Development of Information Security Baselines for Healthcare Information Systems in New Zealand
Lech Janczewski and Frank Xinli Shi
Department of Management Science and Information Systems, Business School, University of Auckland, Auckland, New Zealand
Abstract
In 1996 New Zealand introduced the security standard AS/NZS 4444, based on the British Standard BS 7799, which has recently been accepted as the international standard ISO 17799. This standard is very often referred to as the ‘baseline lane approach’ to the issue of managing information security. On the other hand, health information systems (HIS) are undergoing rapid development, both in the number of installed systems and in the law and regulations governing HIS development and deployment. The project was aimed at reviewing the AS/NZS 4444 standard from the HIS requirements point of view. In this paper, we began with an overview of healthcare information systems (HIS) infrastructure in New Zealand and the associated security issues around privacy and confidentiality, followed by a general review of the security baseline approach. We analyzed each clause of AS/NZS 4444 against the information collected about technical and non-technical approaches to protecting HIS, consisting of a series of multi-case studies of healthcare organizations that collect, process, store and transmit electronic medical records. Finally, we proposed a new set of information security baselines based on the research to build an information security model for healthcare organizations.
Keywords: healthcare information systems, electronic medical records, information privacy, information security baselines, security model.
Computers & Security Vol. 21, No. 2, 2002, pp. 172-192. Copyright ©2002 Elsevier Science Ltd. Printed in Great Britain. All rights reserved. 0167-4048/02 US$22.00
Background
Modern developments in medicine, information technology and telecommunications are transforming healthcare, and support the
objectives of timely access to quality, cost-effective healthcare for all people. The healthcare industry has begun to implement electronic patient records, has upgraded clinical information systems for managing and sharing information among related healthcare providers, and also makes use of intranets to distribute health-related information [Smith and Eloff 1999]. Healthcare information systems (HIS) are thus becoming an integral part of all aspects of healthcare. However, the computerization of health information, while offering new opportunities to improve and streamline the healthcare delivery system, also presents new challenges for security and for individual privacy interests in personal healthcare data [OTA 1997]. Technical capabilities to secure and maintain confidentiality in data must work along with legislation to preserve those privacy interests, while making appropriate information available for approved uses.
In the past there were numerous research projects aimed at solving the issue of security of HIS. One of the first attempts to set up a security framework was the European project Secure Environment for Information Systems in Medicine [SEISMED 2001]. The project was the forerunner of Implementing Secure Health Telematics Applications in Europe [ISHTAR 2001] and was conducted as part of the Commission of European Communities Advanced Informatics in Medicine (AIM) programme. Work commenced at the beginning of 1992 and lasted around four years. The SEISMED project was set up to conduct detailed risk analyses within Europe and to develop security guidelines for healthcare establishments. It was the first effective identification, at a European level, of the issues arising from the increasing clinical use of health telematics in direct patient care. It was not directly related to the British Standard
L. Janczewski & F.X. Shi Development of Information Security Baselines
7799 as the standard was developed later (in the mid 90s). An example of a similar project from the Southern Hemisphere could be a project described in [Janczewski 2000].
Overview of Healthcare Information Systems in New Zealand
The current healthcare industry in New Zealand is characterized by a large number of separate service organizations (e.g. public, private and voluntary healthcare providers), which are commercially separate but functionally dependent in providing an integrated service to all New Zealanders. In the past three decades, there has been a continuing drive for improvements in the quality and cost-effectiveness of the healthcare industry, to which information infrastructure is poised to make a major contribution. By nature, the healthcare organizational structure in New Zealand is distributed (being a geographical spread of centres at different levels of complexity), from the general hospitals down to individual general practitioners (GPs). Therefore, from a national perspective, healthcare information systems for patient information have traditionally been associated with medical centres, hospitals, or government agencies [NZHIS 1997]. Currently, however, the healthcare sector is moving toward linking these institutions through a proposed information network and communications networks. Architecturally, this national information network resembles the World Wide Web, where a set of discrete and autonomous HIS interact to provide access to patient information. Its objective is to make all information (which in many cases already exists in today’s HIS) readily available, in order to provide coordinated and integrated care and treatment for New Zealanders. Results from the 1998 IMS/New Zealand Doctor poll show 84% of surveyed GPs believe that the latest developments like hospital and sector-wide intranets, centralized databases, and
government data collection, could threaten patient privacy [Hill 1998]. Privacy and security assurances from hospitals and government health agencies are not enough to satisfy 61% of surveyed doctors. Because of the special features of health information (e.g. confidentiality of collection, sensitivity of information, multiple users, duration of retention), New Zealanders accord a high priority to the confidentiality and privacy of their personal health information [Tan and Gunasekara 2000]. New Zealand has issued a code of practice, the Health Information Privacy Code 1994, specifically to protect the privacy of personal health information. The essential elements for protecting the privacy of personal health information are contained in the Code in 12 health information privacy rules, outlined in Appendix A.
There are many offshoots of the worldwide acceptance of the BS 7799 standard. One of the best-known projects is the development of an Information Security Toolbox at PE Technikon, Port Elizabeth, South Africa [von Solms 1999 and 2001]. The Toolbox is a system tool that helps IS managers assess their installation from the viewpoint of adherence to the BS 7799 standard.
Information Security Baseline Approach
The accepted solution to introduce security in an IT environment is to identify, introduce and maintain an effective set of security controls in the organization [Barnard and Solms, 2000]. Identifying the most effective controls has always been a problem, and many approaches and techniques have been developed over time to work on it in the most objective way possible. Risk analysis is probably the best-known approach in this regard, even though it is usually a very complex and resource-intensive process. The baseline approach has gained a lot of support in New Zealand and some of the baseline manuals, for example the Code of
Practice for Information Security Management (AS/NZS 4444), have appeared as standards in many sectors lately. Information security baselines are defined as the minimal set of laws, rules and practices that are essential to protect the vital information assets of an organization [Moule 1995]. Similarly, a set of security controls can be described (which are generally accepted by experienced large organizations) as good security practice for all situations except where environmental or technological constraints exist. These are the baseline security controls [Fitzgerald 1995], different from risk assessment, which have always been recognized as the most effective approach. The baseline approach has a set of effective controls that provide an acceptable level of protection, can be seen as a bottom-up approach, and is a well-established concept. It has gained a lot of support in many countries and some of the baseline manuals have appeared as standards in various industries lately. Various information security baselines have been developed, e.g. the Code of Practice for Information Security Management (British Standard 7799) from the UK, and the IT Baseline Protection Manual from Germany. In New Zealand, the Code of Practice for Information Security Management (AS/NZS 4444) is probably the best known and most widespread.
The Australian/New Zealand Standard of Information Security Management (AS/NZS 4444) was prepared by the Joint Standards Australia/Standards New Zealand Committee IT/12, first published in 1996 and revised in 1999. This Joint Standard is based on and identical to BS 7799, and aims to provide: “a comprehensive reference document for information security management identifying the range of controls needed in industrial and commercial applications” [AS/NZS 4444:1999]. Like other security baselines, AS/NZS 4444 has many advantages in the implementation of
information security management in an organization, such as being simple to deploy, using baseline controls, making it easy to establish policies, maintaining security consistency, etc. However, such a set of baseline controls addresses the full information systems environment, from physical security to personnel and network security, and not all controls listed in AS/NZS 4444 will be applicable to every IT environment, because an organization may not operate in certain areas. As a set of universal security baselines, one of the limitations associated with AS/NZS 4444 is that it cannot take account of local technological constraints, or be presented in a form that suits every potential user in an organization. It also lacks guidance on how to choose, from the listed controls, the applicable ones that will provide an acceptable level of security for the specific organization. This can create insecurity, as an organization might decide to ignore some controls that were actually required. Finally, it is hard for the standard to always catch up with recent developments and issues in IT and security technologies. Another criticism often levelled at AS/NZS 4444 is that it cannot take account of environmental constraints and select, apart from the obligatory key controls, the security controls which would be most likely to be relevant to a particular industry, e.g. the healthcare sector and its IT environment. Obviously, the healthcare sector has some unique characteristics in information security, which include the sensitivity of the electronic medical record (EMR), a large number of small organizations, multiple providers and multiple locations, relaying of health information, data-dependent access, the status of privacy legislation, etc.
For example, unlike many other sectors where availability and integrity seem to dominate, in healthcare confidentiality, integrity, availability, privacy, and accountability all occupy major positions of concern, but not necessarily in the same
environment. Consequently, both the inherent deficiencies of the existing standards and the unique features of the healthcare environment necessitate an amendment of the standards when applied to healthcare organizations. These were the foundation of the research presented in this paper.
The value of BS 7799 has been confirmed by the fact that the standard has recently been recognized as an international standard, ISO 17799, by the International Standards Organization. As a result, during 2000, AS/NZS 4444 was upgraded and rebranded as the AS/NZS ISO/IEC 17799 Information Security Management Standard [Mason 2001]. However, to maintain consistency with the original research, in this text the old name of the standard (AS/NZS 4444) is retained.
Research methodology
To conduct the research, a search of academic and practical periodicals and Internet materials was carried out in an attempt to locate any research into healthcare information systems security, health privacy legislation and AS/NZS 4444. The implementation side of this study was done through a comprehensive questionnaire that addresses issues in 10 security areas based on the clauses of the Standard. The primary mechanism for gathering information about technical and organizational approaches to protecting electronic healthcare information consisted of a series of site visits to five healthcare organizations in Auckland, New Zealand, which run extensive HIS. The sites were selected on the basis of their reputed leadership in the development of electronic medical records, networked clinical systems, and privacy and security policies. The selected sites include three general public hospitals and two diagnostic laboratories, which, on the whole, are fairly representative of the large and medium-sized care providers in New Zealand.
To encourage personnel at the various sites to share their experiences candidly, the study decided to keep the identities of the sites confidential by naming them Hospitals A, B, C, and Labs D and E in the paper. During the site visits all types of employees were interviewed, including HIS staff, and others such as healthcare information management (i.e., medical records) workers, human resources, public relations, and, where possible, doctors and other system users. Additionally, contacts were also made with officials from the New Zealand Health Information Service (a department of the Ministry of Health responsible for the development and maintenance of the nation-wide health information network and standards) and the Health Funding Authority (a New Zealand Government unit responsible for the distribution of funds for research and development projects in the healthcare domain). The study was conducted through relatively formal interviews, informal correspondence, telephone interviews, and email exchanges, in order to collect comprehensive information. Then, the collected original data were processed and used in reviewing and amending the criteria of AS/NZS 4444, based on which the information security baselines applicable to the healthcare sector were developed.
We need to explain the reasons why our study was limited to visiting only three hospitals and two diagnostic labs. Despite its size (New Zealand: 270 000 km² v UK: 244 000 km²), the population of New Zealand is small (3.9 million) and concentrated in major towns. Well over 1 million people live in Auckland and its surrounding regions. By visiting three of the biggest public hospitals in the region, we practically covered almost a third of the population of the country. Private hospitals do exist in Auckland but their size is (with only one exception) small in comparison with the public hospitals. On the other hand, all the
diagnostic labs form a huge government-owned organization, centrally founded and directed. Hence most of the labs are equipped similarly (within their specialisation) and visiting a couple of them would give a good knowledge of the problems they are facing. Implementation of information technology at doctors’ clinics is in most cases limited to administrative matters. Some GPs and specialists run LANs within their premises but do not have access to the hospitals’ networks. Only overall patient statistics could be forwarded electronically to the centrally located databases. However, there are a number of doctors’ clinics which cooperate closely with major hospitals of the region and which have facilities to send and receive patients’ and other data electronically. The health providers evaluated during the study (public hospitals and diagnostic labs) will be the foundation stones of the future nation-wide health information network, which was recently launched. The rest of the healthcare industry could be connected to the network, subject to stringent verification of their quality criteria. Hence, we believe that their opinions would have a marginal influence on this research.
Establishing the Information Security Baselines for HIS
The information security baselines being developed must reflect the unique aspects of the New Zealand healthcare IT environment and be a response to the needs of healthcare organizations (HCOs) and their patients. The following part gives an overview of the major criteria of AS/NZS 4444, examines the current security practices of the five HCOs, summarizes the research findings, identifies the vulnerabilities in the existing criteria of AS/NZS 4444, and finally makes recommendations for the modification and establishment of new baseline standards.
Security policy
The foundation for a successful information security programme is comprehensive information security policies. These policies should define the organization’s philosophy and direction for the protection of information. As the site visits attest, each of the interviewed HCOs has developed a number of formal policies regarding the confidentiality of patient information, and most of the policies typically cover classified data in any form, be it paper-based or electronic. It was found that the organization’s structure, unique mission, culture, and management style significantly influence the policies adopted by a specific HCO to protect the security of both patient and administrative information. Therefore, the content of the security policies will vary, but in general a HCO will consider the following areas as a minimum in its policy: a statement of organizational philosophy and goals regarding privacy and security; a classification of information assets by type; standards for administering, controlling, and monitoring information use by type; standards for information system design, implementation, and operation; a definition of procedure for detecting and handling abuses, etc.
Nevertheless, a number of current-state problems were also found in this area during the investigation, including: a lack of a minimum policy standard that every HCO should comply with; minimal or no linkage of security policies; the need for more detailed security policies for specified information systems and security procedures; the need for a clear scope of security policy in the HCO; lack of regular review and promulgation of security policy; loosely enforced and communicated sanction policies, etc. Therefore, some recommendations for modifying the existing criteria of AS/NZS 4444 are presented as follows:
• More detailed security policies to meet basic requirements. Every HCO should develop a range of formal policies to meet the
minimum requirements with regard to information security and patient privacy set by public policy, accreditation and privacy law. These policies should be an open statement covering the major points of information security in a brief and readable form and should be updated as needs arise and displayed in a prominent position.
• More comprehensive policy scope. While the majority of the information maintained by HCO consists of patient records, the organization also maintains sensitive and valuable business records. The confidentiality, integrity, and availability of these business records must be protected, to enable the continued successful functioning of the organization.
• Distribution and promulgation of security policies. Security policy must be documented and promulgated throughout the entire HCO. All persons being granted access to the HCO’s patient and business information should formally acknowledge an understanding of the policies and make a formal written commitment to comply with those policies prior to being entrusted with access to the information. Once formulated, security policies should receive broad review and endorsement by governing bodies.
Security Organization
The organization of information security management in healthcare facilities should be clarified by creation, in each healthcare facility, of information security groups and users who should be given specific responsibilities for the security and privacy of health information. For example, a formal management information security forum, which is needed to review, approve and enforce policies regarding privacy and security, takes on a variety of forms, depending largely on the nature and culture of the HCO in which it operates, and serves as a focal point for both management and technical issues related to the safeguarding of privacy and security in paper and electronic health records.
It is the opinion of one interviewee from hospital C that the role of the IT department is to coordinate the implementation of security controls in the HCO. It should support the organization-wide information security initiatives, e.g. the security awareness programme, and coordinate the methodologies and processes for information security, e.g. risk assessment. Meanwhile, the respective departments, such as the laboratory, radiology, patient administration and finance, are responsible for authorizing their users and for enforcing the information security policies at their own level. In the site visits, most HCOs (hospitals A, B, C, and lab E) had a security policy in place to provide general guidance on the allocation of security roles and responsibilities within the organization. Authorization always comes along with allocation of responsibility. The authorization of IT facilities in many of the HCOs interviewed (hospitals A and B, lab D) contains two steps: business approval and technical approval. Many HCOs (hospitals A, C and lab D) do employ external security specialists to offer advice and to conduct independent reviews of organizational information security. Generally, there is a need for third parties to access the HCO’s IT facilities for different purposes. One of them (hospital A) has linked up with more than 400 GPs throughout Auckland to provide electronic discharge and referral information with Health Level 7 (HL7) standards. The HL7 standard is a telecommunication protocol developed specially for the health sector, based on the 7-layer Open System Interconnection Reference Model. While the HIS and EMR are being developed and implemented quickly nowadays, more access from the outside will be expected. All this access, however, should be controlled. The controls are usually agreed and defined in a contract with the third party.
Nevertheless, some current state problems found in the area of security organization during the site visits include: lack of support from top
management to commit to an information security forum, the need for coordination of information security efforts from all the divisions of the HCO, the need for clearly defined responsibility for security and information ownership, lack of external security advice, cooperation and review for the HCO, and weaknesses in the security of third party access and outsourcing. In response to the problems found in the research, some recommendations for modifying the criteria in the Security Organization section of the Standard are made as follows:
• Getting support from senior executives for information security forum. One of the most critical components of an effective management information security forum is ongoing support from senior executives in the HCO. This support translates into organizational commitment for almost everything, from effective security policy and budget development to personnel training time.
• Clearly define responsibility of security and information ownership. The security of the HIS and EMR should be the responsibility of the owner of that system and information. It is essential to clearly define the ownership of health information and the local responsibilities for both physical and information assets. Owners of HIS and EMR, e.g. HCOs and patients, may delegate the security authority to individual users, e.g. doctors and nurses, managers, and IT experts. Nevertheless, they remain ultimately accountable for protecting
the security of systems and the privacy of health information.
• More external security advice, cooperation and review. Contacts with external security specialists should be developed in the HCO to work along with in-house IT personnel in order to keep up with industrial trends, monitor standards and assessment methods, and provide suitable liaison points when dealing with security incidents. Meanwhile, cooperation on security issues between different HCOs should be encouraged and strengthened.
• Establish the chain of Trust Partner Agreements. If data are processed through a third party, the parties are required to enter into a chain of trust partner agreements. To ensure that the same level of security will be maintained across the continuum of EMR transmission, a chain of trust partner agreements should be instituted between HCOs and those third parties with whom electronic health information is exchanged. Such contracts will provide the legal basis for maintaining consistent levels of data integrity and confidentiality.
• Careful identification of risks from third party access and outsourcing. While there are many reasons (administrative, research, and business ones) for granting a third party the right to access IT facilities and patient records in a HCO, a risk analysis should be carried out to identify any requirements for specific security measures. The analysis should take into account the types of and reasons for the access, the classification of accessible information, the controls employed by the third party and the implications of this access for the information security of the HCO.
Asset classification and control
Accountability for assets helps to ensure that appropriate protection is maintained. It is essential to a HCO to identify the owners of major IT facilities and health information as
there are increasing uses of HIS and EMR both within and outside the organization in recent years. All the interviewed HCOs did a good job of inventorying physical and software assets. Each department in the public hospitals is responsible for the usage and maintenance of its own hardware and software, while the relatively small diagnostic labs usually have centralized inventory management of their assets. Health information, like other information assets in a HCO, has varying degrees of sensitivity and criticality. There are certainly many classification schemes for health information; one, suggested by the authors, divides the information into four categories (see Figure 1). Obviously, specific security controls and guidance should be set for each of these categories respectively. For instance, the first category of health information covers the most sensitive information at the HCO and requires the greatest security safeguards at the user level. For the second and third categories, a record of electronic access to patient-specific information should be logged. They should be protected against acts that are considered to be malicious and destructive. Finally, in the last category, the information could be used by researchers and other authorized personnel with the minimum of protection.
To summarize the findings, in practice the vulnerabilities in the area of asset classification and control may include: lack of centralized control of asset management across the organization; a need to clearly define the ownership of health information assets and custodian responsibilities for these assets; lack of unique standards for health information classification; and the need for procedures for information labelling and handling in accordance with the classification scheme. To overcome these problems found in the research, some recommendations specific to HCOs in the criteria of asset classification and control are presented as follows:
• Establish centralized inventory management of assets. The HCO should establish centralized inventory management of all assets categorized by enhancing the cooperation and coordination of asset management across the organization. Adequate precaution against damage or unauthorized entry to places where health information is centrally stored is essential.
• Develop scheme and policies for health information classification. The policies of the HCO with regard to the classification of health information on the basis of its sensitivity and patient identifiability should be defined. The classification categories should also be consistent with legal requirements and sector standards. In addition, care must be taken to protect the anonymity of patients during software demonstrations to colleagues. Use fictitious names or non-identifiable data for presentations. Patient records used for education and training should be de-identified.
Personnel security
The major security weakness of most HISs is not the technology but the people involved. Many reports indicate that the danger of an internal security attack (i.e. an attack initiated by an organization’s own employee from within the company) is very high, at present around 50% [CSI/FBI 2001]. All healthcare professionals and other employees in a HCO should be adequately screened at the recruitment stage, and their responsibilities for information security and patient privacy should be included in their job contracts and monitored during their employment. They should also be trained, through the HCO, in the principles and practices of healthcare information security, given the rapid development of EMR and HIS. During the site visits, all the HCOs interviewed claimed to have strict verification checks on potential recruits. The procedures are usually tougher than in many other recruitments, because a HCO employee may get access to
confidential health information and systems, and therefore has more responsibilities for information security and patient privacy. In addition to informing employees of the organization’s expectations with regard to keeping health information confidential, organizations need to hold them responsible for their behaviour. As to personnel security policy, however, only one out of all five HCOs interviewed (hospital B) has developed formal documents in this area, and little implementation or use of termination security was found in the HCOs in practice.
Information and system security can only be maintained if all personnel involved in their use know, understand and accept the necessary precautions. Most large HCOs (hospitals A, C, and lab D) claimed to have formal seminars or programmes to educate employees about patient privacy and system security. Many provide such training in an orientation session before employees are given access to patient information. Similarly, refresher courses serve to remind long-time users about existing policies, update them on changes, and discuss strategies for real-life situations that they may encounter on the job.
Mistakes and incidents in HCOs are killing 1500 people a year, according to a research paper dated 4 October 2000 by Martin Johnston, a health reporter of the New Zealand Herald [Johnston 2000]. Many of the incidents are IT-related, including errors in EMR, negligence by individuals or HIS failures. Four of the five HCOs interviewed (hospitals A, B, C, and lab E) stated that they had implemented a formal process to deal with identification, reporting, and the ensuing response to real or potential violations of established security policy, including security incidents, weaknesses and malfunctions of IT facilities, even though the reporting and response procedures for security incidents in some organizations were still conducted on an ad hoc basis, with no formally documented and communicated steps to be followed.
According to the above problems found in the research, some recommendations for improving the area of personnel security in the HCO are presented as follows:
• Establish a comprehensive set of personnel security policies. According to the experiences of other industries, e.g. banking, a formal personnel security policy that supports privacy and confidentiality is also a critical component of the HCO’s information security infrastructure. The major contents may include: a statement of purpose; references to relevant institutional policies concerning access to personal health information and general information security; a definition of confidential information, including patient, business, and employee data; responsibilities of employees; responsibility and procedures for reporting security incidents and violations; investigation and appeal processes; and consequences and penalties for inappropriate access, release, modification, or removal of patient health information.
• Develop the appropriate termination procedures. Each HCO is required to implement termination procedures, which are formal, documented instructions (including appropriate security measures) for the ending of an employee’s employment or an internal/external user’s access. Included in the termination procedures should be provisions for: changing locks or combinations to protect IT facilities or HIS; removal from access lists; removal of user accounts granting access privileges to patient information, services and sensitive systems for which they currently have clearance; and turning in of keys, tokens or cards that allow access to buildings or equipment, preferably prior to termination.
• Develop the organization-wide security training programme. A security training programme should be established in the HCO for all employees and third parties with access to health information. Such training should include: awareness education covering the organizational security policy, password maintenance, incident reporting, and viruses; periodic security reminders conducted as updates to the basic security education; and user education concerning virus protection, including identification, reporting and prevention measures.
• Make use of multiple training tools. Innovative training methods have been evaluated in studies dealing with changing clinical practice behaviours and may be of use for training in confidentiality and security as well. A variety of tools may be developed to support or enhance formal training programmes. These include attractive pamphlets, enhancements to computer systems, self-study modules, available for use in the computer training centre, which staff can take home, and posted reminders in elevators and cafeterias.
• Develop the patient education based on legal requirements. Based on the requirements of the Privacy Code, the patient must be at the centre of the decision-making process regarding access to, storage and disclosure of his or her own identifiable healthcare information. The HCO should provide a full explanation to the patient of both the health information or medical record and his/her privileges in dealing with the information.
Physical and environmental security

The generally open nature of HCOs and their high degree of public access dictate that physical security measures are the very first stage of protection to prevent unauthorized access to computing equipment and facilities. The information systems must also be safeguarded against a variety of environmental hazards that may adversely affect the operation and management of these systems.

All of the HCOs visited were found to have moderate physical security in place for their information systems; two of them had somewhat stronger security practices. The machines that provide centrally controlled services — mainframes and other production servers — were identified, located in very secure settings, and well controlled at the sites visited. Most of the organizations put much effort into the protection of their IT facilities in order to reduce the risk of unauthorized access to sensitive health data and to safeguard against loss or damage. Servers, routers, network cable and some support equipment are usually key targets under security protection. Many protective measures, such as fire and smoke detectors, gutters and down pipes, UPS and multiple electrical power suppliers, have become the standard associated facilities for computing sites of more and more HCOs.

Compared to large organizations, the smaller ones may face even more challenges in physical security. Police statistics show that more than 10% of GPs in New Zealand have had their computers stolen; other hazards include excessive heat, dust, fire and lightning [Hill 1998].

To summarize the findings in the practices, the vulnerabilities in the area of physical and environmental security could include lack of formal physical security policy, the need for a scientific decision-making procedure for physical security, inadequate coordination in the implementation of physical controls, and weaknesses in logical access controls and equipment disposal. Some recommendations for optimizing the physical security in a health IT environment are made as follows:
• Establish appropriate physical security policies. Management should establish rules and procedures to ensure that all staff maintain a secure work area; i.e., one in which physical security helps to protect the confidentiality and privacy of health information. For instance, computer screens on the consultation desk should not display patient information from a previous consultation. The use of screen savers and automatic time logout can assist with protection of privacy.
• Optimize the decision and implementation of physical security. Good physical security management also needs a scientific decision-making mechanism. The level of physical access control for any area containing confidential or restricted health data and facilities must be consistent with the level of risk and exposure. Meanwhile, the implementation of physical security controls should depend on the coordination of all divisions of the HCO, including the security, IT and clinical departments.
• Strengthen the security of computing equipment. Servers, routers, and other equipment, which contain or communicate patient information, must be protected from damage, theft, and misuse — and not only because of their monetary worth. There are many ways to provide equipment control. These may include assignment of liability, property pass, desktop lock, and property alarm device. Facility security may include access cards, cipher locks or just a lock on the door.
• Carefully deal with information and equipment disposal. Physical security also requires that outdated IT facilities, which contain sensitive personal health information, be disposed of properly. Paper records are best disposed of by shredding. This applies to copies of test results and brief notes. Electronic records disposal may be done either through physical methods, e.g. CD-ROM destruction, or electronically through magnetic erasure (floppy and hard disks).
Computer and network management

The computers and networks implemented in the surveyed HCOs are of different models from different companies. But their architecture and management in the same types of care-provider are quite similar. For example, the three public hospitals interviewed all make use of the client/server architecture with a variety of systems applications. All have local area networks as well as wide area networks that span different buildings at the same location as well as those over different geographic locations. These hospitals operate a wide variety of hardware, running multiple operating systems such as Unix and Windows NT as servers. Servers form the backbone of the network system, providing files and database access. Each server may provide one or more services, such as patient information, payroll, billing, test results, and administration. Meanwhile, a variety of communication technologies like X.25, ISDN, microwave and optical fibre have been deployed. These technologies enable internal network connection within the organization as well as allowing other organizations, e.g. diagnostic laboratories, GPs, and government agencies, to exchange information.

Concerns about computer and network security have been voiced for decades in the healthcare sector, like most other sectors, and the procedural and technological solutions have been worked out for all but the most assiduous kinds of attacks. More recently, with the growth of the Internet and distributed computing, these issues have been felt more widely, and a whole new class of problems centred on powerful new means of remote access to HIS, and their networks of all kinds, has raised additional security challenges. Again procedural and technological solutions have been devised that offer prudent protection but recognize that concerted, directed, professional attacks on almost any computer and network facilities are likely to succeed, despite the most rigorous protection. However, these ‘prudent practice’ solutions have not been adopted uniformly, partly because the number of affected computers and networks in HCOs has grown exponentially and partly because people responsible for these systems are not trained to select and apply these solutions, or are unable to enforce workable solutions within the organization.
To summarize the findings in the practices, the current problems found in the area of computer and network management during the research include unclear segregation of duties in IT professions, lack of integrated system planning management, the need for comprehensive software disciplines, the issue of software availability, ignorance of data backup in a network environment, lack of formal policies for the health data handling process, and the security weaknesses of the applications of email, HL7 and Value Added Networks, Internet, etc. in a health environment. In fact, many of the above problems have not been described clearly in the criteria of the Standard. Therefore, some suggestions for modifying the criteria in the section of Computer and Network Management in AS/NZS 4444 are made as follows:
• Establish integrated system planning management. The planning policies and procedures for system development should be established in HCOs to reduce the risk of system failures due to the problems of system capacity, integration, interconnection, feasibility and growth.
• Comprehensive software disciplines for security. HCOs should exercise and enforce comprehensive disciplines over user software. At a minimum, they should immediately install virus-checking programs on all servers and limit the ability of users to download or install their own software. Census software or regular audits can be used to ensure compliance with such policies.
• Availability of software services. The availability of the software services in the HIS ensures that accurate and up-to-date health information services are available to end users (e.g. doctors and nurses), when needed, at appropriate places. There are four main components which support the software availability, namely, application software, network systems, client computers and server computers. [Sakamoto 1998] suggested a prototype to structure these four components so as to provide the minimum requested software services in a healthcare environment.
• Data backup in a network environment. Some of the issues for making the data backup work well in a HCO network environment should be considered. Backup data should be stored in a secure location other than the HCO. Paper records should not be kept in a public area but in a lockable area when the staff is away.
• Establish the mechanism of network management. The network management in the HCO should be an integrated process including at least the following steps: risk analysis, identification of security requirements, establishing security mechanisms regulations, selecting network security controls, and installation and maintenance.
• Develop a formal health data handling process. HCOs should maintain a formal mechanism for processing records, that is, documented policies for the routine and non-routine receipt, manipulation, storage, dissemination, transmission, and/or disposal of health information, according to the rules of the Privacy Code.
• Develop security policy on email. HCOs should draw up a clear policy regarding the use of electronic mail, which may cover the guidelines on sensitive contents (e.g. personal health information) in the messages, the protection and check of email attachments, the knowledge of attacks on email, the use, storage and disposal of email, etc.
• Health Level 7 (HL7) and value added network (VAN). The issues of Health Level 7 and value added network should be studied and implemented by each HCO which has health data exchange with outside parties. All the sensitive healthcare messages sent should be encrypted or scrambled at one end, decrypted at the other and receipt acknowledged — this is achieved by using a VAN.
• Build Internet and E-commerce security solutions. Internet services, as well as E-commerce, in health provision are vulnerable to a number of network threats which may result in fraudulent activity, contract dispute and disclosure or modification of sensitive personal health information. The appropriate security solutions should be applied to protect Internet services from such threats.
System access control

It is essential that IT systems and health information be protected by comprehensive logical access controls implemented by the HCO. Access should be guaranteed for legitimate users (e.g. doctors and nurses) and denied to all others. All classes of users must be identified and authenticated before any access is granted and further mechanisms must control subsequent reading, writing, modification and deletion of applications and data. There should be no method for bypassing any authentication or access controls. HCO users are unlikely to be satisfied with controls that intrude upon working practices and the chosen schemes should be transparent and convenient in order to gain acceptance.

However, we found in the site visits that a serious threat to the security and privacy of personal health information in HCOs is the poor design and lax administration of access control mechanisms. In many HCOs, all users may access all medical records; it is also common to find poor password management, or terminals permanently logged on for the use of everyone in a ward. This causes a breakdown of clinical and medico-legal accountability, and may lead to direct harm to patient’s privacy. Vulnerabilities found in this area include ad hoc practices, and/or incomplete policies and procedures for authorizing and establishing access to organizational systems; broken processes to address modification and revocation of user access following job changes or termination; failure to include smaller, departmental applications in access control policies and practices; and lack of access controls to mobile computing and telemedicine.

According to these problems found in the research, some recommendations for improving the area of system access controls in the health computing environments are presented as follows:
• Establish the appropriate rules for access controls. The appropriate rules provide the basis for access control policy in an organization. Generally, the access rules in a HCO should be based on the principles of the Privacy Code and the need-to-know principle. And access is restricted to healthcare professionals working within the HCO. EMR permit differential access to health information, which can be used as a tool to protect privacy.
• Consistency between access control and information classification policies. All the HCOs are advised to develop an appropriate classification scheme for health information (see the section of Asset Classification and Control) consistent with legal requirements and sector standards. E.g. access control lists should separate clinical users from administrative users.
• Specify patient access in the access control policy. Patients’ access rights to their electronic and paper health records are protected by the Privacy Code. The HCOs should include patient access in their access control policy and specify its access process and procedure. Sharing information is integral to good communication in the doctor-patient relationship and to high quality care.
• Optimize the user authentication mechanism. The HCOs should optimize their user authentication mechanism by combining login-password authentication with the advanced authentication technologies. Some potential candidates may include biometric identifiers (e.g. fingerprint, hand geometry pattern, retinal scan, voiceprint, etc.) and smart card tokens. Specific policies within the organization should specify the disciplinary actions and penalties for sharing any unique identifier with other individuals.
• Implement comprehensive network access controls. Effective access controls should be a prerequisite for the HCO’s networking. The network and system administrators should pay attention to combining the technical controls, e.g. firewalls, limited links, strong authentication technologies and audit trails, with the non-technical approaches, e.g. security training and ethical considerations.
• Establish network connection management in the HCO. The HCO should establish appropriate connection controls to manage not only the links to the external networks but also the contents of the information exchanged. For example, the network should limit the transferring of sensitive patient health information without the protection of encryption.
System development and maintenance

The use of information systems and applications in HCOs is essential in providing proper treatment and care services to patients, and in managing the staff and the organizations. For example, hospital A is investing more than $20 million in new information systems as part of its overall $90 million redevelopment package. According to its management, the current paper-based patient information system is inadequate and it wants to give specialists instant access to complete information about a patient’s treatment. The new electronic patient records replace paper systems and clinicians will be able to view x-rays, scans and blood tests on terminals in the wards and clinics.

System development and maintenance activities merit special consideration, given the opportunities that exist to affect the operation of the systems in the HCO. Apart from the pure functionality of these systems, the security of the systems is an issue to be considered. Security aspects range from confidentiality, correctness and availability of information at the right time to the right person. Unauthorized or uncontrolled changes to any aspect of an operational system could potentially compromise security and, in some cases, endanger life. The system development and maintenance must, therefore, be carried out in accordance with well-defined procedures.

The major problems found in the area of systems development and maintenance during the site visits include lack of a documented process and policy for security requirement specification during system development; the need to address integration concerns in health system development; lack of system quality assurance and data integrity mechanisms; the security weaknesses in system maintenance; and immaturity of the use of cryptographic technologies. We made some recommendations here for improving the current situation in the HCO and modifying the criteria in this area:
• Formalize the security requirements analysis and specification. The HCO should establish the standard of minimum level of security for the development of the information systems and applications. All security and privacy requirements should be identified at the requirement stage of the development and justified, agreed and documented as part of the overall business case for the systems.
• Enhance the integration of system development. An enterprise-wide healthcare information system will require the integration of all these applications within a HCO and the systems of all the different HCOs that share patient health information securely with one another. The common security standards and controls for HIS should be agreed upon and documented across the health sector.
• Establish system quality assurance mechanism. There should be a documented system for the quality assurance of system development in the HCO. Strong controls must be placed upon the developers of HIS to ensure high quality development, and compliance with the security and privacy requirements should be expected as a minimum. Effective software development tools must be used to design application systems. Maintaining separate hardware domains for the operating system and application programs is essential for protecting critical code and data structures from external interference.
• Develop comprehensive data integrity measures for health application systems. The HCO should develop a data integrity control policy, which has at least the process and procedures of four essential components: security measures, procedural controls, assigned responsibility, and audit trails [Anderson 1996]. For example, to ensure the integrity of information, unauthorized, deliberate or accidental modification or entry of data must be prevented. Moreover, the source, date, time and content of any alterations must be known.
• Create security and privacy protection in system outsourcing. Outsourcing may lead to reduction in security and privacy protection. The HCO should carry out rigorous contract management through a formal set of outsourcing security policy and contractual terms, which aim at extending privacy protection to patient information handled by contractors. The organizations should also pay attention to any proposal involving off-shore processing as this may carry additional privacy risks.
Business continuity planning

The continuous availability of information systems is essential to the operation of a modern HCO. Many health IT departments never experience a disaster. But should a disaster occur, a well-designed action plan would protect health information from damage, minimize disruption, ensure stability, and provide for orderly recovery. It is essential that a business contingency plan (BCP) be made to ensure the level of availability needed by the HCO is maintained in the event of any system outage or disaster. There should be a reporting structure and a team in place to ensure that the system outage is kept to a minimum.

In the site visits, the majority of large HCOs (hospitals A and C) already have the documented plans and procedures of disaster recovery and data backup for physical disasters and systems failure. Compared with the large HCOs, the smaller ones (e.g. diagnostic labs and GP offices) were found to be generally more lax in the business continuity management. For example, only 5% of GPs have contingency plans to deal with any problems, according to a survey carried out by the Ministry of Health [NZHIS 1997]. Some other vulnerabilities in this area might include the need for risk analysis and business continuity and impact analysis during the development of the BCP; lack of a BCP in effect in the small organizations, or some disaster plan in effect covering only major enterprise systems; contingency plans left to the discretion of department managers to cover their departments, with no comprehensive plan in effect for the entire organization; contingency plans in place that have not been updated recently and therefore fail to cover all parts of the organization, including remote sites; and the need for built-in BCP-compliant measures.

According to these problems found in the research, some recommendations for improving the area of business continuity management in the health computing environments are presented as follows:
• Carry out business continuity and risk analysis. The HCO should begin the business continuity management by assessing the sensitivity, vulnerability and security of the key business operations and health information assets in the organization. Security measures should be designed for each HCO based on the actual result of the risk analysis. One method that has been applied successfully in several areas of healthcare in Europe is the Risk Assessment and Management Method (CRAMM).
• Develop a comprehensive BCP for the HCO. Every HCO should develop a comprehensive BCP for responding to a system emergency that will facilitate the assurance of continuity of key health information systems and operations. The BCP should include a set procedure for identifying problems, listing emergency contacts, and accessing backup medical data.
• Awareness and training of BCP. The HCO should place great emphasis on ensuring its employees are made fully aware of and are trained in the BCP that has been developed. The training should cover the responsibilities for developing, maintaining, and testing the BCP, as well as actual recovery operations.
• Build BCP-compliant systems. Health information systems include all the elements that facilitate the capture, storage, processing, communication, security, and presentation of computer-based patient record information. To ensure the safety and prevention of the potential loss of data, these systems and applications in a HCO need to support the organization’s detailed disaster recovery plan.

Figure 2
Compliance

All relevant statutory, regulatory and contractual requirements should be explicitly defined and documented for each information system in a HCO. Principal among the legal requirements presented by the computerization of health data information is how to protect individual privacy interests in personal health information. Modern computer applications in the healthcare system threaten individual privacy although they offer significant benefits to patients and practitioners. With little more than basic information about a person, private or commercial actors through online networks, Internet, and retrieval services can quickly assemble detailed medical profiles of the same individual. Strong legal protection for personally identifiable health data is necessary to facilitate the processing of electronic data through health applications and networks. New Zealand is fortunate in having a developed and implemented Privacy Act and Health Information Privacy Code, which provide adequate guidance on such issues in the health sector. One of the most important pieces of legislation regarding health information privacy and security is the Health Information Privacy Code 1994 (see Figure 2).

Figure 3

In summary, compliance with the Privacy Code and other relevant data protection legislation requires appropriate management structure and controls. Often this is best achieved by the development and implementation of a privacy plan and codes of practice, based on the privacy principles and legislative rules, in the HCO. Privacy officers should be appointed to provide the guidance and to spread the awareness of privacy issues and, with the support of management and IT staff, facilitate the privacy plan and codes throughout the organization.

One of the important tools to ensure compliance with legislative and operational requirements in an organization is the system audit trail. In a health IT environment, audit trail records contain identification of the user, data source (for automated devices), person about whom the health information is recorded, provider facility, and other participant users if applicable. Audit trail records also contain the date/time and location of the activity, and the nature of the activity (i.e., function performed and information accessed). Some vulnerabilities in system audit found in the site visits could include lack of internal audit capability in the organization (no internal audit department), constrained audit resources, or lack of skills to review audit logs generated from organizational systems; lack of follow-up once irregular activities are recognized; lack of participation by the internal audit staff in the design and planning of systems that will comply with the security policy; and inadequate or non-existent audit logs from one or more applications that process health information.

Some recommendations for improving the area of compliance in the health computing environments are presented as follows:
• Develop the constructive privacy plan. Because there are so many dimensions of the patient privacy interest and so many competing interests of health information at so many levels of society, it is essential for a HCO to develop a constructive privacy plan based on the legislative requirements of the Health Information Privacy Code 1994.
• Establish the general principles of health information privacy. Based on the 12 rules of the Health Information Privacy Code 1994, the health sector in New Zealand should establish a set of general principles that provide the guideline of protections, which should be considered when implementing comprehensive patient policies and codes of practices. These principles should cover issues such as recognizing the unique status of personal health information, providing privacy safeguards based on fair information practices, empowering patients with information and rights to consent, limiting the disclosure of health data, incorporating industry-wide protections, establishing a data privacy and security board, and providing a minimum level of national privacy protection.
• Develop the Code of Practice for the management of health information. The HCO should develop the Code of Practice for the management of health information, which aims to provide clear advice to all the internal users and other interested parties about the way in which health information, particularly personal health information, should be managed on an ethical and legal basis. While privacy concerns have been particularly highlighted by the advent of information technology and its capacity to facilitate information transfer, this Code should establish minimum safeguards and processes that must be followed by the users, if their use of manual and computerized records is to meet appropriate legal and ethical standards.
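The audit trail contents listed in this section, and the follow-up of irregular activity that the site visits found lacking, can be exercised on sample data. The following Python example is added here and is not part of the original paper; the field names, the termination register and the care-assignment lookup are assumptions, and the sample records are constructed.

```python
"""Review audit trail records for irregular activity (added example)."""
from datetime import datetime

# Field names are assumptions. The set mirrors what the paper says an audit
# trail record contains; "other participant users" is optional there.
REQUIRED_FIELDS = (
    "user_id", "data_source", "patient_id", "facility",
    "timestamp", "location", "function", "information_accessed",
)


def missing_fields(record):
    """Return the required fields that are absent or empty, in field order."""
    return [name for name in REQUIRED_FIELDS if not record.get(name)]


def review(records, terminations, care_assignments):
    """Return (record index, finding) pairs that need follow-up.

    terminations     -- user_id -> datetime at which access should have ended
    care_assignments -- user_id -> set of patient_ids the user needs to know
    Both lookups are hypothetical stand-ins for HR and clinical systems.
    """
    findings = []
    for index, record in enumerate(records):
        gaps = missing_fields(record)
        if gaps:
            findings.append((index, "incomplete record: " + ", ".join(gaps)))
        # The remaining checks need these three fields to be present.
        if {"user_id", "patient_id", "timestamp"} & set(gaps):
            continue
        user = record["user_id"]
        when = datetime.fromisoformat(record["timestamp"])
        ended = terminations.get(user)
        # Access at or after the termination time means revocation failed.
        if ended is not None and when >= ended:
            findings.append((index, "access after termination: " + user))
        # Need-to-know: the user must have a care relationship to the patient.
        if record["patient_id"] not in care_assignments.get(user, set()):
            findings.append((index, "no need-to-know relationship: " + user))
    return findings


# Constructed sample data, not taken from any real system.
SAMPLE_RECORDS = [
    {"user_id": "dr_a", "data_source": "ward terminal", "patient_id": "P100",
     "facility": "Example Hospital", "timestamp": "2001-03-01T09:15:00",
     "location": "ward 4", "function": "read",
     "information_accessed": "blood test results"},
    {"user_id": "nurse_b", "data_source": "ward terminal", "patient_id": "P200",
     "facility": "Example Hospital", "timestamp": "2001-03-05T22:40:00",
     "location": "ward 2", "function": "read",
     "information_accessed": "medication chart"},
    {"user_id": "clerk_c", "data_source": "admin desktop", "patient_id": "P100",
     "facility": "Example Hospital", "timestamp": "2001-03-06T11:05:00",
     "location": "billing office", "function": "read",
     "information_accessed": "clinical notes"},
    {"user_id": "dr_a", "data_source": "lab analyser", "patient_id": "P100",
     "facility": "Example Hospital", "timestamp": "2001-03-07T08:00:00",
     "location": "", "information_accessed": "scan report"},
]
TERMINATIONS = {"nurse_b": datetime(2001, 3, 2, 17, 0)}
CARE_ASSIGNMENTS = {"dr_a": {"P100"}, "nurse_b": {"P200"}, "clerk_c": set()}


def run_sample():
    """Review the constructed records and return the findings."""
    return review(SAMPLE_RECORDS, TERMINATIONS, CARE_ASSIGNMENTS)


if __name__ == "__main__":
    for index, finding in run_sample():
        print(f"record {index}: {finding}")
```

Incomplete records are reported as well as skipped for the checks they cannot support, since a log missing the user, patient or time cannot be used for follow-up at all.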
Developing a proposed Healthcare Information Security Framework based on baseline approach Although most key controls in the 10 aspects of the information security baselines described in the last section were observed in at least one site visited, no other HCO had implemented all, and some had paid only minimal attention to a few security measures. From our point of view, they could have made significantly more effective use of current technologies in practice. The HCOs that we interviewed often demonstrated a lack of clear leadership on the part of security management, thus employees were uncertain of what to do or where responsibility lay. Instances were observed in which managers had made isolated efforts to improve information security within their departments but without sufficient authority and management support these efforts remained limited in scope and had little impact on the overall organization. Therefore, as HCOs are becoming increasingly dependent on IT and expanding their boundaries, they need to develop a comprehensive framework to
ensure that the message of commitment to patient privacy and information security is pervasive and implemented in policies, procedures, and everyday behaviour, both within their organizations and across the health sector. Such a framework should include an overall baseline assessment and risk analysis, specific policy development, measure implementation, and monitoring and reporting action. It enables the personnel involved in developing policies and procedures to understand the ultimate goal of their efforts, as well as how those efforts complement parallel efforts elsewhere within the organization. Through early, careful, and precise planning, information security management serving as a coordinator can help ensure that policies are not in conflict, lines of authority are clear, and gaps in security are avoided. If implemented appropriately, the framework can serve as an integrated management model for protecting patient privacy and health information security in the HCOs. Figure 3 shows the major modules, as well as the associated key steps, of the proposed health information security framework. Generally speaking, the effectiveness of the development and implementation of the proposed health information security framework within an HCO is limited by the ineffectiveness of the security management and monitoring of the use of health information systems in the organization as a whole. All HCOs should step up to the challenges of health information security through the establishment of their security management framework. With the exception of some GP offices and group practices, which do not have many IT applications, most HCOs should start with the baseline assessment and planning. Nevertheless, the information security framework of each HCO may vary greatly according to its own organizational structure, culture, and technical and staff resources. And the
management, regarding the implementation of security requirements, should treat it as a business decision that involves a balance between securing health data against risks and the cost of doing so in a specified HCO’s environment. The lack of direction in the proposed recommendations is consistent with the (AS/NZS 4444) Standard’s intent that the rules be technology neutral and flexible, and that they recognize the inherent risk/benefit trade-off in every decision. It is clear that each HCO must decide the methods it will use and the extent to which the requirements and development features are implemented. The proposed Healthcare Information Security Framework depicted in Figure 3 is not significantly different from a security framework for any organization relying heavily on its information resources. The framework was developed using the baseline approach, and one may expect that the general conclusions should be the same. The objective of the research was therefore not to suggest a drastically new Healthcare Information Security Framework but rather to formulate possible adjustments of the baseline standards (particularly AS/NZS 4444) to make the standard more applicable in HIS.
Summary
The security baseline is an effective approach for introducing information security management to organizations that have not addressed security at all, or more likely have not addressed it in a structured manner. AS/NZS 4444, as a security standard, is a comprehensive Code of Practice for IT security and has been implemented, supported and promoted in many organizations. This Standard will be very useful to healthcare organizations to place foundations under the surface security, which has already been in place. However, its current contents, format and level of detail are not sufficient and suitable to a healthcare
IT environment because of the inherent technological and environmental constraints. Therefore, this research aims to develop a new set of security baselines specified for the protection of healthcare information in HCOs. The health information security baselines presented in the paper provide a minimal set of rules or codes of practice that have been indicated to be essential so that the vital health information assets of an HCO are protected. In order to implement these rules and codes of practice and deploy the appropriate security measures in the HCO, the HCO has to develop a security framework and take a series of critical steps based on the baseline approach. These baselines are not presented as a standard in this framework, but as guidelines for the individual HCO to utilize when designing and/or building upon its organization’s existing security environment.
Appendix A
Summary of the basic privacy rules from the Privacy Act and Health Information Privacy Code:
1. Personal information is only to be collected for a lawful purpose connected with a function or activity of the agency.
2. Information should be collected directly from the individual concerned.
3. The individual concerned should be aware that information is being collected and should know:
• the purpose for which the information is being collected;
• who are the intended recipients of the information;
• the consequences for the individual if the information is not provided;
• the rights of access to and correction of personal information provided.
4. Personal information shall not be collected by unlawful or unfair or intrusive means.
5. Information is protected by security safeguards against loss, unauthorized access, use, disclosure or modification.
6. The individual concerned shall be entitled to obtain confirmation that information and access to information is held.
7. The individual concerned shall be entitled to request that correction be made to information held, or a statement that such a request for change has been made.
8. The holder of personal information must check its accuracy before use.
9. The holder of personal information may not keep that information for longer than necessary.
10. Information may only be used for the purpose for which it was originally intended.
11. The holder of personal information may not disclose that information to any other person or agency.
12. The holder of personal information may not assign a unique identity (key) unless it is necessary to carry out its function, nor may another holder use that identifier.
References
Anderson, R., 1996. Security in Clinical Information Systems, work paper, Computer Laboratory, University of Cambridge, UK, 12 January 1996.
AS/NZS 4444:1999, Australian/New Zealand Standard: Information Security Management, Standard Australia & Standard New Zealand, 1999.
Barnard, L. and von Solms, R., 2000. A Formalized Approach to the Effective Selection and Evaluation of Information Security Controls, Computers & Security, Vol. 19, 2000, pp. 185-194.
CSI/FBI, 2001. CSI/FBI Computer Crime and Security Survey 2001, Computer Security Institute, 2001.
Fitzgerald, K.J., 1995. Information Security Baselines, Information Management & Computer Security, Vol. 3, No. 2, 1995, pp. 8-12.
Hill, S., 1998. GPs Say Data Transfer a Threat to Patient Privacy, New Zealand Doctor, 19 August 1998.
ISHTAR, 2001. B. Barber, K. Louwerse, J. Davey, White Paper on Health Care Information Security, http://ted.see.plym.ac.uk/ishtar/
Janczewski, L., 2000. Information Security Framework For Health Information Systems, in Armoni, A. (ed.) Health-care Information Systems: Challenges of the New Millennium, Harrisburg, PA, USA, IDEA Group Publishing,
Johnston, M., 2000. Blunders kill hundreds in hospitals, The New Zealand Herald, 4 October 2000.
Mason, A. and Tipping, L., 2001. Understanding & Implementing Security Standards into Your Business, Proceedings of the SECURE.NZ conference, Auckland, New Zealand, 2001.
Moule, B. and Giavara, L., 1995. Policies, Procedures and Standards: an Approach for Implementation, Information Management & Computer Security, Vol. 3, No. 3, 1995, pp. 7-16.
NZHIS, 1997. Issues in Developing and Implementing a Health Information System, New Zealand Health Information Services, Ministry of Health, New Zealand, 1997.
OTA, 1997. Office of Technology Assessment, Protecting Privacy in Computerized Medical Information, report for US Congress, OTA-TCT-576, September 1997.
Sakamoto, N., 1998. Availability of Software Services for a Hospital Information System, International Journal of Medical Informatics, Vol. 49, 1998, pp. 89-96.
Smith, E. and Eloff, J.P.H., 1999. Security in Health-care Information Systems, Current Trends, International Journal of Medical Informatics, Vol. 54, Issue 1, April 1999, pp. 39-54.
SEISMED, 2001. Secure Environment for Information Systems in Medicine Project, http://www.semper.org/sirene/projects/seismed/
Tan, F.B. and Gunasekara, G., 2000. Health Information Management and Individual Privacy: Application of New Zealand’s Privacy Legislation, Chapter IV of Health Information Systems: Challenges of the New Millennium, edited by Adi Armoni, Idea Group Publishing, 2000.
Von Solms, R., 1999. The Information Security Toolbox, in Managing Information Technology Resources in Organizations in the Next Millennium, ed. M. Khosrowpour, Idea Group Publishing, 1999.
Von Solms, et al., 1999. The Information Security Management Toolbox, Proceedings of the 1st Annual Information Security for South Africa Conference, Rand Afrikaans University, August 2001.