2014 IEEE 27th International Symposium on Computer-Based Medical Systems
Improving the Information Security Management: An Industrial Study in the Privacy of Electronic Patient Records
Ying He∗, Chris Johnson∗, Yu Lu∗ and Yixia Lin†
∗ School of Computing Science, University of Glasgow, Glasgow, UK
[email protected], [email protected], [email protected]
† Premium Technology Inc., the United States
[email protected]
Abstract—Adverse incidents in the privacy of patients' medical records can have multiple negative impacts. Effective mechanisms are needed to communicate the lessons from such incidents into the Information Security Management System (ISMS) so as to prevent similar incidents. The Generic Security Template (G.S.T.) has been developed to enhance the current mechanism and has demonstrated significant benefits in communicating the lessons compared to the more conventional use of text-based incident reports. This paper extends that work to evaluate the G.S.T. in healthcare. A case study with healthcare professionals working in a Chinese healthcare organization shows that the G.S.T. can enhance the current mechanism for communicating the lessons into the ISMS.
I. INTRODUCTION
Security incidents have affected healthcare organizations across the world. A Symantec report shows that the healthcare industry accounted for 36% of the total security incident breaches in 2013 and was responsible for the largest percentage of disclosed data breaches [1]. Organizations need to learn from those incidents and prevent them from recurring. The Generic Security Template (G.S.T.) [2] has been developed to enhance the existing techniques used to share lessons from security incidents. In particular, it captures the lessons learned from security incidents using a graphical notation, the Goal Structuring Notation (GSN) [3]. An initial study into the use of the G.S.T. showed significant benefits from the use of a graphical technique in communicating the learning from a security incident when compared to the more conventional use of text-based incident reports, and that work yielded important insights into the difficulties that engineers face when trying to understand the implications that previous security incident reports have for their own organizations. This paper extends that work to the healthcare industry in order to obtain an in-depth understanding of its context and of the feasibility of the G.S.T.
II. STUDY DESIGN
An internship with a Chinese healthcare organization was undertaken from October 2013 through February 2014. It is a tertiary-level hospital in China and has the highest level of maturity in terms of its healthcare information system (HIS). The internship provided the opportunity to obtain more knowledge of information security management in healthcare organizations in China, and the organization's support enabled us to evaluate the G.S.T. in an industrial setting.
A. Study Objectives
This study aims to find out the general views of the potential users of the G.S.T., i.e. the stakeholders who are responsible for protecting patient data. Within this study we were able to reach both healthcare professionals and IT professionals in a healthcare organization in China. The study objectives are outlined below:
● Study the current information security management in the host healthcare organization.
● Study the current mechanisms for feeding back the lessons learned from security incidents into the ISMS in the host healthcare organization.
● Identify the scenarios where the G.S.T. can be used to improve the existing mechanisms for feeding back the lessons learned into the ISMS.
B. The Study Process
As research involving human participants, this study adhered to the BPS ethical guidelines and was approved by the FIMS ethics committee of the University of Glasgow (ref: CSE01243). The participants were first invited to fill in a background questionnaire, which collected their demographic information including job position, gender, educational background, years of working experience and experience with security incident handling. We then conducted semi-structured interviews. The objectives of the study were transformed into the interview questions. After the study, a summary based on the transcribed interview was sent to the informants for confirmation and acceptance, to validate that the information was accurate and complete. All interviews were conducted during normal working hours and recorded in notes; audio recording was not permitted due to the sensitive nature of the study. For data analysis, the findings were grouped according to the research objectives. Sub-categories were identified using grounded theory and content analysis. The data was further cross-referenced with the collected documents for triangulation [4].
III. PRELIMINARY RESULTS
A. Result Analysis - Background Questionnaire
The healthcare professionals participating in this study include four doctors (male) and six nurses (female). Five IT professionals participated in this study; four of them are IT engineers and one is an IT manager. Their educational background ranges from honours bachelor's degrees to master's degrees. All of the IT engineers have experience with security incident handling. Among the healthcare professionals, two nurses and one doctor have been involved in the security incident handling process, and the rest of them have no such experience.
