Medical Personal Data in Secure Information Systems

Author(s):
Tatjana Welzer, Marko Hölbl, Marjan Družovec, Brane Klopčič, Boštjan Brumen, ...
2020

Author(s):
Cátia Santos-Pereira

BACKGROUND: GDPR was scheduled to be formally adopted in 2016, with EU member states being given two years to implement it (May 2018). Given the sensitive nature of the personal data that healthcare organizations process on a 24/7 basis, it is critical that the protection of that data in a hospital environment is given the high priority that data protection legislation (GDPR) requires.

OBJECTIVE: This study addresses the state of Portuguese public hospitals regarding GDPR compliance during the GDPR preparation period (2016-2018), before enforcement on 25 May 2018, and what activities have started since then. The study focuses on three GDPR articles, namely 5, 25 and 32, concerning authentication security, identity management processes and audit trails.

METHODS: The study was conducted between 2017 and 2019 in five Portuguese public hospitals (each differing in complexity). In each hospital, six categories of information systems critical to health institutions were included in the study, aiming to cover the main health information systems available and common to hospitals (ADT, EPR, PMS, RIS, LIS and DSS). Interviews were conducted in two phases (before and after GDPR enforcement) with the objective of identifying the maturity of each hospital's information systems regarding authentication security, identity management processes and traceability, and the efforts in progress to avoid security issues.

RESULTS: A total of 5 hospitals were included in this study, and the results highlight the hospitals' privacy maturity: in general, the hospitals studied were very far from complying with the selected security measures (before May 2018). Session account lock and password history policy were the poorest issues; on the other hand, storing passwords encrypted was the best. With the enforcement of GDPR, these hospitals started a set of initiatives to fill this gap, specifically with the aim of making the whole process as transparent and trustworthy as possible and avoiding the huge fines.

CONCLUSIONS: We are still very far from having GDPR-compliant systems, and institutions' efforts are under way. The first step to align an organization with GDPR should be an initial audit of all systems. This work contributes to the initial security audit of the hospitals that belong to this study.


Author(s):
Sergey E. Channov

Introduction. The article is devoted to the use of digital technologies in the field of public administration, using the example of state and municipal information systems. Currently, two types of such systems can be distinguished in the Russian Federation: 1) those allowing direct enforcement activities; 2) those used to capture certain information.

Theoretical analysis. Information systems of the first type acquire the properties of an object of complex legal relations, in which suppliers and consumers of information, government bodies, as well as other persons become participants. This entails that, in the implementation of public administration, the source of regulation of public relations to a certain extent becomes the program code of these information systems. Accordingly, any failures and errors in a public information system become facts of legal importance.

Empirical analysis. The main risks of using information systems of the second type in public administration relate to illegal access to (or use of) information stored in their databases. The consolidation of databases containing different types of information is a serious threat. In this regard, the creation of the Unified Federal Information Register containing information about the population of the Russian Federation, provided for by Federal Law No. 168-FZ of 08.06.2020, may lead to a large number of socially negative consequences and comes into obvious conflict with the legislation on personal data.

Results. State and municipal information systems themselves can improve public administration, including by reducing corruption in the country. At the same time, the reduced discretion they leave in management decisions is not always appropriate. Accordingly, their implementation should be preceded by an analysis of the characteristics of the specific area of management, as well as of the proposed use of digital technologies.


Author(s):  
Alberto Carneiro

Adapting maturity models to healthcare organizations' needs is an issue that researchers and technicians should consider, and a valuable instrument for IT managers, because these models allow the assessment of the present situation as well as the identification of useful improvement measures. This paper discusses the practical utilization of maturity models, including different ways of exploring a model's usefulness. For a more complete understanding of maturity models, the selection of criteria and processes of measurement, called metrics, is briefly reviewed in terms of indicators and daily procedures. Some issues of management information systems security are briefly addressed, along with a note on measuring security assessment. Finally, some considerations are presented on the need for privacy of personal data and the strategies to be pursued for sensitive data in order to establish an effective level of privacy, which is among the concerns of information systems security.


Author(s):
M. Siponen, R. Baskerville, R. Kuivalainen

Software developers can use agile software development methods to build secure information systems. Current agile methods have few (if any) explicit security features. While several discrete security methods (such as checklists and management standards) can supplement agile methods, few of these integrate seamlessly into other software development methods. Because of the severe constraints imposed by agile methods, these discrete security techniques integrate very poorly into agile approaches. This chapter demonstrates how security features can be integrated into an agile method called feature-driven development.


Author(s):  
P. Partow-Navid

Today, information security is one of the highest priorities on the IT agenda. In 2003, Luftman and McLean (2004) conducted a survey of Society for Information Management members to identify the top 20 information technology (IT) issues for executives. Security and privacy issues were ranked third, after IT/business alignment and IT strategic planning. The concept of information security applies to all data stored in information systems or communicated over information networks, and encompasses measures applied at all layers of the Open Systems Interconnection (OSI) model of international standards, such as the application, network, and physical layers. Sophisticated technologies and methods have been developed to:

• Control access to computer networks
• Secure information systems with advanced cryptography and security models
• Establish standards for operating systems with a focus on confidentiality
• Ensure communication integrity and availability for securing different types of networks
• Manage trustworthy networks and support business continuity planning, disaster recovery, and auditing

The most widely recognized standards are:

• In the United States: Trusted Computer System Evaluation Criteria (TCSEC).
• In Canada: Canadian Trusted Computer Product Evaluation Criteria (CTCPEC).
• In Europe: Information Technology Security Evaluation Criteria (ITSEC).

All of these standards have recently been aggregated into the Common Criteria standards. And yet, information systems continue to be penetrated internally and externally at a high rate by malicious code, attacks leading to loss of processing capability (such as distributed denial-of-service attacks), impersonation and session hijacking (such as man-in-the-middle attacks), sniffing, illegal data mining, spying, and others. The problem points to three areas: technology, law, and IT administration. Even prior to the drama of 9/11, several computer laws were enacted in the USA, and more may come in the future.

Still, the fundamental threats to information security, whether they originate outside the network or with the company's insiders, are based on fundamental vulnerabilities inherent in the most common communication protocols, operating systems, hardware, application systems, and operational procedures. Among all technologies, the Internet, which was originally created for communication in which trust was not a design characteristic, presents the greatest source of vulnerabilities for public information systems infrastructures. Here, a threat is a probable activity which, if realized, can cause damage to a system or a loss of confidentiality, integrity, or availability of data; correspondingly, a vulnerability is a weakness in a system that can be exploited by a threat. Although some of these attacks may ultimately lead to an organization's financial disaster, an all-out defense against these threats may not be economically feasible. Defense actions must be focused and measured to correspond to the risk assessment analysis provided by business and IT management. That puts IT management at the helm of the information security strategy in public organizations.

