As in banking and commercial companies, information security is an important issue for information systems in the health care industry. Security incidents in an information system are a common problem. Such incidents include physical attacks, viruses, intrusions, and hacking. For instance, in the USA, more than 10 million security incidents occurred in the year 2003, with a total loss of over $2 billion. In the health care industry, the damage caused by security incidents cannot be measured by monetary cost alone. The trouble with inaccurate information in a health care system is that someone might believe it and act on it in a way that harms the patient. In one security event, an unauthorized modification to the drug regime system at Arrowe Park Hospital proved to be deliberate, and the perpetrator received a jail sentence under the Computer Misuse Act of 1990. In another security event (The Institute of Physics and Engineering in Medicine, 2003), six patients received severe overdoses of radiation while being treated for cancer on a computerized medical linear accelerator between June 1985 and January 1987. Owing to the misuse of untested software in the control system, the patients received radiation doses of about 25,000 rads, whereas the normal therapeutic dose is 200 rads. Some of the patients reported immediate symptoms of burning and electric shock. Two died shortly afterward, and the others suffered scarring and permanent disability.
BS7799 is an information security management standard developed by the British Standards Institution (BSI) for an information security management system (ISMS). The first part of BS7799, the code of practice for information security, was later adopted by the International Organization for Standardization (ISO) as ISO 17799; the ISO 27002 standard is the renamed ISO 17799. It outlines hundreds of potential controls and control mechanisms that may be implemented. The second part of BS7799, which states the specification for an ISMS, was replaced by the ISO 27001 standard published in October 2005. The Picture Archiving and Communication System (PACS; Huang, 2004) is a clinical information system tailored for the management of radiological and other medical images for patient care in hospitals and clinics. This was the first implementation in the world of both standards in a clinical information system to improve data security.
Information security is the prevention of, and recovery from, unauthorized or undesirable destruction, modification, disclosure, or use of information and information resources, whether accidental or intentional. A more proactive definition is the preservation of the confidentiality, integrity, and availability (CIA) of information and information resources. Confidentiality means that the information should only be disclosed to a selected group, either because of its sensitivity or its technical nature. Information integrity is defined as the assurance that the information used in making business decisions is created and maintained with appropriate controls to ensure that the information is correct, auditable, and reproducible. As far as information availability is concerned, information is said to be available when employees who are authorized to access it, and whose jobs require that access, can do so in a cost-effective manner that does not jeopardize the value of the information. Also, information must be consistently available to conduct business smoothly. Business continuity planning (BCP) includes provisions for assuring the availability of the key resources (information, people, physical assets, tools, etc.) necessary to support the business function.
Key Terms in this Chapter
Picture Archiving and Communication System (PACS): A picture archiving and communication system is a system used for managing, storing, and retrieving medical image data.
Controls: These are the countermeasures for vulnerabilities.
Availability: Prevention of unauthorized withholding of information or resources.
Integrity: Prevention of unauthorized modification of information.
Confidentiality: Prevention of unauthorized disclosure of information.
Threats: These are things that can go wrong or that can attack the system. Examples might include fire or fraud. Threats are ever present for every system.
Digital Imaging and Communications in Medicine (DICOM): Digital Imaging and Communications in Medicine is a medical image standard developed by the American College of Radiology and the National Electrical Manufacturers Association.
Statement of Applicability: Statement of applicability describes the control objectives and controls that are relevant and applicable to the organization’s ISMS scope based on the results and conclusions of the risk assessment and treatment process.
Information Security Management System (ISMS): An information security management system is part of the overall management system, based on a business risk approach, to develop, implement, achieve, review, and maintain information security. The management system includes organizational structure, policies, the planning of activities, responsibilities, practices, procedures, processes, and resources.
Business Continuity Planning: The objective of business continuity planning is to counteract interruptions to business activities and critical business processes from the effects of major failures or disasters.
Vulnerabilities: These make a system more prone to attack by a threat, or make an attack more likely to have some success or impact. For example, for fire, a vulnerability would be the presence of inflammable materials (e.g., paper).