Abstract
Objectives
The information security management systems (ISMS) of 5 hospitals with more than 500 beds were evaluated with regards to the level of information security, management, and physical and technical aspects so that we might make recommendations on information security and security countermeasures which meet both international standards and the needs of individual hospitals.
Methods
The ISMS check-list derived from international/domestic standards was distributed to each hospital to complete and the staff of each hospital was interviewed. Information Security Indicator and Information Security Values were used to estimate the present security levels and evaluate the application of each hospital's current system.
Results
With regard to the moderate clause of the ISMS, the hospitals were determined to be in compliance. The most vulnerable clause was asset management, in particular, information asset classification guidelines. The clauses of information security incident management and business continuity management were deemed necessary for the establishment of successful ISMS.
Conclusions
The level of current ISMS in the hospitals evaluated was determined to be insufficient. Establishment of adequate ISMS is necessary to ensure patient privacy and the safe use of medical records for various purposes. Implementation of ISMS which meet international standards with a long-term and comprehensive perspective is of prime importance. To reflect the requirements of the varied interests of medical staff, consumers, and institutions, the establishment of political support is essential to create suitable hospital ISMS.
With the processing of social information management, information collection, analysis and applications are becoming the important assets which determine the competition of individuals and institutes. There are much public investments on human resource training and research and development based on enhancement in order to control the side effects of social information management [1]. As hospitals collect, use, and store personal information and health information related an individual's privacy directly, the risks of information leakage, forgery, and falsification are more serious than any other institutions [2]. The actions for personal health information protection are very important to both hospitals and patients. To ensure the confidentiality of medical information is a fundamental condition for continuity of medical practice. So, hospitals should show reliability to patients that hospitals collect, use, disclose, and store personal health information safely according to the rules, regulations and medical laws [3]. Domestic hospitals protect personal health information through the 'Medical Service Act', 'The Act on the Protection of Personal Information Maintained by Public Institutions', and 'The Act on Promotion of Information and Communications Network Utilization and Information Protection', etc. However it is applicable only for some medical service staffs and it does not cover all staffs using medical information systems in hospitals. Also, it is not sufficient to meet the public requests of information protection.
To meet requirements of information security, hospitals should build up and implement the Information Security Management System (ISMS). It ensures the stability and reliability of information assets in hospitals and guarantees confidentiality, integrity and availability of medical information [4-7]. However, there is an absence of standardized ISMS which reflects the characteristics of medical service, so it is difficult to apply existed ISMS to medical information system. There could be serious risks related to information security and damage to both medical centers and patients. Therefore standards in a national level related to personal health information protection and security is needed to establish security in hospitals immediately.
In this paper, we recommend the standards on personal health information protection and security countermeasures which is fit for international standards and the needs of hospitals after investigating the ISMS of 5 hospitals which contain over 500 beds, based on present laws and guidelines for information security management in physical and technical aspects.
For the study, five hospitals which contained over 500 beds were investigated, that is, two public hospitals and three private hospitals. Three of them used electronic medical record systems, and the other two hospitals used hybrid medical record systems.
Check-lists to investigate the ISMS were designed according to international standards ISO/IEC 27001; 17799, JIS Q 15001 in Japan and the ISMS presented by the Korean Internet & Security Agency in Korea [4-7].
The check-lists were distributed to each hospitals to fill in, we interviewed the staffs directly according to the check-list terms.
Each check list term and category assessed 3 answers which were 'Yes', 'Partial', and 'No' to estimate the Information Security Indicator (ISI) and Information Security Values (ISV) (Table 1). Weight such as 'High', 'Medium', or 'Low' shows the importance of a detailed category, and 'Yes', 'Partial', or 'No' show how much they keep a detailed category. To understand realistic and practical views on information security, the plan for application was checked in applicability, application schedule (Yes/No) and expenditure terms (Figure 1).
