Accepted for/Published in: JMIR Human Factors

Date Submitted: Apr 29, 2021
Open Peer Review Period: Apr 29, 2021 - Jun 24, 2021
Date Accepted: Feb 3, 2022

The final, peer-reviewed published version of this preprint can be found here:

Assessing the Legal Aspects of Information Security Requirements for Health Care in 3 Countries: Scoping Review and Framework Development

Yeng P, Fauzi MA, Sun L, Yang B

Assessing the Legal Aspects of Information Security Requirements for Health Care in 3 Countries: Scoping Review and Framework Development

JMIR Hum Factors 2022;9(2):e30050

DOI: 10.2196/30050

PMID: 35612891

PMCID: 9178444

Warning: This is an author submission that is not peer-reviewed or edited. Preprints - unless they show as "accepted" - should not be relied on to guide clinical practice or health-related behavior and should not be reported in news media as established information.

A scoping review of Legal Aspect of Information Security Requirement in healthcare: A Benchmark for Assessing the Security Practice in hospitals

  • Prosper Yeng
  • Muhammad Ali Fauzi
  • Luyi Sun
  • Bian Yang

ABSTRACT

Background:

The loss of human lives from cyber-attacks in healthcare is no longer a matter of probabilistic estimation but a reality that has begun. Additionally, the threat scope has expanded to include threats to national security, among others, resulting in surging data breaches within the healthcare sector. For that reason, various laws, regulations, and information security governance tools such as policies, standards, and directives have been provided to enhance conscious care behavior in information security among healthcare users. But in a research scenario where these required security practices need to be compared with ongoing security practices in healthcare, where can the security requirements pertaining to healthcare be obtained in a comprehensive way? Which of the requirements need more attention from management, end users, or both?

Objective:

The objective of this paper is therefore to systematically identify, assess and analyze the state-of-the-art information security requirements in healthcare. These requirements were used to develop a framework to serve as a yardstick for measuring the security practice of healthcare staff.

Methods:

A scoping review was adopted to identify the information security requirement sources within healthcare in Norway, Indonesia, and Ghana. A literature search was conducted in Scopus, PubMed, Google Scholar, IEEE Xplore, and other sources such as databases of laws, regulations, directives, policies, and codes of conduct of Norway/EU, Indonesia, and Ghana. The identified sources were reported with a PRISMA diagram in terms of identification, screening, eligibility, and inclusion.

Results:

Out of a total of 180 security and privacy requirement sources that were initially identified, 122 were fully read by the authors. Subsequently, 74 of these requirement documents fully met the inclusion criteria and were accessed and analyzed. A total of 68 security and privacy requirements were identified in this work. The findings were then used to develop a framework to serve as a benchmark for modeling and analyzing healthcare security practice.

Conclusions:

Legal requirements for analyzing healthcare security practice were comprehensively identified and analyzed. The findings were used to develop a framework in which the legal requirements serve as a benchmark for modeling and analyzing healthcare security practice.



© The authors. All rights reserved. This is a privileged document currently under peer-review/community review (or an accepted/rejected manuscript). Authors have provided JMIR Publications with an exclusive license to publish this preprint on its website for review and ahead-of-print citation purposes only. While the final peer-reviewed paper may be licensed under a cc-by license on publication, at this stage authors and publisher expressly prohibit redistribution of this draft paper other than for review purposes.