In a 'trusting' environment, everyone is responsible for information security

Information security is important in any organisation, and particularly where personal and medical information is routinely recorded. Further, where the organisational culture revolves around trust, as in the medical environment, insider threats, both malicious and non-malicious, are difficult to manage. International research has shown that changing security culture and increasing awareness are necessary because technical solutions are not sufficient to control insider threats. This area of information security is both important and topical in view of the recently publicised breaches of patient health information. Ensuring that all staff assume responsibility for information security, particularly as part of an information security governance framework, is one practical solution to the problem of insider threats.