B. Information Security Management
The participants were asked to describe the general security management in terms of management support, security culture, security awareness, compliance with security standards, and security effectiveness. The information collected gives a general understanding of the current information security management within the host organization. The results show that the organization has had a culture of protecting information security since it started using the HIS. Security management is important to the managers, and they are willing to improve their current situation through initiatives such as the recently launched Security Strengthening Program (SSP). However, it is not a priority compared to the systems' business functions. As stated by one of the IT professionals, "The management focuses more on the business function of the healthcare information systems, compared to security". The healthcare professionals have a basic understanding of information security. According to the IT team, they have established security controls according to the security standards, and the staff found them to be effective. However, since they rarely conduct risk analysis, this might leave the system exposed to future attacks.
C. Security Incident Learning
The results show that they have a relatively mature incident handling procedure, including the definition of different severity levels and incident response teams. Learning from security incidents can improve employee awareness and improve policy management; however, it does not effectively inform the improvement of the ISMS. As stated by one of the IT professionals, "the real causes might be in the security procedure itself, that a procedure makes people to cause error". The aim of post-incident analysis is to get at the in-depth causes, which are often a security management issue (e.g. not having a policy for configuring firewalls) rather than a technical problem (e.g. firewalls not properly configured) [5]. There are some further weaknesses: (1) Throughout the incident handling process, for low-level incidents they lack a formal way to generate knowledge. They mainly focus on solving issues to recover the system. There is little in-depth analysis of the causal factors that may point to a procedural issue rather than a technical concern. (2) For high-severity issues, they document the business impact, remedial recommendations, etc. However, the post-incident reports are for administration only and do not consider improvements to security procedures. Moreover, knowledge in the form of a post-incident report is usually presented as a lengthy free-text report. Previous studies have argued that text alone does not facilitate the communication of security lessons [2].
D. Attitude Towards the G.S.T.
The participants were presented with a G.S.T. and were invited to comment on whether the G.S.T. has the potential to enhance the existing mechanisms for feeding back the lessons learned into the ISMS, compared to the existing methods.
The results show that they believe the G.S.T. provides an effective and unified way to communicate lessons learned. An IT professional stated "this will be especially helpful to discuss security issues; easier to navigate between different notations" and that it is "easier to demonstrate the security incident in weekly meeting, it summarizes the security incidents". A healthcare professional stated, "previously, different IT professional presents security incident using different ways of their own, but I like this structured way, that makes everything easy to follow". The participants consider the G.S.T. to be an effective way to inform the implementation of the security standards. An IT professional stated "It can let us know how well we have implemented the security standards and which part needs to be improved". Weaknesses of the G.S.T. were also found. The participants complained about the scalability of the graphical diagram, the comprehension of some specific technical terms such as "access control", and the reasoning behind the relationships between the lessons learned and the security requirements of the security standards.
Opinions about the use of the G.S.T. were gathered based on those findings. The supporters of the G.S.T. helped identify the scenarios where it can be applied, including (1) communicating security incidents in department meetings and (2) informing the implementation of the security standards.
IV. CONCLUSIONS AND CONTRIBUTIONS
A case study with a representative healthcare organization in China shows that the organization has had a culture of protecting information security since it started using the HIS. The managers support security management and have tried to improve their current situation through some initiatives. The healthcare professionals have a basic understanding of information security. The host organization has a relatively mature incident handling procedure; however, the lessons from incidents were not effectively informing the improvement of the ISMS. Strengths and weaknesses of the G.S.T. have been identified, as well as the scenarios in which to apply the G.S.T. This study provided important insights into the application of our approach and gives directions for future work on more direct evidence about whether or not security lessons can be communicated into information security management systems.
REFERENCES
[1] Symantec, Internet security threat report 2013, Vol. 18, 2013.
[2] Y. He, C. W. Johnson, Generic security cases for information system security in healthcare systems, in: Proceedings of the 7th IET International Conference on System Safety, IET, 2012.
[3] T. P. Kelly, Arguing safety - a systematic approach to safety case management, Ph.D. thesis, Department of Computer Science, University of York (1998).
[4] B. J. Oates, Researching information systems and computing, SAGE Publications, 2005.
[5] A. Ahmad, J. Hadgkiss, A. B. Ruighaver, Incident response teams challenges in supporting the organisational security function, Computers & Security 31 (5) (2012) 643–652.
1063-7125/14 $31.00 © 2014 IEEE DOI 10.1109/CBMS.2014.121