Improving the exchange of lessons learned in security incident reports: Case studies in the privacy of electronic patient records

Ying He; Chris Johnson; Yu Lyu; Arniyati Ahmad

doi:10.1007/978-3-662-43813-8_8

Improving the exchange of lessons learned in security incident reports: Case studies in the privacy of electronic patient records

Ying He, Chris Johnson, Yu Lyu, Arniyati Ahmad

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

3 Citations (Scopus)

Abstract

The increasing use of Electronic Health Records has been mirrored by a similar rise in the number of security incidents where confidential information has inadvertently been disclosed to third parties. These problems have been compounded by an apparent inability to learn from previous violations; similar security incidents have been observed across Europe, North America and Asia. This paper presents the results of an empirical study that evaluates the utility and usability of conventional text-based security incident reports with a graphical formalism based on the Goal Structuring Notation. The two methods were compared in term of the users’ ability to identify a number of lessons learned from investigations into previous incidents involving the disclosure of healthcare records. These lessons included both the causes of the incident but also the participants’ ability to understand the reasons why particular recommendations were proposed as ways of avoiding future violations. Even using a relatively small sample, we were able to obtain statistically significant differences between the two approaches. The study showed that the graphical approach resulted in higher accuracy in terms of number of correct answers generated by participants. However, subjective feedback raised further questions about the usability of both approaches as the readers of security incident reports try to interpret the lessons that can increase the security of patient data.

Original language	English
Title of host publication	Trust Management VIII - 8th IFIP WG 11.11 International Conference, IFIPTM 2014, Proceedings
Editors	Jianying Zhou, Jianying Zhou, Nurit Gal-Oz, Nurit Gal-Oz, Jie Zhang, Jie Zhang, Ehud Gudes, Ehud Gudes
Publisher	Springer New York LLC
Pages	109-124
Number of pages	16
ISBN (Electronic)	9783662438121, 9783662438121
DOIs	https://doi.org/10.1007/978-3-662-43813-8_8
Publication status	Published - 2014
Externally published	Yes
Event	8th IFIP WG 11.11 International Conference on Trust Management, IFIPTM 2014 - Singapore, Singapore Duration: 7 Jul 2014 → 10 Jul 2014

Publication series

Name	IFIP Advances in Information and Communication Technology
Volume	430
ISSN (Print)	1868-4238
ISSN (Electronic)	1868-422X

Conference

Conference	8th IFIP WG 11.11 International Conference on Trust Management, IFIPTM 2014
Country/Territory	Singapore
City	Singapore
Period	7/07/14 → 10/07/14

Access to Document

10.1007/978-3-662-43813-8_8

Cite this

He, Y., Johnson, C., Lyu, Y., & Ahmad, A. (2014). Improving the exchange of lessons learned in security incident reports: Case studies in the privacy of electronic patient records. In J. Zhou, J. Zhou, N. Gal-Oz, N. Gal-Oz, J. Zhang, J. Zhang, E. Gudes, & E. Gudes (Eds.), Trust Management VIII - 8th IFIP WG 11.11 International Conference, IFIPTM 2014, Proceedings (pp. 109-124). (IFIP Advances in Information and Communication Technology; Vol. 430). Springer New York LLC. https://doi.org/10.1007/978-3-662-43813-8_8

He, Ying ; Johnson, Chris ; Lyu, Yu et al. / Improving the exchange of lessons learned in security incident reports : Case studies in the privacy of electronic patient records. Trust Management VIII - 8th IFIP WG 11.11 International Conference, IFIPTM 2014, Proceedings. editor / Jianying Zhou ; Jianying Zhou ; Nurit Gal-Oz ; Nurit Gal-Oz ; Jie Zhang ; Jie Zhang ; Ehud Gudes ; Ehud Gudes. Springer New York LLC, 2014. pp. 109-124 (IFIP Advances in Information and Communication Technology).

@inproceedings{94048d32332447bf8e44ba9706dd8366,

title = "Improving the exchange of lessons learned in security incident reports: Case studies in the privacy of electronic patient records",

abstract = "The increasing use of Electronic Health Records has been mirrored by a similar rise in the number of security incidents where confidential information has inadvertently been disclosed to third parties. These problems have been compounded by an apparent inability to learn from previous violations; similar security incidents have been observed across Europe, North America and Asia. This paper presents the results of an empirical study that evaluates the utility and usability of conventional text-based security incident reports with a graphical formalism based on the Goal Structuring Notation. The two methods were compared in term of the users{\textquoteright} ability to identify a number of lessons learned from investigations into previous incidents involving the disclosure of healthcare records. These lessons included both the causes of the incident but also the participants{\textquoteright} ability to understand the reasons why particular recommendations were proposed as ways of avoiding future violations. Even using a relatively small sample, we were able to obtain statistically significant differences between the two approaches. The study showed that the graphical approach resulted in higher accuracy in terms of number of correct answers generated by participants. However, subjective feedback raised further questions about the usability of both approaches as the readers of security incident reports try to interpret the lessons that can increase the security of patient data.",

keywords = "Electronic patient record, Empirical study, Generic security template, Lessons learned, Security incident",

author = "Ying He and Chris Johnson and Yu Lyu and Arniyati Ahmad",

note = "Publisher Copyright: {\textcopyright} IFIP International Federation for Information Processing 2014.; 8th IFIP WG 11.11 International Conference on Trust Management, IFIPTM 2014 ; Conference date: 07-07-2014 Through 10-07-2014",

year = "2014",

doi = "10.1007/978-3-662-43813-8_8",

language = "English",

series = "IFIP Advances in Information and Communication Technology",

publisher = "Springer New York LLC",

pages = "109--124",

editor = "Jianying Zhou and Jianying Zhou and Nurit Gal-Oz and Nurit Gal-Oz and Jie Zhang and Jie Zhang and Ehud Gudes and Ehud Gudes",

booktitle = "Trust Management VIII - 8th IFIP WG 11.11 International Conference, IFIPTM 2014, Proceedings",

