A security study in Portuguese Public Hospitals - GDPR perspective (Preprint)

2020 ◽  
Author(s):  
Cátia Santos-Pereira

BACKGROUND GDPR was scheduled to be formally adopted in 2016, with EU member states being given two years to implement it (May 2018). Given the sensitive nature of the personal data that healthcare organizations process on a 24/7 basis, it is critical that the protection of that data in a hospital environment is given the high priority that data protection legislation (GDPR) requires. OBJECTIVE This study addresses the state of Portuguese public hospitals regarding GDPR compliance during the GDPR preparation period (2016-2018) before enforcement on 25 May 2018, and what activities have started since then. The study focuses on three GDPR articles, namely 5, 25 and 32, concerning authentication security, identity management processes and audit trail themes. METHODS The study was conducted between 2017 and 2019 in five Portuguese public hospitals (each different in complexity). In each hospital, six categories of information systems critical to health institutions were included in the study, trying to cover the main health information systems available and common to hospitals (ADT, EPR, PMS, RIS, LIS and DSS). Interviews were conducted in two phases (before and after GDPR enforcement) with the objective of identifying the maturity of each hospital's information systems regarding authentication security, identity management processes and traceability, and the efforts in progress to avoid security issues. RESULTS A total of 5 hospitals were included in this study, and the results highlight the hospitals' privacy maturity: in general, the hospitals studied were very far from complying with the security measures selected (before May 2018). Session account lock and password history policy were the poorest issues; on the other hand, storing encrypted passwords was the best issue.
With the enforcement of GDPR, these hospitals started a set of initiatives to fill this gap, specifically as a means of making the whole process as transparent and trustworthy as possible and of avoiding the huge fines. CONCLUSIONS We are still very far from having GDPR-compliant systems, although institutional efforts are being made. The first step to align an organization with GDPR should be an initial audit of all systems. This work contributes to the initial security audit of the hospitals that belong to this study.

Author(s):  
Michael Warah Nsoh ◽  
Kathleen Hargiss ◽  
Caroline Howard

The article describes research conducted to assess and address some key security issues surrounding the use of information technology from an employee behavioral standpoint. The aim of the study was to determine additional security measures to reduce security incidents and maximize effective use of information systems. The research is an extension of several recent empirical studies in information systems security policy behavioral compliance, which have generally found people to be a weak link in information security. A mix of theoretical frameworks resulted in a model based on the Theory of Planned Behavior (TPB), which was used to test the impact that the management-employee relationship has on deterrence. Results indicate that management has a significant stake in influencing the behavior of their employees, and that the issue of employee disgruntlement is nevertheless not paramount among top management's information systems security challenges.


Author(s):  
Alejandro Maté ◽  
Jesús Peral ◽  
Juan Trujillo ◽  
Carlos Blanco ◽  
Diego García-Saiz ◽  
...  

Abstract NoSQL technologies have become a common component in many information systems and software applications. These technologies are focused on performance, enabling scalable processing of large volumes of structured and unstructured data. Unfortunately, most developments over NoSQL technologies consider security as an afterthought, putting at risk the personal data of individuals and potentially causing severe economic losses as well as reputation crises. In order to avoid these situations, companies require an approach that introduces security mechanisms into their systems without scrapping already in-place solutions to restart the design process all over again. Therefore, in this paper we propose the first modernization approach for introducing security in NoSQL databases, focusing on access control and thereby improving the security of their associated information systems and applications. Our approach analyzes the organization's existing NoSQL solution, using a domain ontology to detect sensitive information and creating a conceptual model of the database. Together with this model, a series of security issues related to access control are listed, allowing database designers to identify the security mechanisms that must be incorporated into their existing solution. For each security issue, our approach automatically generates a proposed solution, consisting of a combination of privilege modifications, new roles and views to improve access control. In order to test our approach, we apply our process to a medical database implemented using the popular document-oriented NoSQL database, MongoDB.
The great advantages of our approach are that: (1) it takes into account the context of the system thanks to the introduction of domain ontologies, (2) it helps to avoid missing critical access control issues since the analysis is performed automatically, (3) it reduces the effort and costs of the modernization process thanks to the automated steps in the process, (4) it can be used successfully with different NoSQL document-based technologies by adjusting the metamodel, and (5) it is aligned with known standards, hence allowing the application of guidelines and best practices.


2021 ◽  
Author(s):  
PATHAKAMURI SRINIVAS ◽  
B.V. Ramana Reddy ◽  
A.P. Siva Kumar

Abstract The study of PaaS platform security enhancement has occupied scholars from a number of disciplines; previous works face many security issues, and security problems can be a big barrier to cloud computing. System servers require trustworthy security measures for different data domains according to the servers' own operating mechanism. The problem is constructed by filtering out those cloud providers not conforming to high-level security requirements, by including low-level security requirements to be used for filtering the cloud provider space and formulating the optimisation function. To overcome the above drawbacks, our proposed work mainly focuses on the security of Platform-as-a-Service (PaaS) as well as the most critical security issues that have been documented regarding PaaS infrastructure. This work has two main aspects: first, suitable access control on user personal data, VMs and platform services, and second, planning and adapting application deployments based on security requirements. In the fuzzy-based access control, access to information sources is mainly realised by exploiting the CDO security feature. The security feature code was modified to map the class and packet filter for any specific permission to our own class. If the Identity Provider (IdP) has included public security information on the two main parts of the small token on which the trust-based signature elements are placed, i.e., the whole token or the assertions included, this public key is used to validate the respective signature. The experimental results show that our proposed method outperforms the traditional methods. Our proposed methodology was implemented in Java.


