Information is one of the most sensitive assets that organizations own (Kljucnikov, Mura, and Sklenar, 2019). Because of this sensitivity, the security and protection of personal information is critical to all organizations, individuals, governments, and institutions. However, special requirements exist for information security management in the health sector to ensure the integrity, confidentiality, availability, and auditability of personal health information (Hamidovic, 2011). Data breaches unsettle medical institutions, data subjects, and the policies of the nations involved because they have adverse impacts not only on the affected healthcare facility but also on the data subjects (Moffit & Steffen, 2017). For instance, in Germany, a healthcare facility suffered a ransomware attack that led to the death of a patient because the hospital's healthcare systems were not available at the time (Yeng et al., 2022). Therefore, information security management is critical in healthcare data protection, as it assists institutions in identifying appropriate controls, lowering risks, and managing risks properly (Al-sofi et al., 2021). To implement information security management in the healthcare sector, healthcare institutions adhere to standards like SABSA (Sansurooah, 2015), the ISO 27000 Series (Bozic, 2020), and the NIST SP 800 Series (Youssef, 2022) to avoid data breaches. The aim of this literature review is to analyse and discuss the use of information security standards, such as SABSA, the ISO 27000 Series, and the NIST SP 800 Series, in data breach risk assessment and mitigation, the strengths and weaknesses of each standard, and the merging of standards for more comprehensive data risk management.
According to Bozic (2020), organizations today, the healthcare sector included, rely on information and communication technology. However, the health sector's dependency on IT also carries risks and threats, and these can be either an impediment or a driver for a business depending on an organization's response to the situation. He goes on to argue that in the context of smart healthcare, risk factors include financial factors (lack of common cost management, uncontrolled payment and borrowing, and poor financial management), medical factors (such as nosocomial infections and medical errors), and regulatory factors (disregard of regulations, policies, and directives). In his study, he asserts that medical institutions are at high risk of data unavailability, unauthorized alteration of data, and unauthorized access to data. He proposes that, to reduce all these risks to a manageable level, three basic risk management mechanisms ought to be adopted: the balanced scorecard for the strategic level, COBIT 4.1 + Risk IT (COBIT 5.0) for the tactical level, and ISO 27799:2008 for the operational level. However, although the researcher explores the strengths and weaknesses of the proposed risk management frameworks, he does not compare data from healthcare institutions that have actually implemented the frameworks for healthcare information security risk management. Nonetheless, the study makes a good attempt at highlighting the complexity of health information risk management.
Similarly, Zarei and Sadoughi (2016) agree that healthcare institutions in Iran, like those in other nations, have witnessed a rising use of computerized health information systems (CHIS) because these systems play a substantial role in hospital operations. However, they identify information security as the challenge healthcare institutions face in their use of CHIS. The researchers examine the information security risk management used by hospitals in Iran. The study was conducted in 2015 and used a cross-sectional, descriptive research design. Data were collected from 551 healthcare institutions using a questionnaire developed from experts' opinions, a literature review, and observations from five hospitals. The results show that only 69% of hospitals had information security procedures and policies in place. Moreover, within this 69%, only 1.4% of the procedures and policies were based on specific information security standards such as ISO/IEC 27001. Therefore, there is a significant gap between the activities undertaken in Iran for information security risk management (ISRM) and the standard and common ISRM activities in practice. Although there is no single standard or ideal approach to enhance information security, the study proposes that hospitals use specific information security standards such as the ISO 27000 Series. The researchers used empirical data and hence offer more reliable findings, though the study is still limited in scope, as it does not compare its findings with those of other researchers who examined similar aspects in Iran or other countries to clearly show that healthcare institutions are lagging behind in safeguarding their information.
ISO/IEC 27002 is applied extensively in health informatics IT security management through regional or national guidelines in Canada, Australia, the Netherlands, France, the United Kingdom, and South Africa. ISO/IEC 27002 is complex and broad, and its guidelines are not specifically tailored to the health sector (Hamidovic, 2011). However, ISO 27799 allows ISO/IEC 27002 to be implemented in healthcare environments consistently and with attention to the unique challenges posed by the health sector (Parmeggiani et al., 2023). ISO/IEC 27002 offers a list of commonly accepted control objectives and best-practice controls that serve as a guide for the selection and implementation of controls to achieve information security (Hamidovic, 2011). ISO/IEC 27001 provides the normative requirements for developing and implementing an information security management system (ISMS), which includes a set of controls for mitigating and controlling the risks linked to the information assets an organization wants to protect (Hamidovic, 2011). Therefore, the ISO/IEC framework provides procedures and policies for implementing a holistic approach to establishing, monitoring, and enhancing IT security in line with the organisation's general management of risk.
To manage the ever-rising attacks on healthcare's critical infrastructure, NIST provides a model based on incident management (Parmeggiani et al., 2023). The framework is built on the foundations of threat intelligence, threat modelling, and collaboration. Using such a framework in healthcare enables institutions to proactively address emerging and active threats, undertake proper risk analysis, and collaborate with several entities to address information threats (Parmeggiani et al., 2023). Moreover, Williams (2021) asserts that NIST offers two complementary frameworks that address privacy and cybersecurity concerns and help identify the outcomes an effective program needs. The core functions of the NIST Privacy Framework are Identify, Govern, Control, Communicate, and Protect, while the NIST Risk Management Framework enables institutions to develop effective procedures, policies, and standard operating procedures to respond to security and privacy risk in an integrated way. Hence, the NIST framework not only provides policies and procedures but also enables institutions to develop management frameworks for responding to a distinct threat.
