By Topic

Generic security cases for information system security in healthcare systems

Sign In

Cookies must be enabled to login.After enabling cookies , please use refresh or reload or ctrl+f5 on the browser for the login options.

Formats Non-Member Member
$33 $33
Learn how you can qualify for the best price for this item!
Become an IEEE Member or Subscribe to
IEEE Xplore for exclusive pricing!
close button

puzzle piece

IEEE membership options for an individual and IEEE Xplore subscriptions for an organization offer the most affordable access to essential journal articles, conference papers, standards, eBooks, and eLearning courses.

Learn more about:

IEEE membership

IEEE Xplore subscriptions

2 Author(s)
Y. He ; Univerisity of Glasgow, UK ; C. W. Johnson

Numerous data breach incidents have been reported in recent years and there is a continuing requirement to protect patient and clinician confidentiality. However, the diversity of security products, tools and techniques in the market place make it very hard for management to ensure that they have implemented coherent countermeasures to meet organisations higher-level objectives. This paper focuses on the problems that arise in implementing and maintaining cyber-security policies in large, complex healthcare organisations. We address these problems by the use of graphical argumentation techniques. In particular, we show how the Goal Structuring Notations (GSN) can be extended from applications in safetycritical systems. Security arguments presented with GSN can help managers to reason about cyber-security policies and procedures by bringing together claims and the evidence that supports them in a structured and coherent way. A further objective of this paper is to show how GSN can be used to construct security arguments that are informed by the analysis of previous security incidents in healthcare organisations. In particular, we present two generic security cases that embody the recommendations from incidents involving the United States' Veterans' Affairs (VA) administration and Shenzhen Hospital in China. These case studies were deliberately chosen to show how lessons learned in one country might inform security management in other healthcare systems. We also show that security cases can be created at a level of abstraction that support reuses and at the same time capture detailed recommendations from security incidents.

Published in:

System Safety, incorporating the Cyber Security Conference 2012, 7th IET International Conference on

Date of Conference:

15-18 Oct. 2012