A comparative review of information security risk assessment methodologies for health care.
Authors
Hazelhoff Roelfzema, Nicole
Abstract
Health care organizations face major compliance challenges as they need to secure patient information. An important compliance requirement is the performance of regular risk assessments and the implementation of controls to secure data. In theory, any state-of-the-art risk assessment technique could be employed to facilitate the prevention and/or management of potential information risks. Health care environments are, however, quite unique when compared to other automated environments, and different sectors do not experience similar kinds of information security attacks. Where security issues have been researched in health care, there is a strong emphasis on the development of technological measures for data protection, but the 'human' or professional side of ensuring data security is equally important in everyday practice. In this paper, seven methodologies for risk assessment are compared in a framework with specific health care requirements. It is concluded that improvements could be made in comparative frameworks to support the selection process for a suitable risk assessment approach. Furthermore, the available methods show several weaknesses in their ability to quantify risks or to include human risk factors. The presentation of threat events and their interaction is often oversimplified. Data aggregation is not possible, so regulators cannot gain insight into trends and high-level security threats. An integration of existing techniques is proposed to facilitate reliable and repeatable risk assessments that contribute to compliance with governance codes and to cost savings by making informed, sector-wide decisions to invest in the development of new systems and security controls.
Citation
Hazelhoff Roelfzema, N. (2011, March). A comparative review of information security risk assessment methodologies for health care. Paper presented at IADIS e-Society
| Field | Value |
|---|---|
| Presentation Conference Type | Conference Paper (unpublished) |
| Conference Name | IADIS e-Society |
| Start Date | Mar 1, 2011 |
| End Date | Mar 1, 2011 |
| Deposit Date | Mar 21, 2011 |
| Publicly Available Date | May 16, 2017 |
| Peer Reviewed | Not Peer Reviewed |
| Keywords | Risk assessment; information security; health care; governance |
| Public URL | http://researchrepository.napier.ac.uk/id/eprint/4183 |
| Contract Date | May 16, 2017 |
Files
A comparative review of information security risk assessment methodologies for health care. (50 Kb)