Generic security cases for information system security in healthcare systems

He, Y. and Johnson, C. (2012) Generic security cases for information system security in healthcare systems. In: 7th IET International Conference on System Safety, Incorporating the Cyber Security Conference, Edinburgh, UK, 15-18 Oct 2012, pp. 1-6. (doi:10.1049/cp.2012.1507)

Full text not currently available from Enlighten.

Publisher's URL: http://dx.doi.org/10.1049/cp.2012.1507

Abstract

Numerous data breach incidents have been reported in recent years, and there is a continuing requirement to protect patient and clinician confidentiality. However, the diversity of security products, tools and techniques in the marketplace makes it very hard for management to ensure that they have implemented coherent countermeasures to meet their organisations' higher-level objectives. This paper focuses on the problems that arise in implementing and maintaining cyber-security policies in large, complex healthcare organisations. We address these problems through the use of graphical argumentation techniques. In particular, we show how the Goal Structuring Notation (GSN) can be extended from its applications in safety-critical systems. Security arguments presented with GSN can help managers reason about cyber-security policies and procedures by bringing together claims and the evidence that supports them in a structured and coherent way. A further objective of this paper is to show how GSN can be used to construct security arguments that are informed by the analysis of previous security incidents in healthcare organisations. In particular, we present two generic security cases that embody the recommendations from incidents involving the United States Veterans Affairs (VA) administration and Shenzhen Hospital in China. These case studies were deliberately chosen to show how lessons learned in one country might inform security management in other healthcare systems. We also show that security cases can be created at a level of abstraction that supports reuse while at the same time capturing detailed recommendations from security incidents.

Item Type: Conference Proceedings
Keywords: Generic Security Case, Healthcare System, Security Incidents, System Security
Status: Published
Refereed: Yes
Glasgow Author(s) Enlighten ID: He, Miss Ying and Johnson, Professor Chris
Authors: He, Y., and Johnson, C.
Subjects: Q Science > QA Mathematics > QA75 Electronic computers. Computer science
College/School: College of Science and Engineering > School of Computing Science
Copyright Holders: IEEE