Hospitals should equip detailed information security policy and review it regularly to support for information security. As shown in Table 2, the average percentage of scores for the medical information security policy, control for information security policy documents, and information security policy maintenance and management was 53.5%, 60.0%, and 35.6% respectively. Though there were basic policy documents of information security policies required by assessments of medical institutions, there were not detailed information security policy documents.
To manage ISMS in hospitals, the organizations with assigned roles and responsibilities are needed for information security and co-ordinate each other. Table 3 showed the average percentage of scores for the organization of information security, control for internal organizations, and external parties which were 63.0%, 57.7%, and 69.2% respectively. The level of sub-control for contact with special interest groups and independent review of information security was low (40.0%). Only 1 hospital had organization and personnel in charge of information security. Though there was a dual role for information security without exclusive charge, there were no regulations for responsibilities and roles in hospitals. In matters of the external parties' security, sub-control for third party security management and identification of risks related to external parties. It was found to be insufficient. 1 hospital did not address security with customers.
To control and maintain protection of the information asset, information asset classification which is a basic for identifying information assets and evaluating risks is needed. The average percentage of scores for asset management, control for responsibility for assets, and information classification were 32.7%, 31.6%, and 34.3% respectively. Asset management was analyzed to be the most vulnerable clause in the ISMS. There were little classification guidelines which was a base for establishment of countermeasures for information security management in hospitals. It was insufficient in making and managing the inventory of assets in hospitals. Ownerships of assets were the most inadequate among sub-controls in asset management, 4 hospitals got 0 points out of 4 in the ownership of assets clause. There were no designated asset managers. Only 1 hospital had ownership of assets. The level of classification guidelines, information labeling and handling was insufficient as shown in Table 4.
People involved in hospitals such as employees, contractors and third party user should understand the responsibilities of information protection, and hospitals should set up procedures of termination or change of employment, and the education and evaluation schedules to train all staff. The average percentage of scores for human resources security was 61.8% as shown in Table 5, among the controls, 'prior to employment' received the lowest score (52.8%). Checking consideration prior to employment, screening policy was implemented moderately (77.1%), but sub-control for roles and responsibilities, terms and conditions for employment were not at a high level. In case of termination or change of employment, 4 hospitals fulfilled the sub-control for return of assets and removal of access rights, but there were few standard procedures of termination or change of employment. Information security education and training plans were established in 4 hospitals, but no detailed target and contents. Some hospitals implemented information security education and training, which was not based on a specific plan.
To avoid inappropriate physical access, secure areas should be defined and specified, and disposal and re-use of equipment, removal of property, and security of equipment off-premises should be prescribed. The average percentage of score for physical and environmental security, control for secure areas, and equipment security was 69.1%, 52.8%, and 82.2% respectively as shown in Table 6. The Sub-control for physical security perimeter and physical entry controls received under half score (50%). There were no entry logs of offices, even in the data processing department with concentrated information assets. Public access, and delivery showed to be the most vulnerable among sub-controls (23.3%). The level of equipment security was relatively higher than other controls and cabling security was managed well in the 5 hospitals. But equipment that could contain personal health information was disposed and re-used inappropriately.
To ensure secure operation of medical information system, countermeasures and operating procedure should be established in accordance to information technology trends such as mobile codes. The average percentage of scores for the communications and operations management was 62.1% as shown in Table 7. The most vulnerable control was the third party service delivery which showed 35.8%. Information back-up was at a moderate level, but monitoring, media handling protection against malicious and mobile codes were insufficient. In operational procedures and responsibility, the network security management of medical information system which contains very important information was not controlled. There was a lack of awareness on security vulnerability about mobile codes such as Active-X and media handling. Especially the management of removable media was not managed properly. For monitoring, clock synchronization was managed well, but the level of administrator and operator logs and protection of log information was low.
