ABSTRACT
Security incidents can have negative impacts on healthcare organizations, and the security of medical records has become a primary concern of the public. However, previous studies showed that organizations had not effectively learned lessons from security incidents. Incident learning as an essential activity in the “follow-up” phase of security incident response lifecycle has long been addressed but not given enough attention. This paper conducted a case study in a healthcare organization in China to explore their current obstacles in the practice of incident learning. We interviewed both IT professionals and healthcare professionals. The results showed that the organization did not have a structured way to gather and redistribute incident knowledge. Incident response was ineffective in cycling incident knowledge back to inform security management. Incident reporting to multiple stakeholders faced a great challenge. In response to this case study, we suggest the security assurance modeling framework to address those obstacles.
Acknowledgements
The authors would like to thank the Scottish Informatics and Computer Science Alliance (SICSA) for funding this research. The authors would like to thank Professor Marie-Pierre Gagnon from Laval University for the advisory support of this article.
Declaration of interest
The authors declare no conflicts of interest.