Skip to main content

Research Repository

Advanced Search

A comparative review of information security risk assessment methodologies for health care.

Hazelhoff Roelfzema, Nicole


Nicole Hazelhoff Roelfzema


Health care organizations face major compliance challenges as they need to secure patient information. An important compliance requirement is the performance of regular risk assessments and the implementation of controls to secure data. In theory, any state of the art risk assessment technique could be employed to facilitate the prevention and/or management of potential information risks. Health care environments are, however, quite unique when compared to other automated environments and different sectors do not experience similar kinds of information security attacks. Where security issues have been researched in health care, there is a strong emphasis on the development of technological measures for data protection but the ‘human’ or professional side of ensuring data security is equally important in everyday practice. In this paper, seven methodologies for risk assessment are compared in a framework with specific health care requirements. It is concluded that improvements could be made in comparative frameworks to support the selection process for a suitable risk assessment approach. Furthermore, the available methods show several weaknesses in their ability to quantify risks or to include human risk factors. The presentation of threat events and their interaction is often oversimplified. Data aggregation is not possible in order to allow regulators to gain insight in trends and high level security threats. An integration of existing techniques is proposed to facilitate reliable and repeatable risk assessments that contribute to compliance to governance codes, and costs savings by making informed -sector wide- decisions to invest in the development of new systems and security controls.

Presentation Conference Type Conference Paper (unpublished)
Conference Name IADIS e-Society
Start Date Mar 1, 2011
End Date Mar 1, 2011
Deposit Date Mar 21, 2011
Publicly Available Date May 16, 2017
Peer Reviewed Not Peer Reviewed
Keywords Risk assessment; information security; health care; governance;
Public URL
Contract Date May 16, 2017