Information system security in health information systems

Health care organizations have been slow adopters of information technology. Although the provision of medical services is fundamentally an information intense activity, its adoption has lagged behind other industries. At the same time, various reports of information security breaches, unintended disclosures of confidential patient information, and computer attacks have raised the awareness of organizations, government entities, and the general public. This dissertation explores the relation between information system adoption and information system security in the hospital industry. It analyzes market, institutional, technological, and regulatory factors as well as difficulties inherent to health care organizations such as patient safety concerns, the availability of vital and time-sensitive clinical information, as well as user acceptance by clinicians. Technical and organizational information security capabilities are discussed using case studies of two academic medical centers and two hospital groups in the United States and Switzerland. It is shown how the practicability of information security controls is limited by the heterogeneous and decentralized nature of their health information systems. Based on graph theory, a method is developed that allows improved information security management capabilities in a fragmented environment. Information security compliance can be quantified and shortcomings can be analyzed using several algorithms. This method provides a novel approach for analyzing and managing security in health information systems. A Java-based software tool is presented.