Information security risk management for computerized health information systems in hospitals: a case study of Iran

Zarei, Javad; Sadoughi, Farahnaz

doi:10.2147/rmhp.s99908

Cited by 17 publications

(17 citation statements)

References 23 publications

Supporting

Mentioning

Contrasting

Unclassified

Order By: Relevance

“…Similar vulnerabilities in hospitals are also observed in other countries [13][14][15][16]. Specifically, pressure from the board of directors appears to be essential in creating substantive cyber-resiliency, as research shows that hospital management support is essential for user compliance with information security policies, which in turn are written by healthcare IT security professionals [17,18].…”

Section: Introductionmentioning

confidence: 75%

Cybersecurity in Hospitals: A Systematic, Organizational Perspective (Preprint)

Jalali¹,

Kaiser²

2018

Preprint

View full text Add to dashboard Cite

Background: Cybersecurity incidents are a growing threat to the healthcare industry in general and hospitals in particular. The healthcare industry has lagged behind other industries in protecting its main stakeholder (i.e., patients), and now hospitals must invest considerable capital and effort in protecting their systems. However, this is easier said than done, because hospitals are extraordinarily technology-saturated, complex organizations with high endpoint complexity, internal politics, and regulatory pressures. Objective: The purpose of this study was to develop a systematic and organizational perspective for studying: 1) the dynamics of cybersecurity capability development at hospitals; and 2) how these internal organizational dynamics interact to form a system of hospital cybersecurity in the U.S. Methods: We conducted interviews with hospital CIOs, CISOs, and healthcare cybersecurity experts, analyzed the interview data, and developed a system dynamics model that unravels the mechanisms by which hospitals build cybersecurity capabilities. We then use simulation analysis to examine how changes to variables within the model affect the likelihood of successful cyberattacks across both individual hospitals and a system of hospitals. Results: From the interviews, we discover several key variables that hospitals use to reduce the likelihood of cyber-criminal activity, including internal stakeholder alignment, pressures to improve cybersecurity capabilities, and endpoint complexity. Our simulation results show that the variable with the most dramatic impact on reducing cyber-attack at hospitals is endpoint complexity, followed by internal stakeholder alignment. While resource availability was important in fueling efforts to close cybersecurity capability gaps, low levels of resources could be compensated against by setting a high target level of cybersecurity. Furthermore, high variabilities in resource availability and endpoint complexity across a system of hospitals made the whole system more vulnerable to cyber-attacks. Conclusions: In order to enhance cybersecurity capabilities at hospitals, the main focus of CIOs and CISOs should be on reducing endpoint complexity and improving internal stakeholder alignment. In a large system of hospitals, if variabilities in endpoint complexity and resource availability are reduced, then the whole system is made less vulnerable. This provides some support to decisions made by smaller hospitals to outsource information security functions to larger organizations, and suggests that policies should raise the target floor of capabilities to a point that reduces the variability across the entire healthcare system. This study assists health care leaders to better understand the range of outcomes resulting from strategic decisions of cybersecurity capability development, so that they can better reduce the vulnerabilities that hospitals have today.

show abstract

Section: Introductionmentioning

confidence: 75%

Cybersecurity in Hospitals: A Systematic, Organizational Perspective (Preprint)

Jalali¹,

Kaiser²

2018

Preprint

View full text Add to dashboard Cite

show abstract

“…Furthermore, significant variability in cybersecurity as a priority has been observed throughout the hospital industry-in the United States, 70% of hospital boards include cybersecurity in their risk management oversight, and only 37% of hospitals perform annual incident response exercises [12]. Similar vulnerabilities in hospitals are also observed in other countries [13][14][15][16]. Specifically, pressure from the board of directors appears to be essential in creating substantive cyber resiliency, as research shows that hospital management support is essential for user compliance with information security policies, which in turn are written by health care IT security professionals [17,18].…”

Section: Introductionmentioning

confidence: 95%

Cybersecurity in Hospitals: A Systematic, Organizational Perspective

Jalali

Kaiser

2018

SSRN Journal

View full text Add to dashboard Cite

show abstract

“…Several studies has been performed to explore IS risk management in organization. Study [15] explores IS risk management for some hospitals in Iran. They found that only eight hospitals have framework for IS risk management, but lacks in systematic approach.…”

Section: Literature Reviewmentioning

confidence: 99%

Information Security Risk Management for BIDUK System

Kristianto*,

Alamas,

Suroso

2019

IJRTE

View full text Add to dashboard Cite

The use of digital technology nowadays makes data and information become vital part of any organization. Non-profit organization, such as Archdiocese of Jakarta, also relies on system to do their work and services for Catholic people under their jurisdiction. BIDUK system is used by Archdiocese of Jakarta as information system to administrate and provide service to people. Its information also used as tools for decision making. Currently, there is no proper information security risk management method used for BIDUK system, which is important system for Archdiocese of Jakarta. This study’s objective is to propose a IS risk management method that can be used to manage risks for BIDUK system. This study proposes OCTAVE Allegro method because of its simplicity and suitable for small organization. After following every IS risk management phases of OCTAVE Allegro, we found that this method is suitable to be used to manage risks of BIDUK system.

show abstract

Information security risk management for computerized health information systems in hospitals: a case study of Iran

Cited by 17 publications

References 23 publications

Cybersecurity in Hospitals: A Systematic, Organizational Perspective (Preprint)

Cybersecurity in Hospitals: A Systematic, Organizational Perspective (Preprint)

Cybersecurity in Hospitals: A Systematic, Organizational Perspective

Information Security Risk Management for BIDUK System

Contact Info

Product

Resources

About