A comparative review of information security risk assessment methodologies for health care.

Hazelhoff Roelfzema, Nicole (2011) A comparative review of information security risk assessment methodologies for health care. In: IADIS e-Society, 2011 March, Avilla, Spain. (Unpublished)

Full text not available from this repository.

Abstract/Description

Health care organizations face major compliance challenges because they must secure patient information. An important compliance requirement is the performance of regular risk assessments and the implementation of controls to secure data. In theory, any state-of-the-art risk assessment technique could be employed to support the prevention and management of potential information risks. Health care environments are, however, quite different from other automated environments, and different sectors do not experience the same kinds of information security attacks. Where security issues have been researched in health care, there is a strong emphasis on the development of technological measures for data protection, but the 'human' or professional side of ensuring data security is equally important in everyday practice. In this paper, seven risk assessment methodologies are compared within a framework of specific health care requirements. It is concluded that comparative frameworks could be improved to better support the selection of a suitable risk assessment approach. Furthermore, the available methods show several weaknesses in their ability to quantify risks or to include human risk factors. The representation of threat events and their interactions is often oversimplified, and data aggregation is not possible, which prevents regulators from gaining insight into trends and high-level security threats. An integration of existing techniques is proposed to facilitate reliable and repeatable risk assessments that contribute to compliance with governance codes and to cost savings, by enabling informed, sector-wide decisions on investment in new systems and security controls.

Item Type: Conference or Workshop Item (Paper)
Uncontrolled Keywords: Risk assessment; information security; health care; governance;
University Divisions/Research Centres: Edinburgh Napier University, Institute for Informatics and Digital Innovation
Dewey Decimal Subjects: 000 Computer science, information & general works > 000 Computer science, knowledge & systems > 005 Computer programming, programs & data > 005.8 Data security
Library of Congress Subjects: Q Science > QA Mathematics > QA75 Electronic computers. Computer science
Item ID: 4183
Depositing User: Computing Research
Date Deposited: 21 Mar 2011 16:04
Last Modified: 21 Mar 2011 16:04
URI: http://researchrepository.napier.ac.uk/id/eprint/4183