Assessing staff attitudes towards information security in a European healthcare establishment.

Information security is now recognized as an important consideration in modern healthcare establishments (HCEs), with a variety of guidelines and standards currently available to enable the environments to be properly protected. However, financial and operational constraints often exist which influence the practicality of these recommendations. This paper establishes that the staff culture of the organization is of particular importance in determining the level and types of security that will be accepted. This culture will be based upon staff awareness of and attitudes towards security and it is, therefore, important to have a clear idea of what these attitudes are. To this end, two surveys have been conducted within a reference environment to establish the attitudes of general users and technical staff, allowing the results to be fed back to HCE management to enable security policy to be appropriately defined. These results indicated that, although the establishment had participated in a European healthcare security initiative, staff attitudes and awareness were still weak in some areas.

The SEISMED guidelines for host systems security.

The increasing use of and reliance upon information technology within modern healthcare establishments underlines a need for adequate security controls to protect the confidentiality, integrity and availability of systems and data. Whilst the consideration of security is now generally accepted as part of the design and implementation of new systems, many systems are already in operation in which these needs have not been adequately addressed. This paper presents a summary of the recommendations arising from the AIM SEISMED (Secure Environment for Information Systems in MEDicine) project relating to the addition and enhancement of security in existing healthcare systems. The paper is based upon material originally presented at the SEISMED Workshop "Security and Legal Aspects of Advanced Health Telematics", Brussels, 11 July 1994. The content has been revised in light of the workshop discussion and the further development of the guidelines since that time.

Development of security guidelines for existing healthcare systems.

As modern healthcare establishments become increasingly dependent upon information systems it is vital to ensure that adequate security is present to safeguard the confidentiality and integrity of data and the availability of systems. Whilst this is now generally recognized in the design of new systems, many existing operational systems have been implemented without security in mind. This paper describes the need for a standardized approach in the protection of existing healthcare systems within Europe and presents an overview of a new set of information security guidelines that have been developed specifically for the medical community. The guidelines discussed have been produced as a deliverable of the Commission of European Communities (CEC) SEISMED (Secure Environment for Information Systems in Medicine) project, under the Advanced Informatics in Medicine (AIM) programme.

Security management in the healthcare environment.

Modern health care establishments increasingly rely on information systems in all aspects of work; any compromise of their security may represent a significant threat to both the organization and the patient. This paper discusses the increasing need for standardized levels of protection in health care computing systems and networks, outlining steps that have been taken to achieve this within European establishments. The paper then considers specific technical concepts that may be applied to improve security in health care at both local and international levels.

A generic methodology for health care data security.

The aim is to outline the framework of a generic methodology for specifying countermeasures in health care environments. The method is specifically aimed at the enhancement of security in existing health care systems, and a key element is the use of predetermined 'profiles' by which these may be classified. Example scenarios are presented to illustrate how the concept could be applied in practice. The paper is based upon work that was initially carried out as part of the Commission of European Communities SEISMED (Secure Environment for Information Systems in MEDicine) project, the aim of which is to provide security recommendations for European health care establishments (HCEs).