Information system security in health information systems: exploratory research in US and Swiss acute-care hospitals
Main author: | Lüthi, Martin 1973- |
---|---|
Format: | Thesis, Book |
Language: | English |
Published: | Lohmar ; Köln : Eul, 2008 |
Edition: | 1st ed. |
Series: | Reihe: Wirtschaftsinformatik 59 |
Subjects: | Krankenhausinformationssystem (hospital information system) ; Computersicherheit (computer security) |
Online access: | Description text (Inhaltstext) ; Table of contents (Inhaltsverzeichnis) |
Description: | XIX, 366 pages : graphic representations ; 21 cm, 551 g |
ISBN: | 9783899366945 |
MARC record
(tag, indicators, subfields; # = blank indicator)
LEADER      00000nam a2200000 cb4500
001         BV035158013
003         DE-604
005         20090121
007         t
008         081113s2008 d||| m||| 00||| eng d
015   # #   |a 08,A36,0673 |2 dnb
016   7 #   |a 989019667 |2 DE-101
020   # #   |a 9783899366945 |c kart. : EUR 56.00 |9 978-3-89936-694-5
024   3 #   |a 9783899366945
035   # #   |a (OCoLC)244627745
035   # #   |a (DE-599)DNB989019667
040   # #   |a DE-604 |b ger |e rakddb
041   0 #   |a eng
049   # #   |a DE-91G |a DE-945
082   0 #   |a 362.110285 |2 22/ger
084   # #   |a ST 640 |0 (DE-625)143686: |2 rvk
084   # #   |a 360 |2 sdnb
100   1 #   |a Lüthi, Martin |d 1973- |e Verfasser |0 (DE-588)135646545 |4 aut
245   1 0   |a Information system security in health information systems |b exploratory research in US and Swiss acute-care hospitals |c Martin Lüthi
250   # #   |a 1. Aufl.
264   # 1   |a Lohmar ; Köln |b Eul |c 2008
300   # #   |a XIX, 366 S. |b graph. Darst. |c 21 cm, 551 gr.
336   # #   |b txt |2 rdacontent
337   # #   |b n |2 rdamedia
338   # #   |b nc |2 rdacarrier
490   1 #   |a Reihe: Wirtschaftsinformatik |v 59
502   # #   |a Zugl.: Bern, Univ., Diss., 2008
650   0 7   |a Krankenhausinformationssystem |0 (DE-588)4135634-2 |2 gnd |9 rswk-swf
650   0 7   |a Computersicherheit |0 (DE-588)4274324-2 |2 gnd |9 rswk-swf
655   # 7   |0 (DE-588)4113937-9 |a Hochschulschrift |2 gnd-content
689   0 0   |a Krankenhausinformationssystem |0 (DE-588)4135634-2 |D s
689   0 1   |a Computersicherheit |0 (DE-588)4274324-2 |D s
689   0 #   |5 DE-604
830   # 0   |a Reihe: Wirtschaftsinformatik |v 59 |w (DE-604)BV004373821 |9 59
856   4 2   |q text/html |u http://deposit.dnb.de/cgi-bin/dokserv?id=3120891&prov=M&dok_var=1&dok_ext=htm |3 Inhaltstext
856   4 2   |m HBZ Datenaustausch |q application/pdf |u http://bvbr.bib-bvb.de:8991/F?func=service&doc_library=BVB01&local_base=BVB01&doc_number=016965173&sequence=000002&line_number=0001&func_code=DB_RECORDS&service_type=MEDIA |3 Inhaltsverzeichnis
943   1 #   |a oai:aleph.bib-bvb.de:BVB01-016965173
Scanned front matter (adam_text field of the search index record):
Outline
List of Figures.X
List of Tables.XIII
List of Symbols.XV
List of Abbreviations.XVI
1 Introduction.1
1.1 Motivation and Background.1
1.2 Current State of Research.2
1.3 Objective and Scope.4
1.4 Language and Terminology.6
1.5 Structure of Dissertation.7
2 Health Care Market.10
2.1 U.S. Health Care System.10
2.2 Swiss Health Care System.20
2.3 Conclusion.30
3 Health Information Regulations.34
3.1 Overview.34
3.2 International Guidelines.38
3.3 U.S. Regulations.44
3.4 Swiss Regulations.59
3.5 Conclusion.69
4 Hospital Structure and Processes.74
4.1 Overview.74