Healthcare institutions face difficult obstacles when addressing the security of patients' medical devices (Sansurooah, 2015). Often, the institutions possess limited knowledge of current threats, and to effectively assess the threats and risks linked to medical devices, institutions should use a comprehensive risk assessment framework like SABSA (Sansurooah, 2015). SABSA allows the user to describe probable threats through the use of Agents and Domains (Pohn et al., 2023). In SABSA, domains include processes, people, external events (such as the legitimate actions of third parties), and systems, while agents are instances within those domains (Sansurooah, 2015). An extensive assessment of risks helps healthcare institutions develop in-depth policies and countermeasures.
A cyberattack disrupted the University of Vermont Health Network on 28 October 2020 (Namoca, 2021). The attack was conducted by a Russian group of hackers known as "Ryuk". Ransomware was involved in the attack, and the medical professionals in the institutions could not access patient data (Reddy et al., 2022). However, the hackers left an anonymous file in the system instructing the medical practitioners to contact them. In response, UVM reported the incident to the FBI, and seven days after the initial report on the attack, the National Guard cyber security unit arrived to assist the hospital's recovery (Namoca, 2021). The institution managed to recover 80% of its functions and applications. Also, because of the recommended protections it had in place for data storage and use, UVM is confident that no personal patient data was stolen (Reddy et al., 2022). However, UVM lost revenue totalling up to $63 million during the attack, and patients were not offered services because the institution repeatedly shut down its IT systems to limit the spread of the ransomware (Namoca, 2021).
If UVM had implemented the recommended NIST and ISO information security frameworks, the impact of the ransomware would have been different, since NIST offers an ideal framework for cybersecurity (Pan & Tomlinson, 2016). The NIST SP 800 Series and the ISO 27000 Series recommend that organizations conduct yearly penetration tests. These tests subject the information security defences to external, internal, and application attacks designed to emulate real cyber attacks (Pan & Tomlinson, 2016). Security reviews and regular penetration tests should be carried out by skilled third-party testers.
This literature review primarily focuses on information security standards and how they can be implemented in the healthcare sector to improve the sector's information risk assessment and management. In the introduction, the article explains information security in the healthcare sector and compares the views of ten articles on the issue. The views of distinct authors increase readers' awareness of the need for information security in the healthcare sector and offer standards and guidelines on how to assess and manage the risk. Further, the article explains three security standards that may be implemented in the health sector to provide information security assessment and management. Additionally, the article discusses the UVM cyberattack and explores the information security frameworks (NIST and ISO) that could have been applied to minimise the impact of the attack.
Kljucnikov, A., Mura, L., & Sklenar, D. (2019). Information security management in SMEs: factors of success. Entrepreneurship and Sustainability Issues, 2081 – 2094.
Al-sofi, T. A., Al-Shaibany, N. A., Al-Khulaidi, A. A., & Almekhlafi, Y. M. (2021). Analysis of Information Security Management Systems Frameworks in Organizations. International Research Journal of Modernization in Engineering Technology and Science, 661 – 673.
Bozic, V. (2020). Managing information security in healthcare. Smart Cities and Regional Development Journal, 63 – 83.
Hamidovic, H. (2011). An Introduction to Information Security Management in Health Care Organizations. ISACA Journal, 1 – 5.
Moffit, R., & Steffen, B. (2017). Health Care Data Breaches: A Changing Landscape. Maryland Health Care Commission.
Namoca, E. (2021, March). Ransomware Attack on the University of Vermont Health Network. Retrieved November 11, 2023, from University of Hawaii: https://westoahu.hawaii.edu/cyber/ics-cybersecurity/ics-weekly-summaries/ransomware-attack-on-the-university-of-vermont-health-network/
Pan, L., & Tomlinson, A. (2016). A Systematic Review of Information Security Assessment. International Journal of Safety and Security, 270 – 281.
Parmeggiani, D., Siciliano, M., Moccia, G., & Luongo, P. (2023). The adoption of a cybersecurity framework in a healthcare, surgical, and oncological environment: "Synergy-net", a Campania FESR-POR (European Fund of Regional Development – Regional Operative Program) research project. Clinical Practice, 83 – 89.
Pohn, D., Seeber, S., & Hommel, W. (2023). Combining SABSA and Vis4Sec to the Process Framework IdMSecMan to Continuously Improve Identity Management Security in Heterogeneous ICT Infrastructures. Appl. Sci., 2349.
Reddy, J., Elsayed, N., ElSayed, Z., & Ozer, M. (2022). Data Breaches in Healthcare Security Systems. arXiv, 1 – 7.
Sansurooah, K. (2015). Security risks of medical devices in wireless environments. Australian eHealth Informatics and Security Conference (pp. 1 – 10). Perth: Edith Cowan University.
Stevanovic, B. (2011). Maturity Models in Information Security. International Journal of Information, 2.
Williams, J. L. (2021). Security and Privacy of the Integrated Clinical Environment Part III. Journal of Healthcare Finance, 1 – 9.
Yeng, P. K., Fauzi, M. A., Sun, L., & Yang, B. (2022). Assessing the Legal Aspects of Information Security Requirements for Health Care in 3 Countries: Scoping Review and Framework Development. JMIR Hum. Factors.
Youssef, A. (2022). A Framework for a Medical Device Security Program at a Healthcare Delivery Organization. Biomed Instrum Technol, 92 – 97.
Zarei, J., & Sadoughi, F. (2016). Information security risk management for computerized health information systems in hospitals: a case study of Iran. Risk Management and Healthcare Policy, 75 – 85.