Segurança da informação e a área da saúde: a convergência dos temas e a intensidade das publicações científicas
DOI:
https://doi.org/10.5585/rgss.v8i2.14139Keywords:
Segurança da Informação, Administração em Saúde, Privacidade, Revisão Sistemática, Dano ao pacienteAbstract
Entende-se que a segurança da informação é um problema crítico na área da saúde pois está relacionada à sistemas de informação que contém dados críticos de pacientes e seus tratamentos. Neste contexto, buscou-se responder ao seguinte problema: Quais são os principais frameworks de segurança da informação utilizados na área de saúde? O objetivo deste artigo consiste em revisar sistematicamente artigos que abordam estudos sobre a segurança da informação na saúde e identificar os principais frameworks e focos de discussão de segurança da informação citados na literatura. Como resultado, observa-se que somente 16 estudos citaram frameworks com enfoque na gestão da segurança da informação. Destes, somente 12 citaram a norma ISO/IEC 27799 e a norma HIPAA, específicas para a área de saúde. Conclui-se, assim, que poucos estudos foram produzidos nos últimos 10 anos, deixando uma lacuna no contexto de países em desenvolvimento ou hospitais de pequeno porte.
Downloads
References
Adesina, Ademola O., Agbele, Kehinde K., Februarie, Ronald, Abidoye, Ademola P., & Nyongesa, Henry O.. (2011). Ensuring the security and privacy of information in mobile health-care communication systems. South African Journal of Science, 107(9-10), 27-33. Retrieved March 25, 2018, from http://www.scielo.org.za/scielo.php?script=sci_arttext&pid=S0038-23532011000500012&lng=en&tlng=en.
Abbas, H., Maennel, O., & Assar, S. (2017). Security and privacy issues in cloud computing. https://doi.org/10.1007/s12243-017-0578-3
Agaku, I. T., Adisa, A. O., Ayo-Yusuf, O. A., & Connolly, G. N. (2013). Concern about security and privacy, and perceived control over collection and use of health information are related to withholding of health information from healthcare providers. Journal of the American Medical Informatics Association, 21(2), 374-378. https://doi.org/10.1136/amiajnl-2013-002079
Agbele, K. K., Oriogun, P. K., Seluwa, A. G., & Aruleba, K. D. (2015, November). Towards a model for enhancing ICT4 development and information security in healthcare system. In Technology and Society (ISTAS), 2015 IEEE International Symposium on (pp. 1-6). IEEE. https://doi.org/10.1109/ISTAS.2015.7439404
Alsalamah, S., Gray, W. A., Hilton, J. C., & Alsalamah, H. (2013). Information security requirements in patient-centred healthcare supporting systems. http://dx.doi.org/10.3233/978-1-61499-289-9-812
Andreeva, E. (2013). Information security of healthcare systems: using a biometric approach. Modelling in Medicine and Biology X, 17, 109.
Appari, A., & Johnson, M. E. (2010). Information security and privacy in healthcare: current state of research. International journal of Internet and enterprise management, 6(4), 279-314.
