Information security in the health information system has been technology-centric and no strategy has been put forward to meet the demands of the rapid adoption of e-Health in the health industry. The implementation of security requires a good understanding of the stake holders involved and requires the technical aspect of clinical information security, including security requirements, access control and disclosure control. However, since technology-centric security is prone to failure, a stringent strategic approach is quintessential. This chapter discusses the ways to safeguard medical information assets from the strategy point of view. This study shows that most of the existing clinical information security literature and practice has been focused on tactical prevention at a technical level. This understanding of the current status of clinical information security not only suggests the need for a shift from the technical approach to the strategic approach but also raises the necessity for the employment of multiple strategies working in a harmonised way.
TopIntroduction
With the computer becoming ubiquitous and with the increased use of cloud computing for dissemination of health information, there is an increased risk of various types of security threats (El Emam, Neri, & Jonker, 2007; Huston, 2001; Lorence & Churchill, 2005; Mercuri, 2004).
Some of the security threats to healthcare information are: private use by privileged insiders (Anderson, 1996a), illegal use of information by third parties such as social workers and insurance companies (Anderson, 1996a; Kumar & Lee, 2011), unauthorized use of resources (Win, Susilo, & Mu, 2006), unauthorized alteration of resources and information (Win et al., 2006), the loss, release or theft of items of equipment and digitised medical information (Bønes, Hasvold, Henriksen, & Strandenæs, 2007; Clayton et al., 1997), and disclosure at the communication channel between head surgeries/clinics and branch surgeries/clinics and at the devices participating in the communication (Bønes et al., 2007; Kumar & Lee, 2011), the repudiation of actions (Win et al., 2006), the unauthorized denial of service (Kumar & Lee, 2011), and the exposure of mobile healthcare devices to insecure zones (Bønes et al., 2007).
These threats target sensitive information such as fertility and abortions, emotional problems and psychiatric care, sexual behaviours, sexually transmitted diseases, physical abuse problems and genetic predispositions to diseases (Rindfleisch, 1997). Especially, the shift towards digitised and networked healthcare services via the Internet and/or mobile technologies, such as Health Bank (Ramsaroop & Ball, 2000), aggravates security concerns and, as a result, stimulates the development of relevant technologies (Dong & Dulay, 2006; Hung, 2005; Peyton, Hu, Doshi, & Seguin, 2007; Raman, 2007; Zheng, Chen, & Hung, 2007). More importantly, the probability of security breaches in the healthcare sector is steadily on the rise, from 8.14% in 2005 to 30.84% in 2010 (Collins, Sainato, & Khey, 2011).
The existing security measures are insufficient to provide a satisfactory level of protection to clinical information assets (Win et al., 2006) and for protecting genetic privacy (Erlich & Narayanan, 2014). There is a significant gap, regarding awareness of clinical information protection, between healthcare providers and patients. Medical practitioners and institutions are relatively less sensitive than patients regarding the breach of healthcare information (Collmann & Cooper, 2007; Emam, Moreau, & Jonker, 2011; Kruger & Anschutz, 2013; Likourezos et al., 2004; Stahl, Doherty, & Shaw, 2012). They exhibit a similar attitude even to the use of hand-held devices, which are known to be more vulnerable, in clinical practice (McAlearney, Schweikhart, & Medow, 2004). On the other hand, a significant percentage of patients are concerned about the possibility of medical information leakage from health websites that share information without their permission (Raman, 2007). Hence, the protection of clinical information assets is regarded as a major concern requiring long-term and continuing attention in the healthcare industry (Ammenwerth, Buchauer, Bludau, & Haux, 2000; Figg & Kam, 2011; Gritzalis & Lambrinoudakis, 2004; Kahn & Sheshadri, 2008; Win, 2005).