ORIGINAL ARTICLE
|
Year: 2014 | Volume: 2 | Issue: 3 | Page: 175-179
Information Security Management in Isfahan University of Medical Sciences' Academic Hospitals in 2014
Nahid Tavakoli1, Asghar Ehteshami2, Akbar Hassanzadeh3, Fatemeh Amini4
1 PhD Candidate, Health Management and Economics Research Center, Isfahan University of Medical Sciences, Isfahan, Iran
2 Department of Health Information Technology, School of Health Management and Information Sciences, Isfahan University of Medical Sciences, Isfahan, Iran
3 Department of Epidemiology and Biostatistics, School of Health, Isfahan University of Medical Sciences, Isfahan, Iran
4 M.Sc Student of Health Information Technology, Students Research Committee of School of Health Management and Information Sciences, Isfahan University of Medical Sciences, Isfahan, Iran
Date of Web Publication: 4-Oct-2014
Correspondence Address: Fatemeh Amini M.Sc Student of Health Information Technology, Students Research Committee of School of Health Management and Information Sciences, Isfahan University of Medical Sciences, Isfahan Iran
Source of Support: None, Conflict of Interest: None
DOI: 10.4103/2347-9019.142205
Abstract

Introduction: Health care organizations, particularly hospitals, should follow a specific strategy and implement their security system on that basis in order to protect their data. Information security is provided by performing a series of appropriate controls. The ISO/IEC 27002 standard provides guidelines and general principles for starting, running, monitoring and improving information security management. This article aimed to determine the extent of compliance with information security management requirements in the academic hospitals of Isfahan University of Medical Sciences.

Materials and Methods: This applied study was cross-sectional research performed in 2014. The research population comprised the academic hospitals of Isfahan. The data collection tool was the ISO/IEC 27002 standard checklist. The extent of compliance with information security management was examined in six hospital wards: informatics, admission and discharge, income, laboratory, radiology, and pharmacy. Data were analyzed using SPSS.

Results: The mean score of compliance with information security management requirements was estimated at 68.1% in Isfahan academic hospitals. The highest level of compliance was related to security policies (76.7%) and to the requirements of acquisition, development, and maintenance of information systems (76.1%). The lowest level was associated with security of human resources (56.7%).

Conclusions: Despite the efforts put into hospital information systems (HIS), hospitals still need more awareness of the principles of information security and its management. In addition to investment in technical strategies, more attention is needed for non-technical and human factors, such as improving employees' knowledge of information security components, in order to maintain information security.

Keywords: Academic hospitals, information security management, ISO/IEC 27002 standard
How to cite this article: Tavakoli N, Ehteshami A, Hassanzadeh A, Amini F. Information Security Management in Isfahan University of Medical Sciences' Academic Hospitals in 2014. Int J Health Syst Disaster Manage 2014;2:175-9
How to cite this URL: Tavakoli N, Ehteshami A, Hassanzadeh A, Amini F. Information Security Management in Isfahan University of Medical Sciences' Academic Hospitals in 2014. Int J Health Syst Disaster Manage [serial online] 2014 [cited 2024 Mar 29];2:175-9. Available from: https://www.ijhsdm.org/text.asp?2014/2/3/175/142205
Introduction
Security is a critical and well-known concept in today's real world [1] and information has a specific status in this regard. [2] Before the advent of the network era, information was archived in paper documents. Although this practice is still common, easy access to the internet enables information processing and exchange, so that a great amount of information is saved and retrieved digitally while it spreads with higher speed and accuracy. [3] Nowadays, information plays a central role in every organization, and the development of communication media has led to high volumes of data exchange in computer networks. This phenomenon, known as the information burst, has confronted organizations with a great revolution in the field of multimedia information security. [4],[5] Today, securing information systems against security attacks is a constant challenge that many organizations face. [6]
Information security means protecting the information technology (IT) infrastructure and ensuring its availability, [7] as well as the processes and procedures used to protect electronic and paper records that contain confidential, private and sensitive information. As a result, information is protected against access, disclosure, alteration, or interference by unauthorized people. [8] IT security, in turn, refers to the safe use of these technologies and ensuring that they are free from any kind of threat. [9]
Organizations are often exposed to different threats such as reference data manipulation or data theft; therefore, development and implementation of security measures is inevitable against these widespread threats. [7]
The hospital is one of the organizations for which information security is a basic and critical principle. Today, with the development of automation and the use of electronic medical records, data security, audit and control procedures must be considered necessary. [10] The increasing use of information technology emphasizes the importance of security threats and the ways to deal with them. [9]
Currently, information exchange is experiencing undesirable conditions, particularly in hospitals. A significant reason for these unfavorable conditions is the lack of secure executive and technical infrastructures, along with ineffective actions regarding a secure information exchange environment in government institutes. The lack of infrastructures such as security assessment systems, security and risk management analysis, disaster prevention systems for incidents in information exchange, a system to deal with information exchange crimes, and other infrastructures has led to the present challenges. In addition, the present situation affects hospital performance and accreditation, and leads to the waste of national assets. Therefore, attention to secure information exchange in hospitals seems essential. [11]
In general, information security is achieved through a series of appropriate controls, including policies, procedures, organizational structures, and software. These controls ensure that the security objectives of the organization are addressed. [12] One source of such controls is the ISO/IEC 27002 standard, which provides guidelines and general principles for starting, running, maintaining, and improving information security management. [13]
The controls in the ISO/IEC 27002 standard are best practices applicable in most organizations and are easily adaptable to organizations of different sizes and complexities. The standard emphasizes implementation with general certification. [13],[14],[15] It aims to provide overall guidance on the generally accepted goals of information security management. Its control objectives are used in risk assessment in order to address identified needs. [13],[16]
This study aimed to evaluate the information security status in academic hospitals of Isfahan University of Medical Sciences.
Materials and Methods
This is an applied cross-sectional study conducted in 2014. The research sample included 11 academic hospitals in Isfahan, Iran. The data collection tool was the ISO/IEC 27002 standard checklist, which consisted of 11 control areas: security policy; organization of infrastructure security; assets management; human resources management; physical and environmental security; communications and operations management; access control; information systems acquisition, development, and maintenance; information security incident management; business continuity management; and compliance. Data were collected through observation and checklist completion. Data validity was confirmed by professors of health information technology as well as IT specialists at Isfahan University of Medical Sciences.
Investigations were performed in six main hospital wards, namely the computer unit, admission and discharge, income, radiology, laboratory, and pharmacy, in order to evaluate the extent of compliance with information security management requirements. Finally, data were analyzed using analysis of variance (ANOVA) in SPSS.
Results
The mean score of compliance with security policies in Isfahan academic hospitals was 76.7% with a standard deviation (SD) of 15.4%, and three hospitals obtained the maximum score (100%).
Concerning compliance with information security organization, a mean score of 65.5% and SD of 15.4 were obtained.
Results regarding compliance with asset management requirements are presented in [Table 1] based on separate control fields.

Table 1: Mean score of compliance with asset management requirements in Isfahan academic hospitals
The mean score of compliance with human resources security was 56.77% with an SD of 9.3%; the highest mean score, 66.7%, was shared by four hospitals.
The results of compliance with physical and environmental security requirements are presented in [Table 2] based on the separate control subfields.

Table 2: Mean scores of compliance with physical and environmental security requirements in Isfahan academic hospitals

The fifth field, communications and operations management, gained a score of 74%, with data dispersion between 35.7 and 92.3%. Regarding the sixth, seventh and eighth fields, the mean score of access control was 64.2%; the mean score of compliance with information systems acquisition, development, and maintenance was 76.1%; and the mean score of compliance with information security incident management was 60%.
The mean score of compliance with information security incident management was 60% with SD of 18.8% while data dispersion was between 20 and 100% in this field. Mean score of compliance with business continuity management was 65% with SD of 16.7%.
The results of compliance with regulations are presented in [Table 3] according to separate subfields.

Table 3: Mean score of compliance with regulations in Isfahan academic hospitals
Discussion
Information is the most important asset and the key to the growth and success of any organization. If we fail to protect this important asset from unauthorized access and other kinds of threat, we will experience serious consequences. [17] Various studies have shown that attacks on data sources occur frequently and in large numbers. [18],[19],[20],[21]
The purpose of information security management is to protect organizational assets (software, hardware, information and communication, and human resources) against any threat (including unauthorized access to information systems, environmental risks, and risks caused by users). Achieving this objective, however, requires a comprehensive and integrated program. [22]
The ISO/IEC 27000 series of standards, which is part of a growing family of standards called "information security management systems" (ISMS), has played an important role in organizations' information security systems. [23]
Given the extent of compliance with information security management in Isfahan academic hospitals (68.1%) and using a 3-point Likert scale, information security management was assessed as good; in other words, through more exact compliance with the control objectives of the ISO/IEC 27002 standard, this score can be maximized. Other findings suggested that the most vulnerable security area among the 11 ISO/IEC 27002 standard fields was "human resources security" and the strongest field was "compliance with security policies."
Studies on the factors influencing information security by Hariri and Nazari, Mahmudzadeh and Rajab Radi, as well as Elahi et al., showed that human resources can be the highest threat to the information security of computer systems. [7],[17],[21] The results of this study are consistent with those studies.
The results of Arman's study in 2008 represent a higher influence of human resources from the IT specialist's point of view, followed by other issues such as management, technical and financial factors. The results of the present study are consistent with parts of that study. [24]
In the Hariri and Nazari study, the lowest mean compliance with security requirements was related to "security policy", at 63%. However, in the present study this field was the strongest security field, so the results are partly inconsistent. [7]
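The checklist scoring described in Materials and Methods (per-area compliance across hospitals, mean and SD, dispersion) and the 3-point rating applied to the 68.1% overall score above can be written down as a small scoring model. The Python below is an added example for this page; it is not the study's instrument or its SPSS analysis. The hospital names, item counts and resulting scores are constructed, and the rating cut-offs (one third and two thirds of the scale) are an assumption, since the paper does not publish the thresholds it used.

```python
"""Scoring model for an ISO/IEC 27002-style compliance checklist.

Added example, not the study's own instrument. For each hospital the
checklist records, per control area, how many checklist items were met
out of how many were assessed. The summary mirrors what the paper reports
per area: mean compliance percentage across hospitals, standard deviation,
dispersion (lowest/highest hospital), and how many hospitals hit 100%.
"""
from dataclasses import dataclass
from statistics import mean, stdev


@dataclass(frozen=True)
class AreaSummary:
    mean: float      # mean compliance percentage across hospitals
    sd: float        # sample standard deviation (what SPSS reports)
    lowest: float    # dispersion: lowest hospital score
    highest: float   # dispersion: highest hospital score
    at_max: int      # hospitals that scored 100% in this area


# Constructed sample data (not the study's measurements): hospital ->
# control area -> (items met, items assessed). Four of the standard's
# 11 control areas are shown; summarize() handles any number of areas.
SAMPLE_CHECKLISTS = {
    "hospital A": {
        "security policy": (6, 6),
        "human resources security": (4, 9),
        "access control": (5, 8),
        "information security incident management": (3, 5),
    },
    "hospital B": {
        "security policy": (5, 6),
        "human resources security": (6, 9),
        "access control": (6, 8),
        "information security incident management": (1, 5),
    },
    "hospital C": {
        "security policy": (3, 6),
        "human resources security": (5, 9),
        "access control": (4, 8),
        "information security incident management": (5, 5),
    },
}


def area_score(met: int, total: int) -> float:
    """Compliance percentage for one control area in one hospital."""
    if total <= 0 or not 0 <= met <= total:
        raise ValueError(f"invalid item count {met}/{total}")
    return 100.0 * met / total


def summarize(checklists: dict[str, dict[str, tuple[int, int]]]) -> dict[str, AreaSummary]:
    """Per-area statistics across all hospitals that assessed the area."""
    areas = sorted({area for items in checklists.values() for area in items})
    summary = {}
    for area in areas:
        scores = [area_score(*items[area]) for items in checklists.values() if area in items]
        if len(scores) < 2:
            raise ValueError(f"{area!r}: need at least two hospitals for a standard deviation")
        summary[area] = AreaSummary(
            mean=mean(scores),
            sd=stdev(scores),
            lowest=min(scores),
            highest=max(scores),
            at_max=sum(1 for s in scores if s >= 100.0),
        )
    return summary


def overall_score(summary: dict[str, AreaSummary]) -> float:
    """Overall compliance: unweighted mean of the area means."""
    return mean(s.mean for s in summary.values())


def rate(score: float) -> str:
    """Map a percentage onto a 3-point scale. The cut-offs are an assumption:
    the paper rates 68.1% as 'good' but does not publish its thresholds."""
    if score >= 200 / 3:
        return "good"
    if score >= 100 / 3:
        return "moderate"
    return "weak"


def rank_areas(summary: dict[str, AreaSummary]) -> list[str]:
    """Control areas from most vulnerable (lowest mean) to strongest."""
    return sorted(summary, key=lambda area: (summary[area].mean, area))


if __name__ == "__main__":
    result = summarize(SAMPLE_CHECKLISTS)
    for area in rank_areas(result):
        s = result[area]
        print(f"{area:45s} mean {s.mean:5.1f}%  SD {s.sd:4.1f}  "
              f"range {s.lowest:.1f}-{s.highest:.1f}%  at 100%: {s.at_max}")
    total = overall_score(result)
    print(f"overall {total:.1f}% -> {rate(total)}")
```

On the constructed data the weakest area comes out as human resources security and the strongest as security policy, the same ordering the study found; the point of the model is that the ranking, not the absolute number, is what tells a hospital where to put its next effort.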
The second field with the highest mean score after security policy was "information systems acquisition, development, and maintenance." Using programs against harmful code to protect databases, along with firewalls to protect network systems, regular system backups, and information coding, will promote and strengthen this field. [11] If security procedures are considered when designing information systems, the cost is much lower than when security is added to an existing system. [25]
The "communications and operations management" field was in third position among the strongest control areas. In Iran, despite the lack of security requirements for communications and operations management and the dispersed hospital information systems in some health centers, some procedures have been used for information security. However, continuous logging systems, as well as comprehensive guidelines for those in charge, are needed to maintain information security. [11]
"Management of information security incidents", with a mean score of 60%, was one of the most vulnerable security areas after human resources security. Given that incidents are inevitable, it is necessary to identify incidents and weaknesses of information security in hospital information systems through appropriate methods and previous experience, in order to make improvements and decrease security risks. Hariri and Nazari stated that adopting proper strategies could minimize the risk of incidents or decrease the loss due to them. Such security strategies would enable quick and effective reactions and allow organizations to use predetermined strategies to restore what was damaged, increase productivity and information security, and continue business in a more reliable way. [7]
The third lowest-scoring field according to the findings was "access control". Given the importance of this index, managers should pay special attention to preventing unauthorized access. Apart from a unique user identification for every user, a media access control layer is also necessary as a protection layer so that IDs and passwords are not disclosed. Habibifar and colleagues also emphasize creating a user access control system for health information. According to them, all organizations need to control access to clinical systems through ID and password. [11]
The fields of "business continuity management" and "compliance with regulations" had the lowest mean scores after the above three fields. Backing up data and databases, along with creating a planning framework for business continuity, can be considered among the most critical elements of business continuity followed by information security in a hospital. Quirchmayr stated that proper organizational behavior and business practice associated with security and business continuity management is the first and most important step toward improving the organizational security status. [26]
A specific guideline to ensure systems' compliance with policies and security standards, along with an efficient audit system, will help organizational performance in the field of "compliance with regulations". Nakhai has also considered standardization in information security, the provision of infrastructures such as security assessment systems for information exchange, and a certification system as basic needs for maintaining information confidentiality and security. [27] Ifinedo stated that every organization should provide the required plans and security programs as well as the necessary requirements for the creation, continuity and evaluation of information security. [28]
The findings of the present study indicate that the ISO/IEC 27002 standard is not well known in Isfahan academic hospitals, and many weaknesses of information security systems must be addressed through standard guidelines. It should be noted that the lack of a common operational standard or guideline for information security in Isfahan academic hospitals has led to different understandings among managers of how information security should be implemented. In some cases, decision-making faces challenges due to interference with university or HIS provider policies, which eventually leads to improper decisions.
Recommendations
- Providing and developing written policies for information security management
- Creating a formal disciplinary process for employees who commit security violations
- Regularly backing up user, supervisor, and operator logs in order to track operations
- Creating security perimeters to protect areas that contain information and information processing facilities
- Closing inactive communication sessions on computers after a specific time period
- Closing unused system ports
- Installing software that controls program installation on systems, such as Deep Freeze
- Classifying information according to value, legal requirements, sensitivity, and criticality.
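Two of the recommendations above (closing unused system ports and keeping logs that let operations be tracked) are only enforceable if they are checked repeatedly rather than once. As an added example, not from the paper or any hospital's tooling, the Python below turns the port recommendation into a repeatable audit: it parses the listening sockets reported by `ss -Hltn` (Linux iproute2), ignores sockets bound only to loopback, and flags any network-reachable listener whose port is not on an allowlist. The sample `ss` output and the allowlist are constructed for the example.

```python
"""Audit exposed listening TCP ports against an allowlist.

Added example, not part of the paper. It turns the recommendation to close
unused system ports into a repeatable check: parse the listeners reported
by `ss -Hltn` (Linux iproute2), skip loopback-only sockets, and flag any
network-reachable listener whose port is not allowlisted. The sample
output below is constructed; the column layout (State Recv-Q Send-Q
Local:Port Peer:Port) is that of `ss` without the header line.
"""
from dataclasses import dataclass
import ipaddress
import subprocess


@dataclass(frozen=True)
class Listener:
    addr: str   # local address as reported ("*" means any address)
    port: int


@dataclass(frozen=True)
class Finding:
    listener: Listener
    reason: str


# Constructed `ss -Hltn` output (not captured from a real host).
SAMPLE_SS_OUTPUT = """\
LISTEN 0      128          0.0.0.0:22        0.0.0.0:*
LISTEN 0      4096       127.0.0.1:5432      0.0.0.0:*
LISTEN 0      128             [::]:443          [::]:*
LISTEN 0      128          0.0.0.0:3389      0.0.0.0:*
LISTEN 0      128            [::1]:6379         [::]:*
"""

# Ports a host is expected to expose on the network (assumed allowlist).
ALLOWED_PORTS = {22, 443}


def parse_ss(output: str) -> list[Listener]:
    """Parse `ss -Hltn` lines into Listener records; non-LISTEN rows are skipped."""
    listeners = []
    for line in output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        host, _, port = fields[3].rpartition(":")
        # Drop IPv6 brackets and any "%scope" suffix (e.g. "[fe80::1%eth0]").
        host = host.strip("[]").split("%", 1)[0]
        listeners.append(Listener(host, int(port)))
    return listeners


def is_network_reachable(addr: str) -> bool:
    """True unless the socket is bound to a loopback address only."""
    if addr == "*":
        return True
    return not ipaddress.ip_address(addr).is_loopback


def audit(output: str, allowed_ports: set[int]) -> list[Finding]:
    """Flag network-reachable listeners whose port is not allowlisted."""
    findings = []
    for listener in parse_ss(output):
        if not is_network_reachable(listener.addr):
            continue                      # loopback-only: not exposed
        if listener.port not in allowed_ports:
            findings.append(Finding(
                listener,
                f"port {listener.port} is exposed on {listener.addr} but not allowlisted",
            ))
    return findings


def live_audit(allowed_ports: set[int] = ALLOWED_PORTS) -> list[Finding]:
    """Run the check on the current Linux host (requires iproute2's ss)."""
    out = subprocess.run(["ss", "-Hltn"], capture_output=True, text=True, check=True).stdout
    return audit(out, allowed_ports)


if __name__ == "__main__":
    for finding in audit(SAMPLE_SS_OUTPUT, ALLOWED_PORTS):
        print(finding.reason)
```

Run from a scheduled job, `live_audit()` gives the ward's IT staff a list of listeners to justify or close; the loopback exemption keeps local-only services (the constructed database and cache listeners above) from producing noise, which is what makes the check sustainable as a routine control rather than a one-off cleanup.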
Acknowledgements
This article was part of a master's thesis supported by Isfahan University of Medical Sciences (Grant No. 393092). We extend our sincere thanks to the hospital managers and information technology directors.
References
1. Sadowsky G, Dempsey JX, Greenberg A, Mack BJ, Schwartz A. IT Security Handbook: Gol Vajheh; 2003.
2. Bakhshi MR. Analytical science and technology foresight in the field of information and communication technology (comparative study of Japanese and Chinese). J Library Inf 2007;11:205-24.
3. Hasanzadeh M, Karimzadeganemoghadam D, Jahangiri N. Provide a conceptual framework for evaluating the enrichment and education of information security awareness of users. Syst Inf Serv 2012;2:1-16.
4. Mirghadri A, Jolfaii AR. The new design Image encryption using chaotic maps. Passive Def Sci Technol 2010;2:111-24.
5. Schou CD, Trimmer KJ. Information assurance and security. J Organ End User Comput 2004;16:1.
6. Karyda M, Kiountouzis E, Kokolakis S. Information systems security policies: A contextual perspective. Comput Secur 2005;24:246-60.
7. Hariri N, Nazari Z. Security in digital libraries Iran. J Library Inf 2012;15(2). Available from: http://www.aqlibrary.ir [Last accessed on 2014 Aug 18].
8. SANA. Information security Resources. 2013. Available from: http://www.sana.org/security-resources/ [Last accessed on 2013 Feb 4].
9. Fathiyan M, Mahdavinor SH. Principles of Management and Information Technology: Iran University of Science and Technology; 2007.
10. Torabi M, Safdari R, Shahmoradi L. Management Health Information Technology. Tehran: Jaafari; 2009.
11. Habibifar V, Rabii M, Bahaodini K. Provide a model for the establishment of an information security system in the teaching hospitals of Kerman University of Medical Sciences Based on information security management system. Application of Information Technology in Health Congress; Iran-Sari 2010.
12. Keshmiri M. Information Security Management System. 2010. Available from: www.khorasan.ir [Last accessed on 2013 Feb 1].
13. Standard ISO/IEC 27001:2005: ISO/IEC JTC 1; 2009.
14. ISIRI-ISO/IEC 27000: Institute of Standards and Industrial Research of Iran; 2009.
15. Introduction To ISO 27002 (ISO27002). 2013. Available from: http://www.27000.org/iso-27002.htm [Last accessed on 2013 Aug 15].
16. What Is ISO 27002? Available from: http://www.wisegeek.com/what-is-iso-27002.htm [Last accessed on 2013 Aug 15].
17. Mahmodzadeh E, Radrajabi M. Security management in information systems. J Manag Sci 2006;1:78-112.
18. Bagchi K, Udo G. An analysis of the growth of computer and Internet security breaches. Commun Assoc Inf Syst 2003;12:684-700.
19. 2004 CSI/FBI Computer Crime and Security Survey. San Francisco: Computer Crime Research Center. Available from: www.crime-research.org/news/11.06.2004/423/ [Last accessed on 2013 Feb 4].
20. Ammeter AP, Douglas C, Gardner WL, Hochwarter WA, Ferris GR. Toward a political theory of leadership. Leadersh Q 2002;13:751-96.
21. Elahi S, Taheri M, Hasanzadehkhoshtinat AR. Framework related to human factors in information systems security. Manag Res Iran 2008;13:1-22.
22. Asaadishali A. Management of Information Security System. Sci Commun Mon 2004;4:14-8.
23. Introduction To ISO27000:2012. Available from: http://www.27000.org/iso-27000.htm [Last accessed on 2013 Feb 2].
24. Aram MR. Evaluate and measure the components of an effective information security management in IT companies in South Pars Gas. Iran-Tehran: Shahid Beheshti; 2008.
25. Bahrani P, Yazdi M. Importance and Necessity of Information Security Management System in electronic government. Second International Conference on Electronic Administrative System; Iran-Tehran: Center for Tapko Scientific Conferences 2009.
26. Quirchmayr G, editor. Survivability and business continuity management. Proceedings of the second workshop on Australasian information security, Data Mining and Web Intelligence, and Software Internationalisation. Vol 32. Australian Computer Society, Inc. 2004.
27. Nakhaii H. Introduction to Information Security Management System (ISMS). Available from: http://vista.ir/article/355219 [Last accessed on 2013 Aug 15].
28. Ifinedo P. Understanding information systems security policy compliance: An integration of the theory of planned behavior and the protection motivation theory. Comput Secur 2012;31:83-95.