A Tree Model for Identification of Threats as the First Stage of Risk Assessment in HIS

Abstract

Security remains a critical issue in the safe operation of Information Systems (IS). Identifying the threats to IS may lead to an effective method for measuring security as the initial stage of risk management. Despite many attempts to classify threats to IS, new threats to Health Information Systems (HIS) remain a continual concern for system developers. The main aim of this paper is to present a research agenda of threats to HIS. A cohesive and comprehensive study on the identification of possible threats to HIS was conducted. This study reveals more than 70 threats to HIS, which are classified into 30 common criteria. The abstraction was carried out using secondary data from various research databases. This work-in-progress study will proceed to the next stage, ranking the security threats for assessing risk in HIS. This classification of threats may provide some insights to both researchers and professionals who are interested in conducting research in risk management of HIS security.

Citation:

A. Bakhtiyari Shahri and Z. Ismail, "A Tree Model for Identification of Threats as the First Stage of Risk Assessment in HIS," Journal of Information Security, Vol. 3 No. 2, 2012, pp. 169-176. doi: 10.4236/jis.2012.32020.

1. Introduction

As the European Union has acknowledged, “innovation is important in today’s society, but it should not go at the expense of people’s fundamental right to privacy” [1]. An effective information security program includes a combination of human and technological controls to prevent loss of data, accidental or deliberate unauthorized activity, and illegal access to data [2].

The use of information and communication technology (ICT) in healthcare has created the electronic health environment, and electronic health information is the core of an electronic health system that is managed by ICTs [3]. In addition, because healthcare information technology has the potential to improve the quality and efficiency of care, and can also reduce medical costs and save lives, it is currently one of the important factors for major innovation and is used widely around the world [4]. Therefore, an E-health system will succeed if it guarantees the privacy and security of patients [5].

In recent years the number of threats in the health information systems (HIS) area has increased dramatically, and the lack of adequate security measures has resulted in numerous data breaches, leaving patients vulnerable to economic threats, mental anguish and possibly social stigma [6]. For example, between 2006 and 2007, data breaches in hospitals alone exposed more than 1.5 million names [7]. In addition, the results of the 2010 Healthcare Information and Management Systems Society Security Survey suggest that reports from more than 110 healthcare organizations have shown losses of sensitive Protected Health Information or Personal Identifying Information affecting over 5,306,000 individuals since January 2008. These were reported as theft (stolen laptops, computers, or media), loss or negligence by employees or third parties, malicious insiders, system hacks, web exposure, and virus attacks [8]. So, storing information in electronic format increases concerns about the security and privacy of patients [9]. Another study has shown that accidental events and deliberate actions are two classes of threat that can severely damage HIS reliability and have negative effects on HIS [10]. However, poor organization of security measures, the lack of an integrated security assessment architecture and framework, and low awareness of risk analysis practices also need particular attention. In developed countries, standard frameworks are in place, for example the use of ISO/IEC 27002 (ISO 27799:2008) or the Health Insurance Portability and Accountability Act (HIPAA) in the healthcare environment to protect computerized information assets [11].

By understanding the threats to health information security, an organization can better protect its information assets and strengthen the level of protection of information in its health information system. Therefore, the management of E-Health information needs to identify the threats in order to build an effective framework that comprehensively incorporates confidentiality, integrity and availability as the core principles of information security. This raises major challenges that require new, exhaustive approaches, such as a wide variety of policies and of ethical, psychological, informational and security procedures [5,12]. Hence, the objective of this paper is to provide an up-to-date categorization of threats to healthcare assets.

2. Review and Role of Identification of Threats in Information Security Risk Management

Risk assessment requires an understanding of the threat sources, the threat actions, and how those sources can exploit a vulnerability in a health information asset [4]. Although identifying threats to information systems is a crucial stage in risk management [13], and discussion of privacy and security [12] has long been a major subject in the social science and business press, the academic literature has been criticised for lacking a systematic investigation to identify and categorize the various sources of threats to information security and privacy [6].
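To make the identification stage concrete, the following is an added example (not the paper's model or its data) of a small threat tree in Python that follows the chain described above, asset, threat source, threat action, exploited vulnerability, and flattens it into the list of identified threats that a later ranking stage would score. The asset, node names, CIA tags and helper functions are all constructed for illustration.

```python
from collections import Counter
from dataclasses import dataclass, field

@dataclass
class Node:
    name: str
    kind: str                       # "asset", "source", "action" or "vulnerability"
    goals: frozenset = frozenset()  # goals a leaf threatens: subset of {"C", "I", "A"}
    children: list = field(default_factory=list)

def leaf(name, goals):
    return Node(name, "vulnerability", frozenset(goals))

def build_tree():
    """Constructed sample tree for one HIS asset (illustrative, not the paper's data)."""
    return Node("Electronic health record", "asset", children=[
        Node("Malicious insider", "source", children=[
            Node("Unauthorized record access", "action", children=[
                leaf("Shared clinician accounts", "C"), leaf("No access-log review", "C")]),
            Node("Record tampering", "action", children=[
                leaf("Missing change audit trail", "I")])]),
        Node("External attacker", "source", children=[
            Node("Malware infection", "action", children=[
                leaf("Unpatched workstation", "CIA")])]),
        Node("Accidental event", "source", children=[
            Node("Lost laptop", "action", children=[leaf("Unencrypted disk", "C")]),
            Node("Power failure", "action", children=[leaf("No backup supply", "A")])])])

def enumerate_threats(node, path=()):
    """Depth-first walk: every root-to-leaf path is one identified threat."""
    path = path + (node,)
    if not node.children:
        yield path
    for child in node.children:
        yield from enumerate_threats(child, path)

def threat_table(root):
    """Flatten the tree into rows, the input a later ranking stage would score."""
    return [{**{n.kind: n.name for n in path}, "goals": set(path[-1].goals)}
            for path in enumerate_threats(root)]

def count_by(rows, key):
    """Number of identified threats per value of one column, e.g. per source."""
    return Counter(row[key] for row in rows)

def count_by_goal(rows):
    """Number of threats that harm confidentiality, integrity or availability."""
    return Counter(goal for row in rows for goal in row["goals"])
```

Running `threat_table(build_tree())` on the constructed tree yields six threats; the two counters show which sources and which security goals dominate before any ranking is applied.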

Figure 1 shows a conceptual framework for implementing information security in HIS. The figure was adopted from the work of Z. Ismail, et al. [14] and A. Yasinsac, et al. [15], and further adapted to include the inputs, outputs and process of some steps. Based on ISO/IEC 27002 [16], risk assessment is a critical strategy and identification

Conflicts of Interest

The authors declare no conflicts of interest.

References

[1] National Science Foundation, “Changing the Conduct of Science in the Information Age,” 2011.
[2] H. Jahankhani, et al., “Security Risk Management Strategy: Handbook of Electronic Security and Digital Forensics,” World Scientific, New Jersey, London and Singapore, 2009, p. 237.
[3] K. M. Albert, “Integrating Knowledge-Based Resources into the Electronic Health Record: History, Current Status, and Role of Librarians,” Medical Reference Services Quarterly, Vol. 26, No. 3, 2007, pp. 1-19. doi:10.1300/J115v26n03_01
[4] J. P. Landry, et al., “A Threat Tree for Health Information Security and Privacy,” Proceedings of the 17th American Conference on Information Systems, Detroit, 4-8 August 2011.
[5] C. A. Shoniregun, et al., “Introduction to e-Healthcare Information Security,” Electronic Healthcare Information Security, Vol. 53, 2010, pp. 1-27. doi:10.1007/978-0-387-84919-5_1
[6] A. Appari and M. E. Johnson, “Information Security and Privacy in Healthcare: Current State of Research,” International Journal of Internet and Enterprise Management, Vol. 6, No. 4, 2010, pp. 279-314. doi:10.1504/IJIEM.2010.035624
[7] HIMSS, “Kroll-HIMSS Analytics 2010 Report on Security of Patient Data,” 2008.
[8] HIMSS, “Kroll-HIMSS Analytics 2010 Report on Security of Patient Data,” 2010.
[9] G. N. Samy, et al., “Threats to Health Information Security,” Proceedings of the 5th International Conference on Information Assurance and Security of the IEEE IAS, Xi’an, 8-20 August 2009, pp. 540-543. doi:10.1109/IAS.2009.312
[10] S. Kahn and V. Sheshadri, “Medical Record Privacy and Security in a Digital Environment,” IT Professional, Vol. 10, No. 2, 2008, pp. 46-52. doi:10.1109/MITP.2008.34
[11] G. N. Samy, et al., “Security Threats Categories in Healthcare Information Systems,” Health Informatics Journal, Vol. 16, No. 3, 2010, pp. 201-209. doi:10.1177/1460458210377468
[12] S. Samsuri, et al., “User-Centered Evaluation of Privacy Models for Protecting Personal Medical Information,” Informatics Engineering and Information Science, Vol. 251, 2010, pp. 301-309. doi:10.1007/978-3-642-25327-0_26
[13] A. Ekelhart, et al., “AURUM: A Framework for Information Security Risk Management,” Proceedings of the 42nd Hawaii International Conference on System Sciences, Hawaii, 5-8 January 2009, pp. 1-10. doi:10.1109/HICSS.2009.595
[14] Z. Ismail, et al., “Framework to Manage Information Security for Malaysian Academic Environment,” Information Assurance & Cybersecurity, Vol. 2010, 2010, 16 p. doi:10.5171/2010.305412
[15] A. Yasinsac and J. H. Pardue, “A Process for Assessing Voting System Risk Using Threat Trees,” Journal of Information Systems Applied Research, Vol. 4, No. 1, 2010, pp. 4-16.
[16] R. Gomes and L. V. Lapão, “The Adoption of IT Security Standards in a Healthcare Environment,” Studies in Health Technology and Informatics, Vol. 136, 2008, pp. 765-770.
[17] M. Sumner, “Information Security Threats: A Comparative Analysis of Impact, Probability, and Preparedness,” Information Systems Management, Vol. 26, No. 1, 2009, pp. 2-12. doi:10.1080/10580530802384639
[18] W. H. Maisel and T. Kohno, “Improving the Security and Privacy of Implantable Medical Devices,” New England Journal of Medicine, Vol. 362, 2010, pp. 1164-1166. doi:10.1056/NEJMp1000745
[19] D. Kotz, “A Threat Taxonomy for mHealth Privacy,” Proceedings of the 3rd International Conference on Communication Systems and Networks of the IEEE COMSNETS, Bangalore, 4-8 January 2011, pp. 1-6. doi:10.1109/COMSNETS.2011.5716518
[20] J. H. Pardue and P. Patidar, “Threats to Healthcare Data: A Threat Tree for Risk Assessment,” Issues in Information Systems, 5-8 October 2011.
[21] R. Power, “CSI/FBI Computer Crime and Security Survey,” Computer Security Institute, CSI & FBI, 2002.
[22] T. C. Rindfleisch, “Privacy, Information Technology, and Health Care,” Communications of the ACM, Vol. 40, No. 8, 1997, pp. 92-100. doi:10.1145/257874.257896
[23] G. Stoneburner, et al., “Risk Management Guide for Information Technology Systems,” National Institute of Standards and Technology, 2002.
[24] M. E. Whitman, “Enemy at the Gate: Threats to Information Security,” Communications of the ACM, Vol. 46, No. 8, 2003, pp. 91-95. doi:10.1145/859670.859675
[25] M. E. Whitman, “In Defense of the Realm: Understanding the Threats to Information Security,” International Journal of Information Management, Vol. 24, No. 1, 2004, pp. 43-57. doi:10.1016/j.ijinfomgt.2003.12.003
[26] M. E. Whitman and H. J. Mattord, “The Enemy Is still at the Gates: Threats to Information Security Revisited,” Proceedings of the 2010 Information Security Curriculum Development Conference, Kennesaw, 1-3 October 2010, pp. 95-96. doi:10.1145/1940941.1940963
[27] M. E. Whitman and H. J. Mattord, “Principles of Information Security,” Course Technology Ptr, Boston, 2011.
[28] R. Richardson, “CSI Computer Crime and Security Survey,” Computer Security Institute, 2008, pp. 1-30.
[29] G. N. Samy, et al., “Health Information Security Guidelines for Healthcare Information Systems,” Zurich, 8-9 September 2011, p. 10.

Copyright © 2024 by authors and Scientific Research Publishing Inc.

Creative Commons License

This work and the related PDF file are licensed under a Creative Commons Attribution 4.0 International License.