2020 ◽  
pp. 34-37
Author(s):  
Viktor Mikhailovich Bisiukov

The urgency of the issue treated in this paper is determined by the fact that the federal law requires personal data operators to guarantee the safety of processed personal data by developing security systems based on a number of organizational and technical security measures, as well as their evaluation. When choosing the organisational and technical security measures, the problem of having to consider a large number of normative and procedural documents which regulate this process arises. The aim of this study is to develop the procedural guidelines for choosing and assessing the effectiveness of suggested organizational and technical security measures for data protection in personal data information systems.


2021 ◽  
Vol 29 (4) ◽  
Author(s):  
Matteo Repetto ◽  
Domenico Striccoli ◽  
Giuseppe Piro ◽  
Alessandro Carrega ◽  
Gennaro Boggia ◽  
...  

Abstract Today, the digital economy is pushing new business models, based on the creation of value chains for data processing, through the interconnection of processes, products, services, software, and things across different domains and organizations. Despite the growing availability of communication infrastructures, computing paradigms, and software architectures that already effectively support the implementation of distributed multi-domain value chains, a comprehensive architecture is still missing that effectively fulfills all related security issues: mutual trustworthiness of entities in partially unknown topologies, identification and mitigation of advanced multi-vector threats, identity management and access control, and management and propagation of sensitive data. In order to fill this gap, this work proposes a new methodological approach to design and implement heterogeneous security services for distributed systems that combine digital resources and components from multiple domains. The framework is designed to support both existing and new security services, and focuses on three novel aspects: (i) full automation of the processes that manage the whole system, i.e., threat detection, collection of information and reaction to attacks and system anomalies; (ii) dynamic adaptation of operations and security tasks to the newest attack patterns; and (iii) real-time adjustment of the level of detail of inspection and monitoring processes. The overall architecture as well as the functions and relationships of its logical components are described in detail, also presenting a concrete use case as an example of application of the proposed framework.


Electronics ◽  
2021 ◽  
Vol 10 (15) ◽  
pp. 1819
Author(s):  
Rasa Bruzgiene ◽  
Konstantinas Jurgilas

Information systems of critical infrastructure provide services on which the core functions of a state and its economy depend, as well as the welfare of society. Such systems are becoming an increasingly common target for crimes and attacks in cyberspace, as their vulnerabilities can be exploited for malicious activities seeking financial or political gain. One of the main factors threatening the security of these systems is the weak control of remote access, otherwise defined as management of a system's user identity. Management of user identity depends on user authentication, authorization and the assignment of certain rights in the digital space. This paper proposes a two-factor (2FA) digital authentication method for remote access to an information system of a critical infrastructure. Results of testing the method's usability and resilience to cyber threats have shown that the system in which the method was implemented is protected from dangerous HTTP requests, and that the system's publicly available endpoints are protected from threatening inputs that could cause malicious activities on the critical infrastructure. Additionally, the implementation of the authentication API application ensures a response time of less than 500 ms for 100 users working in parallel with the system at the same time.


Author(s):  
Dmitry Dvoretsky ◽  
Natalia Kolesnikova ◽  
Oksana Makarkina ◽  
Kira Lagvilava

The mass introduction of information technologies into the activities of state structures has made it possible to raise the efficiency of their functioning to a qualitatively new level. Unfortunately, as a means of action, they have characteristic vulnerabilities and can be used not only for good, but also for harm. For the state, as a guarantor of the stability of a civilized society, the issue of ensuring the security of information processing is particularly important. Despite the automation of many information processes, the most vulnerable link in the work of information systems remains a person. A person acts as an operator of information systems and a consumer of information. The entire service process depends on the competence of the operator and the quality of his perception. There are areas of government activity where the cost of error is particularly high. These include ensuring the life and health of citizens, protecting public order and the state system, and ensuring territorial integrity. The specifics of these spheres must be taken into account when ensuring the security of information. This study concerns official activities that are carried out by paramilitary groups. Currently, there is a discrepancy in the level of competence of new personnel in the first months of service. The author traces the shortcomings of general and special professional qualities in the field of information security. The purpose of the study is to substantiate certain pedagogical means of forming cadets' readiness to ensure information security. As forms of theoretical knowledge, we will use the traditional hypothesis and model, as well as functionally distinguishable judgments: problem, assumption, idea and principle. Empirical forms of knowledge will be observation (experimental method) and fixation of facts.
To evaluate the effectiveness of the developed pedagogical tools, we use statistical methods: observation (documented and interrogated) and calculation of generalizing indicators. To formulate conclusions, we will use logical methods: building conclusions and argumentation. The approbation of certain pedagogical tools described in this article showed a significant positive trend in terms of competence in information security issues.


2021 ◽  
Author(s):  
Madeline Pringle

Organizational change is inevitable and its impacts will affect all members, albeit to different degrees. These changes also bring about uncertainty, especially as it pertains to one's organization-based identities. However, when studying change and identity, organizational communication scholars have often missed studying the interplay of one's many organization-based identities and how these are made sense of and managed amidst major organizational change. This thesis employs a phronetic-iterative methodology to analyze 16 semi-structured interviews with U.S. graduate students to understand how they have made sense of and managed their organization-based (i.e., graduate student, teaching assistant/instructor, department, university) identities after the COVID-19-induced transition to fully online education in Spring 2020. Analysis of this data suggested that participants used two types of ideal-self discursive resources to make sense of and manage these identities, while also experiencing their sensemaking and identity management processes in two distinct stages. Additionally, participants revealed the importance of organizational places as it pertained to making sense of this change and its impacts. With these findings, this thesis extends theoretical work surrounding sensemaking, identity, and place, especially as it pertains to organizational change, and provides practical recommendations for organizational leaders in academia to assist some of their highly impacted and identity-precarious populations: graduate students.

