<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE article  PUBLIC "-//NLM//DTD Journal Publishing DTD v3.0 20080202//EN" "http://dtd.nlm.nih.gov/publishing/3.0/journalpublishing3.dtd"><article xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink" dtd-version="3.0" xml:lang="en" article-type="research article"><front><journal-meta><journal-id journal-id-type="publisher-id">JIS</journal-id><journal-title-group><journal-title>Journal of Information Security</journal-title></journal-title-group><issn pub-type="epub">2153-1234</issn><publisher><publisher-name>Scientific Research Publishing</publisher-name></publisher></journal-meta><article-meta><article-id pub-id-type="doi">10.4236/jis.2012.32020</article-id><article-id pub-id-type="publisher-id">JIS-18830</article-id><article-categories><subj-group subj-group-type="heading"><subject>Articles</subject></subj-group><subj-group subj-group-type="Discipline-v2"><subject>Computer Science&amp;Communications</subject></subj-group></article-categories><title-group><article-title>
 
 
  A Tree Model for Identification of Threats as the First Stage of Risk Assessment in HIS
 
</article-title></title-group><contrib-group><contrib contrib-type="author" xlink:type="simple"><name name-style="western"><surname>hmad</surname><given-names>Bakhtiyari Shahri</given-names></name><xref ref-type="aff" rid="aff1"><sup>1</sup></xref><xref ref-type="corresp" rid="cor1"><sup>*</sup></xref></contrib><contrib contrib-type="author" xlink:type="simple"><name name-style="western"><surname>Zuraini</surname><given-names>Ismail</given-names></name><xref ref-type="aff" rid="aff2"><sup>2</sup></xref><xref ref-type="corresp" rid="cor1"><sup>*</sup></xref></contrib></contrib-group><aff id="aff2"><addr-line>Advanced Informatics School, Universiti Teknologi Malaysia, Johor Bahru, Malaysia</addr-line></aff><aff id="aff1"><addr-line>Faculty of Computer Science and Information Systems, Universiti Teknologi Malaysia, Johor Bahru, Malaysia</addr-line></aff><author-notes><corresp id="cor1">* E-mail:<email>bsahmad2@live.utm.my(HBS)</email>;<email>zurainisma@ic.utm.my(ZI)</email>;</corresp></author-notes><pub-date pub-type="epub"><day>26</day><month>04</month><year>2012</year></pub-date><volume>03</volume><issue>02</issue><fpage>169</fpage><lpage>176</lpage><history><date date-type="received"><day>January</day>	<month>22,</month>	<year>2012</year></date><date date-type="rev-recd"><day>February</day>	<month>24,</month>	<year>2012</year>	</date><date date-type="accepted"><day>March</day>	<month>28,</month>	<year>2012</year></date></history><permissions><copyright-statement>&#169; Copyright  2014 by authors and Scientific Research Publishing Inc. </copyright-statement><copyright-year>2014</copyright-year><license><license-p>This work is licensed under the Creative Commons Attribution International License (CC BY). http://creativecommons.org/licenses/by/4.0/</license-p></license></permissions><abstract><p>
 
 
  Security remains to be a critical issue in the safe operation of Information Systems (IS). Identifying the threats to IS may lead to an effective method for measuring security as the initial stage for risk management. Despite many attempts to classify threats to IS, new threats to Health Information Systems (HIS) remains a continual concern for system developers. The main aim of this paper is to present a research agenda of threats to HIS. A cohesive completeness study on the identification of possible threats on HIS was conducted. This study reveals more than 70 threats for HIS. They are classified into 30 common criteria. The abstraction was carried out using secondary data from various research databases. This work-in-progress study will proceed to the next stage of ranking the security threats for assessing risk in HIS. This classification of threats may provide some insights to both researchers and professionals, who are interested in conducting research in risk management of HIS security.
