Information Governance: A Model for Security in Medical Practice

Information governance is becoming an important aspect of organisational accountability. Given that information is an integral asset of most organisations, the protection of this asset will increasingly rely on organisational capabilities in security. In the medical arena this information is primarily sensitive patient-based information. Previous research has shown that the application of security measures is a low priority for primary care medical practice and that awareness of the risks is seriously underestimated. Consequently, information security governance will be a key issue for medical practice in the future. Information security governance is a relatively new term, and there is little existing research into how to meet governance requirements. The limited research that does exist describes information security governance frameworks at a strategic level. However, since medical practice is already lagging in the implementation of appropriate security, such a strategic definition, although obviously desirable, may not be practical. This paper describes an on-going action research project undertaken in the area of medical information security, and presents a tactical approach model aimed at addressing information security governance and the protection of medical data.
