Original Research

Information security risk management for computerized health information systems in hospitals: a case study of Iran

Pages 75-85 | Published online: 27 May 2016

Abstract

Background

In recent years, hospitals in Iran, similar to those in other countries, have experienced growing use of computerized health information systems (CHISs), which play a significant role in hospital operations. However, the major challenge of CHIS use is information security. This study evaluates CHIS information security risk management at hospitals in Iran.

Materials and methods

This applied study is a descriptive and cross-sectional research that has been conducted in 2015. The data were collected from 551 hospitals of Iran. Based on literature review, experts’ opinion, and observations at five hospitals, our intensive questionnaire was designed to assess security risk management for CHISs at the concerned hospitals, which was then sent to all hospitals in Iran by the Ministry of Health.

Results

Sixty-nine percent of the studied hospitals pursue information security policies and procedures in conformity with Iran Hospitals Accreditation Standards. At some hospitals, risk identification, risk evaluation, and risk estimation, as well as risk treatment, are unstructured without any specified approach or methodology. There is no significant structured approach to risk management at the studied hospitals.

Conclusion

Information security risk management is not practised by Iran’s hospitals, and their information security policies do not address it. This problem can cause a large number of challenges for their CHIS security in the future. Therefore, Iran’s Ministry of Health should develop practical policies to improve information security risk management in the hospitals of Iran.

Background

In recent years, rapid growth of information and communication technologies and increasing pressures for reducing health care costs, improving health care quality, ensuring patient safety, and reducing medical mistakes have led to increasing use of computerized health information systems (CHISs) in health care organizations [1–3]. Currently, use of CHIS is a basic requirement for any health care organization such as hospitals [4]. CHIS refers to any computer system capturing, storing, managing, and transmitting personal or organizational health information in health care sectors [5]. One of the major challenges of CHIS use is information security [6–8]. Patients’ personal health information contained in the CHIS is considered the most confidential personal information that should be protected [9]. Electronic health information recording increases the risk of unauthorized access and disclosure of information. In case of unauthorized disclosure of information, patients, practitioners, and hospitals run into serious problems [10].

Computerized information systems of organizations are faced with a variety of internal and external threats, which can cause different types of damage [11]. They can have adverse effects on organizational operations, information assets, individuals, other organizations, and the nation [12]. Therefore, information security is crucial for organizational survival, minimization of threats endangering organizational operations, and protection of confidentiality, integrity, and availability of information [13,14]. The main objective of “information security” is implementing appropriate control measures for eliminating or minimizing the impacts of different security-related threats and organizational vulnerabilities [15]. The main question is how information security can be effectively and economically implemented in organizations. The answer is Information Security Risk Management (ISRM) [16].

ISRM is a structured and continuous process with the purpose of identifying, evaluating, and minimizing some types of risks, as well as achieving appropriate acceptability [17]. ISRM is very important for successful organizational information security programs for the following reasons [18]. First, information security risks are not constant over time and vary depending on the conditions of the organization, development of and changes in the information system, new users, and so on [19]. ISRM is one of the ways to reduce the negative impact of risks on the organization [20]. Second, through risk management, organizations can concentrate resources on high-risk areas and can manage them by using appropriate and measurable ways while limiting risks reasonably [21]. Third, one of the characteristics of a successful security program is cost–benefit analysis of the implementation of information security controls. This accurate analysis is performed by the risk management process [16,19].

In Iran, the hospital is the main health care organization [22]. Thus, a major share of health information is recorded at hospitals. In the past decade, CHIS has been increasingly used by Iran’s hospitals. Accordingly, clinical, financial, and administrative activities of hospitals are increasingly dependent on the performance of the CHIS, as compared with the past [23]. Therefore, ensuring information security in these systems is of crucial importance for the hospitals. However, in recent years, CHIS security at Iran’s hospitals has faced greater challenges. In 2014, for the purpose of reducing public costs of health care, a health reform plan was implemented as one of the major policies of the new government [24]. Accordingly, hospitals are required to connect their hospital information system programs to the Iranian system of electronic health records (SEPAS system) through the Internet. Connection through the public Internet considerably increases the risk of unauthorized access to information; meanwhile, some findings reveal a lack of specified rules on confidentiality of patient information in electronic health systems of hospitals [25]. Moreover, in recent years, due to the disputes concerning Iran’s nuclear program and Iran’s disagreements with Western countries and some of the Middle East countries, Iran’s computer information systems have been exposed to cyber threats, such as the Internet viruses Stuxnet and Flame [26–28]. These viruses, according to many information security experts in the world, are very complex and cannot easily be confronted [27,29]. In 2014, the information security firms Kaspersky Lab and Symantec reported an advanced espionage malware (Regin), one of whose target countries was Iran [30,31].

Considering the information security risks at Iran’s hospitals and importance of ISRM in reducing and minimizing adverse effects of information security risks, as well as the effectiveness of the information security programs in hospitals, this study investigates the ISRM status at hospitals of Iran. Findings of this study can provide a comprehensive view of the ISRM situation and its place in health information security policies of hospitals and can help researchers and policy makers interested in ISRM in health care.

Materials and methods

This applied research is a descriptive cross-sectional study conducted in 2015. All active hospitals in Iran (until August 2014) were studied. In the first step, the research instrument for the assessment of ISRM situation in the hospitals of Iran was designed. To design the instrument, key processes of ISRM were identified by using the literature review in related information sources. The gathered data included guidelines, frameworks, standards, and methodologies for information security risk assessment and risk management, previous studies on ISRM in the hospitals, and other documents related to ISRM.

Several search engines and databases such as Google Scholar, Institute of Electrical and Electronics Engineers Digital Library, Association for Computing Machinery Digital Library, and PubMed were searched to find the relevant documents. Documents were identified by the following keywords: “Information security risk management” and “Information security risk assessment”, combined with the terms “Standard”, “Method”, “Model”, “Framework”, “Guideline”, and “Best practice” or “Hospital”, and “Health”, in the English language. We confined our search to documents published from 2000 to 2014. Inclusion criteria for selecting resources were as follows: 1) availability of documents in the English language and 2) free access to full-text documents. Non-full-text articles and documents were excluded. Literature was reviewed to the data saturation level. Data saturation was considered reached when a risk assessment and management process principle appeared in at least five retrieved sources, including articles, books, standards, guidelines, and methodologies. The data saturation level was determined based on the judgment of three experts (specialists in information security risk management). Sampling was not performed, and all the relevant literature retrieved based on the inclusion criteria was evaluated.

A checklist was used to extract content from retrieved documents. In total, the specific guidelines, standards, and methodologies for information security risk assessment and risk management were as follows: International Organization for Standardization/International Electrotechnical Commission (ISO/IEC) 27005 [32], National Institute of Standards and Technology Special Publication 800-30 (NIST SP 800-30) [12], Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE) Allegro [33], Method for Harmonized Analysis of Risk (MEHARI) [34,35], Metodología de Análisis y Gestión de Riesgos de los Sistemas de Información (MAGERIT) [36], information technology (IT)-Grundschutz [37], Information Technology Security Guidance 33 – IT security risk management: a lifecycle approach (ITSG-33) [38], Security Officers Management & Analysis Project (SOMAP) [39], Threat Agent Risk Assessment (TARA) [40], CORAS [41], Threat Vulnerability and Risk Analysis (TVRA) [42], Factor Analysis of Information Risk (FAIR)-based Risk Analysis (O-RA) [43], and Expression des Besoins et Identification des Objectifs de Sécurité (EBIOS) [44]; and international standards of information security management (ISM), including ISO/IEC 17799 [45] and ISO 27799 [46], were identified and surveyed. Moreover, eight studies related to information security risk assessment and risk management in hospitals [47–54], one report [55], and one book [56] were retrieved and reviewed. In the second step, key processes of ISRM were extracted from the retrieved literature. Figure 1 shows these stages.

Figure 1 Key process of information security risk management.

In the third step, based on the results of the previous stage, the opinions of health information management and computer experts, and observations at the five selected hospitals, a comprehensive form was designed to assess the status of ISRM for computerized health information systems. It comprised four distinct parts: general information about the hospital, specifications of the computerized health information systems, information security incidents, and a self-assessment checklist of ISRM. Its content validity was confirmed by 12 experts in health information management, medical informatics, IT, and computer engineering (three professionals per area of study). These scholars were selected on the basis of their previous work experience in hospital IT departments or their familiarity with the structure of the IT department in the hospitals of Iran. For data collection, this questionnaire and its guideline were sent to all 908 active hospitals in Iran by the Ministry of Health of Iran. To remove any possible ambiguity, an instruction sheet explaining all sections was attached to the questionnaire. The hospitals were selected with regard to their CHIS applications, such as hospital information system, Electronic Medical Record, Patient Admission and Discharge Systems, and so on. Hospitals that did not use CHIS at the time of this research were excluded. To facilitate and expedite the collection of data, the form was placed electronically on the official Web site (portal) of the Ministry of Health of Iran, and hospitals were asked to register the relevant information on that Web site.

After data collection, a primary analysis was conducted in order to find defects and correct the information. Hospitals were then asked, through a second formal letter, to take action to correct the defects. The collected data were analyzed by using descriptive statistics (frequency) in Excel 2003 software.

Ethical issues

The study was approved by the Deputy of Research and Technology of the Iran University of Medical Sciences, Tehran, Iran.

Results

Information related to the studied hospitals

Out of 908 active hospitals in Iran, 551 hospitals (60.7%) participated in the study. Two hospitals were setting up CHIS at the time of this research. Therefore, they were excluded from the study and 549 hospitals (60.5%) were studied. The highest percentage of participation in the study was related to the hospitals affiliated to the Medical Sciences Universities (Table 1).

Table 1 Distribution of hospitals in Iran that participated in the study

IT personnel in the studied hospitals

Most of the hospitals (540 instances, 98.5%) had IT personnel. Conversely, none of them had a Chief Information Security Officer (CISO). On average, there was one IT staff member per 77 computer systems and per 84 beds in the hospital.

Information security policies and procedures in hospitals

There were some policies and procedures for information security in 379 hospitals (69%). Only in eight hospitals (1.4%) were these policies and procedures based on specific information security standards such as ISO/IEC 27001; additionally, all of these hospitals had a framework for ISM. The other hospitals followed the Iranian Hospitals Accreditation Standards. Only eight hospitals had a framework for ISRM, of which seven implemented security policies and procedures of specific information security standards. None of the hospitals had a systematic approach to ISRM (Table 2).

Table 2 Policies and procedures for information security in hospitals

Process of information security risk identification at hospitals

Among the main activities of information security risk identification, only identification of assets, identification of threats, and control analysis were performed systematically, and only in a few hospitals; these were the hospitals that took ISM into consideration. At some hospitals, there was no sequence among the subactivities related to information security risk identification, ie, the activities were performed without relation to their previous and subsequent activities. Altogether, the findings indicate the lack of a systematic approach to risk identification. Among the subactivities related to information security risk identification, the highest frequency was related to information asset identification (415 instances; Table 3).

Table 3 Information security risk identification in hospitals

Process of information security risk analysis and evaluation at hospitals

None of the subactivities related to the process of information security risk analysis and evaluation was performed systematically at the studied hospitals. Although risk evaluation was not carried out in the hospitals, 124 hospitals attempted to prioritize information security risks (Table 4).

Table 4 Information security risk analysis and evaluation in hospitals

Processes of information security risk treatment and risk acceptance at hospitals

No comprehensive plan for reducing information security risks was in place. The main approach of hospitals to risk treatment was risk reduction through implementation of basic information security safeguards. None of the subactivities related to the processes of information security risk treatment and acceptance was performed systematically (Table 5).

Table 5 Information security risk treatment and risk acceptance in hospitals

Residual risk acceptance and mitigation occurred only in six hospitals, namely those that had established ISM policies and procedures based on specific information security standards.

Communicating and sharing risk management results at hospitals

Communicating and sharing of risk management results were not observed in any of the hospitals.

ISRM monitoring and reviewing at hospitals

Information security policies and procedures, and the implementation of control measures, were continuously monitored and reviewed at 146 hospitals and 142 hospitals, respectively, though not systematically (Table 6).

Table 6 Continuous monitoring and reviewing of ISRM in hospitals

Discussion

The results show the lack of a systematic and comprehensive approach to ISRM at the studied hospitals. Although some activities are conducted for risk identification, risk evaluation, and risk treatment, they are not systematically structured, ie, the hospitals do not use specialized methodologies or standards for ISRM. Therefore, there is no coherence between the activities related to ISRM at most hospitals. ISRM is a systematic, structured, and continuous process in which various interdependent steps are taken, and the activities of each step are affected by the results of the previous stage [55]. Without following a systematic and structured method, accurate risk assessment and management is not possible. Hence, various standards, methodologies, and tools for information security risk assessment and management have been developed all over the world by public and private organizations, agencies, and companies [55–57].

Only a small number of hospitals have an ISRM framework, and even these are not systematically structured. Defining a framework for risk management is one of the initial steps in implementing the ISRM process [55]. The framework specifies the scope of risk management activity, the required resources, the key stakeholders, and the limitations and boundaries of the risk management process, and it also contributes to the ISRM process itself [32]. The lack of a risk management framework at Iran’s hospitals indicates a weakness of information security policies and procedures. Information security policies are developed in conformity with the Iranian Hospitals Accreditation Standards, under which hospitals are obliged to formulate policies and procedures for the key processes in each department [58]. But these standards are very limited, vague, and incomplete as compared with specific standards, rules, or guidelines for information security, and do not cover many of the important details and processes of information security.

Only in a small number of hospitals was this policy formulated based on specific information security standards such as ISO/IEC 27001. All of these hospitals had a framework for ISRM. Information security standards such as the ISO 2700X series provide an appropriate framework for organizational ISM [59]. Using standard methods for ISM and ISRM is of great importance. Although Iran is a member of the ISO and the ISO 2700X standards have been accepted as national standards of Iran, hospitals do not use these standards because there are no specific national laws on health information security. One of the reasons for this problem is the weakness of the major policies and rules associated with health information security in Iran. Some studies reveal that the rules on health information in Iran have defects [60]. In many developed countries such as Australia [61] and the US [62], there are national regulations, standards, and guidelines for health information security, especially in the electronic environment. These rules provide health care organizations and other stakeholders with a comprehensive and consistent point of view regarding information security. In addition, these rules act as a comprehensive guideline for implementing information security programs in health care organizations [48]. IT governance and the IT department structure of Iran’s hospitals also affect this problem. The research carried out by Shahi [63] at ten hospitals of Iran found no framework for IT governance and IT department structure at the studied hospitals. Additionally, the findings reveal that there are problems with the IT department personnel, information security procedures, and IT policy making [63]. IT governance has a great impact on the information security policies of the organization.
The main advantage of information governance in an organization is the creation of an organizational point of view toward information security [64]. According to the ISO 27799 standard, there should be an organizational point of view toward information security at hospitals. Information security needs to be an organizational activity with the participation of all employees, and information governance should be unified with clinical governance [46]. In their risk analysis model for hospitals, Sunyaev and Pflug [65] also emphasize the responsibility of hospital management in the information security process. The main problem of the IT department structure at Iran’s hospitals is the IT personnel. In none of the hospitals is the title of CISO actually specified in the organizational structure of the IT department. The CISO has a key role in ISM in an organization [66]. Risk management, vulnerability assessment, and management of information security are all CISO skills [67]. Furthermore, ISRM is a complex and specialized process; therefore, applying the major information security risk assessment and management methodologies requires specialized knowledge in the executive team, including the IT personnel [55]. Tavakoli et al [68] found that the hospitals they selected were not familiar with specific information security standards.

The success of ISRM depends on identification of all risks and, most importantly, on analysis and determination of each risk’s level. Depending on the risk model used, risks are identified by determining risk factors such as assets, threats, vulnerabilities, likelihood of occurrence, and consequences [52]. This study shows that determining the likelihood of occurrence and analysis of impact are carried out in less than one-third of the hospitals. Moreover, risk analysis and evaluation are not actually carried out in the hospitals. Determining the likelihood of occurrence and analysis of impact have an important role in constructing the scenario for a risk incident and in risk determination [37]. Risk analysis and evaluation form the basis for risk prioritization as well as for decision making about risk treatment [69]. In addition, determining the likelihood of occurrence, impact analysis, and risk analysis and evaluation require the use of precise quantitative or qualitative methods, because they are more complicated than the other stages of risk management. Accordingly, a variety of tools, examples, and methods for their accurate measurement are usually provided in risk assessment and management standards and methodologies [55]. One reason for this weakness at the studied hospitals could be the lack of specific methodologies and standards for risk assessment and management. Some other studies also indicate a weakness in ISRM in hospitals [54,70].

The main approach of hospitals to risk reduction is implementation of basic information security control measures, which comprise a set of management, technical, and physical safeguards for the protection of information. Other studies also report the implementation of basic information security control measures [68].

Conclusion

There is a great distance between activities carried out in Iran for ISRM and the common and standard activities of ISRM in practice. There is no appropriate and standard approach to ISRM at Iran’s hospitals. This study suggests using specific information security standards such as ISO 2700x series as an effective method in the case of ISRM implementation. Considering the lack of specific national laws for health information protection in Iran, ISRM should be addressed comprehensively in a review of Iranian Hospitals Accreditation Standards. For a better performance of these cases, they should comply as much as possible with the standards of ISO 2700x series such as ISO 27799.

To help in risk calculation, based on the methodologies and specialized tools of information security risk assessment and risk management, a computer program should be designed by the Ministry of Health of Iran to calculate the risk and this should be made available to the hospitals. Moreover, hospitals should be asked to plan their ISM based on professional standards of information security such as ISO 2700x series.
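As an added illustration of the risk factors and risk levels discussed above (assets, threats, vulnerabilities, likelihood, impact, prioritization, and treatment) and of the kind of risk-calculation program the Conclusion recommends, the following Python is example code written for this page; it is not an instrument, tool, or finding of the study. It assumes 1–5 ordinal rating scales, a risk level of likelihood × impact, an acceptance threshold of 6, an avoidance threshold of 20, and a constructed register of hospital CHIS assets; every rating and threshold is an assumption chosen for illustration, and the treatment vocabulary (reduce, retain, avoid) follows ISO/IEC 27005.

```python
"""Qualitative information security risk register (added example, not the
paper's own tool). It walks the ISRM steps the text describes: identify the
risk factors (asset, threat, vulnerability, likelihood, impact), analyse and
evaluate the risk level, prioritise, and choose a treatment against an
acceptance threshold, recomputing residual risk after the selected controls.

Assumptions (illustrative, not from the study): 1-5 ordinal scales,
risk = likelihood * impact, acceptance threshold 6, avoidance threshold 20,
and the constructed sample assets below.
"""
from dataclasses import dataclass, field
from typing import List, Tuple

ACCEPTANCE_THRESHOLD = 6   # assumed: residual risk <= 6 may be retained (accepted)
AVOIDANCE_THRESHOLD = 20   # assumed: residual risk >= 20 calls for avoidance

# A control is (name, likelihood reduction, impact reduction) on the 1-5 scales.
Control = Tuple[str, int, int]


def check_scale(value: int, name: str) -> None:
    """Reject ratings outside the assumed 1-5 ordinal scale."""
    if not 1 <= value <= 5:
        raise ValueError(f"{name} must be between 1 and 5, got {value}")


@dataclass
class Risk:
    asset: str
    threat: str
    vulnerability: str
    likelihood: int            # 1 = rare ... 5 = almost certain
    impact: int                # 1 = negligible ... 5 = severe
    controls: List[Control] = field(default_factory=list)

    def __post_init__(self) -> None:
        check_scale(self.likelihood, "likelihood")
        check_scale(self.impact, "impact")

    def inherent(self) -> int:
        """Risk level before any control is applied."""
        return self.likelihood * self.impact

    def residual(self) -> int:
        """Risk level after the selected controls; a rating never drops below 1."""
        lik, imp = self.likelihood, self.impact
        for _, d_lik, d_imp in self.controls:
            lik = max(1, lik - d_lik)
            imp = max(1, imp - d_imp)
        return lik * imp


def treatment(risk: Risk) -> str:
    """Choose a treatment option (ISO/IEC 27005 vocabulary) from the residual risk."""
    residual = risk.residual()
    if residual <= ACCEPTANCE_THRESHOLD:
        return "retain"   # accept the residual risk and record the decision
    if residual >= AVOIDANCE_THRESHOLD:
        return "avoid"    # controls do not bring it down enough; stop the activity
    return "reduce"       # select further controls and re-evaluate


def prioritize(register: List[Risk]) -> List[str]:
    """Order assets for treatment: highest inherent risk first, residual as tiebreak."""
    ordered = sorted(register, key=lambda r: (r.inherent(), r.residual()), reverse=True)
    return [r.asset for r in ordered]


def build_sample_register() -> List[Risk]:
    """Constructed sample entries; the ratings are assumptions, not survey data."""
    return [
        Risk("HIS database server", "unauthorised remote access over the Internet link",
             "weak remote authentication", likelihood=4, impact=5,
             controls=[("VPN with multi-factor authentication", 2, 0),
                       ("encryption of stored records", 0, 1)]),
        Risk("Nursing workstations", "malware from removable media",
             "autorun enabled, outdated endpoint protection", likelihood=3, impact=3,
             controls=[("disable autorun and update endpoint protection", 2, 0)]),
        Risk("Backup tapes", "theft during off-site transport",
             "tapes stored unencrypted", likelihood=2, impact=5),
        Risk("Unsupported laboratory system", "exploitation of unpatched services",
             "vendor support ended, no patches available", likelihood=5, impact=5),
    ]


def risk_report(register: List[Risk]) -> List[Tuple[str, int, int, str]]:
    """Rows of (asset, inherent, residual, treatment) in treatment priority order."""
    by_asset = {r.asset: r for r in register}
    return [(name, by_asset[name].inherent(), by_asset[name].residual(),
             treatment(by_asset[name])) for name in prioritize(register)]


if __name__ == "__main__":
    for asset, inherent, residual, action in risk_report(build_sample_register()):
        print(f"{asset:32} inherent={inherent:2} residual={residual:2} -> {action}")
```

The point of the example is the chaining the Discussion insists on: the treatment decision depends on the residual level, which depends on the controls chosen, which depend on the inherent level produced by the likelihood and impact ratings. Changing any rating forces the later steps to be redone, which is why the paper treats ISRM as a continuous process rather than a one-off checklist.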

Author contributions

FS supervised the group, contributed to the first and the final drafts, and supervised the analysis of data. JZ designed the study, wrote the first draft and contributed to the final draft, collected data, and conducted the analysis.

Acknowledgments

This study was part of a PhD dissertation supported by the Iran University of Medical Sciences (grant number IUMS/SHMIS-1391/489). The authors thank the Office of Hospital Management and Clinical Service Excellence, Vice-Chancellor for Treatment, and the Ministry of Health of Iran for contributions to the study.

Disclosure

The authors report no conflicts of interest in this work.

References

1. Meier CA, Fitzgerald MC, Smith JM. eHealth: extending, enhancing, and evolving health care. Annu Rev Biomed Eng. 2013;15:359–382.
2. Bloomrosen M, Starren J, Lorenzi NM, Ash JS, Patel VL, Shortliffe EH. Anticipating and addressing the unintended consequences of health IT and policy: a report from the AMIA 2009 Health Policy Meeting. J Am Med Inform Assoc. 2011;18(1):82–90.
3. Fichman RG, Kohli R, Krishnan R. Editorial overview-the role of information systems in healthcare: current research and future trends. Inform Syst Res. 2011;22(3):419–428.
4. Aghazadeh S, Aliyev A, Ebrahimnezhad M. Review the role of hospital information systems in medical services development. Int J Comput Theory Eng. 2012;4(6):866.
5. Aghajari PE, Hassankhani H, Shaykhalipour Z. Healthcare information system: the levels of computerization. Intl Res J Appl Basic Sci. 2013;7(9):536–540.
6. Meingast M, Roosta T, Sastry S. Security and privacy issues with health care information technology. In: Engineering in Medicine and Biology Society, 2006. EMBS’06. 28th Annual International Conference of the IEEE. New York, NY: IEEE; 2006.
7. Samy GN, Ahmad R, Ismail Z. Threats to health information security. In: Information Assurance and Security, 2009. IAS’09. Fifth International Conference on. Xi’an: IEEE; 2009.
8. Hoffman S, Podgurski A. In sickness, health, and cyberspace: protecting the security of electronic private health information. Boston Coll Law Rev. 2007;48:20615.
9. Fernández-Alemán JL, Señor IC, Lozoya PA, Toval A. Security and privacy in electronic health records: a systematic literature review. J Biomed Inform. 2013;46(3):541–562.
10. New Zealand Ministry of Health. Health Information Security Framework Essentials and Recommendations HISO 100291. Wellington: New Zealand Ministry of Health; 2009.
11. Jouini M, Rabai LBA, Aissa AB. Classification of security threats in information systems. Procedia Comput Sci. 2014;32:489–496.
12. NIST. Special Publication 800-30 Revision 1: Guide for Conducting Risk Assessments. Gaithersburg: NIST; 2012.
13. Myler E, Broadbent G. ISO 17799: standard for security. Inf Manage. 2006;40(6):43.
14. Whitman M, Mattord H. Management of Information Security. 4th ed. Boston: Cengage Learning; 2013:576.
15. enisa [webpage on the Internet]. Risk Management/Risk Assessment. European Union Agency for Network and Information Security (ENISA); 2005–2014 [cited May 11, 2014]. Available from: https://www.enisa.europa.eu/topics/threat-risk-management/risk-management. Accessed March 11, 2014.
16. Fenz S, Ekelhart A, Neubauer T. Information security risk management: in which security solutions is it worth investing? Commun Assoc Inform Syst. 2011;28(1):329–356.
17. Humphreys T. Information Security Risk Management Handbook: Handbook for ISO/IEC 27001. London: British Standard Institution; 2010.
18. Dubois É, Heymans P, Mayer N, Matulevičius R. A systematic approach to define the domain of information system security risk management. In: Nurcan S, Salinesi C, Souveyet C, Ralyté J, editors. Intentional Perspectives on Information Systems Engineering. Berlin: Springer; 2010:289–306.
19. Silva MM, de Gusmão APH, Poleto T, e Silva LC, Costa APCS. A multidimensional approach to information security risk management using FMEA and fuzzy theory. Int J Inform Manag. 2014;34(6):733–740.
20. Wager KA, Wickham Lee F, Glaser JP. Managing Health Care Information System: A Practical Approach for Health Care Executives. Hoboken: John Wiley & Sons; 2005.
21. Stoneburner G, Goguen A, Feringa A. Risk Management Guide for Information Technology Systems. Recommendations of the National Institute of Standards and Technology. Gaithersburg: Booz Allen Hamilton Inc; 2002.
22. Nikpajuh A, Karimi AA. Health Promotion in Hospitals: Evidence and Quality Management. Tehran: Institute for Modern Iranian Health Promotion and Disease Prevention; 2010. Persian.
23. Ministry of Health and Medical Education. Report of Use of Hospital Information Systems in Iran. Tehran: Ministry of Health and Medical Education; 2014. In Persian.
24. Akhondzade R. Health system transformation project, an opportunity or a threat for doctors (Editorial). J Anesthesiol Pain. 2014;5(1):1–2. In Persian.
25. Farzandipour M, Sadoughi F, Ahmadi M, Karimi I. Security requirements and solutions in electronic health records: lessons learned from a comparative study. J Med Syst. 2010;34(4):629–642.
26. Fildes J. Stuxnet Virus Targets and Spread Revealed. BBC News; February 15, 2011 [cited February 18, 2014]. Available from: http://www.bbc.com/news/technology-12465688. Accessed February 18, 2014.
27. Munro K. Deconstructing flame: the limitations of traditional defences. Comput Fraud Secur. 2012;2012(10):8–11.
28. Demidov O, Simonenko M. Flame in cyberspace. Secur Index. 2013;19(1):69–72.
29. Wangen G. The role of malware in reported cyber espionage: a review of the impact and mechanism. Information. 2015;6(2):183–211.
30. GReAT. The Regin Platform: Nation-State Ownage of GSM Networks. Moscow: Kaspersky Lab’s Global Research & Analysis Team (GReAT); 2014.
31. Symantec. Regin: Top-Tier Espionage Tool Enables Stealthy Surveillance. Cupertino, CA: Symantec Corporation; 2014.
32. ISO. ISO/IEC 27005 Information Technology – Security Techniques – Information Security Risk Management (First Edition). Geneva: International Organization for Standardization; 2008.
33. Caralli RA, Stevens JF, Young LR, Wilson WR. Introducing OCTAVE Allegro: Improving the Information Security Risk Assessment Process. Pittsburgh: Software Engineering Institute, Carnegie Mellon University; 2007. Contract No.: CMU/SEI-2007-TR-009.
34. CLUSIF. Risk Management-Concepts and Methods. Paris: CLUSIF; 2010.
35. CLUSIF. MEHARI 2010 Processing Guide for Risk Analysis and Management. Paris: CLUSIF; 2011:132.
36. Ministry of Finance and Public Administration. MAGERIT – Version 3.0. Methodology for Information Systems Risk Analysis and Management. Madrid: Ministry of Finance and Public Administration-Technical Secretariat, Information, Documentation and Publications Unit Publications Center; 2014.
37. Federal Office for Information Security (BSI). Supplement to BSI-Standard 100-3: Application of the Elementary Threats from the IT-Grundschutz Catalogues for Performing Risk Analyses. Bonn: Federal Office for Information Security (BSI); 2011.
38. Communications Security Establishment Canada. Overview: IT Security Risk Management: A Lifecycle Approach (CSEC ITSG-33). Canada: Communications Security Establishment Canada (CSEC); 2012.
39. SOMAP.org. Open Information Security Risk Assessment Guide, Version 1.0. The Security Officers Management and Analysis Project (SOMAP.org); 2007:135. Available from: http://download.matus.in/security/Open%20Information%20Security%20Risk%20Assessment%20Guide_v1.0.0.pdf. Accessed February 8, 2014; accessed on February 26, 2014.
40. Casey T. Threat Agent Library Helps Identify Information Security Risks. Intel White Paper; September 2007.
41. Lund MS, Solhaug B, Stølen K. Model-Driven Risk Analysis: The CORAS Approach. Berlin: Springer; 2010.
42. ETSI. Telecommunications and Internet Converged Services and Protocols for Advanced Networking (TISPAN): Methods and Protocols. Part 1: Method and Proforma for Threat, Risk, Vulnerability Analysis (TVRA). France: European Telecommunications Standards Institute (ETSI); 2006:1–100.
43. The Open Group. Open Group Standard: Risk Analysis (O-RA). Berkshire: The Open Group; 2013.
44. ANSSI. EBIOS 2010 – Expression of Needs and Identification of Security Objectives. France: ANSSI; 2014 [cited October 1, 2014]. Available from: http://www.ssi.gouv.fr/uploads/2011/10/EBIOS-1-GuideMethodologique-2010-01-25.pdf. French.
45. ISO. ISO/IEC 17799:2005 Information Technology – Security Techniques – Code of Practice for Information Security Management. Geneva: International Organization for Standardization; 2005.
46. ISO. ISO 27799:2008(E) Health Informatics-Information Security Management in Health Using ISO/IEC 27002. Geneva: International Organization for Standardization; 2008.
47. Tritilanunt S, Tongsrisomboon A. Risk analysis and security management of IT information in hospital. Int J Comput Inform Technol. 2014;4(3):1–9.
48. Mortaza MB. Risk management for health information security and privacy. Am J Health Sci. 2012;3(2):125–134.
49. Macedo FN. Models for Assessing Information Security Risk [MSc thesis]. Instituto Superior Técnico da Universidade Técnica de Lisboa; 2009.
50. Van Deursen N, Buchanan WJ, Duff A. Monitoring information security risks within health care. Comput Secur. 2013;37:31–45.
51. Shahri AB, Ismail Z. A tree model for identification of threats as the first stage of risk assessment in HIS. J Inform Secur. 2012;3(2):169.
52. Jansen A. The Cyber Security Risk Assessment Maturity of Hospitals [MSc thesis]. Institute of Information and Computer Science, Utrecht University; 2014.
53. Bava M, Cacciari D, Sossa E, Zotti D, Zangrando R. Information security risk assessment in healthcare: the experience of an Italian Paediatric Hospital. In: Computational Intelligence, Communication Systems and Networks, 2009. CICSYN’09. First International Conference on. Indore: IEEE; 2009.
  • TemesgenDKAnalysis of The Health Information Security Management Practices of Healthcare Organizations in Amhara Region, Ethiopia the Case of Felege Hiwot Regional ReferalMSc thesisThe School of Graduate Studies of Addis Ababa University2011
  • Technical Department of European Network and information Security Agency (ENISA)Section Risk ManagementRisk Management: Implementation Principles and Inventories for Risk Management/Risk Assessment Methods and ToolsGreeceTechnical Department of European Network and information Security Agency (ENISA), Section Risk Management2006
  • KounsJMinoliDInformation Technology Risk Management in Enterprise EnvironmentsHobokenJohn Wiley & Sons, Inc2010
  • PandeySKMustafaKA comparative study of risk assessment methodologies for information systemsBull Electr Eng Inform201212111122
  • RazaviHMohagheghMEmamiRazaviSHospital Accreditation Standards in IranTehranMinistery of Health & Education2011 In Persian
  • The ISO 27000 Directory [webpage on the Internet]An Introduction to ISO 27001, ISO 27002.ISO 27008. The ISO 27000 Directory2014 [cited May 25, 2014]. Available from: http://www.27000.org/index.htmAccessed May 25, 2014
  • MoghaddasiHHosseiniASSajjadiSNikookalamMReasons for deficiencies in health information laws in IranPerspect Health Inf Manag2014111b
  • FosterBLejinsYEhealth security Australia: the solution lies with frameworks and standards2nd Australian eHealth Informatics and Security Conference2013 2nd-4th DecemberEdith Cowan University, Perth, Western AustraliaPerthSRI Security Research Institute2013
  • GarnerJCFinal HIPAA security regulations: a reviewManag Care Q2003113152714983648
  • ShahiMProposed framework for information technology governance in hospitals affiliated to Iran University of Medical SciencesPHD ThesisTehranIran University of Medical Sciences2014 In Persian
  • PosthumusSVon SolmsRA framework for the governance of information securityComput Secur2004238638646
  • SunyaevAPflugJResearch toward the practical application of a risk evaluation framework: Security analysis of the clinical area within the German Electronic Health Information SystemProceeding in: 24th Bled e-Conference e-Future: Creating Solutions for the Individual, Organizations and SocietyJune 12–15; 2011Bled, SloveniaAssociation for Information Systems Electronic Library (AISeL)201115668
  • JohnsonMEGoetzEEmbedding information security into the organizationIEEE Secur Privacy2007531624
  • WhittenDThe chief information security officer: an analysis of the skills required for successJ Comput Inform Syst200848315
  • TavakoliNEhteshamiAHassanzadehAAminiFInformation security management in Isfahan University of Medical Sciences’ Academic Hospitals in 2014Int J Health Syst Disaster Manag201423175
  • BahtiHRegraguiBRisk management for ISO 27005 decision supportInt J Innov Res Sci Eng Technol201323530538
  • LandoltSHirschelJSchliengerTBusingerWZbindenAMAssessing and comparing information security in Swiss HospitalsInteract J Med Res201212e1123611956