Bava, M., Cacciari, D., Sossa, E., Zotti, D., & Zangrando, R. (2009, July). Information security risk assessment in healthcare: the experience of an Italian Paediatric Hospital. In Computational Intelligence, Communication Systems and Networks, 2009. CICSYN'09. First International Conference on(pp. 321-326). IEEE. http://dx.doi.org/10.1109/CICSYN.2009.14
CANADÁ. The Personal Information Protection and Electronic Documents Act (PIPEDA) 2000. Retrieved March 25, 2018, from https://www.priv.gc.ca/en/privacy-topics/privacy-laws-in-canada/the-personal-information-protection-and-electronic-documents-act-pipeda/
Chen, Q., Lambright, J., & Abdelwahed, S. (2016, June). Towards Autonomic Security Management of Healthcare Information Systems. In Connected Health: Applications, Systems and Engineering Technologies (CHASE), 2016 IEEE First International Conference on (pp. 113-118). IEEE. http://dx.doi.org/10.1109/CHASE.2016.58
Chi, H., Jones, E. L., & Zhao, L. (2008, December). Implementation of a security access control model for inter-organizational healthcare information systems. In Asia-Pacific Services Computing Conference, 2008. APSCC'08. IEEE (pp. 692-696). IEEE. http://dx.doi.org/10.1109/APSCC.2008.256
Chiuchisan, I., Balan, D. G., Geman, O., Chiuchisan, I., & Gordin, I. (2017, June). A security approach for health care information systems. In E-Health and Bioengineering Conference (EHB), 2017 (pp. 721-724). IEEE. http://dx.doi.org/10.1109/EHB.2017.7995525
Drevin, L., Kruger, H., Bell, A. M., & Steyn, T. (2017, May). A Linguistic Approach to Information Security Awareness Education in a Healthcare Environment. In IFIP World Conference on Information Security Education (pp. 87-97). Springer, Cham. https://doi.org/10.1007/978-3-319-58553-6_8
EEUU. Health Insurance Portability and Accountability Act of 1996. Retrieved March 25, 2018, from https://www.gpo.gov/fdsys/pkg/PLAW-104publ191/pdf/PLAW-104publ191.pdf
EEUU. American Recovery and Reinvestment Act. 2009. Retrieved March 25, 2018, from http://frwebgate.access.gpo.gov/cgi-bin/getdoc.cgi?dbname=111_cong_bills&docid=f:h1enr.pdf
EEUU. DEPARTMENT OF HEALTH AND HUMAN SERVICES et al. HITECH Act enforcement interim final rule. US Department of, 2009. Retrieved March 25, 2018, from https://www.hhs.gov/hipaa/for-professionals/special-topics/HITECH-act-enforcement-interim-final-rule/index.html
Fatima, S. I., & Auti, R. A. (2017). Multi-Level Privacy-Preserving Patient Self-Controllable algorithm Healthcare in Cloud. INTERNATIONAL JOURNAL, 2(9).
Fernando, J. I., & Dawson, L. L. (2009). The health information system security threat lifecycle: An informatics theory. International Journal of Medical Informatics, 78(12), 815-826.
Ferreira, A., Antunes, L., Chadwick, D., & Correia, R. (2010). Grounding information security in healthcare. International Journal of Medical Informatics, 79(4), 268-283. https://doi.org/10.1016/j.ijmedinf.2010.01.009
Gbadeyan, A., Butakov, S., & Aghili, S. (2017). IT governance and risk mitigation approach for private cloud adoption: case study of provincial healthcare provider. Annals of Telecommunications, 72(5-6), 347-357. https://doi.org/10.1007/s12243-017-0568-5
Ghazvini, A., & Shukur, Z. (2016). Awareness Training Transfer and Information Security Content Development for Healthcare Industry. INTERNATIONAL JOURNAL OF ADVANCED COMPUTER SCIENCE AND APPLICATIONS, 7(5), 361-370.
Ghazvini, A., & Shukur, Z. (2017, November). Review of information security guidelines for awareness training program in healthcare industry. In Electrical Engineering and Informatics (ICEEI), 2017 6th International Conference on (pp. 1-6). IEEE. https://doi.org/10.1109/ICEEI.2017.8312399
Ghazvini, A., & Shukur, Z. A Framework for an Effective Information Security Awareness Program in Healthcare.
Gleni, S., Maple, C., & Yue, Y. (2009, April). Security issues of a biometrics health care information system: the case of the NHS. In Computing, Engineering and Information, 2009. ICC'09. International Conference on (pp. 279-284). IEEE. https://doi.org/10.1109/ICC.2009.64
Gottberg, H.; Pisa, I. T.; Leão, B. (2008) Dealing with the Complexities when Implementing Information Security Practices in Healthcare Organizations. In: HEALTHINF (1). (pp. 205-208).
