Modeling Access Control in Healthcare Organizations

2013, pp. 835-856
Author(s): Efstratia Mourtou

Since Hospital Information Systems (HIS) are designed to support doctors and healthcare professionals in their daily activities, information security plays a vital role in managing access control. The efficiency and effectiveness of the information security policy is crucial, especially when dealing with situations that affect the status and life history of the patient. In addition, the rules and procedures that provide confidentiality of sensitive information have to focus on the management of events on any table of the HIS. On the other hand, control and statement constraints, as well as event and security auditing techniques, also play an important role, due to the heterogeneity of healthcare professionals’ roles, actions and physical locations, and to the specific characteristics and needs of healthcare organizations. This chapter will first explore issues in managing access control and security of healthcare information by reviewing the possible threats and vulnerabilities as well as the basic attributes of the hospital’s security plan. The authors will then present a hierarchical access model that, from a security policy perspective, addresses data ownership and access control issues. The authors conclude the chapter with a discussion of upcoming security issues.


Author(s): E. V. Batueva

The development of ICT and the formation of the global information space have changed the agenda of national and international security. Key characteristics of cyberspace such as openness, accessibility, anonymity, and the difficulty of identification have driven the rise of actors in cyberspace and increased the level of cyber threats. Based on an analysis of the U.S. agencies' approach, the author defines three major groups of threats: the use of ICT by states, by criminals and by terrorists. This concept is shared by the majority of the countries involved in the international dialogue on information security issues and is fundamental to cyber security policy at both the national and international levels. The United States is developing a complex strategy for cyberspace that includes maximizing ICT's advantages in all strategically important fields as well as improving the security of national information systems and networks. At the international level, the main task of American diplomacy is to guarantee U.S. information dominance. The United States is the only country that takes part in practically all international and regional fora dealing with cyber security issues. However, the development of a global cyber security regime will not be fast, due to countries' different approaches to key definitions, the lack of a shared understanding of cyber security issues, and the position of countries, the United States among them, that are not interested in any new obligatory international norms and principles. This American policy aims at preserving the possibility of using cyberspace capabilities to reach political and military goals, thus keeping global leadership.


Author(s): Sandeep Lakaraju, Dianxiang Xu, Yong Wang

Healthcare information systems deal with sensitive data across complex workflows. They often allow various stakeholders from different environments to access data across organizational boundaries. This elevates the risk of exposing sensitive healthcare information to unauthorized personnel, making ‘controlling access to resources' a major concern. To prevent unwanted access to sensitive information, healthcare organizations need to adopt effective workflows and access control mechanisms. Many healthcare organizations are not yet considering, or do not know how to accommodate, the ‘context' element as a crucial element in their workflows and access control policies. The authors envision a future of healthcare in which ‘context' is treated as a crucial element. Context can be accommodated in workflows through a new element, ‘environment', and in policies through the well-known attribute-based access control (ABAC) mechanism. This research addresses these problems by proposing a model that integrates workflows and access control policies, thereby identifying workflow activities that are not protected by access control policies and improving the workflow activities and/or the existing access control policies using SARE (Subject, Action, Resource, and Environment) elements.


2019, Vol 120 (1), pp. 231-247
Author(s): Alex Koohang, Jonathan Anderson, Jeretta Horn Nord, Joanna Paliszkiewicz

Purpose: The purpose of this paper is to build an awareness-centered information security policy (ISP) compliance model, asserting that awareness is the key to ISP compliance and that awareness depends upon several variables that influence successful ISP compliance.
Design/methodology/approach: The authors built a model with seven constructs, i.e., leadership, trusting beliefs, information security issues awareness (ISIA), ISP awareness, understanding resource vulnerability, self-efficacy (SE) and intention to comply. Seven hypotheses were stated. A sample of 285 non-management employees was used from various organizations in the USA. The authors used path modeling to analyze the data.
Findings: The findings indicated that IS awareness depends on effective organizational leadership and elevated employees’ trusting beliefs. The understanding of resource vulnerability (URV) and SE are influenced by IS awareness resulting from effective leadership and elevated employees’ trusting beliefs, which guide employees to comply with ISP requirements.
Practical implications: Practical implications were aimed at organizations embracing an awareness-centered information security compliance program to secure organizations’ assets against threats by implementing various security education and training awareness programs.
Originality/value: This paper asserts that awareness is central to ISP compliance. The leadership and trusting beliefs variables play significant roles in information security awareness, which in turn positively affects employees’ URV and SE variables, leading employees to comply with the ISP requirements.


2013, Vol 2013, pp. 1-11
Author(s): Mei-Yu Wu, Ming-Hsien Yu

Information technology has an enormous influence on many enterprises. Computers have not only become important devices that people rely on in their daily lives and work, but have also become essential tools for enterprises. More and more enterprises have shifted their focus to preventing outside forces from invading their networks and stealing from them. However, many enterprises have disregarded the significance of internal leakage, which also plays a vital role in information management. This research proposes an information security management approach based on context-aware role-based access control (RBAC) and communication monitoring technology, in order to achieve enterprise information security management. In this work, it is suggested that an enterprise may, first, use an organizational chart to list job roles and their corresponding permissions. RBAC is a model that focuses on different work tasks and duties. Subsequently, the enterprise may define a security policy to enforce the context-aware RBAC model. Finally, the enterprise may use communication monitoring technology to implement information security management. The main contribution of this work is its potential both to reduce information security incidents, such as internal information leakage, and to allow effective cost control of information systems.


