Information security risk management for computerized health information systems in hospitals: a case study of Iran

Figures & data

Figure 1 Key process of information security risk management.

Table 1 Distribution of hospitals in Iran that participated in the study

Type of ownership	Active hospitals in Iran			Hospitals participating in the study			Participation percentage
	Teaching hospital	Nonteaching hospital	Total	Teaching hospital	Nonteaching hospital	Total
Universities of Medical	241	324	565	184	220	404	72.2
Sciences
Private	2	140	142	1	66	67	46.5
Military	6	45	51	2	6	8	15.7
Charity	1	29	30	0	12	12	40.0
Others	20	100	120	9	49	58	48.3
Total	270	638	908	196	353	549	60.5

Table 2 Policies and procedures for information security in hospitals

Type of ownership	Policies and procedures for information security		Framework for information security management		Framework for information security RA/RM		Number of hospitals
	Based on Iranian Hospital Accreditation Standard	Policy and procedures based on information security standards	Defining framework for ISM	Using a systematic approach to defining framework for ISM	Defining framework for information security RA/RM	Using a systematic approach to defining framework for information security RA/RM
	Frequency	Frequency	Frequency	Frequency	Frequency	Frequency
Universities of Medical Sciences	245	3	4	2 Missing: 2	3	0	404
Private	65	2	3	0	3	0	67
Military	4	1	1 Missing: 1	0 Missing: 1	1 Missing: 1	0 Missing: 1	8
Charity	11	0	0	0	0	0	12
Other organizations	54	2	2	1	1	0	58
Total	379	8	10 Missing: 1	3 Missing: 3	8 Missing: 1	0 Missing: 2	549

Abbreviations: ISM, information security management; RA/RM, risk assessment/risk management.

Table 3 Information security risk identification in hospitals

Type of ownership	Asset identification			Threat identification			Vulnerability identification		Control analysis		Likelihood determination		Impact analysis		Number of hospitals
	Identification of assets	Evaluation and prioritization of assets	Using systematic approach to asset identification	Identification of threats: sources	Identification of threats: events	Using systematic approach to threat identification	Identification of vulnerability	Using systematic approach to vulnerability identification	Continuous analysis of control measures	Using systematic approach to control analysis	Likelihood determination	Using systematic approach to likelihood determination	Threat consequences determination	Using systematic approach to impact analysis
	Frequency	Frequency	Frequency	Frequency	Frequency	Frequency	Frequency	Frequency	Frequency	Frequency	Frequency	Frequency	Frequency	Frequency
Universities of Medical Sciences	294	140 Missing: 2	2 Missing: 1	198	186	2 Missing: 1	101	0	105	1	75	0 Missing: 1	116	0	404
Private	55	26	2	38	25	2	21	0	21	0	19	0	23	0	67
Military	7	5	1	5	3	0	4	0	4	0	3	0	4	0	8
Charity	9	5	0	7	3	0	2	0	2	0	1	0	4	0	12
Other	50	18	2	32	27	2	21	0	32	1	19	0	20	0	58
organizations Total	415	194 Missing: 2	7	280	244	6 Missing: 1	149	0	164	2	117	0 Missing: 1	167	0	549

Table 4 Information security risk analysis and evaluation in hospitals

Type of ownership	Risk analysis						Risk evaluation				Number of hospitals
	Assessment of incidence scenarios	Using systematic approach to assessment of incidence scenarios	Impact estimation	Using systematic approach to impact estimation	Determination of the level of risk	Using systematic approach to determination of the level of risk	Risk evaluation	Using systematic approach to risk evaluation	Prioritization of risks	Using systematic approach to prioritization of risks
	Frequency	Frequency	Frequency	Frequency	Frequency	Frequency	Frequency	Frequency	Frequency	Frequency
Universities of Medical Sciences	0	0	4	0	3	0	3	0	81	0	404
Private	0	0	1	0	1	0	1	0	18	0	67
Military	0	0	0	0	0	0	0	0	4	0	8
Charity	0	0	0	0	0	0	0	0	2	0	12
Other organizations	0	0	2	0	4	0	4	0	18	0	58
Total	0	0	8	0	0	0	8	0	124	0	549

Table 5 Information security risk treatment and risk acceptance in hospitals

Type of ownership	Define criteria for risk treatment and risk acceptance		Risk treatment			Residual risk Identification and acceptance			Number of hospitals
	Define criteria for risk treatment option and action plan	Define criteria for residual risk acceptance	Risk reduction by using comprehensive risk treatment action plan	Risk reduction by implementation of basic security control measures	Using systematic approach to risk treatment	Identification of residual risks	Residual risk acceptance and remedy	Using systematic approach to residual risk Identification and acceptance
	Frequency	Frequency	Frequency	Frequency	Frequency	Frequency	Frequency	Frequency
Universities of Medical Sciences	0 Missing: 2	0		389 Missing: 2	0	4	3	0	404
Private	0	0	0	65	0	2	0	0	67
Military	0	0	0	8	0	2	0	0	8
Charity	0	0	0	7	0	0	0	0	12
Other organizations	1	0	0	51	0	4	3	0	58
Total	1 Missing: 2	0	0	520 Missing: 2	0	13	6	0	549

Table 6 Continuous monitoring and reviewing of ISRM in hospitals

Type of ownership	Information security policy and procedure	ISRM policy and procedure	Risk factors	Risk management process	Implementation of security control measures	Residual risks	Using systematic approach to ISRM monitor and review	Number of hospitals
	Frequency	Frequency	Frequency	Frequency	Frequency	Frequency	Frequency
Universities of Medical Sciences	91 Missing: 2	2	0	2	89	2	0	404
Private	18	1	0	1	17	0	0	67
Military	5	0	0	0	5	0	0	8
Charity	5	0	0	0	5	0	0	12
Other organizations	27	1	0	1	26	3	0	58
Total	146 Missing: 2	4	0	3	142	5	0	549

Abbreviation: ISRM, Information Security Risk Management.