A Tree Model for Identification of Threats as the First Stage of Risk Assessment in HIS


Security remains a critical issue in the safe operation of Information Systems (IS). Identifying the threats to an IS is the initial stage of risk management and a prerequisite for measuring its security. Despite many attempts to classify threats to IS, new threats to Health Information Systems (HIS) remain a continual concern for system developers. The main aim of this paper is to present a research agenda on threats to HIS. A comprehensive study on the identification of possible threats to HIS was conducted, drawing on secondary data from various research databases. This study reveals more than 70 threats to HIS, which are classified into 30 common criteria and organised in a tree model. This work-in-progress study will proceed to the next stage of ranking the security threats for assessing risk in HIS. This classification of threats may provide insights to both researchers and professionals who are interested in research on risk management of HIS security.
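The tree model the abstract describes, in which individual threats are leaves grouped under broader categories and tagged with a classification criterion, can be made concrete as a small data structure. The example below is added here and is not the authors' code; the threat names, the human/non-human split, the criteria and the 1-to-5 likelihood and impact scores are constructed for illustration only (the paper's own tree has more than 70 threats under 30 criteria, none of which are reproduced here), and the likelihood × impact product used for the ranking stage is a common textbook scoring rule assumed for the demonstration, not the paper's method.

```python
"""Constructed threat-tree example for HIS threat identification and ranking.

Not the paper's data: threats, criteria and scores are illustrative only.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, Iterator, List, Optional, Tuple


@dataclass
class ThreatNode:
    """A node in the threat tree. Interior nodes are categories; leaves are threats."""
    name: str
    criterion: Optional[str] = None    # classification criterion, leaves only
    likelihood: Optional[int] = None   # 1 (rare) .. 5 (frequent), leaves only, constructed
    impact: Optional[int] = None       # 1 (negligible) .. 5 (severe), leaves only, constructed
    children: List["ThreatNode"] = field(default_factory=list)

    def add(self, child: "ThreatNode") -> "ThreatNode":
        self.children.append(child)
        return child

    def is_leaf(self) -> bool:
        return not self.children


def leaves(node: ThreatNode) -> Iterator[ThreatNode]:
    """Depth-first walk yielding every leaf threat under `node`."""
    if node.is_leaf():
        yield node
    for child in node.children:
        yield from leaves(child)


def group_by_criterion(root: ThreatNode) -> Dict[str, List[str]]:
    """Classification step: map each criterion to the threats tagged with it."""
    groups: Dict[str, List[str]] = defaultdict(list)
    for leaf in leaves(root):
        groups[leaf.criterion or "unclassified"].append(leaf.name)
    return dict(groups)


def risk_score(leaf: ThreatNode) -> int:
    """Assumed scoring rule for the ranking stage: likelihood x impact."""
    if leaf.likelihood is None or leaf.impact is None:
        raise ValueError(f"leaf {leaf.name!r} is missing likelihood or impact")
    return leaf.likelihood * leaf.impact


def subtree_risk(node: ThreatNode) -> int:
    """Propagate risk upward: any child threat suffices (OR semantics), so a
    category carries the maximum risk of its children."""
    if node.is_leaf():
        return risk_score(node)
    return max(subtree_risk(child) for child in node.children)


def rank_threats(root: ThreatNode) -> List[Tuple[str, int]]:
    """Ranking step: leaf threats ordered by descending score, then by name."""
    scored = [(leaf.name, risk_score(leaf)) for leaf in leaves(root)]
    return sorted(scored, key=lambda item: (-item[1], item[0]))


def build_sample_tree() -> ThreatNode:
    """Constructed sample tree; the human/non-human split is a common
    top-level division, chosen here for illustration."""
    root = ThreatNode("Threats to HIS")
    human = root.add(ThreatNode("Human"))
    internal = human.add(ThreatNode("Internal"))
    internal.add(ThreatNode("Staff browsing records without need-to-know",
                            "unauthorised access", 4, 4))
    internal.add(ThreatNode("Accidental deletion of patient data",
                            "human error", 3, 3))
    external = human.add(ThreatNode("External"))
    external.add(ThreatNode("Malware infection of workstations",
                            "malicious code", 4, 5))
    external.add(ThreatNode("Theft of laptop holding records", "theft", 3, 4))
    non_human = root.add(ThreatNode("Non-human"))
    non_human.add(ThreatNode("Power failure", "infrastructure failure", 2, 3))
    non_human.add(ThreatNode("Flood in server room", "natural disaster", 1, 5))
    return root


if __name__ == "__main__":
    tree = build_sample_tree()
    for criterion, names in group_by_criterion(tree).items():
        print(f"{criterion}: {', '.join(names)}")
    for name, score in rank_threats(tree):
        print(f"{score:2d}  {name}")
    print("overall subtree risk:", subtree_risk(tree))
```

The OR-style propagation in `subtree_risk` is the usual reading of a threat tree (any one leaf being realised is enough for the category to apply); a tree whose interior nodes require several leaves together would need AND semantics and a different aggregate, which this example does not model.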

Share and Cite:

A. Bakhtiyari Shahri and Z. Ismail, "A Tree Model for Identification of Threats as the First Stage of Risk Assessment in HIS," Journal of Information Security, Vol. 3 No. 2, 2012, pp. 169-176. doi: 10.4236/jis.2012.32020.

Conflicts of Interest

The authors declare no conflicts of interest.



Copyright © 2023 by authors and Scientific Research Publishing Inc.

Creative Commons License

This work and the related PDF file are licensed under a Creative Commons Attribution 4.0 International License.