Haas, S., Wohlgemuth, S., Echizen, I., Sonehara, N., & Müller, G. (2011). Aspects of privacy for electronic health records. International journal of medical informatics, 80(2), e26-e31. https://doi.org/10.1016/j.ijmedinf.2010.10.001
Hameed, S. A., & Yuchoh, H. (2012, November). Toward Managing Security Cost for Healthcare Information. In Advanced Computer Science Applications and Technologies (ACSAT), 2012 International Conference on (pp. 414-418). IEEE. https://doi.org/10.1109/ACSAT.2012.75
Hassan, N. H., & Ismail, Z. (2016). INFORMATION SECURITY CULTURE IN HEALTHCARE INFORMATICS: A PRELIMINARY INVESTIGATION. Journal of Theoretical & Applied Information Technology, 88(2).
Hassan, N. H., Ismail, Z., & Maarop, N. (2013, November). A conceptual model for knowledge sharing towards information security culture in healthcare organization. In Research and Innovation in Information Systems (ICRIIS), 2013 International Conference on (pp. 516-520). IEEE. https://doi.org/10.1109/ICRIIS.2013.6716762
He, Y., & Johnson, C. (2017). Challenges of information security incident learning: An industrial case study in a Chinese healthcare organization. Informatics for Health and Social Care, 42(4), 393-408. https://doi.org/10.1080/17538157.2016.1255629
He, Y., & Johnson, C. W. (2012). Generic security cases for information system security in healthcare systems. http://dx.doi.org/10.1049/cp.2012.1507
Hoyt, R. E., & Yoshihashi, A. K. (2014). Health informatics: practical guide for healthcare and information technology professionals. Lulu. com.
Huang, C. D., Behara, R. S., & Goo, J. (2014). Optimal information security investment in a Healthcare Information Exchange: An economic analysis. Decision Support Systems, 61, 1-11. https://doi.org/10.1016/j.dss.2013.10.011
ISO/TC 215 Health informatics. Retrieved March 25, 2018, from https://www.iso.org/committee/54960.html.
ISO 27001. Information Technology, Security Techniques, Information Security Management Systems, Requirements, International Organization for Standardization ISO, Geneve, 2005.
ISO 27002. Information Technology, Security Techniques, Code of Practice for Information Security Management, International Organization for Standardization ISO, Geneve, 2005.
ISO 27799. Information security management in health using ISO/IEC 27002, International Organization for Standardization ISO, Geneve, 2008.
Khansa, L., Cook, D. F., James, T., & Bruyaka, O. (2012). Impact of HIPAA provisions on the stock market value of healthcare institutions, and information security and other information technology firms. computers & security, 31(6), 750-770. https://doi.org/10.1016/j.cose.2012.06.007
Kimura, E., Kobayashi, S., Yoshikawa, T., & Ishihara, K. (2011, July). A framework for an authorization system with spatial reasoning capacity to improve risk management and information security in healthcare. In Applications and the Internet (SAINT), 2011 IEEE/IPSJ 11th International Symposium on (pp. 587-591). IEEE. https://doi.org/10.1109/SAINT.2011.109
Kitchenham, B. (2004). Procedures for performing systematic reviews. Keele, UK, Keele University, 33(2004), 1-26.
Krens, R., Spruit, M. R., & Urbanus-van Laar, N. (2011, January). Information Security in Health Care-Evaluation with Health Professionals. In HEALTHINF (pp. 61-69).
Krishna, B. C., Subrahmanyam, K., Anjaneyulu, S. S. N., & Kim, T. H. (2015). A novel Dr. KSM approach for information security and risk management in health care systems. International Journal of Bio-Science and Bio-Technology, 7(4), 11-16. http://dx.doi.org/10.1155/2015/852173
Langer, S. G. (2017). Cyber-Security Issues in Healthcare Information Technology. Journal of digital imaging, 30(1), 117-125. https://doi.org/10.1007/s10278-016-9913-x
Liu, C. H., Chung, Y. F., Chen, T. S., & Wang, S. D. (2012). The enhancement of security in healthcare information systems. Journal of medical systems, 36(3), 1673-1688. https://doi.org/10.1007/s10916-010-9628-3
Mahncke, R. J., & Williams, P. A. (2014). Developing and Validating a Healthcare Information Security Governance Framework.
