eHealth Beyond the Horizon – Get IT There                                                             765
S.K. Andersen et al. (Eds.)
IOS Press, 2008
© 2008 Organizing Committee of MIE 2008. All rights reserved.




The Adoption of IT Security Standards in a Healthcare Environment

Rui GOMES a,c and Luís Velez LAPÃO b,c,1

a Hospital S. Sebastião – Sta. Maria da Feira, Portugal
b Healthcare Systems Group, Instituto Nacional de Administração, Portugal
c CINTESIS-Faculdade de Medicina, Universidade do Porto, Portugal


Abstract. Security is a vital part of daily life for hospitals, which need to ensure that their information is adequately secured. In Portugal, more CIOs are seeking assurance that their hospital IS departments are properly protecting information assets from security threats. It is imperative to take the necessary measures to ensure risk management and business continuity. Security management certification provides just such a guarantee, increasing patient and partner confidence. This paper introduces one best practice for implementing four security controls in a hospital datacenter infrastructure (ISO27002), and describes the security assessment for implementing such controls.

Keywords: ISO 27002, Security standards, CIO, Healthcare Information Management.



Introduction

Healthcare services aim at serving people well. In this regard, the need for IS standards is recurrent, since every year thousands of people die as the result of clinical errors caused by fatigue or inaccuracy that could have been prevented with proper technology [1]. Most of the problems have to do with a lack of coordination between systems due to the use of different standards [2]. Anybody waiting for the standards bodies before implementing an IS will be waiting a long time, but information security must stay manageable and able to prevent threats and reduce vulnerabilities and risks. Hospital S. Sebastião (HSS) is aware of the significance of information security issues and the relevance of standards and frameworks such as the Committee Of Sponsoring Organizations of the Treadway Commission (COSO) [3] for financial process control, COBIT [4] for information technology (IT) control, the “Health Insurance Portability and Accountability Act” (HIPAA) [5] for insurance protection and the promotion of communications standards, and ISO 27002 [6] to manage information security. Our approach here will focus on healthcare IT security issues. COSO is a group of standards that covers the functions of different financial and auditing institutions, while COBIT, Control Objectives for Information and related Technology, is a good framework for assessing, managing and reducing IT risks. We aim at applying the ISO27002 standards to HSS, taking advantage of its comprehensiveness in implementation details. One must recognise that each framework has its own weaknesses and strengths; e.g. ISO27002 has a complete level of security, but does not contain product-oriented measures, such as those used in COBIT [4].

1 Corresponding Author: Prof. Luís Velez Lapão, Healthcare Systems Group, Instituto Nacional de Administração, Palácio dos Marqueses do Pombal, 2784-540 Oeiras, Portugal, email: luis.lapao@ina.pt.


1. The IT Security Standards in the Healthcare Environment

The use of standards can be viewed from legal and IT architecture perspectives [7]. From the legal perspective, there is a range of standards that recommend either general or specific scenarios in healthcare. In the USA, HIPAA is a legal requisite and a comprehensive health information protection policy, which promotes the development of electronic healthcare transactions and specifically addresses the issues of privacy and security for health-related information [5]. The security element specifically recognises the innate problems of using electronic forms of record keeping and the changing nature of the technology on which such records are recorded, used and stored. HIPAA has suffered many delays, but it has had a clear impact on the feasibility of services [8]. From the IT standards perspective, we refer to ISO27002 (formerly British Standards Institution (BSI) 7799-1:1999) to assist in the development of security plans. It is a “Code of Practice” aimed at high-level security management, revised in 2005 to cover current technology and business practices. ISO 27002 is intended as a common basis and practical guideline for developing organizational security standards and effective security management practices, based on 11 main sections. As a code of practice it cannot be used for certification, so another standard, ISO 27001 (information security management system requirements), has been developed, which is certifiable [9]. This standard specifies the requirements for security implementation and is customizable for individual organizations. ISO standards are only a starting point, as they do not contain detailed information on how security measures should be implemented or maintained. Other standards exist for specific purposes of health information, particularly for use in e-health information exchange, like HL7 [10], developed as a standard for clinical information exchange and based predominantly on the HIPAA guiding principles. In addition, the CEN (European Committee for Standardization) is putting significant effort into the development of healthcare information systems security in Europe. However, this has resulted in an assorted range of standards being developed for specific instances of technology use. Many standards do not include sufficient security-related provisions and, given the complex nature of standards, this has resulted in a large number of providers selling security management solutions for interpreting the standards and supporting their implementation.


2. The Process of Adoption of IT Security Standards: The role of the CIO

It is now accepted that healthcare is one of the most complex businesses, with a large diversity of types of interactions [11, 12]. The possibility of using IS to support service delivery also opens new opportunities. Smith [13] and others [14] have proposed that only Information Systems (IS) could bridge the information “chasm”. Interoperability of healthcare systems can play a critical role in this process. The Institute of Medicine reports [14, 15] identified weaknesses in the design and safety of healthcare IS, whereas the use of interoperability rules can provide additional pressure towards the proper use of technology in that regard [16]. Both technical and semantic interoperability require a wide organizational agreement on standards. Both represent huge tasks to be accomplished and require people in the organization to deal with them. Specialized groups such as IHE are pushing the debate and developing interoperability profiles to tighten areas of ambiguity en route to stronger interoperability. The HL7 Electronic Health Record (EHR) group has produced many reports and other materials to guide technology managers towards interoperability. But before going into these sophisticated processes there are many other basic areas that need to be properly covered, security issues being one of them. The human and organizational side of interoperability has been mostly forgotten [17, 18]. For a long time healthcare process engineering was also not taken very seriously [19]. In order to take advantage of an IS, leadership is necessary to promote the alignment of the business with the IS. In this complex environment the role of the Chief Information Officer (CIO) is critical to ensure a good focus on organizational specificities. It was recognized that the best performing HIS departments were associated with department heads that matched CIO attributes [12], such as openness to suggestions and an excellent relationship with other healthcare professionals; leadership skills, which help them to address challenges; meaningful negotiation skills, used in their relationships with vendors; openness to bolder projects with new technologies; etc. Healthcare CIOs are a kind of “special people” who push the organization further through an innovative use of technology [18, 20]. They know that pushing for interoperability will allow the organization to be more productive and less inefficient. Interoperability in an organization can also mean data access safety and security.


3. The Hospital S. Sebastião Information Security Case

HSS is part of the National Health Service, providing tertiary health care services to all citizens of its geographical area. Built in 1999, it covers an area with 367 000 inhabitants. HSS was chosen to become involved in an innovative management framework, supported by the Ministry of Health, to provide evidence of the efficiency gains of the new framework.

3.1 HSS Information System Architecture

The hospital today owns a unified IS platform that aims to serve not only administrative and management purposes but mainly patients’ needs, helping professionals do their job correctly. This middle management application provides approximately 320 physicians and 510 nurses with an integrated view of all clinical information related to the patients, from exams to surgery reports. Since 1999, those physicians have created and stored medical records through the hospital’s datacenter storage bank. The IS architecture is shown below (Figure 1), where all the solutions contribute to growing the datacenter databases under a consolidation and concentration philosophy.

[Figure 1 image not reproduced] Figure 1. HSS Information System Architecture Overview.

The architecture definition was a long working process. The hospital board has recognized that a huge effort was carried out to minimise the risks concerning information management, data privacy and protection. This level of maturity was achieved in 2003, though these good principles are still not enough. These first successes encouraged the CIO, the IT personnel and top managers to focus more on improving information security management.

3.2 CIO Role in the HSS IT Security Approach

The CIO created a team to address IT security at the HSS. After a review of the relevant literature and practices, ISO27002 was selected rather than COBIT. COBIT’s entirety would make implementation onerous and, compared with ISO27002, it is easy to see that it focuses more on the efficiency and effectiveness of the IT environment than on information security linked to business issues. It was recognized that ISO27002 represents a good mix of international acceptance and full comprehensiveness, and that it is dedicated almost exclusively to information security practices built around policy and process management. However, in the future it could be necessary to implement some COBIT measures to accomplish ISO27002 good practices. The application servers and databases are all concentrated within a controlled physical environment, and as far as securing and managing information is concerned, the prerequisites surrounding ISO27002 were recognized as an excellent point of reference from which to start managing information security. Some of the controls of this standard have been implemented over the hospital datacenter infrastructure area, and the focus has been on IT and security policies as a best practice for information security management in daily operating procedures. ISO27002 provides best practice recommendations on information security management for use by those who are responsible for initiating, implementing or maintaining information security management systems. Its 11 main sections cover the physical and logical preservation of the confidentiality, integrity and availability properties. Drawing an analogy with the ISO quality standards and their way of managing and improving the hospital made the ISO27002 implementation process as easy as possible. Analogously to a quality manager, the information security manager observes the situation, gives regular assessments and then recommendations for improvement; afterwards, business managers decide which issues investments should be put into, as well as their priority. All 11 ISO27002 control chapters have subset elements. To provide performance measurement, HSS rated the 39 main security categories, based on the ISO27002 structure, according to a simple risk-level scale H-M-L (High, Medium/Moderate, Low/Tolerable). Table 1 concisely shows the risk levels for each control area, helping the CIO to rapidly overview the whole picture of information security and to identify priority actions.

Table 1. Risk Levels in the ISO 27002 (number of control objectives per risk level: H = High, M = Medium/Moderate, L = Low/Tolerable)

#    ISO 27002 Section                                                 H    M    L
1    Security Policy                                                   0    1    0
2    Organizing Information Security                                   0    1    1
3    Asset Management                                                  2    0    0
4    Human Resources Security                                          0    1    2
5    Physical and Environmental Security                               1    1    0
6    Communications & Operations Management                            8    2    0
7    Access Control                                                    5    2    0
8    Information Systems Acquisition, Development and Maintenance      0    4    2
9    Information Security Incident Management                          0    2    0
10   Business Continuity Management                                    0    0    1
11   Compliance                                                        0    1    2


The application of this framework has been quite successful at HSS. For instance, sections 3, 5, 6 and 7 were well accomplished in the datacenter infrastructure, whereas the security assessment sections were based on the most relevant high-risk control objectives.

3.3 IT Security Project Issues

The CEO and CIO have taken on the project and the relevance of a security audit and its implications: for instance, the obligation to upgrade the datacenter, both physically and logically, and to change the daily modus operandi. The hospital board decided to hire an auditor (appointed by SINFIC, a BSI certified partner). The auditor applied a Gap Analysis with five major steps:

1. Project planning, to ensure that expectations, timelines and deliverables are appropriately managed.
2. Information gathering, in which many players were interviewed to determine the business environment and the current security management and system administration processes, through in-depth discussions with key players in the organization.
3. Review and analysis, in which security policies, procedures and practices were addressed to evaluate the existing ones and compare them with the ISO27002 international security standard and industry best practices.
4. The review and analysis results help to write a concise, detailed technical and ISO27002 Security Assessment Executive Summary Report.
5. External and internal vulnerability scanning, to discover all devices and applications across the datacenter and to identify and eliminate the security threats that make attacks on the datacenter infrastructure possible.


4. Conclusions

From the case presented one should conclude that codes of practice or standards are essential to ensure the delivery of benefits to patients and healthcare providers in information interoperability. This is only part of a bigger effort to implement a comprehensive strategy that allows consistency of information collection and sharing within the healthcare sector. This effort will establish a secure infrastructure between organizations over which to share patient information securely. A comprehensive set of standards is required that defines practical guidelines for the healthcare community, for which ISO27002 is a good benchmark. Its area of application is a set of diverse and heterogeneous organizations, such as public hospitals, private hospitals, specialists and general practitioners. This means that specific targeted standards should be developed or established for the protection of sensitive information, and not left to individual interested parties to build up. It also means that we are facing a rather new field yet to be proven, implying that the CIO responsible for the implementation of an IS security framework will have to deal with its many variables and barriers. The CIO’s role and understanding of the organization’s environment is key to delivering the real interoperability potential to the organization, for the patients’ benefit.

References
[1] Thompson T. US Former Secretary of Health and Human Services, Keynote Speech at the 2007 CDHC Expo, Business Wire, Nov. 13, 2006.
[2] Bell K. “HIT and Pay for Performance”. Acting Deputy, US Office of the National Coordinator for Health Information Technology, Keynote Speech at the HIT Symposium at MIT, July 17, 2006.
[3] COSO. Committee Of Sponsoring Organizations of the Treadway Commission, controls for financial processes.
[4] COBIT. Control Objectives for Information and related Technology, control focused on IT.
[5] HIPAA. Health Insurance Portability and Accountability Act, for insurance protection and the promotion of communications standards in healthcare, HHS Report 1997.
[6] ISO/IEC 27002:2005 Information technology - Security techniques - Code of practice for information security management, International Standards Organization, 2005.
[7] Williams PAH. The Role of Standards in Medical Information Security: An Opportunity for Improvement. School of Computer and Information Science, Edith Cowan University, Joondalup, Western Australia.
[8] HHS (2007), Health Information Privacy Act (HIPAA). http://www.hhs.gov/ocr/ (accessed on 21 October 2007).
[9] ISO/IEC 27001:2005 Information technology - Security techniques - Information security management systems - Requirements, International Standards Organization, ISO/IEC 2005.
[10] Health Level 7 - ANSI - application layer 7 in the OSI model, accredited standards for electronically defining clinical and administrative data in the healthcare industry: www.hl7.org, accessed on 3 November 2007.
[11] Plsek P and Wilson T. Complexity Sciences: Complexity, leadership, and management in healthcare organisations. BMJ 2001; 323: 746-9.
[12] Lapão LV. Survey on the Status of the Hospital Information Systems in Portugal. Methods of Information in Medicine, 2007; 46(4): 493-499.
[13] Smith R. The future of health care systems. BMJ 1997; 314: 1495 (24 May).
[14] IOM Report, Crossing the Quality Chasm: A New Health System for the 21st Century, Institute of Medicine, 2001.
[15] IOM Report, To Err is Human. Institute of Medicine, 1999.
[16] Lenz R and Kuhn KA. Integration of Heterogeneous and Autonomous Systems in Hospitals, Data Management & Storage Technology 2002.
[17] Lorenzi N and Riley R. Organizational Aspects of Health Informatics, Springer-Verlag, 1995.
[18] Ash JS, Stavri PZ, Kuperman GJ. A Consensus Statement on Considerations for a Successful CPOE Implementation. J Am Med Inform Assoc. 2003 May-Jun; 10(3): 229-34.
[19] Mango PD, Shapiro LA. Hospitals get serious about operations, The McKinsey Quarterly 2001 No. 2.
[20] Broadbent M, Kitzis E. The New CIO Leader: Setting the Agenda and Delivering Results. Harvard Business School Press (December 2004).

Him500 Milestone 3Precious Teasley Southern New
SusanaFurman449
 
Confidentiality
ConfidentialityConfidentiality
ConfidentialityKym Canty
 
Overview of HIMSS AsiaPac 2014
Overview of HIMSS AsiaPac 2014Overview of HIMSS AsiaPac 2014
Overview of HIMSS AsiaPac 2014Chandra Murugan
 
Healthcare Communication Technologies: A Short Note on Opportunities and Chal...
Healthcare Communication Technologies: A Short Note on Opportunities and Chal...Healthcare Communication Technologies: A Short Note on Opportunities and Chal...
Healthcare Communication Technologies: A Short Note on Opportunities and Chal...
IRJET Journal
 
IRJET- A Core Medical Treatment System forEmergency Management using Cloud
IRJET- A Core Medical Treatment System forEmergency Management using CloudIRJET- A Core Medical Treatment System forEmergency Management using Cloud
IRJET- A Core Medical Treatment System forEmergency Management using Cloud
IRJET Journal
 
Healthcare Data Breaches: Biometric Technology to the Rescue
Healthcare Data Breaches: Biometric Technology to the RescueHealthcare Data Breaches: Biometric Technology to the Rescue
Healthcare Data Breaches: Biometric Technology to the Rescue
IRJET Journal
 
Healthcare Security by Senior Security Consultant Lennart Bredberg
Healthcare Security by Senior Security Consultant Lennart BredbergHealthcare Security by Senior Security Consultant Lennart Bredberg
Healthcare Security by Senior Security Consultant Lennart Bredberg
Lennart Bredberg
 
Top 5 Challenges of Health Informatics Implementation | The Lifesciences Maga...
Top 5 Challenges of Health Informatics Implementation | The Lifesciences Maga...Top 5 Challenges of Health Informatics Implementation | The Lifesciences Maga...
Top 5 Challenges of Health Informatics Implementation | The Lifesciences Maga...
The Lifesciences Magazine
 

Similar to The adoption of it security standards in a healthcare environment (20)

Health Information Technology Implementation Challenges and Responsive Soluti...
Health Information Technology Implementation Challenges and Responsive Soluti...Health Information Technology Implementation Challenges and Responsive Soluti...
Health Information Technology Implementation Challenges and Responsive Soluti...
 
2019 14th Iberian Conference on Information Systems and Tech.docx
2019 14th Iberian Conference on Information Systems and Tech.docx2019 14th Iberian Conference on Information Systems and Tech.docx
2019 14th Iberian Conference on Information Systems and Tech.docx
 
2019 14th Iberian Conference on Information Systems and Tech.docx
2019 14th Iberian Conference on Information Systems and Tech.docx2019 14th Iberian Conference on Information Systems and Tech.docx
2019 14th Iberian Conference on Information Systems and Tech.docx
 
Electronic Healthcare Record Security and Management in Healthcare Organizations
Electronic Healthcare Record Security and Management in Healthcare OrganizationsElectronic Healthcare Record Security and Management in Healthcare Organizations
Electronic Healthcare Record Security and Management in Healthcare Organizations
 
2014 IEEE JAVA CLOUD COMPUTING PROJECT A review on the state of-the-art priva...
2014 IEEE JAVA CLOUD COMPUTING PROJECT A review on the state of-the-art priva...2014 IEEE JAVA CLOUD COMPUTING PROJECT A review on the state of-the-art priva...
2014 IEEE JAVA CLOUD COMPUTING PROJECT A review on the state of-the-art priva...
 
IRJET- Comprehensive Study of E-Health Security in Cloud Computing
IRJET- Comprehensive Study of E-Health Security in Cloud ComputingIRJET- Comprehensive Study of E-Health Security in Cloud Computing
IRJET- Comprehensive Study of E-Health Security in Cloud Computing
 
Securing the e health cloud
Securing the e health cloudSecuring the e health cloud
Securing the e health cloud
 
Security Best Practices for Health Information Exchange
Security Best Practices for Health Information ExchangeSecurity Best Practices for Health Information Exchange
Security Best Practices for Health Information Exchange
 
Clinical information system-final copy
Clinical information system-final copyClinical information system-final copy
Clinical information system-final copy
 
Clinical information system-final copy
Clinical information system-final copyClinical information system-final copy
Clinical information system-final copy
 
HEALTHCARE IT: IS YOUR INFORMATION AT RISK?
HEALTHCARE IT: IS YOUR INFORMATION AT RISK? HEALTHCARE IT: IS YOUR INFORMATION AT RISK?
HEALTHCARE IT: IS YOUR INFORMATION AT RISK?
 
Him500 Milestone 3Precious Teasley Southern New
Him500 Milestone 3Precious Teasley Southern New Him500 Milestone 3Precious Teasley Southern New
Him500 Milestone 3Precious Teasley Southern New
 
Confidentiality
ConfidentialityConfidentiality
Confidentiality
 
Overview of HIMSS AsiaPac 2014
Overview of HIMSS AsiaPac 2014Overview of HIMSS AsiaPac 2014
Overview of HIMSS AsiaPac 2014
 
Healthcare Communication Technologies: A Short Note on Opportunities and Chal...
Healthcare Communication Technologies: A Short Note on Opportunities and Chal...Healthcare Communication Technologies: A Short Note on Opportunities and Chal...
Healthcare Communication Technologies: A Short Note on Opportunities and Chal...
 
IRJET- A Core Medical Treatment System forEmergency Management using Cloud
IRJET- A Core Medical Treatment System forEmergency Management using CloudIRJET- A Core Medical Treatment System forEmergency Management using Cloud
IRJET- A Core Medical Treatment System forEmergency Management using Cloud
 
CIS Project
CIS ProjectCIS Project
CIS Project
 
Healthcare Data Breaches: Biometric Technology to the Rescue
Healthcare Data Breaches: Biometric Technology to the RescueHealthcare Data Breaches: Biometric Technology to the Rescue
Healthcare Data Breaches: Biometric Technology to the Rescue
 
Healthcare Security by Senior Security Consultant Lennart Bredberg
Healthcare Security by Senior Security Consultant Lennart BredbergHealthcare Security by Senior Security Consultant Lennart Bredberg
Healthcare Security by Senior Security Consultant Lennart Bredberg
 
Top 5 Challenges of Health Informatics Implementation | The Lifesciences Maga...
Top 5 Challenges of Health Informatics Implementation | The Lifesciences Maga...Top 5 Challenges of Health Informatics Implementation | The Lifesciences Maga...
Top 5 Challenges of Health Informatics Implementation | The Lifesciences Maga...
 

More from Rui Gomes

Hff 1e psos_visit
Hff 1e psos_visitHff 1e psos_visit
Hff 1e psos_visit
Rui Gomes
 
Healthcare IT Governance
Healthcare IT GovernanceHealthcare IT Governance
Healthcare IT GovernanceRui Gomes
 
Sacyl symposium 2013_30092013
Sacyl symposium 2013_30092013Sacyl symposium 2013_30092013
Sacyl symposium 2013_30092013Rui Gomes
 
IDC TECHDATA PUBLIC ADMINISTRATION CHALLENGES
IDC TECHDATA PUBLIC ADMINISTRATION CHALLENGESIDC TECHDATA PUBLIC ADMINISTRATION CHALLENGES
IDC TECHDATA PUBLIC ADMINISTRATION CHALLENGESRui Gomes
 
Presentation barroso european council 25 october 2013
Presentation barroso european council 25 october 2013Presentation barroso european council 25 october 2013
Presentation barroso european council 25 october 2013Rui Gomes
 
Pr ieee f ed rg-iechair
Pr ieee f ed rg-iechairPr ieee f ed rg-iechair
Pr ieee f ed rg-iechairRui Gomes
 
Ieee healthcom convite organizacoes de saude_diretores_v14_09_13
Ieee healthcom convite organizacoes de saude_diretores_v14_09_13Ieee healthcom convite organizacoes de saude_diretores_v14_09_13
Ieee healthcom convite organizacoes de saude_diretores_v14_09_13Rui Gomes
 
Healthcom 2013 invite_s
Healthcom 2013 invite_sHealthcom 2013 invite_s
Healthcom 2013 invite_sRui Gomes
 
Healthcom 2013 invite_s
Healthcom 2013 invite_sHealthcom 2013 invite_s
Healthcom 2013 invite_sRui Gomes
 
iscte_palestra_SI
iscte_palestra_SIiscte_palestra_SI
iscte_palestra_SIRui Gomes
 
Apdsi gestao equipamentos_moveis_2
Apdsi gestao equipamentos_moveis_2Apdsi gestao equipamentos_moveis_2
Apdsi gestao equipamentos_moveis_2Rui Gomes
 
Apdsi gestao equipamentos_moveis_vf
Apdsi gestao equipamentos_moveis_vfApdsi gestao equipamentos_moveis_vf
Apdsi gestao equipamentos_moveis_vfRui Gomes
 
Hff oracle vdi
Hff oracle vdiHff oracle vdi
Hff oracle vdiRui Gomes
 
Hff eif energy_saving_final
Hff eif energy_saving_finalHff eif energy_saving_final
Hff eif energy_saving_finalRui Gomes
 
Dis defesa abordagem relacional modelo seguranca
Dis defesa abordagem relacional modelo segurancaDis defesa abordagem relacional modelo seguranca
Dis defesa abordagem relacional modelo segurancaRui Gomes
 
Apdsi gestao risco
Apdsi gestao riscoApdsi gestao risco
Apdsi gestao riscoRui Gomes
 
Saude governance rg
Saude governance rgSaude governance rg
Saude governance rgRui Gomes
 

More from Rui Gomes (18)

Hff 1e psos_visit
Hff 1e psos_visitHff 1e psos_visit
Hff 1e psos_visit
 
Healthcare IT Governance
Healthcare IT GovernanceHealthcare IT Governance
Healthcare IT Governance
 
Articulate
ArticulateArticulate
Articulate
 
Sacyl symposium 2013_30092013
Sacyl symposium 2013_30092013Sacyl symposium 2013_30092013
Sacyl symposium 2013_30092013
 
IDC TECHDATA PUBLIC ADMINISTRATION CHALLENGES
IDC TECHDATA PUBLIC ADMINISTRATION CHALLENGESIDC TECHDATA PUBLIC ADMINISTRATION CHALLENGES
IDC TECHDATA PUBLIC ADMINISTRATION CHALLENGES
 
Presentation barroso european council 25 october 2013
Presentation barroso european council 25 october 2013Presentation barroso european council 25 october 2013
Presentation barroso european council 25 october 2013
 
Pr ieee f ed rg-iechair
Pr ieee f ed rg-iechairPr ieee f ed rg-iechair
Pr ieee f ed rg-iechair
 
Ieee healthcom convite organizacoes de saude_diretores_v14_09_13
Ieee healthcom convite organizacoes de saude_diretores_v14_09_13Ieee healthcom convite organizacoes de saude_diretores_v14_09_13
Ieee healthcom convite organizacoes de saude_diretores_v14_09_13
 
Healthcom 2013 invite_s
Healthcom 2013 invite_sHealthcom 2013 invite_s
Healthcom 2013 invite_s
 
Healthcom 2013 invite_s
Healthcom 2013 invite_sHealthcom 2013 invite_s
Healthcom 2013 invite_s
 
iscte_palestra_SI
iscte_palestra_SIiscte_palestra_SI
iscte_palestra_SI
 
Apdsi gestao equipamentos_moveis_2
Apdsi gestao equipamentos_moveis_2Apdsi gestao equipamentos_moveis_2
Apdsi gestao equipamentos_moveis_2
 
Apdsi gestao equipamentos_moveis_vf
Apdsi gestao equipamentos_moveis_vfApdsi gestao equipamentos_moveis_vf
Apdsi gestao equipamentos_moveis_vf
 
Hff oracle vdi
Hff oracle vdiHff oracle vdi
Hff oracle vdi
 
Hff eif energy_saving_final
Hff eif energy_saving_finalHff eif energy_saving_final
Hff eif energy_saving_final
 
Dis defesa abordagem relacional modelo seguranca
Dis defesa abordagem relacional modelo segurancaDis defesa abordagem relacional modelo seguranca
Dis defesa abordagem relacional modelo seguranca
 
Apdsi gestao risco
Apdsi gestao riscoApdsi gestao risco
Apdsi gestao risco
 
Saude governance rg
Saude governance rgSaude governance rg
Saude governance rg
 

Recently uploaded

PCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase TeamPCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase Team
ControlCase
 
Knowledge engineering: from people to machines and back
Knowledge engineering: from people to machines and backKnowledge engineering: from people to machines and back
Knowledge engineering: from people to machines and back
Elena Simperl
 
DevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA ConnectDevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA Connect
Kari Kakkonen
 
Bits & Pixels using AI for Good.........
Bits & Pixels using AI for Good.........Bits & Pixels using AI for Good.........
Bits & Pixels using AI for Good.........
Alison B. Lowndes
 
The Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and SalesThe Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and Sales
Laura Byrne
 
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
BookNet Canada
 
Neuro-symbolic is not enough, we need neuro-*semantic*
Neuro-symbolic is not enough, we need neuro-*semantic*Neuro-symbolic is not enough, we need neuro-*semantic*
Neuro-symbolic is not enough, we need neuro-*semantic*
Frank van Harmelen
 
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
DanBrown980551
 
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Ramesh Iyer
 
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...
Product School
 
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Product School
 
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Jeffrey Haguewood
 
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdfFIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance
 
Leading Change strategies and insights for effective change management pdf 1.pdf
Leading Change strategies and insights for effective change management pdf 1.pdfLeading Change strategies and insights for effective change management pdf 1.pdf
Leading Change strategies and insights for effective change management pdf 1.pdf
OnBoard
 
Essentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with ParametersEssentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with Parameters
Safe Software
 
JMeter webinar - integration with InfluxDB and Grafana
JMeter webinar - integration with InfluxDB and GrafanaJMeter webinar - integration with InfluxDB and Grafana
JMeter webinar - integration with InfluxDB and Grafana
RTTS
 
When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...
Elena Simperl
 
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
Product School
 
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
James Anderson
 
To Graph or Not to Graph Knowledge Graph Architectures and LLMs
To Graph or Not to Graph Knowledge Graph Architectures and LLMsTo Graph or Not to Graph Knowledge Graph Architectures and LLMs
To Graph or Not to Graph Knowledge Graph Architectures and LLMs
Paul Groth
 

Recently uploaded (20)

PCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase TeamPCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase Team
 
Knowledge engineering: from people to machines and back
Knowledge engineering: from people to machines and backKnowledge engineering: from people to machines and back
Knowledge engineering: from people to machines and back
 
DevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA ConnectDevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA Connect
 
Bits & Pixels using AI for Good.........
Bits & Pixels using AI for Good.........Bits & Pixels using AI for Good.........
Bits & Pixels using AI for Good.........
 
The Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and SalesThe Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and Sales
 
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
 
Neuro-symbolic is not enough, we need neuro-*semantic*
Neuro-symbolic is not enough, we need neuro-*semantic*Neuro-symbolic is not enough, we need neuro-*semantic*
Neuro-symbolic is not enough, we need neuro-*semantic*
 
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
 
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
 
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...
 
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
 
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
 
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdfFIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
 
Leading Change strategies and insights for effective change management pdf 1.pdf
Leading Change strategies and insights for effective change management pdf 1.pdfLeading Change strategies and insights for effective change management pdf 1.pdf
Leading Change strategies and insights for effective change management pdf 1.pdf
 
Essentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with ParametersEssentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with Parameters
 
JMeter webinar - integration with InfluxDB and Grafana
JMeter webinar - integration with InfluxDB and GrafanaJMeter webinar - integration with InfluxDB and Grafana
JMeter webinar - integration with InfluxDB and Grafana
 
When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...
 
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
 
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
 
To Graph or Not to Graph Knowledge Graph Architectures and LLMs
To Graph or Not to Graph Knowledge Graph Architectures and LLMsTo Graph or Not to Graph Knowledge Graph Architectures and LLMs
To Graph or Not to Graph Knowledge Graph Architectures and LLMs
 

The Adoption of IT Security Standards in a Healthcare Environment

  • 1. eHealth Beyond the Horizon – Get IT There 765 S.K. Andersen et al. (Eds.) IOS Press, 2008 © 2008 Organizing Committee of MIE 2008. All rights reserved. The Adoption of IT Security Standards in a Healthcare Environment Rui GOMESa c and Luís Velez LAPÃO b,c 1 a Hospital S. Sebastião – Sta. Maria da Feira, Portugal, b Healthcare Systems Group, Instituto Nacional de Administração, Portugal, c CINTESIS-Faculdade de Medicina, Universidade do Porto, Portugal Abstract. Security is a vital part of daily life to Hospitals that need to ensure that the information is adequately secured. In Portugal, more CIOs are seeking that their hospital IS departments are properly protecting information assets from security threats. It is imperative to take necessary measures to ensure risk management and business continuity. Security management certification provides just such a guarantee, increasing patient and partner confidence. This paper introduces one best practice for implementing four security controls in a hospital datacenter infrastructure (ISO27002), and describes the security assessment for implementing such controls. Keywords: ISO 27002, Security standards, CIO, Healthcare Information Management. Introduction Healthcare services aims at serving people well. In this regard, the need for IS standards is recurrent since every year thousands of people died as the result of clinical errors caused by fatigue or inaccuracy that could have been prevented with proper technology [1]. Most of the problems have to do with lack of coordination between systems due to the use of different standards [2]. Anybody waiting for the standards bodies before implementing IS will be waiting such long time, but information security must stay manageable and able to let preventing threats, reduce vulnerabilities and risks. Hospital S. 
Sebastião (HSS) is aware of the significance of information security issues and the relevance of standards and frameworks such as Committee Of Sponsoring Organizations of the Treadway Commission (COSO) [3] for financial processes control, COBIT [4] for information technology (IT) control, “Health Insurance Portability and Accountability Act” (HIPAA) [5] to insurance protection and promoting communications standards and ISO 27002 [6] to manage the information security. Our approach here will focus on healthcare IT security issues. The COSO is a group of standards that includes different financial and auditing institutions’ functions, while COBIT, Control Objectives for Information and related Technology is a good 1 Corresponding Author: Prof. Luís Velez Lapão, Healthcare Systems Group, Instituto Nacional de Administração, Palácio dos Marqueses do Pombal, 2784-540 Oeiras, Portugal, email: luis.lapao@ina.pt.
  • 2. 766 R. Gomes and L.V. Lapão / The Adoption of IT Security Standards in a Healthcare Environment framework for assessing, managing and reducing IT risks. We aim at applying the ISO27002 standards to HSS taking advantage of its comprehensiveness in implementation details. One must recognise that each framework has their own weaknesses and strengthens; e.g. ISO27002 has a complete level of security, but does not contain product-oriented measures, such as those used on COBIT [4]. 1. The IT Security Standards in the Healthcare Environment The use of standards can be viewed from legal and IT architecture perspectives [7]. From the legal perspective, there are ranges of standards that either recommends general or specific scenarios in healthcare. In the USA, HIPAA is a legal requisite and comprehensive health information protection policy, which promotes the development of electronic healthcare transactions and specifically addresses the issues of privacy and security for health related information [5]. The security element specifically distinguish the innate problems in using electronic forms of records keeping and the changing nature of the technology upon which such records are recorded, used and stored. HIPAA has suffered many delays but it had a clear impact on services feasibility [8]. From IT standards perspective, we refer to ISO27002 (former British Standard Institute (BSI) 7799-1:1999) to assist in the development of security plans. It is a “Code of Practice” purposeful on high-level security management, revised in 2005 to cover current technology and business practices. ISO 27002 is intended as a common basis and practical guideline for developing organizational security standards and effective security management practices based on 11 main sections. As a code of practice it cannot be used for certification, so another standard has been developed ISO 27001 (information security management system requirements) which is certifiable [9]. 
This standard specifies the requirements for security implementation that is customizable for individual organizations. ISO standards are only a starting point, as they do not contain widespread information on how security measures should be implemented or maintained. Other standards exist for specific proposes of health information, particularly for use in e-health information exchange, like HL7 [10] developed as a standard for clinical information exchange and based predominantly on the HIPAA guiding principles. In addition, the CEN (European Committee for Standardization) is putting significant effort into development of healthcare information systems security in Europe. However, this has resulted in an assorted range of standards being developed for specific instances of technology use. Many standards do not include sufficient security-related provision and given the complex nature of standards, it has resulted in a large number of providers selling security management solutions for interpretation of the standards and also to explore its implementation. 2. The Process of Adoption of IT Security Standards: The role of the CIO It is now accepted that healthcare is one of the most complex businesses with a large diversity of types of interactions [11, 12]. The possibility of using IS to support the services delivery also opens new opportunities. Smith [13] and others [14] have proposed that only Information Systems (IS) could bridge the information “chasm”. Interoperability of healthcare systems can play a critical role in this process. The Institute Of Medicine reports [14, 15] identified weaknesses in the design and safety of
  • 3. R. Gomes and L.V. Lapão / The Adoption of IT Security Standards in a Healthcare Environment 767 healthcare IS whereas interoperability rules’ utilization can provide additional pressure to help the proper use of technology in that regard [16]. Both technical and semantic interoperability require a wide organizational agreement on standards. Both represent huge tasks to be accomplished and require people in the organization to deal with it. Specialized groups such as IHE are pushing the debate and developing interoperability profiles to tighten areas of ambiguity en route to stronger interoperability. The HL7’s Electronic Health Record (EHR) group has produced many reports and other materials to guide technology managers towards interoperability. But before going into this sophisticated processes there are many other basic areas that need to be properly covered, being security issues one of them. The human and organizational side of the interoperability has been mostly forgotten [17, 18]. For a long time healthcare process engineering was also not taken very seriously [19]. In order to take advantage of an IS it is necessary a leadership to promote the alignment of business with IS. In this complex environment the role of the Chief Information Officer (CIO) is critical to ensure good focus on organizational specificities. It was recognized that best performing HIS departments were related with department heads that matched CIO attributes [12], like openness to suggestions and excellent relationship with other healthcare professionals; leadership skills, which help them to address challenges; meaningful negotiation skills which are used in their relationships with the vendors, openness to bolder projects with new technologies; etc. Healthcare CIOs are a kind of “special people” that push the organization further through an innovative use of technology [18, 20]. 
They know that pushing for interoperability will allow the organization to be more productive and less inefficient. Interoperability in an organization can also mean data access safety and security.

3. The Hospital S. Sebastião Information Security Case

HSS is integrated in the National Health Service, providing tertiary health care services for all citizens of its geographical area. Built in 1999, it covers an area with 367 000 inhabitants. HSS was chosen to become involved in an innovative management framework, supported by the Ministry of Health, to show evidence of the improved efficiency of the new framework.

3.1 HSS Information System Architecture

The hospital today owns a unified IS platform that aims to serve not only administrative and management purposes but mainly patients’ needs, helping professionals do their job correctly. This middle management application provides approximately 320 physicians and 510 nurses with an integrated view of all clinical information related to the patients, from exams to surgery reports. Since 1999, those physicians have created and stored medical records in the hospital’s datacenter storage bank. The IS architecture is shown below (Figure 1), where all the solutions contribute exclusively to growing the datacenter databases, following a consolidation and concentration philosophy.

Figure 1. HSS Information System Architecture Overview.

The architecture definition was a long working process. The hospital board has recognized that a huge effort was carried out to minimise risks concerning information management, data privacy and protection. This level of maturity was achieved in 2003, though these good principles are still not enough. These first successes encouraged the CIO, the IT personnel and top managers to focus more on the improvement of information security management.

3.2 CIO Role in the HSS IT Security Approach

The CIO created a team to address IT security at the HSS. After a review of the relevant literature and practices, ISO27002 was selected rather than COBIT. COBIT’s entirety would make implementation onerous and, compared with ISO27002, it is easy to see that it focuses more on the efficiency and effectiveness of the IT environment than on information security linked to business issues. It was recognized that ISO27002 represents a good mix of international acceptance and full comprehensiveness, and that it is dedicated almost exclusively to information security practices built around policy and process management. However, in the future it may be necessary to implement some COBIT measures to accomplish ISO27002 good practices. The application servers and databases are all concentrated in a controlled physical habitat and, as regards securing and managing information, the prerequisites set out in ISO27002 were recognized as an excellent point of reference to start managing information security. Some controls of this standard have been implemented over the hospital datacenter infrastructure area, and the focus has been IT and security policies as a best practice for information security management in daily operating procedures.
ISO27002 provides best practice recommendations on information security management for use by those who are responsible for initiating, implementing or maintaining information security management systems. Its 11 main sections cover the physical and logical preservation of the confidentiality, integrity and availability properties. Drawing an analogy with the ISO quality standards and their way of managing and improving the hospital made the process of ISO27002 implementation as easy as possible. Analogously to a quality manager, the information security manager observes the situation, gives regular assessments and then recommendations for improvement; afterwards business managers determine which issues investments should be put into, as well as their priority. All 11 ISO27002 control chapters have subset elements. To provide performance measurement, HSS rated the 39 main security categories, based on the ISO27002 structure and according to a simple risk level scale H-M-L (High / Medium-Moderate / Low-Tolerable). Table 1 concisely shows the risk levels for each control area, helping the CIO to rapidly overview the whole picture of information security and to identify priority actions.

Table 1. Risk Levels in the ISO 27002

 #   ISO 27002 Section (control objective)                          Risk Level
                                                                    H   M   L
 1   Security Policy                                                0   1   0
 2   Organizing Information Security                                0   1   1
 3   Asset Management                                               2   0   0
 4   Human Resources Security                                       0   1   2
 5   Physical and Environmental Security                            1   1   0
 6   Communications & Operations Management                         8   2   0
 7   Access Control                                                 5   2   0
 8   Information Systems Acquisition, Development and Maintenance   0   4   2
 9   Information Security Incident Management                       0   2   0
10   Business Continuity Management                                 0   0   1
11   Compliance                                                     0   1   2

The application of this framework has been quite successful at HSS. For instance, sections 3, 5, 6 and 7 were well accomplished in the datacenter infrastructure, whereas the security assessment sections were based on the most relevant high-risk level control objectives.

3.3 IT Security Project Issues

The CEO and CIO have assumed the project and the relevance of a security audit and its implications: for instance, the obligation to upgrade the datacenter, both physically and logically, and to change the daily modus operandi. The hospital board decided to hire an auditor (named by SINFIC, a BSI certified partner). The auditor applied a Gap Analysis with five major steps:

1. Project planning, to ensure that expectations, timelines and deliverables are appropriately managed.
2. Information gathering, in which many players were interviewed to determine the business environment and the current security management and system administration processes, through in-depth discussions with key players in the organization.
3. Review and analysis of security policies, procedures and practices, to evaluate the existing security policies, procedures and practices and compare them with the ISO27002 international security standard and industry best practices.
4. Writing a concise, detailed technical and ISO27002 Security Assessment Executive Summary Report from the results of the review and analysis stage.
5. External and internal vulnerability scanning, to discover all devices and applications across the datacenter and to identify and eliminate the security threats that make attacks on the datacenter infrastructure possible.
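The rating scheme behind Table 1 and the comparison of current practice against the ISO27002 control objectives in the review and analysis step of the gap analysis can be worked through in code. The following Python script is an added example, not a tool of the authors or of HSS: it holds an H/M/L rating for each of the 39 control objectives of ISO/IEC 27002:2005, aggregates them into the per-section rows of Table 1, lists the objectives rated High (the candidates for the assessment scope) and orders the sections for the CIO's attention by their number of High ratings. The per-objective ratings are a constructed allocation, since the paper reports only per-section totals; only those totals are taken from Table 1. The clause numbers and titles are those of the 2005 edition of the standard.

```python
"""Risk-level overview of ISO/IEC 27002:2005 control objectives in the shape of
Table 1.  Added example; the per-objective ratings below are constructed."""

# ISO/IEC 27002:2005 clause number -> clause title (Table 1 numbers them 1..11).
SECTIONS = {
    5: "Security Policy",
    6: "Organizing Information Security",
    7: "Asset Management",
    8: "Human Resources Security",
    9: "Physical and Environmental Security",
    10: "Communications & Operations Management",
    11: "Access Control",
    12: "Information Systems Acquisition, Development and Maintenance",
    13: "Information Security Incident Management",
    14: "Business Continuity Management",
    15: "Compliance",
}

RISK_LEVELS = ("H", "M", "L")  # High, Medium/Moderate, Low/Tolerable

# Rating per control objective ("clause.objective" of the 2005 edition).
# CONSTRUCTED allocation: the paper gives only per-section totals, so only the
# totals per clause are taken from Table 1; the split inside a clause is assumed.
ASSESSMENT = {
    "5.1": "M",
    "6.1": "M", "6.2": "L",
    "7.1": "H", "7.2": "H",
    "8.1": "L", "8.2": "M", "8.3": "L",
    "9.1": "H", "9.2": "M",
    "10.1": "H", "10.2": "M", "10.3": "H", "10.4": "H", "10.5": "H",
    "10.6": "H", "10.7": "H", "10.8": "H", "10.9": "M", "10.10": "H",
    "11.1": "H", "11.2": "H", "11.3": "M", "11.4": "H", "11.5": "H",
    "11.6": "H", "11.7": "M",
    "12.1": "M", "12.2": "M", "12.3": "L", "12.4": "M", "12.5": "M", "12.6": "L",
    "13.1": "M", "13.2": "M",
    "14.1": "L",
    "15.1": "M", "15.2": "L", "15.3": "L",
}


def section_of(objective_id):
    """'10.4' -> 10; rejects objectives outside the standard's 11 clauses."""
    clause = int(objective_id.split(".")[0])
    if clause not in SECTIONS:
        raise ValueError(f"unknown ISO 27002 clause in {objective_id!r}")
    return clause


def summarize(assessment=ASSESSMENT):
    """Per-section H/M/L counts, i.e. the rows of Table 1.

    A rating outside H/M/L raises instead of silently skewing the totals."""
    summary = {name: {level: 0 for level in RISK_LEVELS} for name in SECTIONS.values()}
    for objective_id, level in assessment.items():
        if level not in RISK_LEVELS:
            raise ValueError(f"{objective_id}: rating must be one of {RISK_LEVELS}, got {level!r}")
        summary[SECTIONS[section_of(objective_id)]][level] += 1
    return summary


def priority_order(assessment=ASSESSMENT):
    """Sections ordered for CIO attention: most High ratings first, then most
    Medium ratings, then the standard's own clause order as a tie-break."""
    summary = summarize(assessment)
    ranked = sorted(SECTIONS.items(),
                    key=lambda kv: (-summary[kv[1]]["H"], -summary[kv[1]]["M"], kv[0]))
    return [name for _, name in ranked]


def high_risk_objectives(assessment=ASSESSMENT):
    """Control objectives rated High, in clause order: the assessment scope."""
    return sorted((oid for oid, level in assessment.items() if level == "H"),
                  key=lambda oid: tuple(int(part) for part in oid.split(".")))


def render_table(assessment=ASSESSMENT):
    """Plain-text rendering in the layout of Table 1 (header plus 11 rows)."""
    summary = summarize(assessment)
    lines = [f"{'#':>2}  {'ISO 27002 Section (control objective)':<62} H  M  L"]
    for row, (clause, name) in enumerate(SECTIONS.items(), start=1):
        counts = summary[name]
        lines.append(f"{row:>2}  {name:<62} {counts['H']}  {counts['M']}  {counts['L']}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_table())
    print("priority order:", priority_order())
    print("high-risk objectives:", high_risk_objectives())
```

With the constructed ratings the script reproduces the 39 objectives and the totals of Table 1, and puts Communications & Operations Management and Access Control at the head of the priority list, which is where the paper's assessment sections concentrated. Any rating outside H/M/L, or an objective outside clauses 5 to 15, raises ValueError rather than being silently dropped from the totals.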
4. Conclusions

From the case presented one should conclude that rules, codes of practice or standards are essential to ensure the delivery of benefits to patients and healthcare providers in information interoperability. This is only part of a bigger effort to implement a comprehensive strategy that allows consistency of information collection and sharing within the healthcare sector. This effort will establish a secure infrastructure between organizations over which to share patient information securely. A comprehensive set of standards that define practical guidelines for the healthcare community is required, for which ISO27002 is a good benchmark. Its area of application is a set of diverse and heterogeneous organizations, such as public hospitals, private hospitals, specialists and general practitioners. This means that specific targeted standards should be developed or established for the protection of sensitive information, and not left to individual interested parties to build up. It also means that we are facing a rather new field yet to be proven, implying that the CIO responsible for the implementation of an IS security framework will have to deal with its many variables and barriers. The CIO’s role and understanding of the organization’s environment is key to delivering the real interoperability potential to the organization, for the patients’ benefit.

References

[1] Thompson T. US Former Secretary of Health and Human Services, Keynote Speech at the 2007 CDHC Expo. Business Wire, Nov. 13, 2006.
[2] Bell K. “HIT and Pay for Performance”. Acting Deputy, US Office of the National Coordinator for Health Information Technology, Keynote Speech at the HIT Symposium at MIT, July 17, 2006.
[3] COSO. “Committee Of Sponsoring Organizations of the Treadway Commission”, controls financial processes.
[4] COBIT. “Control Objectives for Information and related Technology”, control focuses on IT.
[5] HIPAA. “Health Insurance Portability and Accountability Act”, insurance protection and promotion of communications standards in healthcare. HHS Report, 1997.
[6] ISO/IEC 27002:2005. Information technology - Security techniques - Code of practice for information security management. International Standards Organization, 2005.
[7] Williams PAH. The Role of Standards in Medical Information Security: An Opportunity for Improvement. School of Computer and Information Science, Edith Cowan University, Joondalup, Western Australia.
[8] HHS (2007). Health Information Privacy Act (HIPAA). http://www.hhs.gov/ocr/ (accessed 21 October 2007).
[9] ISO/IEC 27001:2005. Information technology - Security techniques - Information security management systems - Requirements. International Standards Organization, ISO/IEC 2005.
[10] Health Level 7 - ANSI - application layer 7 in the OSI model accredited standards for electronically defining clinical and administrative data in the healthcare industry. www.hl7.org (accessed 3 November 2007).
[11] Plsek P, Wilson T. Complexity Sciences: Complexity, leadership, and management in healthcare organisations. BMJ 2001; 323: 746-9.
[12] Lapão LV. Survey on the Status of the Hospital Information Systems in Portugal. Methods of Information in Medicine 2007; 46(4): 493-499.
[13] Smith R. The future of health care systems. BMJ 1997; 314: 1495 (24 May).
[14] IOM Report. Crossing the Quality Chasm: A New Health System for the 21st Century. Institute of Medicine, 2001.
[15] IOM Report. To Err is Human. Institute of Medicine, 1999.
[16] Lenz R, Kuhn KA. Integration of Heterogeneous and Autonomous Systems in Hospitals. Data Management & Storage Technology, 2002.
[17] Lorenzi N, Riley R. Organizational Aspects of Health Informatics. Springer-Verlag, 1995.
[18] Ash JS, Stavri PZ, Kuperman GJ. A Consensus Statement on Considerations for a Successful CPOE Implementation. J Am Med Inform Assoc 2003 May-Jun; 10(3): 229-34.
[19] Mango PD, Shapiro LA. Hospitals get serious about operations. The McKinsey Quarterly 2001, No. 2.
[20] Broadbent M, Kitzis E. The New CIO Leader: Setting the Agenda and Delivering Results. Harvard Business School Press, December 2004.