Improving the redistribution of the security lessons in healthcare: An evaluation of the Generic Security Template

He, Ying; Johnson, Chris

doi:10.1016/j.ijmedinf.2015.08.010

Cited by 19 publications

(30 citation statements)

References 25 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…This should not be a challenge. This has been confirmed in the previous case studies [27,32,54,55]. If the organizations did not apply any security standards/guidelines, security requirements have to be retrieved from the case descriptive materials.…”

Section: Success Criteriasupporting

confidence: 62%

“…The data sources of case studies can be diversified such as the official security incident reports used in the analysis of the VA incidents [1,2], and the money penalty report used in the analysis of IT asset disposing incident [25]. Existing work suggests that the GST can be used to structure the security lessons identified from various data sources [27,32,54,55], However, the following requirements have to be met in order to be successful. Security requirements can be captured based on the existing security standards applied by the organization.…”

Section: Success Criteriamentioning

confidence: 99%

See 1 more Smart Citation

Security Assurance Modelling of Security Incident in Healthcare using the Generic Security Template (GST)

Luo

2020

Preprint

Self Cite

View full text Add to dashboard Cite

Background: The recent industry reports show that the number of security incidents in healthcare sector is still increasing, especially the high severity incident, such as data leakage incident and ransomware, which can lead to significant impact on healthcare services. It is imperative for the organizations to learn lessons from those incidents. Traditional ways to disseminate lessons learned are based on text approach, the linear format of which can obscure relationships among concepts and discourage readers from integrating information across ideas. Graphical diagrams can serve this purpose, as it can communicate both individual elements of information and relationships between them. Methods: The Generic Security Template (GST) has been proposed to support the exchange of lessons learned from security incidents. It utilises graphical notations to communicate both individual elements of information and relationships between them. This paper conducts a case study by adopting the GST to capture and structure the incident information of a data leakage incident in a UK healthcare organization in order to facilitate incident exchange. Results: The results show that, the GST was able to visualise and depict the key elements, including lessons learned, the associated security requirements and organizational contextual information identified from the selected data leakage incident case study from NHS. GST provides a unified way to communicate incident information. Conclusions: This research has significance for the healthcare organizations to improve their incident learning practices. It fosters an environment where different stakeholders can speak the same language while exchanging the lessons learned from the security incidents. Future work will consider apply the GST to analyse other complex security incidents such as the advanced persistent threats (APTs) in healthcare organizations and extend the use of the GST in other industries. Keywords: Security Assurance Modelling, Generic Security Template (GST), Security Incident, Healthcare Organization.

show abstract

Section: Success Criteriasupporting

confidence: 62%

Section: Success Criteriamentioning

confidence: 99%

Security Assurance Modelling of Security Incident in Healthcare using the Generic Security Template (GST)

Luo

2020

Preprint

Self Cite

View full text Add to dashboard Cite

show abstract

“…According to Williams (Williams, 2015) one of the last remaining hurdles to be overcome in the design of safe, reliable systems is the human being as recognised by safety and reliability engineers. Lacey (Lacey, 2010) suggests that Security Managers could benefit from studying the lessons learned in the safety field and He and Johnson (He and Johnson, 2015) presented in their research that the reoccurrence of past security incidents in healthcare showed that lessons had not been learned across healthcare organisations. With regard to risk analysis performed within IT security and the safety field the only main difference is the terminology so it is suggested that IT security is treated the same as systematic failures in the safety field (Braband and Schäbe, 2016).…”

Section: Related Workmentioning

confidence: 99%

“…The healthcare sector continues to be affected by the largest percentage of data breaches (He and Johnson, 2015) with almost two breaches per day being recorded in 2015, which is ten times the volume reported in 2009 presenting a position whereby preventing healthcare breaches is very difficult (McLeod and Dolezel, 2018). The reporting of incidents is core requirement for UK National Health Service (NHS) organisations (Rooksby, Gerry and Smith, 2007).…”

Section: Related Workmentioning

confidence: 99%

Published incidents and their proportions of human error

Evans

Yevseyeva

et al. 2019

ICS

Self Cite

View full text Add to dashboard Cite

Purpose This paper aims to provide an understanding of the proportions of incidents that relate to human error. The information security field experiences a continuous stream of information security incidents and breaches, which are publicised by the media, public bodies and regulators. Despite the need for information security practices being recognised and in existence for some time, the underlying general information security affecting tasks and causes of these incidents and breaches are not consistently understood, particularly with regard to human error. Design/methodology/approach This paper analyses recent published incidents and breaches to establish the proportions of human error and where possible subsequently uses the HEART (human error assessment and reduction technique) human reliability analysis technique, which is established within the safety field. Findings This analysis provides an understanding of the proportions of incidents and breaches that relate to human error, as well as the common types of tasks that result in these incidents and breaches through adoption of methods applied within the safety field. Originality/value This research provides original contribution to knowledge through the analysis of recent public sector information security incidents and breaches to understand the proportions that relate to human error.

show abstract

“…Therefore, a virtual environment for testing is required. There is existing work demonstrating cyber-attacks towards healthcare system and proposing cyber security strategies to defend against such attacks [11][12][13][14][15], however, it is not against a realistic healthcare system.…”

Section: Introductionmentioning

confidence: 99%

Security Defense Strategy for Cardiac Medical Diagnosis System (CMDS)

He¹,

Suxo²,

Luo³

et al. 2019

2019 Computing in Cardiology Conference (CinC)

Self Cite

View full text Add to dashboard Cite

The medical systems have been targeted by the cyber attackers. This paper is motivated by the recent attacks that have resulted in the compromise of diagnosis results. This study was undertaken to show how the Cardiac Medical Diagnosis Systems (CMDS) can be hacked and propose security recommendations to prevent such attacks. We build a simulation platform by implementing an open source medical system. We feed the ECGs data from the PhysioNet/Computing in Cardiology (CinC) Challenge 2017 to the open source medical system. We then follow the OWASP pen-testing methodology to perform the ethical hacking. The hacking was successful and we have identified a major vulnerability of the system related to authentication. Finally, we are able to gain access to the sensitive ECG data. We then proposed cyber recommendations to prevent such attacks. Future work will consider using a mature CMDS, such as the arrhythmia detection and classification in ambulatory ECGs to investigate how the core of the algorithms can be attacked and protected.

show abstract

Improving the redistribution of the security lessons in healthcare: An evaluation of the Generic Security Template

Cited by 19 publications

References 25 publications

Security Assurance Modelling of Security Incident in Healthcare using the Generic Security Template (GST)

Security Assurance Modelling of Security Incident in Healthcare using the Generic Security Template (GST)

Published incidents and their proportions of human error

Security Defense Strategy for Cardiac Medical Diagnosis System (CMDS)

Contact Info

Product

Resources

About