4.2 Organizational Perspective.75
4.3 Process Perspective.84
4.4 Informational Perspective.89
4.5 Conclusion.95
5 Health Information Systems.97
5.1 Overview.97
5.2 Domain Layer.103
5.3 Logical Layer.106
5.4 Physical Layer.113
5.5 Management Control.117
5.6 Conclusion.121
6 Information System Security.123
6.1 Overview.124
6.2 Objectives.128
6.3 Threats.133
6.4 Technical Controls.137
6.5 Management Controls.155
6.6 Conclusion.177
7 Research Methodology.181
7.1 Overview.181
7.2 Review of Literature.183
7.3 Research Design.194
7.4 Research Framework.199
8 Case Studies.213
8.1 Academic Medical Center (US1).214
8.2 Multi-Hospital Network (US2).230
8.3 Academic Medical Center (CH1).244
8.4 Multi-Hospital Network (CH2).257
8.5 Cross-Case Comparison.267
8.6 Conclusions and Recommendations.274
9 Security Management Method.288
9.1 Overview.289
9.2 Definitions.291
9.3 Graph Model.294
9.4 Software Tool.301
9.5 Conclusion.309
10 Summary and Outlook.311
Appendix A: Interview Guide Case Studies.316
Appendix B: Experts, Case Studies, Documents.320
Appendix C: SCMA Software Tool.321
Appendix D: Security Products and Prototypes.322
Bibliography.324
Table of Contents
List of Figures.X
List of Tables.XIII
List of Symbols.XV
List of Abbreviations.XVI
1 Introduction.1
1.1 Motivation and Background.1
1.2 Current State of Research.2
1.3 Objective and Scope.4
1.4 Language and Terminology.6
1.5 Structure of Dissertation.7
2 Health Care Market.10
2.1 U.S. Health Care System.10
2.1.1 Overview.10
2.1.2 Hospital System.16
2.2 Swiss Health Care System.20
2.2.1 Overview.20
2.2.2 Hospital System.26
2.3 Conclusion.30
3 Health Information Regulations.34
3.1 Overview.34
3.1.1 Information Privacy.36
3.1.2 Data Protection.37
3.2 International Guidelines.38
3.2.1 Structure.38
3.2.2 Privacy Guidelines.40
3.2.3 Security Guidelines.42
3.3 U.S. Regulations.44
3.3.1 Overview.44
3.3.2 Protection of Health Information.47
3.3.2.1 Privacy Standards.48
3.3.2.2 Security Standards.52
3.3.2.2.1 Administrative Safeguards.55
3.3.2.2.2 Physical Safeguards.57
3.3.2.2.3 Technical Safeguards.58
3.4 Swiss Regulations.59
3.4.1 Overview.59
3.4.2 Protection of Health Information.61
3.4.2.1 Data Protection Standards.61
3.4.2.2 Security Standards.66
3.5 Conclusion.69
4 Hospital Structure and Processes.74
4.1 Overview.74
4.2 Organizational Perspective.75
4.2.1 Functional Orientation.80
4.2.2 Specialty Orientation.81
4.2.3 Patient Orientation.83
4.3 Process Perspective.84
4.3.1 Administrative Processes.84
4.3.1.1 Intake.86
4.3.1.2 Financial and Utilization Management.86
4.3.1.3 Bed Utilization and Admission.87
4.3.1.4 Billing, Reimbursement, and Denial.87
4.3.2 Patient Care Processes.88
4.3.2.1 Observation.88
4.3.2.2 Diagnosis.89
4.3.2.3 Therapy.89
4.4 Informational Perspective.89
4.4.1 Intra-Organizational Information Flow.91
4.4.2 Inter-Organizational Information Flow.93
4.5 Conclusion.95
5 Health Information Systems.97
5.1 Overview.97
5.2 Domain Layer.103
5.3 Logical Layer.106
5.4 Physical Layer.113
5.5 Management Control.117
5.6 Conclusion.121
6 Information System Security.123
6.1 Overview.124
6.2 Objectives.128
6.2.1 Confidentiality.129
6.2.2 Integrity.130
6.2.3 Availability.130
6.2.4 Accountability.132
6.3 Threats.133
6.4 Technical Controls.137
6.4.1 Authentication.138
6.4.2 Authorization.141
6.4.3 Auditing.147
6.4.4 Non-Repudiation.149
6.4.5 Continuity.152
6.5 Management Controls.155
