Improving the Exchange of Lessons Learned in Security Incident Reports: Case Studies in the Privacy of Electronic Patient Records

Abstract: The increasing use of Electronic Health Records has been mirrored by a similar rise in the number of security incidents where confidential information has inadvertently been disclosed to third parties. These problems have been compounded by an apparent inability to learn from previous violations; similar security incidents have been observed across Europe, North America and Asia. This has resulted in the loss of confidence and trust of the public towards the organisations' ability to protect the patients' priv… Show more

“…Previous research showed that GSTs can be used to represent and share lessons from previous security incidents [25,43,45]. In contrast, this paper has presented empirical studies that evaluate its acceptance in an industry setting.…”

“…A previous study had already provided evidence that GSTs can improve the communication of security lessons compared to traditional text based approaches [45]. The next section, therefore, expands on Scenario II to find out how the GST can be used to redistribute security lessons into security management procedures.…”

“…Usually it presents concepts clarification introduced in the claim/strategy [42]. Examples of the application of GSTs can be found in [25,[43][44][45].…”

Improving the redistribution of the security lessons in healthcare: An evaluation of the Generic Security Template

“…Previous research showed that GSTs can be used to represent and share lessons from previous security incidents [25,43,45]. In contrast, this paper has presented empirical studies that evaluate its acceptance in an industry setting.…”

“…A previous study had already provided evidence that GSTs can improve the communication of security lessons compared to traditional text based approaches [45]. The next section, therefore, expands on Scenario II to find out how the GST can be used to redistribute security lessons into security management procedures.…”

“…Usually it presents concepts clarification introduced in the claim/strategy [42]. Examples of the application of GSTs can be found in [25,[43][44][45].…”

Improving the redistribution of the security lessons in healthcare: An evaluation of the Generic Security Template

“…This finding was also share by Ahmad [24,25] and Tondel [31] This indicated poor communication between incident response teams and other stakeholders. Previous researches [53,54] argued text alone does not facilitate the communication of security lessons. There is a need for the conversion of post-incident reports into learning documents, which can be easily understood by people in the organisation.…”

“…There a need of an effective way to present incident knowledge that can facilitate incident knowledge dissemination. Security assurance modelling framework can serve this purpose as it was found to be able to effectively communicate security incidents [37,54]. It can be applied to convert incident reports and represent lessons learned in a structured manner.…”

Challenges of information security incident learning: An industrial case study in a Chinese healthcare organization

Electronic medical records and risk management in hospitals of Saudi Arabia