A Survey of Security Standards Applicable to Health Information Systems

Francis Akowuah (Department of Computer Science, North Carolina A&T State University, Greensboro, NC, USA), Xiaohong Yuan (Department of Computer Science, Center for Cyber Defense (a CAE/IAE), North Carolina A&T State University, Greensboro, NC, USA), Jinsheng Xu (Department of Computer Science, North Carolina A&T State University, Greensboro, NC, USA) and Hong Wang (Department of Management, North Carolina A&T State University, Greensboro, NC, USA)
Copyright: © 2013 |Pages: 15
DOI: 10.4018/ijisp.2013100103

Abstract

The information maintained by Health Information Systems (HIS) is often faced with security threats from a wide range of sources. Some governments' regulations require healthcare organizations and custodians of personal health information to take practical steps to address the security and privacy needs of personal health information. Standards help to ensure that an adequate level of security is attained, resources are used efficiently and the best security practices are adopted. In this paper, the authors survey security standards applicable to the healthcare industry, including Control Objectives for Information and Related Technology (COBIT), ISO/IEC 27002:2005, ISO/IEC 27001:2005, NIST Special Publication 800-53, ISO 27799:2008, HITRUST Common Security Framework (CSF), ISO 17090:2008, ISO/TS 25237:2008, etc. This survey informs the audience of currently available standards that can guide the implementation of information security programs in healthcare organizations, and provides a starting point for IT management in healthcare organizations to select a standard suitable for their organizations.
Article Preview

Introduction

The National Institute of Standards and Technology (NIST) defines a Health Information System (HIS) as a discrete set of information resources organized expressly for the collection, processing, maintenance, use, sharing, dissemination, or disposition of health information (NIST, 2009). Usually, an HIS is made up of one central hospital information system, which covers basic Enterprise Resource Planning (ERP)-like functionality such as patient registration, billing, documentation, inventory, and other functions required at the corporate level. Ancillary systems such as laboratory, pharmacy and x-ray components may also be included or connected. Administrative personnel and clinicians (physicians and nurses) access the HIS from workstations and mobile devices running several applications to view or collect medical and/or administrative information (Luethi & Knolmayer, 2009).

Health information systems improve the quality of healthcare delivery by increasing the timeliness and accuracy of records and administrative information. The information maintained by these systems is often faced with security threats from a wide range of sources, including computer-assisted fraud, espionage, sabotage, vandalism, fire or flood. Security incidents such as computer hacking, malicious code and denial of service attacks have not only become common but also increasingly sophisticated. Organizations, and healthcare organizations in particular, should devote adequate resources to ensure the protection of their information assets. Many governments impose security requirements on healthcare organizations and custodians of personal health information by enacting laws and other regulations (Akowuah, Yuan, Xu, & Wang, 2012). The security requirements levied on healthcare organizations can be met by implementing one or more information security standards.

Standards help to ensure that an adequate level of security is attained, resources are used efficiently and the best security practices are adopted (HKSAR, 2008). A standard is defined as a document that provides requirements, specifications, guidelines or characteristics that can be used consistently to ensure that materials, products, processes and services are fit for their purpose (ISO, 2013). Information security standards specify security controls that help organizations attain an acceptable level of security. “Security controls are the management, operational, and technical safeguards or countermeasures employed within an organizational information system to protect the confidentiality, integrity, and availability of the system and its information” (NIST, 2009). In this paper, we survey current security standards applicable to the healthcare industry. For each standard, we give a brief description of the standard and discuss its background and the challenges in applying it. This survey informs the audience of currently available standards that can guide the implementation of information security programs in healthcare organizations, and provides a starting point for IT management in healthcare organizations to select a standard suitable for their organizations.

We describe the standards that are generic in nature first and then move on to standards that are geared toward the healthcare industry. The standards described are COBIT, ISO/IEC 27002:2005, ISO/IEC 27001:2005, NIST Special Publication 800-53, ISO 27799:2008, HITRUST Common Security Framework (CSF), ISO 17090:2008, and ISO/TS 25237:2008. The applicability of these standards, and issues related to the implementation of a security standard, are also discussed.