TY - GEN
T1 - Generic security cases for information system security in healthcare systems
AU - He, Y.
AU - Johnson, C. W.
PY - 2012
Y1 - 2012
N2 - Numerous data breach incidents have been reported in recent years and there is a continuing requirement to protect patient and clinician confidentiality. However, the diversity of security products, tools and techniques in the market place make it very hard for management to ensure that they have implemented coherent countermeasures to meet organisations higher-level objectives. This paper focuses on the problems that arise in implementing and maintaining cyber-security policies in large, complex healthcare organisations. We address these problems by the use of graphical argumentation techniques. In particular, we show how the Goal Structuring Notations (GSN) can be extended from applications in safety-critical systems. Security arguments presented with GSN can help managers to reason about cyber-security policies and procedures by bringing together claims and the evidence that supports them in a structured and coherent way. A further objective of this paper is to show how GSN can be used to construct security arguments that are informed by the analysis of previous security incidents in healthcare organisations. In particular, we present two generic security cases that embody the recommendations from incidents involving the United States' Veterans' Affairs (VA) administration and Shenzhen Hospital in China. These case studies were deliberately chosen to show how lessons learned in one country might inform security management in other healthcare systems. We also show that security cases can be created at a level of abstraction that support reuses and at the same time capture detailed recommendations from security incidents.
AB - Numerous data breach incidents have been reported in recent years and there is a continuing requirement to protect patient and clinician confidentiality. However, the diversity of security products, tools and techniques in the market place make it very hard for management to ensure that they have implemented coherent countermeasures to meet organisations higher-level objectives. This paper focuses on the problems that arise in implementing and maintaining cyber-security policies in large, complex healthcare organisations. We address these problems by the use of graphical argumentation techniques. In particular, we show how the Goal Structuring Notations (GSN) can be extended from applications in safety-critical systems. Security arguments presented with GSN can help managers to reason about cyber-security policies and procedures by bringing together claims and the evidence that supports them in a structured and coherent way. A further objective of this paper is to show how GSN can be used to construct security arguments that are informed by the analysis of previous security incidents in healthcare organisations. In particular, we present two generic security cases that embody the recommendations from incidents involving the United States' Veterans' Affairs (VA) administration and Shenzhen Hospital in China. These case studies were deliberately chosen to show how lessons learned in one country might inform security management in other healthcare systems. We also show that security cases can be created at a level of abstraction that support reuses and at the same time capture detailed recommendations from security incidents.
KW - Generic security case
KW - Healthcare system
KW - Security incidents
KW - System security
UR - http://www.scopus.com/inward/record.url?scp=84877809700&partnerID=8YFLogxK
U2 - 10.1049/cp.2012.1507
DO - 10.1049/cp.2012.1507
M3 - Conference contribution
SN - 9781849196789
T3 - IET Conference Publications
BT - 7th IET International Conference on System Safety, Incorporating the Cyber Security Conference 2012
T2 - 7th IET International Conference on System Safety, Incorporating the Cyber Security Conference 2012
Y2 - 15 October 2012 through 18 October 2012
ER -