6.5.1 Normative Methods.156
6.5.1.1 ISO-BS.158
6.5.1.2 COBIT.161
6.5.1.3 BSI.164
6.5.1.4 NIST.167
6.5.2 Risk Analysis Methods.168
6.5.2.1 Quantitative Methods.169
6.5.2.2 Qualitative Methods.171
6.5.3 Evaluation Methods.172
6.5.3.1 Common Criteria.173
6.5.3.2 SSE-CMM.175
6.6 Conclusion.177
7 Research Methodology.181
7.1 Overview.181
7.2 Review of Literature.183
7.2.1 Information System Security Research.184
7.2.2 Information System Adoption Research.189
7.3 Research Design.194
7.3.1 Research Method.194
7.3.2 Data Collection.196
7.3.3 Data Analysis.198
7.4 Research Framework.199
7.4.1 Conceptual Framework.201
7.4.2 Formulation of Research Question I.204
7.4.3 Formulation of Research Question II.207
7.4.4 Formulation of Research Question III.209
8 Case Studies.213
8.1 Academic Medical Center (US1).214
8.1.1 Overview.214
8.1.2 Health Information System.214
8.1.3 Information System Security.217
8.1.3.1 Organizational Controls.217
8.1.3.2 Technical Controls.221
8.1.4 Analysis.225
8.1.4.1 Research Question I.225
8.1.4.2 Research Question II.226
8.1.4.3 Research Question III.229
8.2 Multi-Hospital Network (US2).230
8.2.1 Overview.230
8.2.2 Health Information System.230
8.2.3 Information System Security.233
8.2.3.1 Organizational Controls.233
8.2.3.2 Technical Controls.236
8.2.4 Analysis.240
8.2.4.1 Research Question I.240
8.2.4.2 Research Question II.242
8.2.4.3 Research Question III.244
8.3 Academic Medical Center (CH1).244
8.3.1 Overview.244
8.3.2 Health Information System.245
8.3.3 Information System Security.247
8.3.3.1 Organizational Controls.247
8.3.3.2 Technical Controls.250
8.3.4 Analysis.252
8.3.4.1 Research Question I.252
8.3.4.2 Research Question II.254
8.3.4.3 Research Question III.256
8.4 Multi-Hospital Network (CH2).257
8.4.1 Overview.257
8.4.2 Health Information System.257
8.4.3 Information System Security.260
8.4.3.1 Organizational Controls.260
8.4.3.2 Technical Controls.261
8.4.4 Analysis.263
8.4.4.1 Research Question I.263
8.4.4.2 Research Question II.264
8.4.4.3 Research Question III.266
8.5 Cross-Case Comparison.267
8.5.1 U.S. Hospitals.267
8.5.2 Swiss Hospitals.268
8.5.3 U.S. and Swiss Hospitals.269
8.6 Conclusions and Recommendations.274
9 Security Management Method.288
9.1 Overview.289
9.2 Definitions.291
9.3 Graph Model.294
9.3.1 Constraints.294
9.3.2 Attributes.295
9.3.3 Analysis.296
9.3.4 Example.298
9.4 Software Tool.301
9.4.1 Visualization.302
9.4.2 Nodes.303
9.4.3 Edges.305
9.4.4 Analysis.306
9.5 Conclusion.309
10 Summary and Outlook.311
Appendix A: Interview Guide Case Studies.316
Appendix B: Experts, Case Studies, Documents.320
Appendix C: SCMA Software Tool.321
Appendix D: Security Products and Prototypes.322
Bibliography.324
List of Figures
Figure 1-1: Structure of dissertation.8
Figure 2-1: Overview of the U.S. healthcare system.13
Figure 2-2: Overview of the Swiss health care system.24
Figure 3-1: Classification of affected data controllers (HIPAA).49
Figure 3-2: Classification of protected data objects (HIPAA).50
Figure 3-3: Security management process (HIPAA).54
Figure 3-4: Classification of affected data controllers (DSG).62
Figure 3-5: Classification of protected data objects (DSG).63
Figure 3-6: Security management process (VDSG).67
Figure 3-7: Comparison of security standards (VDSG, HIPAA).72
Figure 4-1: Exemplary organizational structure of a hospital.76