}

He, Y, Johnson, C, Lyu, Y & Ahmad, A 2014, Improving the exchange of lessons learned in security incident reports: Case studies in the privacy of electronic patient records. in J Zhou, J Zhou, N Gal-Oz, N Gal-Oz, J Zhang, J Zhang, E Gudes & E Gudes (eds), Trust Management VIII - 8th IFIP WG 11.11 International Conference, IFIPTM 2014, Proceedings. IFIP Advances in Information and Communication Technology, vol. 430, Springer New York LLC, pp. 109-124, 8th IFIP WG 11.11 International Conference on Trust Management, IFIPTM 2014, Singapore, Singapore, 7/07/14. https://doi.org/10.1007/978-3-662-43813-8_8

Improving the exchange of lessons learned in security incident reports: Case studies in the privacy of electronic patient records. / He, Ying; Johnson, Chris; Lyu, Yu et al.
Trust Management VIII - 8th IFIP WG 11.11 International Conference, IFIPTM 2014, Proceedings. ed. / Jianying Zhou; Jianying Zhou; Nurit Gal-Oz; Nurit Gal-Oz; Jie Zhang; Jie Zhang; Ehud Gudes; Ehud Gudes. Springer New York LLC, 2014. p. 109-124 (IFIP Advances in Information and Communication Technology; Vol. 430).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

TY - GEN

T1 - Improving the exchange of lessons learned in security incident reports

T2 - 8th IFIP WG 11.11 International Conference on Trust Management, IFIPTM 2014

AU - He, Ying

AU - Johnson, Chris

AU - Lyu, Yu

AU - Ahmad, Arniyati

N1 - Publisher Copyright: © IFIP International Federation for Information Processing 2014.

PY - 2014

Y1 - 2014

N2 - The increasing use of Electronic Health Records has been mirrored by a similar rise in the number of security incidents where confidential information has inadvertently been disclosed to third parties. These problems have been compounded by an apparent inability to learn from previous violations; similar security incidents have been observed across Europe, North America and Asia. This paper presents the results of an empirical study that evaluates the utility and usability of conventional text-based security incident reports with a graphical formalism based on the Goal Structuring Notation. The two methods were compared in term of the users’ ability to identify a number of lessons learned from investigations into previous incidents involving the disclosure of healthcare records. These lessons included both the causes of the incident but also the participants’ ability to understand the reasons why particular recommendations were proposed as ways of avoiding future violations. Even using a relatively small sample, we were able to obtain statistically significant differences between the two approaches. The study showed that the graphical approach resulted in higher accuracy in terms of number of correct answers generated by participants. However, subjective feedback raised further questions about the usability of both approaches as the readers of security incident reports try to interpret the lessons that can increase the security of patient data.

AB - The increasing use of Electronic Health Records has been mirrored by a similar rise in the number of security incidents where confidential information has inadvertently been disclosed to third parties. These problems have been compounded by an apparent inability to learn from previous violations; similar security incidents have been observed across Europe, North America and Asia. This paper presents the results of an empirical study that evaluates the utility and usability of conventional text-based security incident reports with a graphical formalism based on the Goal Structuring Notation. The two methods were compared in term of the users’ ability to identify a number of lessons learned from investigations into previous incidents involving the disclosure of healthcare records. These lessons included both the causes of the incident but also the participants’ ability to understand the reasons why particular recommendations were proposed as ways of avoiding future violations. Even using a relatively small sample, we were able to obtain statistically significant differences between the two approaches. The study showed that the graphical approach resulted in higher accuracy in terms of number of correct answers generated by participants. However, subjective feedback raised further questions about the usability of both approaches as the readers of security incident reports try to interpret the lessons that can increase the security of patient data.

KW - Electronic patient record

KW - Empirical study

KW - Generic security template

KW - Lessons learned

KW - Security incident

UR - http://www.scopus.com/inward/record.url?scp=84927632792&partnerID=8YFLogxK

U2 - 10.1007/978-3-662-43813-8_8

DO - 10.1007/978-3-662-43813-8_8

M3 - Conference contribution

AN - SCOPUS:84927632792

T3 - IFIP Advances in Information and Communication Technology

SP - 109

EP - 124

BT - Trust Management VIII - 8th IFIP WG 11.11 International Conference, IFIPTM 2014, Proceedings

A2 - Zhou, Jianying

A2 - Gal-Oz, Nurit

A2 - Zhang, Jie

A2 - Gudes, Ehud

PB - Springer New York LLC

Y2 - 7 July 2014 through 10 July 2014

ER -

He Y, Johnson C, Lyu Y, Ahmad A. Improving the exchange of lessons learned in security incident reports: Case studies in the privacy of electronic patient records. In Zhou J, Zhou J, Gal-Oz N, Gal-Oz N, Zhang J, Zhang J, Gudes E, Gudes E, editors, Trust Management VIII - 8th IFIP WG 11.11 International Conference, IFIPTM 2014, Proceedings. Springer New York LLC. 2014. p. 109-124. (IFIP Advances in Information and Communication Technology). doi: 10.1007/978-3-662-43813-8_8

Improving the exchange of lessons learned in security incident reports: Case studies in the privacy of electronic patient records

Abstract

Publication series

Conference

Access to Document

Other files and links

Fingerprint

Cite this