Identifying Information Security Risk Components in Military Hospitals in Iran

Document Type: Original Research

Authors

Ershad Damavand Institute of Higher Education, Tehran, Iran

Abstract

Background and Aim: Information systems are always at risk of information theft, alteration of information, and interruptions in service delivery. Therefore, the present study was conducted to develop a model for identifying information security risk in military hospitals in Iran.
Methods: This study was a qualitative content analysis conducted in military hospitals in Iran in 2019. The sample consisted of 8 experts in the field of health information. Data were collected through semi-structured interviews. Data were analyzed using framework analysis and MAXQDA 12 software.
Results: Data analysis resulted in the extraction of 78 codes and 16 categories in 7 themes (management in information security, patient information security, information security in organizational resources, organize in information security, communication in information security, monitoring and control, equipment security). Information security in organizational resources has the highest number of codes, and management in information security and communication in information security have the fewest codes.
Conclusion: Health care organizations' security programs, especially in military hospitals, face many challenges. The first step is to identify potential risks and threats, and then to develop policies, guidelines, and programs to eliminate or reduce these threats.

Keywords