Figure 4-2: Stakeholders of health information systems.78
Figure 4-3: Functionally-oriented hospital organization.81
Figure 4-4: Specialism-oriented hospital organization.82
Figure 4-5: Patient-oriented hospital organization.83
Figure 4-6: Administrative hospital processes.85
Figure 4-7: Patient information confidentiality model.90
Figure 4-8: Exemplary intra-organizational information flow.92
Figure 4-9: Exemplary inter-organizational information flow.94
Figure 5-1: Synthesized health information system layers.102
Figure 5-2: Representation of the domain layer.104
Figure 5-3: Representation of the logical layer.107
Figure 5-4: Application integration on the logical layer.109
Figure 5-5: Integration architecture topologies.111
Figure 5-6: Representation of the physical layer.114
Figure 5-7: Representation of the control layer.118
Figure 5-8: Aspects of management control.119
Figure 6-1: Security properties, functions, and mechanisms.137
Figure 6-2: Model of access matrices.142
Figure 6-3: Model of role-based access control.145
Figure 6-4: Exemplary model of application auditing.149
Figure 6-5: Exemplary model of digital signature processes.150
Figure 6-6: Exemplary model of continuity methods.153
Figure 6-7: Management process of BS 7799-2.159
Figure 6-8: Management process of COBIT.162
Figure 6-9: Management process of BSI.165
Figure 6-10: Example of a qualitative risk assessment matrix.171
Figure 7-1: Classification of information system research approaches.182
Figure 7-2: Classification of information system security approaches.184
Figure 7-3: Classification of adoption and acceptance approaches.189
Figure 7-4: Convergence and non-convergence of multiple sources of evidence.197
Figure 7-5: Ladder of analytical abstraction.198
Figure 7-6: Conceptual framework.202
Figure 8-1: Organizational structure of US1.217
Figure 8-2: Security responsibilities of US1.219
Figure 8-3: Risk assessment process of US1.220
Figure 8-4: Process of assigning access rights of US1.223
Figure 8-5: Disaster recovery infrastructure of US1.224
Figure 8-6: Information system adoption and security capability of US1.228
Figure 8-7: Organizational structure of US2.231
Figure 8-8: Gap analysis of security policies and procedures of US2.235
Figure 8-9: Process of granting access rights of US2.237
Figure 8-10: Considered business recovery planning strategies of US2.239
Figure 8-11: Information system adoption and security capability of US2.243
Figure 8-12: Organizational structure of CH1.246
Figure 8-13: Information and application classification process of CH1.249
Figure 8-14: Application classification availability of CH1.252
Figure 8-15: Information system adoption and security capability of CH1.256
Figure 8-16: Organizational structure of CH2.258
Figure 8-17: Informal role creation process of CH2.262
Figure 8-18: Information system adoption and security capability of CH2.266
Figure 8-19: Organizational integration of the management of information systems.272
Figure 8-20: Assessment of health information system adoption.276
Figure 8-21: Phases of health information system adoption.277
Figure 8-22: Assessment of information system security capability.279
Figure 8-23: Phases of information system security capability.280
Figure 9-1: Graph theoretical model of computer security.290
Figure 9-2: Graph of the spreading of a worm.291
