Original Articles

Challenges of information security incident learning: An industrial case study in a Chinese healthcare organization

