ebook img

Health-Care Telematics in Germany: Design and Application of a Security Analysis Method PDF

288 Pages·2011·1.938 MB·English
Save to my drive
Quick download
Download
Most books are stored in the elastic cloud where traffic is expensive. For this reason, we have a limit on daily download.

Preview Health-Care Telematics in Germany: Design and Application of a Security Analysis Method

Ali Sunyaev Health-Care Telematics in Germany GABLER RESEARCH Informationsmanagement und Computer Aided Team Herausgegeben von Professor Dr. Helmut Krcmar Die Schriftenreihe präsentiert Ergebnisse der betriebswirtschaftl ichen Forschung im Themenfeld der Wirtschaftsinformatik. Das Zusammenwirken von Informations- und Kommunikationstechnologien mit Wettbewerb, Organisation und Menschen wird von umfassenden Änderungen gekennzeichnet. Die Schriftenreihe greift diese Fragen auf und stellt neue Erkenntnisse aus Theorie und Praxis sowie anwen- dungsorientierte Konzepte und Modelle zur Diskussion. Ali Sunyaev Health-Care Telematics in Germany Design and Application of a Security Analysis Method RESEARCH Bibliographic information published by the Deutsche Nationalbibliothek The Deutsche Nationalbibliothek lists this publication in the Deutsche Nationalbibliografi e; detailed bibliographic data are available in the Internet at http://dnb.d-nb.de. Dissertation Technische Universität München, 2010 1st Edition 2011 All rights reserved © Gabler Verlag | Springer Fachmedien Wiesbaden GmbH 2011 Editorial Offi ce: Stefanie Brich | Anita Wilke Gabler Verlag is a brand of Springer Fachmedien. Springer Fachmedien is part of Springer Science+Business Media. www.gabler.de No part of this publication may be reproduced, stored in a retrieval system or transmitted, in any form or by any means, electronic, mechanical, photo- copying, recording, or otherwise, without the prior written permission of the copyright holder. Registered and/or industrial names, trade names, trade descriptions etc. cited in this publica- tion are part of the law for trade-mark protection and may not be used free in any form or by any means even if this is not specifi cally marked. Coverdesign: KünkelLopka Medienentwicklung, Heidelberg Printed on acid-free paper Printed in Germany ISBN 978-3-8349-2442-1 Foreword The importance of security management in the development and operation of information systems (IS) has been growing with the ubiquity of information system use. Along with this growth and technological advances IS security has changed tremendously over the past dec- ades and so have its scope, complexity, and the variety of analyzed security aspects. To meet these challenges IS security methodologies should become more industry specific and at the same time integrate organizational and technical aspects. Securing the privacy of health information on systems is a major challenge to the widespread adoption of new healthcare information systems like the forthcoming German electronic health information infrastructure. Encouraged by the lack of healthcare IS research with re- spect to security, this work presents the design and development of an IS security methodolo- gy for the organizational and technical analysis of security issues in health care. Grounded on the research literature on IS security and healthcare IS, and a variety of current theories in the fields of information systems, business administration, and computer science, it develops a security analysis method for healthcare information systems. This security analysis method builds the foundation to practically examine the current status of the German healthcare telematics, its constitutive elements, and process management in order to identify possible vulnerabilities. Based on these insights, the work proposes appropriate solution mechanisms for the security management of the German healthcare telematics including recommendations for future IS developments in the health care sector. Ali Sunyaev‘s work shows that IS security should be linked to the needs of an application area, both on the organizational and technical side. He clearly depicts the current security sit- uation of German health information infrastructure and so facilitates a broader understanding of analyzing healthcare IS security. This work is an important contribution to the research field of managing information systems. In a methodological way it gives valuable impulses for combining different security approaches and research methods depending on the context of a security arrangement. The work appeals by its broad scope of theory, method engineering background, and its comprehensive argumentation. Researchers of information systems will gain new insights on which practical security analysis methods and theories are applicable given for healthcare information systems. For practitioners, it provides recommendations for orchestrating the development of secure healthcare IS and presents the identification of secu- rity problems in the current concept of German healthcare telematics. vi Foreword I recommend this book as a valuable reading and resource. It provides new and promising insights into an IS security research field and inspires different kinds of readers to adopt a new perspective on healthcare information systems. I hope this work will find the broad dissemination and attention it deserves. Prof. Dr. Helmut Krcmar Abstract Purpose: The objective of this thesis is to develop a method for the organizational and tech- nical analysis of security issues in health care (using tools, methods and processes in a struc- tured and traceable way). Using this method the current security status of health care telemat- ics in Germany is evaluated and recommendations for future developments in the health care sector are derived. Methodology: This work is based on the methodological foundation of design-oriented arti- fact construction in Information Systems (IS) research, in particular method engineering. This research project creates a method to analyze healthcare telematics and also demonstrates the practical application of the designed artifact, based on the integral parts of the design science research framework. Findings: During the planning stage of designing a healthcare specific IS security analysis method, it is advisable to base the design procedure on established standards and best practice approaches. The resulting method therefore relies heavily on previously approved frame- works. Based on the PDCA (Plan/Do/Check/Act) model the HealthcAre Telematics SEC- urity-HatSec-analysis method is constructed in a compositional manner. Hence, the HatSec method was designed from existing IS security analysis approaches (like ISO 27001 and IT- Grundschutzhandbuch), which were previously selected according to their suitability for healthcare and subdivided into method fragments. Applying the concept of method engi- neering, these method fragments were used to design the HatSec security analysis method. The identified method fragments of the selected IS security analysis approaches were metho- dically composed into seven steps: (1) scope identification, (2) asset identification, (3) basic security check, (4) threat identification, (5) vulnerability identification, (6) security assess- ment and (7) security measures. The application of the HatSec method identified 24 deficien- cies in the current state of German health care telematics (including weaknesses, inconsistent and conflicting development documents and violation of security demands). Solutions for the uncovered vulnerabilities were also provided during the practical application of the method. Practical Implications: The outcome of this research project facilitates a broader understan- ding of analyzing healthcare IS security. The HatSec method is designed for chief information security officers (CISO) to analyze healthcare information systems currently in use or under development. A further contribution to practice is the identification of security problems in the current concept of German healthcare telematics. Contents List of Figures xvii List of Tables xix 1 Introduction 1 1.1 Motivation .................................................................................................................. 3 1.2 Objectives of the Thesis ............................................................................................. 6 1.3 Research Methodology ............................................................................................... 9 1.3.1 Design Science .................................................................................................. 10 1.3.2 Research Design ................................................................................................ 11 1.3.3 Design Theory ................................................................................................... 13 1.3.4 Theoretical Contribution and Research Outcome ............................................. 14 1.4 Practical Implications, Users, and Beneficiaries ...................................................... 15 2 Healthcare Telematics in Germany with Respect to Security Issues 17 2.1 German Healthcare ................................................................................................... 17 2.1.1 Structure of German Healthcare ........................................................................ 18 2.1.2 Characteristics of the German Healthcare Sector .............................................. 19 2.1.2.1 Information Exchange and Distributed Information Flows in German Healthcare System ......................................................................... 19 2.1.2.2 Current Problems ........................................................................................ 20 2.1.2.3 Specifics of the German Healthcare Domain .............................................. 21 2.2 Information Systems in Healthcare .......................................................................... 22 2.2.1 Seamless Healthcare .......................................................................................... 24 2.2.2 Interoperability, Standards and Standardization Approaches in Healthcare .......................................................................................................... 24 2.2.2.1 Communication Standards .......................................................................... 27 2.2.2.2 Documentations Standards and Standardization Approaches ..................... 31 2.2.3 Healthcare IS Architecture Types ...................................................................... 33 2.2.3.1 Monolithic System ...................................................................................... 34 2.2.3.2 Heterogeneous System ................................................................................ 35 2.2.3.3 Service-Oriented IS Architecture ................................................................ 35 x Contents 2.2.4 Implications for Security Issues of Healthcare Information Systems ............... 36 2.3 Healthcare Telematics .............................................................................................. 39 2.3.1 Definitions and Objectives of Healthcare Telematics ....................................... 39 2.3.2 German Healthcare Telematics ......................................................................... 42 2.3.2.1 Healthcare Telematics Infrastructure .......................................................... 42 2.3.2.2 Electronic Health Card ................................................................................ 44 2.3.3 Risk and Security Issues of Healthcare Telematics ........................................... 46 2.4 Summary .................................................................................................................. 