The healthcare sector is becoming one of the primary targets for cyberattacks. The use of information technology in healthcare introduces a wide range of vulnerabilities, and information security risk management is therefore an obligatory task for healthcare organizations. This study aims to construct an information security risk management framework for the healthcare sector based on a study of its existing risk profile. The research employed a qualitative method. Based on the risk profiling results, the healthcare sector has two critical assets, namely electronic health records and connected medical devices, or the Internet of Medical Things. These assets are highly sensitive, yet they carry numerous vulnerabilities that are prone to exploitation. To address this, an information security risk management framework consisting of four stages is proposed: Risk Profiling, Risk Level Assessment, Risk Treatment, and Monitoring. Risk Profiling is a vital stage in the risk management process. At this stage, an analysis is performed to produce an overview of the information security risk profile resulting from the critical assets owned by the organization and from the state of cyberspace as it affects information security in the healthcare sector. The proposed framework is cyclical because the risk profile of the healthcare sector is dynamic; monitoring changes in the organization's risk profile is therefore imperative.
This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.