Assessing and Comparing Information Security in Swiss Hospitals

Background: Availability of information in hospitals is an important prerequisite for good service. Significant resources have been invested to improve the availability of information, but it is also vital that the security of this information can be guaranteed.

Objective: The goal of this study was to assess information security in hospitals through a questionnaire based on the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) standard ISO/IEC 27002 (Information technology – Security techniques – Code of practice for information-security management), with a special focus on the effect of the hospitals' size and type.

Methods: The survey, set up as a cross-sectional study, was conducted in January 2011. The chief information officers (CIOs) of 112 hospitals in German-speaking Switzerland were invited to participate. The online questionnaire was designed to be fast and easy to complete in order to maximize participation. To group the analyzed controls of the ISO/IEC 27002 standard in a meaningful way, a factor analysis was performed. A linear score from 0 (not implemented) to 3 (fully implemented) was introduced. The hospitals' scores were then analyzed for significant differences in any of the factors with respect to the size and type of hospital. The participating hospitals were offered a benchmark report about their status.

Results: The 51 participating hospitals had an average score of 51.1% (range 30.6% to 81.9%) out of a possible 100%, where 100% means all items in the questionnaire were fully implemented. Room for improvement could be identified, especially for the factors covering "process and quality management" (average score 1.3 ± 0.8 out of a maximum of 3) and "organization and risk management" (average score 1.3 ± 0.7 out of a maximum of 3). Private hospitals scored significantly higher than university hospitals in the implementation of "security zones" and "backup" (P = .008).

Conclusions: Half (50.00%, 8588/17,177) of all assessed hospital beds in German-speaking Switzerland are in hospitals that have a score of 49% or less of the maximum possible score in information security. Patient data need to be better protected because of the data protection laws and because sensitive, personal data should be guaranteed confidentiality, integrity, and availability.
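The scoring scheme described in the Methods and the bed-weighted figure in the Conclusions, worked through in Python as an added example (not the study's own code). The factor names are taken from the abstract, but the controls grouped under each factor, the hospital records and the bed counts are constructed for illustration; the study derived its factors from a factor analysis of the real questionnaire.

```python
"""Scoring scheme of the survey above, as an added example (not the study's
own code): controls rated 0 (not implemented) .. 3 (fully implemented), grouped
into factors; overall score = mean rating as a percentage of the maximum."""
from statistics import mean, pstdev

MAX_SCORE = 3
# Control names and grouping are constructed for illustration; the study
# derived its factors from a factor analysis of the real questionnaire.
FACTORS = {
    "process and quality management": ["incident_process", "change_mgmt"],
    "organization and risk management": ["risk_assessment", "security_officer"],
    "security zones": ["server_room_access", "visitor_control"],
    "backup": ["backup_schedule", "restore_test"],
}
CONTROLS = [c for ctrls in FACTORS.values() for c in ctrls]

def hospital(name, beds, ratings):
    """Constructed hospital record; ratings are given in CONTROLS order."""
    if len(ratings) != len(CONTROLS):
        raise ValueError(f"{name}: expected {len(CONTROLS)} ratings")
    return {"name": name, "beds": beds, "answers": dict(zip(CONTROLS, ratings))}

def hospital_percent(answers):
    """Overall score as a percentage of the maximum (every control rated 3)."""
    for control, score in answers.items():
        if score not in range(MAX_SCORE + 1):
            raise ValueError(f"{control}: rating {score} outside 0..{MAX_SCORE}")
    return 100.0 * mean(answers.values()) / MAX_SCORE

def factor_scores(answers):
    """Mean rating (0..3) per factor for one hospital."""
    return {f: mean([answers[c] for c in ctrls]) for f, ctrls in FACTORS.items()}

def factor_summary(hospitals):
    """Average and population SD per factor across hospitals, to one decimal."""
    per = [factor_scores(h["answers"]) for h in hospitals]
    return {f: (round(mean([p[f] for p in per]), 1), round(pstdev([p[f] for p in per]), 1))
            for f in FACTORS}

def bed_share_at_or_below(hospitals, threshold_percent):
    """Fraction of all beds in hospitals scoring <= threshold_percent."""
    total = sum(h["beds"] for h in hospitals)
    low = sum(h["beds"] for h in hospitals
              if hospital_percent(h["answers"]) <= threshold_percent)
    return low / total

# Made-up ratings and bed counts for three hospitals.
SAMPLE = [
    hospital("A", 600, [1, 1, 1, 2, 2, 1, 3, 1]),
    hospital("B", 200, [3, 2, 2, 3, 3, 2, 3, 3]),
    hospital("C", 400, [0, 1, 1, 0, 2, 1, 1, 2]),
]
```

With the constructed sample, `bed_share_at_or_below(SAMPLE, 49)` mirrors the abstract's "beds in hospitals scoring 49% or less" figure, and `factor_summary(SAMPLE)` gives the per-factor "average ± SD" form used in the Results.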