Figure 9-3: Undirected and directed graphs.292
Figure 9-4: Not oriented and oriented graphs.293
Figure 9-5: Graphs with and without loop.293
Figure 9-6: Graph and sub-graph.294
Figure 9-7: Graph-based model for an information entity.298
Figure 9-8: Software tool: Modeling and visualization screen.302
Figure 9-9: Software tool: XML policy file and its graphical representation.305
Figure 9-10: Software tool: Information system structure and security reports.307
Figure 9-11: Software tool: Degree and even weighting.309
List of Tables
Table 2-1: U.S. health care payers and expenses.14
Table 2-2: U.S. hospitals by ownership.17
Table 2-3: U.S. hospital admissions by ownership.18
Table 2-4: Swiss health care payers and expenses.25
Table 2-5: Swiss hospitals by categories.27
Table 2-6: Swiss hospitals by ownership.28
Table 2-7: Comparison of U.S. and Swiss health care systems.31
Table 3-1: Comparison of U.S. and Swiss health information regulations.70
Table 3-2: Comparison of U.S. and Swiss privacy and data protection principles.71
Table 5-1: Access types on the domain layer.105
Table 5-2: Access types on the logical layer.112
Table 5-3: Application component configurations on the physical layer.115
Table 6-1: Assessment of authentication methods.140
Table 6-2: Security policy principles for a clinical IS.144
Table 6-3: Properties of single sign-on systems.146
Table 6-4: Assessment of authorization methods.147
Table 6-5: Categories and controls of ISO 17799.160
Table 6-6: Categories and controls of COBIT.163
Table 6-7: Categories and controls of BSI.166
Table 6-8: Categories and controls of NIST.168
Table 6-9: Categories and controls of CC.174
Table 6-10: Categories and controls of SSE-CMM.176
Table 6-11: Assessment of management control methods.178
Table 7-1: Information system security research.188
Table 7-2: Health care information system adoption and user acceptance research.193
Table 7-3: Relevant situations for different research strategies.195
Table 8-1: Operating overview of US1.225
Table 8-2: Health information system adoption of US1.226
Table 8-3: Information system security capability of US1.227
Table 8-4: Operating environment of US2.240
Table 8-5: Health information system adoption of US2.241
Table 8-6: Information system security capability of US2.242
Table 8-7: Overview of CH1.253
Table 8-8: Health information system adoption of CH1.253
Table 8-9: Information system security capability of CH1.255
Table 8-10: Overview of CH2.263
Table 8-11: Health information system adoption of CH2.264
Table 8-12: Information system security capability of CH2.265
Table 8-13: U.S. and Swiss hospital comparison.274
Table 8-14: Recommendations for executive management.282
Table 8-15: Recommendations for IS security management.283
Table 8-16: Recommendations for assets.286
Table 9-1: Exemplary controls and calculation of single compliance factors.299
Table 9-2: Exemplary calculation of aggregated compliance factors.300
Table 9-3: Software tool: Node types.303
Table 9-4: Software tool: Node attributes.304
Table 9-5: Software tool: Security attributes.304
Table 9-6: Software tool: Edge types.306
Table 9-7: Software tool: Edge attributes.306
Table 9-8: Software tool: Analysis modes.308
any_adam_object | 1 |
any_adam_object_boolean | 1 |
author | Lüthi, Martin 1973- |
author_GND | (DE-588)135646545 |
author_facet | Lüthi, Martin 1973- |