 
</p></abstract><kwd-group><kwd>Health Information System; Threat; Security</kwd></kwd-group></article-meta></front><body><sec id="s1"><title>1. Introduction</title><p>As the European Union has acknowledged, “innovation is important in today’s society, but it should not go at the expense of people’s fundamental right to privacy” [<xref ref-type="bibr" rid="scirp.18830-ref1">1</xref>]. An effective information security program includes a combination of human and technological controls to prevent loss of data, accidental or deliberate unauthorized activity, and illegal access to data [<xref ref-type="bibr" rid="scirp.18830-ref2">2</xref>].</p><p>However use of information and communication technology (ICT) in healthcare has created the electronic health environment and electronic health information is the core of an electronic health system that is managed by ICTs [<xref ref-type="bibr" rid="scirp.18830-ref3">3</xref>]. In addition because healthcare information technology has different potential to improve the quality of care and efficiency and it can also reduce medical costs and save lives so, it is currently one of the important factors for major innovations and is used in widespread around the world [<xref ref-type="bibr" rid="scirp.18830-ref4">4</xref>]. Therefore, if an E-health system guarantees privacy and security of patients it will succeed [<xref ref-type="bibr" rid="scirp.18830-ref5">5</xref>].</p><p>In recent years number of threats in health information systems (HIS) area has increased dramatically and lack of adequate security measures has caused in numerous data breaches, leaving patients vulnerable to economic threats, mental anguish and maybe social stigma. [<xref ref-type="bibr" rid="scirp.18830-ref6">6</xref>]. For example, between the years of 2006 to 2007 in hospitals alone, occurred exposing of more than 1.5 million names during data breaches [<xref ref-type="bibr" rid="scirp.18830-ref7">7</xref>]. In addition, result of 2010 Healthcare Information and Management Systems Society Security Survey suggests that the reports of more than 110 healthcare organizations have shown the loss of sensitive Protected Health Information or Personal Identifying Information affected over 5,306,000 individuals since January 2008. They were received as theft (stolen laptops, computers, or media), loss or negligence by employees or third parties, malicious insiders, system hacks, web exposure, and virus attacks [<xref ref-type="bibr" rid="scirp.18830-ref8">8</xref>]. So, storage information in electronic format increases the concerns about the security and privacy of patients [<xref ref-type="bibr" rid="scirp.18830-ref9">9</xref>]. Another study has shown that healthcare information systems of accidental events and deliberate action threats are two parameters that can severely damage HIS reliability and have negative effects on HIS [<xref ref-type="bibr" rid="scirp.18830-ref10">10</xref>]. However, poor organization of security measures, lack of an integrated security assessment architecture and framework and low aware&#173;ness of risk analysis practices also need particular attention. As in developed countries standards of framework use in place. For example, using ISO/IEC 27002 (ISO 27799:2008) or the Health Insurance Portability and Accountability Act (HIPAA) in the healthcare environment in protecting computerized information assets [<xref ref-type="bibr" rid="scirp.18830-ref11">11</xref>].</p><p>By understanding the threats to health information security, the organization can better protect its information assets and strengthen the level of protection of information in health information system. Therefore management of E-Health information needs to identify the threats for an effective framework by considering the comprehensive incorporation of confidentiality, integrity and availability to be the core principles of information security. This raises major challenges that require new exhaustively attitudes such as a wide variety of policies, ethical, psychological, information and security procedures [5,12]. Hence the objective of this paper attempt to provide an up-to-date categorize of threats to healthcare assets.</p></sec><sec id="s2"><title>2. Review and Role of Identification of Threats in Information Security Risk Management</title><p>Risk assessment requires an understanding of the threat sources, threat action and how that sources can be exploited vulnerability in a health information asset [<xref ref-type="bibr" rid="scirp.18830-ref4">4</xref>]. Although identifying of threats in information system is crucial stage in risk management [<xref ref-type="bibr" rid="scirp.18830-ref13">13</xref>] and discussion about privacy and security [<xref ref-type="bibr" rid="scirp.18830-ref12">12</xref>] has long been a major subject in the social science and business press, there has been controversy about lacking a systematic investigation to identify and categorize various sources of threats of information security and privacy in academic literature [<xref ref-type="bibr" rid="scirp.18830-ref6">6</xref>].</p><p><xref ref-type="fig" rid="fig1">Figure 1</xref> shows a conceptual framework for implementing of information security in HIS. This figure was adopted from works of Z. Ismail, et al. [<xref ref-type="bibr" rid="scirp.18830-ref14">14</xref>] and A. Yasinsac, et al. [<xref ref-type="bibr" rid="scirp.18830-ref15">15</xref>]. It was further adapted to include inputs, output, and also process of some steps. Based on ISO/IEC27002 [<xref ref-type="bibr" rid="scirp.18830-ref16">16</xref>] risk assessment is a critical strategy and identification</p></sec></body><back><ref-list><title>References</title><ref id="scirp.18830-ref1"><label>1</label><mixed-citation publication-type="other" xlink:type="simple">National Science Foundation, “Changing the Conduct of Science in the Information Age,” 2011.</mixed-citation></ref><ref id="scirp.18830-ref2"><label>2</label><mixed-citation publication-type="other" xlink:type="simple">H. Jahankhani, et al., “Security Risk Management Strategy: Handbook of Electronic Security and Digital Forensics,” World Scientific, New Jersey, London and Singapore, 2009, p. 237.</mixed-citation></ref><ref id="scirp.18830-ref3"><label>3</label><mixed-citation publication-type="other" xlink:type="simple">K. M. Albert, “Integrating Knowledge-Based Resources into the Electronic Health Record: History, Current Status, and Role of Librarians,” Medical Reference Services Quarterly, Vol. 26, No. 3, 2007, pp. 1-19. 