2018, Vol 14 (10), pp. 155014771880848
Author(s): Yongzhi Chen, Xiaojun Wen, Zhiwei Sun, Zoe L Jiang, Junbin Fang

At present, wearable devices are in the ascendant in the field of personal smart communication terminals across the globe, but their information security issues deserve attention. We hereby propose a secure transmission solution that addresses the special requirements of wearable devices in information security. It is based on the principle of quantum secure communication and works well to protect sensitive information on wearable devices. The solution utilizes the coherence properties of quantum entanglement and uses quantum information security techniques such as quantum key distribution and non-orthogonal base measurement to realize secure transmission of sensitive information on wearable devices. Unlike traditional encryption methods based on the complexity of the mathematical algorithm, the solution has unconditional security.


2020, Vol 28 (3), pp. 467-483
Author(s): Moufida Sadok, Steven Alter, Peter Bednar

Purpose: This paper aims to present empirical results exemplifying challenges related to information security faced by small and medium enterprises (SMEs). It uses guidelines based on work system theory (WST) to frame the results, thereby illustrating why the mere existence of corporate security policies or general security training is often insufficient for establishing and maintaining information security.
Design/methodology/approach: This research was designed to produce a better appreciation and understanding of potential issues or gaps in security practices in SMEs. The research team interviewed 187 employees of 39 SMEs in the UK. All of those employees had access to sensitive information. Gathering information through interviews (instead of formal security documentation) made it possible to assess security practices from the employees’ point of view.
Findings: Corporate policies that highlight information security are often disconnected from actual work practices and routines and often do not receive high priority in everyday work practices. A vast majority of the interviewed employees are not involved in risk assessment or in the development of security practices. Security practices remain an illusory activity in their real-world contexts.
Research limitations/implications: This paper focuses only on closed-ended questions related to the following topics: awareness of existing security policy; information security practices and management; and information security involvement.
Practical implications: The empirical findings show that corporate information security policies in SMEs are often insufficient for maintaining security unless those policies are integrated with visible and recognized work practices in work systems that use or produce sensitive information. The interpretation based on WST provides guidelines for enhancing information system security.
Originality/value: Beyond merely reporting empirical results, this research uses WST to interpret the results in a way that has direct implications for practitioners and for researchers.


2020, Vol 1 (3), pp. 98-105
Author(s): Vahid Kaviani J, Parvin Ahmadi Doval Amiri, Farsad Zamani Brujeni, Nima Akhlaghi

This paper is a review of types of data modification attacks on computer systems, and it explores the vulnerabilities and mitigations. Altering information is a kind of cyber-attack in which intruders intercept, capture, alter, take or erase critical data on PCs and applications, either through a network exploit or by running malicious executable code on the victim's system. One of the most difficult and topical areas in information security is protecting sensitive information and securing devices from any kind of threat. The latest advances in information technology in the field of information security reveal the huge budgets funded for and spent on developing and addressing security threats in order to mitigate them. This helps in a variety of settings such as military, business, science, and entertainment. Considering all concerns, security issues almost always come first as the most critical concerns of the modern age. As a matter of fact, there is no ultimate security solution; although recent developments in security analysis find new vulnerabilities daily, there are many motivations to spend billions of dollars to ensure there are vulnerabilities waiting for any kind of breach or exploit to penetrate systems and networks and achieve particular interests. In terms of modifying data and information, from old-fashioned attacks to recent cyber ones, all of the attacks share the same signature: either controlling data streams to breach system protections, or using non-control-data attack approaches. Both methods can damage, to a large extent, applications that work on decision-making data, user input data, configuration data, or user identity data. In this review paper, we have tried to express the trends of vulnerabilities in applications of network protocols.


2010, Vol 10 (1), pp. 51-54
Author(s): Jennifer Smith

Abstract: This article by former law librarian Jennifer Smith highlights access and security issues to consider when handling sensitive information. Jennifer is a Director of the Information Management and IT consultancy OneIS, which specialises in working with smaller organisations with complex information management requirements. The article provides practical advice and is particularly aimed at readers working in organisations without dedicated information security professionals.


Author(s): Alejandro Maté, Jesús Peral, Juan Trujillo, Carlos Blanco, Diego García-Saiz, ...

Abstract: NoSQL technologies have become a common component in many information systems and software applications. These technologies are focused on performance, enabling scalable processing of large volumes of structured and unstructured data. Unfortunately, most developments over NoSQL technologies consider security as an afterthought, putting the personal data of individuals at risk and potentially causing severe economic losses as well as reputational crises. In order to avoid these situations, companies require an approach that introduces security mechanisms into their systems without scrapping already in-place solutions and restarting the design process from scratch. Therefore, in this paper we propose the first modernization approach for introducing security into NoSQL databases, focusing on access control and thereby improving the security of their associated information systems and applications. Our approach analyzes the organization's existing NoSQL solution, using a domain ontology to detect sensitive information and creating a conceptual model of the database. Together with this model, a series of security issues related to access control is listed, allowing database designers to identify the security mechanisms that must be incorporated into their existing solution. For each security issue, our approach automatically generates a proposed solution, consisting of a combination of privilege modifications, new roles and views to improve access control. In order to test our approach, we apply our process to a medical database implemented using the popular document-oriented NoSQL database MongoDB.
The great advantages of our approach are that: (1) it takes into account the context of the system thanks to the introduction of domain ontologies, (2) it helps to avoid missing critical access control issues since the analysis is performed automatically, (3) it reduces the effort and costs of the modernization process thanks to the automated steps in the process, (4) it can be used successfully with different NoSQL document-based technologies by adjusting the metamodel, and (5) it is aligned with known standards, hence allowing the application of guidelines and best practices.