To avoid control unauthorized access and control access authority to information, access control should be equipped. The average percentage of scores for access control, control for mobile computing, teleworking and user responsibilities were 68.6%, 47.0%, and 52.0% respectively which was not at a sufficient level compared to other the controls category (Table 8). Access control should be set up with identifying information and risks about business programs and analyzing security requirements. However the hospitals did not prepare the regulations and guidelines for these things. Medical information system including important personal health information should be separated from the internet, but some hospital did not separate personal medical records from networks either physically or logically. In matters of mobile computing and teleworking, there were many demands for telemedicine, but it was not allowed because of security even now.
Security is the integral part of information system, so security requirements should be verified each step like information system acquisition, development and maintenance. As shown in Table 9, the average percentage of scores for information systems acquisition, development and maintenance, control for cryptographic controls, and security requirements of information systems were 65.8%, 49.5%, and 53.3% respectively. Technical vulnerability management percentage was 55.0%. Only 2 hospitals reviewed security requirements in case of information systems acquisition and development. Network encryption was not applicable. Test data containing patient`s personal health information were used for information systems acquisition, development and change, and it was not reviewed appropriately.
Management of information security is need for managing information security event and problems related to information system. The average percentage of scores for information security incident management, control for Establishment of security incident action system, security incident action and follow-ups were 34.4%, 27.7%, and 38.3% respectively. For the cases of information security incident, organization systems or procedures, no actions were set up. Reporting security weaknesses was implemented in 4 hospitals, the collection of evidence and recovery and follow-up security events were at a very low level (10 to 12%) as shown in Table 10.
To protect interruptions to business activities, hospitals should manage business continuity. The average percentage of scores for business continuity management was 45.4%. Some hospitals had disastrous recovery systems, but developing and implementing continuity plans including information security, Business continuity planning framework and Testing, maintaining and reassessing business continuity plans were not established properly to face the disasters (Table 11).
For compliance, hospital should review the exited law and regulation on information security. The average percentage of scores for compliance, control for compliance with legal requirements, compliance with security policies and standards, and technical compliance, and Information systems audit considerations were 70.0%, 76.3%, 57.1% and 56.4% respectively as shown in Table 12. The compliance with legal requirements, sub-control identification of applicable legislations, protection of organizational records, data protection and privacy of personal information were at moderate levels, but intellectual property rights (IPR) especially, IPR management of software was inadequate. Compliance with security policies and standards should be reviewed regularly, but regulations or guidelines for checking technical compliance did not exist. Information systems audit results and follow-ups were implemented, but the information systems audit plan was at a low level.
The aim of the study is to analyze the ISMS in 5 hospitals which contain more than 500 beds and to find out the level of personal health information security in compliance with international standards on information security such as ISO/IEC 27001; 17799, JIS Q 15001 in Japan and ISMS presented by Korean Internet & Security Agency in Korea. Also, the purpose is to recommend the standards on information security and security countermeasures which are fit for international standards and the needs of hospitals concerning information security, management, physical aspects, and technical aspects.
As analyzed, the conditions of the ISMS in 5 hospitals in Korea showed that the level of the ISMS in hospitals were rather low compared to the financial, manufacturing, and public institutions [8]. The lowest standards were found in the clauses of information asset management, information security incident management and continuity controls among the 11 clauses suggested by the ISMS. To establish security countermeasures, the following are required.
In terms of management, hospitals should review existing policies and be equiped with detailed policy documents including statements, regulations, guidance etc. in accordance with internal and external changes [9,10]. Also, it is required to organize an information security team with clear roles and responsibilities for security of information. Employment contract documents for new employees should contain the responsibilities of information protection, and hospitals should set up procedures for termination or changes of employment. As well as ensure education and evaluation schedules to train all staff. With the increase of outsourcing for business efficiency and cost-effectiveness in hospitals, security requirements should be suggested in third party agreements. For compliance, restrictions on IPR are reinforced strictly. Considering secure auditing, a new check list is required for internal and external security auditing.
In the physical and environmental aspects, secure areas should be defined and specified, and physical entry controls for the security of information assets are required. The disposal and re-use of equipment, removal of property, and security of equipment off-premises should be prescribed as well.