Maseti, O. S. (2008). A model for role-based security education, training and awareness in the South African healthcare environment.
Mattei, T. A. (2017). Privacy, Confidentiality, and Security of Health Care Information: Lessons from the Recent WannaCry Cyberattack. World neurosurgery, 104, 972-974.
Meingast, M., Roosta, T., & Sastry, S. (2006, August). Security and privacy issues with health care information technology. In 2006 International Conference of the IEEE Engineering in Medicine and Biology Society (pp. 5453-5458). IEEE.
Naik, B. B., Singh, D., Samaddar, A. B., & Lee, H. J. (2017, February). Security attacks on information centric networking for healthcare system. In Advanced Communication Technology (ICACT), 2017 19th International Conference on(pp. 436-441). IEEE. https://doi.org/10.23919/ICACT.2017.7890126
Narayana Samy, G., Ahmad, R., & Ismail, Z. (2010). Security threats categories in healthcare information systems. Health informatics journal, 16(3), 201-209. https://doi.org/10.1177%2F1460458210377468
Nemati, H. R., & Church, M. (2009). A human centered framework for information security management: a healthcare perspective. AMCIS 2009 Proceedings, 591.
Orel, A., & Bernik, I. (2013). Implementing Healthcare Information Security: Standards Can Help. Data and Knowledge for Medical Decision Support. B. Blobel, A. Hasman and J. Zvarova. Amsterdam, European Federation for Medical Informatics, 195-199.
Papoutsi, C., Reed, J. E., Marston, C., Lewis, R., Majeed, A., & Bell, D. (2015). Patient and public views about the security and privacy of Electronic Health Records (EHRs) in the UK: results from a mixed methods study. BMC medical informatics and decision making, 15(1), 86. https://doi.org/10.1186/s12911-015-0202-2
Patel, V., Beckjord, E., Moser, R. P., Hughes, P., & Hesse, B. W. (2015). The role of health care experience and consumer information efficacy in shaping privacy and security perceptions of medical records: national consumer survey results. JMIR medical informatics, 3(2). https://dx.doi.org/10.2196%2Fmedinform.3238
PONEMON INSTITUTE. Data Breach: The Cloud Multiplier Effect. 2014. Retrieved March 25, 2018, from http://go.netskope.com/rs/665-KFP-612/images/Ponemon-DataBreach-CloudMultiplierEffect-June2014.pdf.
Ribas, C. E.; Burattini, M. N.; Massad, E.; Yamamoto, J. F. (2012). Information Security Management System-A Case Study in a Brazilian Healthcare Organization. In: HEALTHINF. (pp. 147-151).
Ribas, C. E., Francisco, A. J. F., Yamamoto, J. F., & Burattini, M. N. (2011). A New Approach to Information Security Assessment: a case study in a Brazilian healthcare organization.
Sahibudin, S., Sharifi, M., & Ayat, M. (2008, May). Combining ITIL, COBIT and ISO/IEC 27002 in order to design a comprehensive IT framework in organizations. In Modeling & Simulation, 2008. AICMS 08. Second Asia International Conference on (pp. 749-753). IEEE. https://doi.org/10.1109/AMS.2008.145
Sedlack, D. (2016). Understanding Cyber Security Perceptions Related to Information Risk in a Healthcare Setting.
Somani, G., Gaur, M. S., Sanghi, D., Conti, M., & Buyya, R. (2017). Service resizing for quick DDoS mitigation in cloud computing environment. Annals of Telecommunications, 72(5-6), 237-252. https://doi.org/10.1007/s1224
Söderström, E., Åhlfeldt, R. M., & Eriksson, N. (2009). Standards for information security and processes in healthcare. Journal of Systems and Information Technology, 11(3), 295-308. https://doi.org/10.1108/13287260910983650
Son, J., Kim, S., Park, G., Cha, J., & Park, K. (2013). Security requirements for the medical information used by U-Healthcare medical equipment. International Journal of Security and Its Applications, 7(1), 169-180.
