Abstract
Information security and assurance is an increasingly critical issue in health research. Whether health research concerns genetics, new drugs, disease outbreaks, biochemistry, or the effects of radiation, it deals with highly sensitive information that could be targeted by rogue individuals or groups, corporations, national intelligence agencies, or terrorists seeking financial, social, or political gain. The advent of the Internet and advances in information technology have also dramatically increased attackers' opportunities to exploit sensitive and valuable information.
Government agencies have deployed legislative measures to protect the privacy of health information and have developed information security guidelines for epidemiological studies. However, the risks are grossly underestimated, and institutions, governments, and the international community have made little effort to protect health research information strategically and comprehensively.
There is a need to enforce a set of proactive measures to protect health research information locally and globally. Such measures should be deployed at all levels, but they will succeed only if research communities collaborate actively, governments enforce appropriate legislative measures at the national level, and the international community develops quality standards, concluding treaties if necessary, at the global level.
The best information security and assurance would be achieved through a rigorous management process built on a cycle of “plan, do, check, and act”. Each health research entity, such as a hospital, university, institution, or laboratory, should implement this cycle and establish an authoritative security and assurance organization, program, and plan, coordinated by a designated Chief Security Officer who ensures that the process is carried out and that appropriate security controls are in place. Key focus areas include policies and best practices, enforcement and certification, risk assessment and audit, monitoring and incident response, awareness and training, and modern protection methods and architecture. Governments should enforce a comprehensive scheme, and international health research communities should adopt standardized, innovative methods and approaches.
Key words: security and assurance, health research information, proactive measures, ISMS, CSO/CISO