This project demonstrates the use of OCTAVE, an information security risk assessment method, as an approach to the safe design and planning of a teleradiology system. By adopting this approach to project planning, we intended to provide evidence that including information security as an intrinsic component of project planning improves information assurance, and that using information assurance as a planning tool produces and improves the general system management plan. Several considerations justify this approach to planning a safe teleradiology system. First, because OCTAVE was designed as a method for retrospectively assessing and proposing enhancements for the security of existing information management systems, it should function well as a guide to prospectively designing and deploying a secure information system such as teleradiology. Second, because OCTAVE provides assessment and planning tools for use primarily by interdisciplinary teams from user organizations, not consultants, it should enhance the ability of such teams at the local level to plan safe information systems. Third, from the perspective of sociological theory, OCTAVE explicitly attempts to enhance organizational conditions identified as necessary to safely manage complex technologies. Approaching information system design from the perspective of information security risk management proactively integrates health information assurance into a project’s core. This contrasts with typical approaches that perceive “security” as a secondary attribute to be “added” after the system has been designed, and with approaches that identify information assurance only with security devices and user training. The perspective of health information assurance embraces so many dimensions of a computerized health information system’s design that one may successfully deploy a method for retrospectively assessing information security risk as a prospective planning tool. From a sociological perspective, this approach enhances the general conditions for, as well as establishes specific policies and procedures for, reliable performance of health information assurance.