author_role | aut |
author_sort | Lüthi, Martin 1973- |
author_variant | m l ml |
building | Verbundindex |
bvnumber | BV035158013 |
classification_rvk | ST 640 |
ctrlnum | (OCoLC)244627745 (DE-599)DNB989019667 |
dewey-full | 362.110285 |
dewey-hundreds | 300 - Social sciences |
dewey-ones | 362 - Social problems and services to groups |
dewey-raw | 362.110285 |
dewey-search | 362.110285 |
dewey-sort | 3362.110285 |
dewey-tens | 360 - Social problems and services; associations |
discipline | Informatik Soziologie |
discipline_str_mv | Informatik Soziologie |
edition | 1. Aufl. |
format | Thesis Book |
fullrecord | <?xml version="1.0" encoding="UTF-8"?><collection xmlns="http://www.loc.gov/MARC21/slim"><record><leader>00000nam a2200000 cb4500</leader><controlfield tag="001">BV035158013</controlfield><controlfield tag="003">DE-604</controlfield><controlfield tag="005">20090121</controlfield><controlfield tag="007">t</controlfield><controlfield tag="008">081113s2008 d||| m||| 00||| eng d</controlfield><datafield tag="015" ind1=" " ind2=" "><subfield code="a">08,A36,0673</subfield><subfield code="2">dnb</subfield></datafield><datafield tag="016" ind1="7" ind2=" "><subfield code="a">989019667</subfield><subfield code="2">DE-101</subfield></datafield><datafield tag="020" ind1=" " ind2=" "><subfield code="a">9783899366945</subfield><subfield code="c">kart. : EUR 56.00</subfield><subfield code="9">978-3-89936-694-5</subfield></datafield><datafield tag="024" ind1="3" ind2=" "><subfield code="a">9783899366945</subfield></datafield><datafield tag="035" ind1=" " ind2=" "><subfield code="a">(OCoLC)244627745</subfield></datafield><datafield tag="035" ind1=" " ind2=" "><subfield code="a">(DE-599)DNB989019667</subfield></datafield><datafield tag="040" ind1=" " ind2=" "><subfield code="a">DE-604</subfield><subfield code="b">ger</subfield><subfield code="e">rakddb</subfield></datafield><datafield tag="041" ind1="0" ind2=" "><subfield code="a">eng</subfield></datafield><datafield tag="049" ind1=" " ind2=" "><subfield code="a">DE-91G</subfield><subfield code="a">DE-945</subfield></datafield><datafield tag="082" ind1="0" ind2=" "><subfield code="a">362.110285</subfield><subfield code="2">22/ger</subfield></datafield><datafield tag="084" ind1=" " ind2=" "><subfield code="a">ST 640</subfield><subfield code="0">(DE-625)143686:</subfield><subfield code="2">rvk</subfield></datafield><datafield tag="084" ind1=" " ind2=" "><subfield code="a">360</subfield><subfield code="2">sdnb</subfield></datafield><datafield tag="100" ind1="1" ind2=" "><subfield code="a">Lüthi, Martin</subfield><subfield code="d">1973-</subfield><subfield code="e">Verfasser</subfield><subfield code="0">(DE-588)135646545</subfield><subfield code="4">aut</subfield></datafield><datafield tag="245" ind1="1" ind2="0"><subfield code="a">Information system security in health information systems</subfield><subfield code="b">exploratory research in US and Swiss acute-care hospitals</subfield><subfield code="c">Martin Lüthi</subfield></datafield><datafield tag="250" ind1=" " ind2=" "><subfield code="a">1. Aufl.</subfield></datafield><datafield tag="264" ind1=" " ind2="1"><subfield code="a">Lohmar ; Köln</subfield><subfield code="b">Eul</subfield><subfield code="c">2008</subfield></datafield><datafield tag="300" ind1=" " ind2=" "><subfield code="a">XIX, 366 S.