ORIGINAL ARTICLE
Year : 2014  |  Volume : 2  |  Issue : 3  |  Page : 175-179

Information Security Management in Isfahan University of Medical Sciences' Academic Hospitals in 2014


1 PhD Candidate, Health Management and Economics Research Center, Isfahan University of Medical Sciences, Isfahan, Iran
2 Department of Health Information Technology, School of Health Management and Information Sciences, Isfahan University of Medical Sciences, Isfahan, Iran
3 Department of Epidemiology and Biostatistics, School of Health, Isfahan University of Medical Sciences, Isfahan, Iran
4 M.Sc Student of Health Information Technology, Students Research Committee of School of Health Management and Information Sciences, Isfahan University of Medical Sciences, Isfahan, Iran

Date of Web Publication: 4-Oct-2014

Correspondence Address:
Fatemeh Amini
M.Sc Student of Health Information Technology, Students Research Committee of School of Health Management and Information Sciences, Isfahan University of Medical Sciences, Isfahan
Iran

Source of Support: None, Conflict of Interest: None


DOI: 10.4103/2347-9019.142205

Abstract

Introduction: Health care organizations, particularly hospitals, should follow a specific strategy and implement their security system on that basis in order to protect their data. Information security is provided by performing a series of appropriate controls. The ISO/IEC 27002 standard provides guidelines and general principles for initiating, implementing, monitoring and improving information security management. This article aimed to determine the extent of compliance with information security management requirements in the academic hospitals of Isfahan University of Medical Sciences. Materials and Methods: This applied study was cross-sectional research performed in 2014. The research population included the academic hospitals of Isfahan. The data collection tool was the ISO/IEC 27002 standard checklist. The extent of compliance with information security management was examined in six hospital wards: informatics, admission and discharge, income, laboratory, radiology, and pharmacy. Data were analyzed using SPSS. Results: The mean score of compliance with information security management requirements in Isfahan academic hospitals was estimated at 68.1%. The highest levels of compliance were related to security policies (76.7%) and to the requirements for acquisition, development, and maintenance of information systems (76.1%). The lowest level was associated with human resources security (56.7%). Conclusions: Despite the efforts made in hospital information systems (HIS), hospitals still need more awareness of the principles of information security and its management. In addition to investment in technical measures, more attention is needed to non-technical and human factors, such as improving employees' knowledge of information security components, in order to maintain information security.

Keywords: Academic hospitals, information security management, ISO/IEC 27002 standard


How to cite this article:
Tavakoli N, Ehteshami A, Hassanzadeh A, Amini F. Information Security Management in Isfahan University of Medical Sciences' Academic Hospitals in 2014. Int J Health Syst Disaster Manage 2014;2:175-9

How to cite this URL:
Tavakoli N, Ehteshami A, Hassanzadeh A, Amini F. Information Security Management in Isfahan University of Medical Sciences' Academic Hospitals in 2014. Int J Health Syst Disaster Manage [serial online] 2014 [cited 2024 Mar 28];2:175-9. Available from: https://www.ijhsdm.org/text.asp?2014/2/3/175/142205


Introduction


Security is a critical and well-known concept in today's world, [1] and information has a specific status in this regard. [2] Before the network era, information was archived in paper documents. Although this practice is still common, easy access to the internet enables information processing and exchange, so that a great amount of information is stored and retrieved digitally while spreading with higher speed and accuracy. [3] Nowadays, information plays a central role in every organization, and the development of communication media has led to high volumes of data exchange over computer networks. This phenomenon, known as the information explosion, has confronted organizations with a great revolution in the field of multimedia information security. [4],[5] Securing information systems against attacks is a constant challenge that many organizations face. [6]

Information security means protecting information technology (IT) infrastructure and ensuring its availability, [7] as well as the processes and procedures used to protect electronic and paper records that contain confidential, private and sensitive information. As a result, information is protected against access, disclosure, alteration, or interference by unauthorized people. [8] IT security, in turn, refers to the safe use of these technologies and ensuring freedom from any kind of threat. [9]

Organizations are often exposed to different threats, such as manipulation of reference data or data theft; therefore, the development and implementation of security measures against these widespread threats is inevitable. [7]

The hospital is one of the organizations for which information security is a basic and critical principle. Today, with the development of automation and the use of electronic medical records, data security, audit and control procedures should be considered necessary. [10] The increasing use of information technology emphasizes the importance of security threats and the ways to deal with them. [9]

Currently, information exchange is experiencing undesirable conditions, particularly in hospitals. A significant reason for these unfavorable conditions is the lack of secure executive and technical infrastructure, along with ineffective action regarding a secure information exchange environment in government institutions. The lack of infrastructure such as security assessment systems, security and risk management analysis, disaster prevention systems for incidents in information exchange, a system to deal with information exchange crimes, and other infrastructure has led to the present challenges. In addition, the present situation affects hospital performance and accreditation, and leads to the waste of national assets. Therefore, attention to secure information exchange in hospitals seems essential. [11]

In general, information security is achieved through a series of appropriate controls, including policies, procedures, organizational structures, and software. These controls ensure that the security objectives of organizations are addressed. [12] One source of such controls is the ISO/IEC 27002 standard, which provides guidelines and general principles for initiating, implementing, maintaining, and improving information security management. [13]

The controls in the ISO/IEC 27002 standard are best practices applicable in most organizations and are easily adaptable to organizations of different sizes and complexities. The standard emphasizes implementation with general certification. [13],[14],[15] It aims to provide overall guidance on generally accepted goals of information security management. Control objectives are used in risk assessment in order to address identified needs. [13],[16]

This study aimed to evaluate the information security status of the academic hospitals of Isfahan University of Medical Sciences.


Materials and Methods


This is an applied cross-sectional study conducted in 2014. The research sample included 11 academic hospitals in Isfahan, Iran. The data collection tool was the ISO/IEC 27002 standard checklist, which consists of 11 control areas: security policy, organization of information security, asset management, human resources security, physical and environmental security, communications and operations management, access control, information systems acquisition, development, and maintenance, information security incident management, business continuity management, and compliance. Data were collected through observation and checklist completion. The validity of the data was confirmed by professors of health information technology as well as IT specialists of Isfahan University of Medical Sciences.

Investigations were performed in six main hospital wards, namely the computer unit, admission and discharge, income, radiology, laboratory, and pharmacy, in order to evaluate the extent of compliance with information security management requirements. Finally, the data were analyzed using analysis of variance (ANOVA) in SPSS.
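The scoring procedure described above (checklist items per control area, a percentage score per hospital, and a mean and standard deviation per area across hospitals) is illustrated by the following added example; it is not code from the study, and the hospitals, checklist marks and the three-point rating thresholds are constructed assumptions.

```python
"""Scorer for an ISO/IEC 27002 checklist audit across several hospitals.

Added illustration of the study's method, not the authors' code. Each
checklist item in a control area is marked 'yes', 'partial' or 'no'; a
hospital's score for an area is the mean of its marks in percent, and the
figure reported per area is the mean and standard deviation across hospitals.
"""
from statistics import mean, stdev

# The 11 control areas of ISO/IEC 27002 (2005 edition) used by the study.
CONTROL_AREAS = [
    "Security policy",
    "Organization of information security",
    "Asset management",
    "Human resources security",
    "Physical and environmental security",
    "Communications and operations management",
    "Access control",
    "Information systems acquisition, development and maintenance",
    "Information security incident management",
    "Business continuity management",
    "Compliance",
]

MARK = {"yes": 1.0, "partial": 0.5, "no": 0.0}  # assumed weighting of marks


def area_score(marks):
    """Percentage compliance of one hospital in one control area."""
    if not marks:
        raise ValueError("a control area needs at least one checklist item")
    return 100.0 * sum(MARK[m] for m in marks) / len(marks)


def summarise(audits):
    """audits: {hospital: {area: [marks]}} -> {area: (mean %, SD %, n)}.

    Uses the sample standard deviation (n - 1), as statistical packages
    such as SPSS report by default; areas audited in no hospital are skipped.
    """
    summary = {}
    for area in CONTROL_AREAS:
        scores = [area_score(h[area]) for h in audits.values() if area in h]
        if not scores:
            continue
        sd = stdev(scores) if len(scores) > 1 else 0.0
        summary[area] = (round(mean(scores), 1), round(sd, 1), len(scores))
    return summary


def overall_mean(summary):
    """Overall compliance: mean of the per-area means, in percent."""
    return round(mean(v[0] for v in summary.values()), 1)


def rank_areas(summary):
    """Control areas ordered from weakest to strongest mean score."""
    return sorted(summary, key=lambda a: summary[a][0])


def likert3(pct, weak_below=33.3, good_from=66.7):
    """Three-point rating; the thresholds are an assumption (equal thirds)."""
    if pct < weak_below:
        return "weak"
    return "good" if pct >= good_from else "moderate"


# Constructed sample: three hospitals audited in three of the control areas.
SAMPLE_AUDITS = {
    "Hospital A": {"Security policy": ["yes", "yes", "yes", "no"],
                   "Human resources security": ["yes", "no", "no"],
                   "Information security incident management": ["yes", "partial", "no", "no"]},
    "Hospital B": {"Security policy": ["yes", "yes", "yes", "yes"],
                   "Human resources security": ["yes", "yes", "no"],
                   "Information security incident management": ["yes", "yes", "no", "no"]},
    "Hospital C": {"Security policy": ["yes", "yes", "no", "no"],
                   "Human resources security": ["yes", "partial", "no"],
                   "Information security incident management": ["yes", "yes", "yes", "partial"]},
}

if __name__ == "__main__":
    result = summarise(SAMPLE_AUDITS)
    for area in rank_areas(result):
        m, sd, n = result[area]
        print(f"{area}: mean {m}% (SD {sd}%, n={n}) -> {likert3(m)}")
    print("overall:", overall_mean(result), likert3(overall_mean(result)))
```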


Results


The mean score of compliance with security policies in Isfahan academic hospitals was 76.7% with a standard deviation (SD) of 15.4%; three hospitals obtained the maximum score (100%).

Concerning compliance with the organization of information security, a mean score of 65.5% and an SD of 15.4% were obtained.

Results regarding compliance with asset management requirements are presented in [Table 1] by separate control fields.

Table 1: Mean score of compliance with asset management requirements in Isfahan academic hospitals


The mean score of compliance with human resources security was 56.77% with an SD of 9.3%; the highest mean score belonged to four hospitals with a common score of 66.7%.

The results of compliance with physical and environmental security requirements are presented in [Table 2] by separate control subfields.

The fifth field, communications and operations management, gained a score of 74%, with data dispersion between 35.7% and 92.3%. Regarding the sixth, seventh and eighth fields, the mean score of access control was 64.2%; the mean score of compliance with information systems acquisition, development, and maintenance was 76.1%; and the mean score of compliance with information security incident management was 60%.

Table 2: Mean scores of compliance with physical and environmental security requirements in Isfahan academic hospitals


The mean score of compliance with information security incident management was 60% with an SD of 18.8%, and data dispersion in this field was between 20% and 100%. The mean score of compliance with business continuity management was 65% with an SD of 16.7%.

The results of compliance with regulations are presented in [Table 3] by separate subfields.

Table 3: Mean score of compliance with regulations in Isfahan academic hospitals



Discussion


Information is the most important asset and the key to the growth and success of any organization. If we fail to protect this important asset from unauthorized access and other kinds of threat, we will experience serious consequences. [17] Various studies have shown that a large number of attacks on data sources occur frequently. [18],[19],[20],[21]

The purpose of information security management is to protect organizational assets (software, hardware, information and communication, and human resources) against any threat (including unauthorized access to information systems, environmental risks, and risks caused by users). However, achieving this objective needs a comprehensive and integrated program. [22]

The ISO/IEC 27000 series, part of a growing family of standards for "information security management systems" (ISMS), has played an important role in organizations' information security systems. [23]

Given the extent of compliance with information security management in Isfahan academic hospitals (68.1%) and using a 3-point Likert scale, information security management was assessed as good; in other words, through more exact compliance with the control objectives of the ISO/IEC 27002 standard, this score can be maximized. Other findings suggested that, among the 11 ISO/IEC 27002 standard fields, the most vulnerable security area was "human resources security" and the strongest field was "compliance with security policies."

Studies of the factors influencing information security by Hariri and Nazari, Mahmudzadeh and Rajab Radi, and Elahi et al. showed that human resources can be the greatest threat to the information security of computer systems. [7],[17],[21] The results of this study are consistent with those studies.

The results of Arman's study in 2008 showed that, from the IT specialists' point of view, human resources had the greatest influence, followed by other issues such as management, technical and financial factors. The results of the present study are consistent with parts of that study. [24]

In the study by Hariri and Nazari, the lowest mean compliance with security requirements was related to "security policy", at 63%. In the present study, however, this field was the strongest security field, so the results are partly inconsistent. [7]

The second field with the highest mean score after security policy was "information systems acquisition, development, and maintenance." Using software against malicious code to protect databases, along with firewalls to protect network systems, regular system backups, and information encryption, will promote and strengthen this field. [11] If security procedures are considered when designing information systems, the cost is much lower than when security is sought for an existing system. [25]

The "communications and operations management" field was in third position among the strongest control areas. In Iran, despite the lack of security requirements for communications and operations management and the dispersed hospital information systems in some health centers, some procedures have been used for information security. However, continuous logging systems, as well as comprehensive guidelines for those in charge, are needed to maintain information security. [11]

"Management of information security incidents", with a mean score of 60%, was one of the most vulnerable security areas after human resources security. Given that incidents are inevitable, it is necessary to identify incidents and weaknesses of information security in hospital information systems through appropriate methods and previous experience in order to make improvements and decrease security risks. Hariri and Nazari stated that the adoption of proper strategies could minimize the risk of incidents or decrease the loss due to them. Such security strategies would increase quick and effective reaction and enable organizations to use predetermined strategies to restore what was damaged, increase productivity and information security, and continue business in a more reliable way. [7]

The third lowest-scoring field according to the findings was "access control". Given the importance of this index, managers should pay special attention to preventing unauthorized access. Apart from a unique user identifier for every user, a media access control layer is also necessary as a protection layer so that IDs and passwords are not disclosed. Habibifar and colleagues also emphasize creating a user access control system for health information. According to them, all organizations need to control access to clinical systems through IDs and passwords. [11]

The fields of "business continuity management" and "compliance with regulations" had the lowest mean scores after the above three fields. Backing up data and databases, along with creating a planning framework for business continuity, can be considered among the most critical elements of business continuity and information security in a hospital. Quirchmayr stated that proper organizational and business behavior regarding security and business continuity management is the first and most important step toward improving the organizational security status. [26]

A specific guideline to ensure systems' compliance with policies and security standards, along with an efficient audit system, will help organizational performance in the field of "compliance with regulations". Nakhai has also considered standardization in information security, the provision of infrastructure such as security assessment systems for information exchange, and a certification system as basic needs for maintaining information confidentiality and security. [27] Ifinedo stated that every organization should provide the required plans and security programs as well as the necessary requirements for the creation, continuity and evaluation of information security. [28]

The findings of the present study indicate that the ISO/IEC 27002 standard is not well known in Isfahan academic hospitals, and that many weaknesses of information security systems must be addressed through standard guidelines. It should be noted that the lack of a common operational standard or guideline for information security in Isfahan academic hospitals has led to different understandings among managers of how information security should be implemented. In some cases, decision-making faces challenges due to interference with university or HIS provider policies, which eventually leads to improper decisions.


Recommendations


  • Providing and developing written policies for information security management
  • Creating a formal disciplinary process for employees who commit security violations
  • Regularly backing up users', supervisors' and operators' logs in order to track operations
  • Creating security perimeters in order to protect areas that contain information and information processing facilities
  • Closing inactive communication sessions on computers after a specified period of time
  • Closing system ports
  • Installing control software, such as Deep Freeze, that governs program installation on systems
  • Classifying information according to value, legal requirements, sensitivity, and criticality.



Acknowledgements


This article was part of a master's thesis supported by Isfahan University of Medical Sciences (Grant No. 393092). We extend our sincere thanks to the hospital managers and information technology directors.

 
References

1. Sadowsky G, Dempsey JX, Greenberg A, Mack BJ, Schwartz A. IT Security Handbook. Gol Vajheh; 2003.
2. Bakhshi MR. Analytical science and technology foresight in the field of information and communication technology (comparative study of Japanese and Chinese). J Library Inf 2007;11:205-24.
3. Hasanzadeh M, Karimzadeganemoghadam D, Jahangiri N. Provide a conceptual framework for evaluating the enrichment and education of information security awareness of users. Syst Inf Serv 2012;2:1-16.
4. Mirghadri A, Jolfaii AR. The new design image encryption using chaotic maps. Passive Def Sci Technol 2010;2:111-24.
5. Schou CD, Trimmer KJ. Information assurance and security. J Organ End User Comput 2004;16:1.
6. Karyda M, Kiountouzis E, Kokolakis S. Information systems security policies: A contextual perspective. Comput Secur 2005;24:246-60.
7. Hariri N, Nazari Z. Security in digital libraries Iran. J Library Inf 2012;15(2). Available from: http://www.aqlibrary.ir [Last accessed on 2014 Aug 18].
8. SANA. Information security resources. 2013. Available from: http://www.sana.org/security-resources/ [Last accessed on 2013 Feb 4].
9. Fathiyan M, Mahdavinor SH. Principles of Management and Information Technology. Iran University of Science and Technology; 2007.
10. Torabi M, Safdari R, Shahmoradi L. Management Health Information Technology. Tehran: Jaafari; 2009.
11. Habibifar V, Rabii M, Bahaodini K. Provide a model for the establishment of an information security system in the teaching hospitals of Kerman University of Medical Sciences based on information security management system. Application of Information Technology in Health Congress; Iran-Sari 2010.
12. Keshmiri M. Information Security Management System. 2010. Available from: www.khorasan.ir [Last accessed on 2013 Feb 1].
13. Standard ISO/IEC 27001:2005. ISO/IEC JTC 1; 2009.
14. ISIRI-ISO/IEC 27000. Institute of Standards and Industrial Research of Iran; 2009.
15. Introduction to ISO 27002 (ISO27002). 2013. Available from: http://www.27000.org/iso-27002.htm [Last accessed on 2013 Aug 15].
16. What is ISO 27002? Available from: http://www.wisegeek.com/what-is-iso-27002.htm [Last accessed on 2013 Aug 15].
17. Mahmodzadeh E, Radrajabi M. Security management in information systems. J Manag Sci 2006;1:78-112.
18. Bagchi K, Udo G. An analysis of the growth of computer and Internet security breaches. Commun Assoc Inf Syst 2003;12:684-700.
19. 2004 CSI/FBI Computer Crime and Security Survey. San Francisco: Computer Crime Research Center. Available from: www.crime-research.org/news/11.06.2004/423/ [Last accessed on 2013 Feb 4].
20. Ammeter AP, Douglas C, Gardner WL, Hochwarter WA, Ferris GR. Toward a political theory of leadership. Leadersh Q 2002;13:751-96.
21. Elahi S, Taheri M, Hasanzadehkhoshtinat AR. Framework related to human factors in information systems security. Manag Res Iran 2008;13:1-22.
22. Asaadishali A. Management of Information Security System. Sci Commun Mon 2004;4:14-8.
23. Introduction to ISO27000. 2012. Available from: http://www.27000.org/iso-27000.htm [Last accessed on 2013 Feb 2].
24. Aram MR. Evaluate and measure the components of an effective information security management in IT companies in South Pars Gas. Iran-Tehran: Shahid Beheshti; 2008.
25. Bahrani P, Yazdi M. Importance and necessity of Information Security Management System in electronic government. Second International Conference on Electronic Administrative System; Iran-Tehran: Center for Tapko Scientific Conferences; 2009.
26. Quirchmayr G, editor. Survivability and business continuity management. Proceedings of the Second Workshop on Australasian Information Security, Data Mining and Web Intelligence, and Software Internationalisation. Vol 32. Australian Computer Society, Inc.; 2004.
27. Nakhaii H. Introduction to Information Security Management System (ISMS). Available from: http://vista.ir/article/355219 [Last accessed on 2013 Aug 15].
28. Ifinedo P. Understanding information systems security policy compliance: An integration of the theory of planned behavior and the protection motivation theory. Comput Secur 2012;31:83-95.
This article has been cited by
1 The least secure places in the universe? A systematic literature review on information security management in higher education
Ivano Bongiovanni
Computers & Security. 2019; 86: 350
[Pubmed] | [DOI]