Stahl, B. C., Doherty, N. F., & Shaw, M. (2012). Information security policies in the UK healthcare sector: a critical evaluation. Information Systems Journal, 22(1), 77-94. https://doi.org/10.1111/j.1365-2575.2011.00378.x
Sumner, J., Liberman, A., Rotarius, T., Wan, T. T., & Eaglin, R. (2009). Health Care Communication Networks: Disseminating Employee Information for Hospital Security. The health care manager, 28(4), 287-298. https://doi.org/10.1097/HCM.0b013e3181bdec73
Tipton, H. F. (2007). Official (ISC) 2 guide to the ISSMP CBK. CRC Press.
Tritilanunt, S., & Tongsrisomboon, A. (2014). Risk analysis and security management of IT information in hospital. Int J Comput Inform Technol, 4(3), 1-9.
Tyali, S., & Pottas, D. (2011). Information Security Management Systems in the Healthcare Context. In Proceedings of the South African Information Security Multi-Conference: Port Elizabeth, South Africa, 17-18 May 2010 (p. 177). Lulu. com.
Uwizeyemungu, S., & Poba-Nzaou, P. (2016). Security and Privacy Practices in Healthcare Information Systems: A Cluster Analysis of European Hospitals. In ICISSP (pp. 37-45).
Van Deursen, N., Buchanan, W. J., & Duff, A. (2013). Monitoring information security risks within health care. computers & security, 37, 31-45. https://doi.org/10.1016/j.cose.2013.04.005
Vorakulpipat, C., Siwamogsatham, S., & Kawtrakul, A. (2014). An investigation of information security as a service practice: case study in healthcare. International Journal of Computer Applications in Technology, 49(3-4), 365-371. https://doi.org/10.1504/IJCAT.2014.062372
Wang, J., Xiao, N., & Rao, H. R. (2012). An exploration of risk information search via a search engine: Queries and clicks in healthcare and information security. Decision Support Systems, 52(2), 395-405. https://doi.org/10.1016/j.dss.2011.09.006
Warren, B. (2005). Identity theft prevention in the healthcare setting. Journal of healthcare protection management: publication of the International Association for Hospital Security, 21(1), 101-111.
Williams, J. (2010, May). Social networking applications in health care: threats to the privacy and security of health information. In Proceedings of the 2010 ICSE workshop on software engineering in health care (pp. 39-49). ACM. https://doi.org/10.1145/1809085.1809091
Zafar, H., & Sneha, S. (2012). Ubiquitous Healthcare Information System: Toward Crossing the Security Chasm. Communications of the Association for Information Systems, 31.
Zineddine, M. (2011, December). Automated healthcare information privacy and security: UAE case. In Internet Technology and Secured Transactions (ICITST), 2011 International Conference for (pp. 592-595). IEEE.
Downloads
Published
How to Cite
Issue
Section
License
Copyright (c) 2019 Revista de Gestão em Sistemas de Saúde
This work is licensed under a Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International License.
Autores mantém os direitos autorais e concedem à revista o direito de primeira publicação, com o trabalho simultaneamente licenciado sob a Creative Commons Atribuição - Não comercial - Compartilhar igual 4.0 Internacional que permite o compartilhamento do trabalho com reconhecimento da autoria e publicação inicial nesta revista.
Autores têm autorização para assumir contratos adicionais separadamente, para distribuição não-exclusiva da versão do trabalho publicada nesta revista (ex.: publicar em repositório institucional ou como capítulo de livro), com reconhecimento de autoria e publicação inicial nesta revista.
Autores têm permissão e são estimulados a publicar e distribuir seu trabalho online (ex.: em repositórios institucionais ou na sua página pessoal) a qualquer ponto antes ou durante o processo editorial, já que isso pode gerar alterações produtivas, bem como aumentar o impacto e a citação do trabalho publicado (Veja O Efeito do Acesso Livre) em http://opcit.eprints.org/oacitation-biblio.html