</subfield><subfield code="b">graph. Darst.</subfield><subfield code="c">21 cm, 551 gr.</subfield></datafield><datafield tag="336" ind1=" " ind2=" "><subfield code="b">txt</subfield><subfield code="2">rdacontent</subfield></datafield><datafield tag="337" ind1=" " ind2=" "><subfield code="b">n</subfield><subfield code="2">rdamedia</subfield></datafield><datafield tag="338" ind1=" " ind2=" "><subfield code="b">nc</subfield><subfield code="2">rdacarrier</subfield></datafield><datafield tag="490" ind1="1" ind2=" "><subfield code="a">Reihe: Wirtschaftsinformatik</subfield><subfield code="v">59</subfield></datafield><datafield tag="502" ind1=" " ind2=" "><subfield code="a">Zugl.: Bern, Univ., Diss., 2008</subfield></datafield><datafield tag="650" ind1="0" ind2="7"><subfield code="a">Krankenhausinformationssystem</subfield><subfield code="0">(DE-588)4135634-2</subfield><subfield code="2">gnd</subfield><subfield code="9">rswk-swf</subfield></datafield><datafield tag="650" ind1="0" ind2="7"><subfield code="a">Computersicherheit</subfield><subfield code="0">(DE-588)4274324-2</subfield><subfield code="2">gnd</subfield><subfield code="9">rswk-swf</subfield></datafield><datafield tag="655" ind1=" " ind2="7"><subfield code="0">(DE-588)4113937-9</subfield><subfield code="a">Hochschulschrift</subfield><subfield code="2">gnd-content</subfield></datafield><datafield tag="689" ind1="0" ind2="0"><subfield code="a">Krankenhausinformationssystem</subfield><subfield code="0">(DE-588)4135634-2</subfield><subfield code="D">s</subfield></datafield><datafield tag="689" ind1="0" ind2="1"><subfield code="a">Computersicherheit</subfield><subfield code="0">(DE-588)4274324-2</subfield><subfield code="D">s</subfield></datafield><datafield tag="689" ind1="0" ind2=" "><subfield code="5">DE-604</subfield></datafield><datafield tag="830" ind1=" " ind2="0"><subfield code="a">Reihe: Wirtschaftsinformatik</subfield><subfield code="v">59</subfield><subfield code="w">(DE-604)BV004373821</subfield><subfield code="9">59</subfield></datafield><datafield tag="856" ind1="4" ind2="2"><subfield code="q">text/html</subfield><subfield code="u">http://deposit.dnb.de/cgi-bin/dokserv?id=3120891&prov=M&dok_var=1&dok_ext=htm</subfield><subfield code="3">Inhaltstext</subfield></datafield><datafield tag="856" ind1="4" ind2="2"><subfield code="m">HBZ Datenaustausch</subfield><subfield code="q">application/pdf</subfield><subfield code="u">http://bvbr.bib-bvb.de:8991/F?func=service&doc_library=BVB01&local_base=BVB01&doc_number=016965173&sequence=000002&line_number=0001&func_code=DB_RECORDS&service_type=MEDIA</subfield><subfield code="3">Inhaltsverzeichnis</subfield></datafield><datafield tag="943" ind1="1" ind2=" "><subfield code="a">oai:aleph.bib-bvb.de:BVB01-016965173</subfield></datafield></record></collection> |
genre | (DE-588)4113937-9 Hochschulschrift gnd-content |
genre_facet | Hochschulschrift |
id | DE-604.BV035158013 |
illustrated | Illustrated |
index_date | 2024-07-02T22:49:31Z |
indexdate | 2024-07-20T09:55:48Z |
institution | BVB |
isbn | 9783899366945 |
language | English |
oai_aleph_id | oai:aleph.bib-bvb.de:BVB01-016965173 |
oclc_num | 244627745 |
open_access_boolean | |
owner | DE-91G DE-BY-TUM DE-945 |
owner_facet | DE-91G DE-BY-TUM DE-945 |
physical | XIX, 366 S. graph. Darst. 21 cm, 551 gr. |
publishDate | 2008 |
publishDateSearch | 2008 |
publishDateSort | 2008 |
