 2010
A growing capacity of information technologies in collection, storage and transmission of information in unprecedented amounts has produced significant problems about the availability of wide limit of the consumers of Electronic Health Records of Patients. With regard to the existence of many approaches to developing Electronic Health Records, the basic question is what kind of Model is suitable for the guarantee of the security of Electronic Health Records? The present study is a descriptive-comparative investigation conducted in Iran in 2007, along with comparisons made Electronic health records information security requirements of Australia, Canada, England and U.S.A with. The research was based on the study of texts such as articles, library's books and journals and reliable websites from 1992 to 2006. Based on the collected data, a primary Model was designed. The Delphi Technique was offered to evaluate the questionnaire and final Model was designed and proposed.
2019
Health Information System is fundamental in provision of dependable information in support of delivery of healthcare services. The adoption of Electronic Health Records (EHR) provides improved patient care and a more efficient practice management. However, the use of EHR raises concerns over protection of patient’s information in terms of security of patient’s information. This study established security control requirements for electronic health records to ensure the Electronic Health Records is secure from any threat that will compromise the safety of patient’s information at the Moi Teaching and Referral Hospital. The investigation embraced an arbitrary testing system to choose an example of 97 out of 133 health records members of staff and questionnaires designed for data collection. The information gathered from the research instrument was coded and examined utilizing Statistical Package for Social Sciences (SPSS) adaptation
Information governance is becoming an important aspect of organisational accountability. In consideration that information is an integral asset of most organisations, the protection of this asset will increasingly rely on organisational capabilities in security. In the medical arena this information is primarily sensitive patient-based information. Previous research has shown that application of security measures is a low priority for primary care medical practice and that awareness of the risks are seriously underestimated. Consequently, information security governance will be a key issue for medical practice in the future. Information security governance is a relatively new term and there is little existing research into how to meet governance requirements. The limited research that exists describes information security governance frameworks at a strategic level. However, since medical practice is already lagging in the implementation of appropriate security, such definition may not be practical although it is obviously desirable. This paper describes an ongoing action research project undertaken in the area of medical information security, and presents a tactical approach model aimed at addressing information security governance and the protection of medical data.
MEDIA ILMU KESEHATAN
Backgrounds: Electronic Medical Records have complete and integrated patient health data, and are up to date because RME combines clinical and genomic data, this poses a great risk to data disclosure. The priority of privacy is data security (security) so that data will not leak to other parties. That way cyber attacks can be suppressed by increasing cybersecurity, namely conducting regular evaluation and testing of security levels. Objectives: To determine the security technique that maintains privacy of electronic medical records. Methods: This type of research uses a literature review method. Results: Data security techniques are determined from each type of health service. Data security techniques that can be applied are cryptographic methods, firewalls, access control, and other security techniques. This method has proven to be a very promising and successful technique for safeguarding the privacy and security of RME. Conclusion: Patient medical records or medical records are very pri...
2013
Healthcare activities and all that are related with it are conducted by people. This single fact has brought up many precautions about patients and about information related with their health. Using information and communication technologies to support this kind of information requires particular attention about what happens, namely about who can use it and for what it can be used. This chapter intends to identify the vulnerabilities that could be explored, using an international security standard to support a proactive attitude in face of potential threats that explore the identified vulnerabilities, damaging organizational information assets. Another intention is the establishment of a basis of references in information security to define a level of risk classification to build a referential to the potential that a given threat has to exploit the vulnerabilities of an asset, preventing damages to personal and organizational property, including information, and also activity continuity.
Health Informatics Journal, 2010
This article attempts to investigate the various types of threats that exist in healthcare information systems (HIS). A study has been carried out in one of the government-supported hospitals in Malaysia. The hospital has been equipped with a Total Hospital Information System (THIS). The data collected were from three different departments, namely the Information Technology Department (ITD), the Medical Record Department (MRD), and the X-Ray Department, using in-depth structured interviews. The study identified 22 types of threats according to major threat categories based on ISO/IEC 27002 (ISO 27799:2008). The results show that the most critical threat for the THIS is power failure followed by acts of human error or failure and other technological factors. This research holds significant value in terms of providing a complete taxonomy of threat categories in HIS and also an important component in the risk analysis stage.
Journal of Health Informatics in Developing Countries, 2015
Information security is a critical issue for hospitals, and users play an active role in their security process. The aim of this study was to evaluate the information security in a hospital from the users’ perspective. In this cross-sectional study 424 hospital staff (medical: 258 / administrative: 166) were included. Face-to-face interviews were used to gather data in answer to a scaled questionnaire regarding information security. Items in the questionnaire were coded by a 5-point Likert scale (ranging from 1 point: strongly disagree to 5 points: strongly agree). After the factor analysis, it was possible to identify five subgroups relating to information security: Access and Authorisation, Security Applications, Service Delivery, Organisational Security and Security Policy. The items in the Service Delivery subgroup were scored lower by the medical staff than the administrative staff (p<0.05). Both the medical and administrative staff educated in HIMS gave higher scores to the...
2008
Security matters have become a vital part of daily life to people and organizations, such as hospitals, needs to ensure that the information is adequately secured. While in Portugal legislature's remains hanging around to corporate and governance laws, more and more businesses are seeking assurance that their hospital providers and partners are properly protecting information assets from security risk. It is imperative to take necessary measures to ensure business continuity. Security management certification provides just such a guarantee, thereby increasing patient and partner confidence. This paper introduces one best practice for implementing four security controls in a hospital datacenter infrastructure (listed by the 11 security domains of ISO/IEC 17799), and describes the security assessment for implementing such controls while the health sector industry is expecting ISO 27799 recently reached has draft stage in development cycle by Technical Committee ISO/TC 215. Its publication is therefore well on track, with a proposed title of 'Health Informatics - Security management in health using ISO/IEC 17799'.
2020
Introduction: The aim of this study is to identify the security status of information on the managerial, technical, and physical dimensions in the information systems of the hospitals affiliated to Isfahan University of Medical Sciences. Methods: This is an applied descriptive study conducted in 2017-2018. The study population consisted of 35 Information Technology Department Managers (ITDM). The instrument for data collection was adopted and adapted from Mehrayin; this questionnaire consisted of three dimensions, namely managerial, technological, and physical, formatted into a Likert scale. The data were collected by ITDM census sampling and then by mean analysis using SPSS version 22. Results: From the viewpoint of ITDM, the information security at the hospital information systems was unsatisfactory, with the mean values of 1.37, 1.28, and 1.218 on managerial, technological, and physical dimensions respectively at the hospital information systems. Conclusion: In order to improve t...