52 3 Catalogue of IS Healthcare Security Characteristics 53 3.1 Legal Framework ..................................................................................................... 54 3.1.1 Privacy ............................................................................................................... 54 3.1.2 Legal Requirements ........................................................................................... 55 3.2 Protection Goals ....................................................................................................... 56 3.2.1 Dependable Healthcare Information Systems ................................................... 57 3.2.2 Controllability of Healthcare Information Systems........................................... 59 3.3 Characteristics of IS Security Approaches with Respect to Healthcare .................. 62 3.3.1 Literature Review .............................................................................................. 64 3.3.2 Overview of Healthcare IS Security Approach Characteristics ........................ 66 3.3.2.1 General IS Security Approach Characteristics............................................ 66 3.3.2.2 General IS Security Approach Characteristics with Reference to Healthcare ................................................................................................... 67 3.3.2.2.1 Type of the IS Security Approach ....................................................... 68 3.3.2.2.2 Common Characteristics ..................................................................... 69 3.3.2.2.3 Methodology ....................................................................................... 73 3.3.2.2.4 Surrounding Conditions ...................................................................... 76 3.3.2.3 Healthcare-Specific IS Security Approach Characteristics ........................ 77 3.4 Summary .................................................................................................................. 81 4 Analysis of IS Security Analysis Approaches 83 4.1 Overview .................................................................................................................. 83 4.2 Review of Literature ................................................................................................ 84 4.3 Existing Literature Reviews ..................................................................................... 87 Contents xi 4.4 Theoretical Background ........................................................................................... 91 4.5 Systematization of IS Security Analysis Approaches .............................................. 93 4.5.1 Checklists........................................................................................................... 95 4.5.2 Assessment Approaches .................................................................................... 96 4.5.2.1 Risk Assessment Approaches ..................................................................... 96 4.5.2.2 Security Control Assessment Approaches .................................................. 98 4.5.3 Risk Analysis Approaches ............................................................................... 101 4.5.4 IT Security Management Approaches ............................................................. 102 4.5.4.1 The Plan-Do-Check-Act Approach of ISO 27001 .................................... 104 4.5.4.2 Best Practice Models ................................................................................. 105 4.5.5 Legislation Accommodations .......................................................................... 106 4.6 Analysis of IS Security Analysis Approaches with Respect to Healthcare ........... 108 4.6.1 Examination of IS Security Approaches with Respect to General IS Security Approach Characteristics .................................................................. 110 4.6.2 Examination of IS Security Approaches with Respect to General IS Security Approach Characteristics with Reference to Healthcare ................... 111 4.6.3 Examination of IS Security Approaches with Respect to Healthcare Specific IS Security Approach Characteristics ................................................ 113 4.7 Summary ................................................................................................................ 114 5 Designing a Security Analysis Method for Healthcare Telematics in Germany 117 5.1 Introduction ............................................................................................................ 117 5.2 Research Approach ................................................................................................ 118 5.3 Method Engineering ............................................................................................... 120 5.4 Description of Method Elements ........................................................................... 121 5.4.1 Method Chains and Alliances .......................................................................... 121 5.4.2 Method Fragments ........................................................................................... 122 5.4.3 Method Chunks................................................................................................ 126 5.4.4 Method Components........................................................................................ 126 5.4.5 Theoretical Background .................................................................................. 127 5.5 Formal Description of the Concept of Method Engineering .................................. 128 5.6 HatSec Security Analysis Method ......................................................................... 132

See more

The list of books you might like

Most books are stored in the elastic cloud where traffic is expensive. For this reason, we have a limit on daily download.