publisher | Eul |
record_format | marc |
series | Reihe: Wirtschaftsinformatik |
series2 | Reihe: Wirtschaftsinformatik |
spelling | Lüthi, Martin 1973- Verfasser (DE-588)135646545 aut Information system security in health information systems exploratory research in US and Swiss acute-care hospitals Martin Lüthi 1. Aufl. Lohmar ; Köln Eul 2008 XIX, 366 S. graph. Darst. 21 cm, 551 gr. txt rdacontent n rdamedia nc rdacarrier Reihe: Wirtschaftsinformatik 59 Zugl.: Bern, Univ., Diss., 2008 Krankenhausinformationssystem (DE-588)4135634-2 gnd rswk-swf Computersicherheit (DE-588)4274324-2 gnd rswk-swf (DE-588)4113937-9 Hochschulschrift gnd-content Krankenhausinformationssystem (DE-588)4135634-2 s Computersicherheit (DE-588)4274324-2 s DE-604 Reihe: Wirtschaftsinformatik 59 (DE-604)BV004373821 59 text/html http://deposit.dnb.de/cgi-bin/dokserv?id=3120891&prov=M&dok_var=1&dok_ext=htm Inhaltstext HBZ Datenaustausch application/pdf http://bvbr.bib-bvb.de:8991/F?func=service&doc_library=BVB01&local_base=BVB01&doc_number=016965173&sequence=000002&line_number=0001&func_code=DB_RECORDS&service_type=MEDIA Inhaltsverzeichnis |
spellingShingle | Lüthi, Martin 1973- Information system security in health information systems exploratory research in US and Swiss acute-care hospitals Reihe: Wirtschaftsinformatik Krankenhausinformationssystem (DE-588)4135634-2 gnd Computersicherheit (DE-588)4274324-2 gnd |
subject_GND | (DE-588)4135634-2 (DE-588)4274324-2 (DE-588)4113937-9 |
title | Information system security in health information systems exploratory research in US and Swiss acute-care hospitals |
title_auth | Information system security in health information systems exploratory research in US and Swiss acute-care hospitals |
title_exact_search | Information system security in health information systems exploratory research in US and Swiss acute-care hospitals |
title_exact_search_txtP | Information system security in health information systems exploratory research in US and Swiss acute-care hospitals |
title_full | Information system security in health information systems exploratory research in US and Swiss acute-care hospitals Martin Lüthi |
title_fullStr | Information system security in health information systems exploratory research in US and Swiss acute-care hospitals Martin Lüthi |
title_full_unstemmed | Information system security in health information systems exploratory research in US and Swiss acute-care hospitals Martin Lüthi |
title_short | Information system security in health information systems |
title_sort | information system security in health information systems exploratory research in us and swiss acute care hospitals |
title_sub | exploratory research in US and Swiss acute-care hospitals |
topic | Krankenhausinformationssystem (DE-588)4135634-2 gnd Computersicherheit (DE-588)4274324-2 gnd |
topic_facet | Krankenhausinformationssystem Computersicherheit Hochschulschrift |
url | http://deposit.dnb.de/cgi-bin/dokserv?id=3120891&prov=M&dok_var=1&dok_ext=htm http://bvbr.bib-bvb.de:8991/F?func=service&doc_library=BVB01&local_base=BVB01&doc_number=016965173&sequence=000002&line_number=0001&func_code=DB_RECORDS&service_type=MEDIA |
volume_link | (DE-604)BV004373821 |
work_keys_str_mv | AT luthimartin informationsystemsecurityinhealthinformationsystemsexploratoryresearchinusandswissacutecarehospitals |