In technical aspects, new security vulnerability could be detected continuously through the development of information technology. So, hospitals should build up counter-plans at the starting point of medical information systems. Countermeasures for secure medical information systems should be established in accordance to information technology trends such as mobile codes. The leakage of personal information not only happens on-line through networks, but also through removable media including USB, CD-ROM, and magnetic tapes. Especially with the increase of the USB, a security measures for USB is desperately needed. For the future on-line exchange of medical information between hospitals, security policies and procedures for exchange of information should be set up immediately. Forgery, alternation and access of unauthorized staffs to log data on medical information systems should be protected at a reasonable cost. User password management is most important for maintaining effective access control and to ensure the security of the information systems. To avoid unauthorized access, a clear desk and screen or log-out should be implemented when staffs leave their office or computers. In cases of information system acquisition and development, it is considered a business requirement statement which describes in detail concerning information protection. Generally, it requires a lot of extra costs and effort to reflect security requirements when operating the system more than 60 times. With increasing hacking of technology, the scope and level of technical vulnerability needs to be determined and reviewed regularly. Though there are no compulsive regulations for disaster recovery systems in hospitals for security incident actions and business continuity, a security incident action system is required. Also it is important to follow-up security incidents as well as to prevent them. Disaster recovery systems cost very much, therefore a proper measurement is studied with in its scale. It could be a big burden to hospitals in terms of cost and manpower for the improvement of insufficient clauses for information security to be verified. However it is necessary to establish the ISMS in hospitals in order to give trust to patients ensuring their privacy and to use medical records for various purposes in safety. The most important thing is the will to practice ISMS and try to meet the international standards for information security with long-term and comprehensive perspectives and review them regularly. Hospitals can approach information security from feasible security requirements such as policy and regulation making or supplementation of security faults. Also, it is necessary to reflect on the requirements of varied interests such as medical staff, medical consumers and other institutions for information security.
This study has limitations in that it analyzed ISMS for only 5 hospitals, so it could not represent the level of information security for all hospitals. However it is the first attempt to analyze the ISMS of the whole hospital including policies, organization, manpower, facilities and the information system. In addition, it suggests that the information security countermeasures based on international standards with reflecting the characteristics of hospitals. Suggested information security countermeasures could contribute to an improvement of information security in hospitals and may establish political support by setting up regulations and expenditure on ISMS in hospitals.
References
1. Jung BJ. Present situation and problems of U-healthcare service (Ubiquitous Society Research Series 10) [Internet]. 2005. cited at 2010 May 4. Seoul: National Information Security Agency;Available from: http://old.nia.or.kr/open_content/board/boardView.jsp?id=28795&tn=CV_0000224.
2. Kim HE, Kim JH. A survey on the attitude of social groups toward security, privacy, and confidentiality of health information: an original paper authors and affiliations. J Korean Soc Med Inform. 1999. 5:63–76.
3. Kim ON. Registration of medical information and effective data collecting of information for survey and personal information protection methods, registration of medical data and information control for survey. Proceedings of Korea Medical Record Association Annual Fall Conference. 2003. 2003 September 26-27; Gyeongju. Seoul: Korea Medical Record Association;32–35.
4. International Organization for Standardization. ISO/IEC 17799: Information technology--security techniques--code of practice for information security management. 2005. Geneva: International Organization for Standardization.
5. International Organization for Standardization. ISO/IEC 27001: Information technology--security techniques--information security management system--requirements, international standard. 2005. Geneva: International Organization for Standardization.
6. Japanese Industrial Standards Committee. JIS Q 15001: Personal information protection management systems: requirements. 2006. Tokyo: Japanese Standards Association.
7. Korea Internet & Security Agency. ISMS certification inspection standards. 2008. Seoul: Korea Internet & Security Agency.
8. Center for Interoperable EHR. Report of development of information protection and security system. 2009. Seoul: Center for Interoperable EHR.
9. Korea Health Industry Development Institute. Guidance for hospital evaluation program. 2007. Seoul: Korea Health Industry Development Institute.