doi:10.1300/J115v26n03_01</mixed-citation></ref><ref id="scirp.18830-ref4"><label>4</label><mixed-citation publication-type="other" xlink:type="simple">J. P. Landry, et al., “A Threat Tree for Health Information Security and Privacy,” Proceedings of the 17th American Conference on Information Systems, Detroit, 4-8 August 2011.</mixed-citation></ref><ref id="scirp.18830-ref5"><label>5</label><mixed-citation publication-type="other" xlink:type="simple">C. A. Shoniregun, et al., “Introduction to e-Healthcare Information Security,” Electronic Healthcare Information Security, Vol. 53, 2010, pp. 1-27. 
doi:10.1007/978-0-387-84919-5_1</mixed-citation></ref><ref id="scirp.18830-ref6"><label>6</label><mixed-citation publication-type="other" xlink:type="simple">A. Appari and M. E. Johnson, “Information Security and Privacy in Healthcare: Current State of Research,” International Journal of Internet and Enterprise Management, Vol. 6, No. 4, 2010, pp. 279-314. 
doi:10.1504/IJIEM.2010.035624</mixed-citation></ref><ref id="scirp.18830-ref7"><label>7</label><mixed-citation publication-type="other" xlink:type="simple">HIMSS, “Kroll-HIMSS Analytics 2010 Report on Security of Patient Data,” 2008. </mixed-citation></ref><ref id="scirp.18830-ref8"><label>8</label><mixed-citation publication-type="other" xlink:type="simple">HIMSS, “Kroll-HIMSS Analytics 2010 Report on Security of Patient Data,” 2010. </mixed-citation></ref><ref id="scirp.18830-ref9"><label>9</label><mixed-citation publication-type="other" xlink:type="simple">G. N. Samy, et al., “Threats to Health Information Security,” Proceedings of the 5th International Conference on Information Assurance and Security of the IEEE IAS, Xi’an, 8-20 August 2009, pp. 540-543. 
doi:10.1109/IAS.2009.312</mixed-citation></ref><ref id="scirp.18830-ref10"><label>10</label><mixed-citation publication-type="other" xlink:type="simple">S. Kahn and V. Sheshadri, “Medical Record Privacy and Security in a Digital Environment,” IT Professional, Vol. 10, No. 2, 2008, pp. 46-52. doi:10.1109/MITP.2008.34</mixed-citation></ref><ref id="scirp.18830-ref11"><label>11</label><mixed-citation publication-type="other" xlink:type="simple">G. N. Samy, et al., “Security Threats Categories in Healthcare Information Systems,” Health Informatics Journal, Vol. 16, No. 3, 2010, pp. 201-209. 
doi:10.1177/1460458210377468</mixed-citation></ref><ref id="scirp.18830-ref12"><label>12</label><mixed-citation publication-type="other" xlink:type="simple">S. Samsuri, et al., “User-Centered Evaluation of Privacy Models for Protecting Personal Medical Information,” Informatics Engineering and Information Science, Vol. 251, 2010, pp. 301-309. doi:10.1007/978-3-642-25327-0_26</mixed-citation></ref><ref id="scirp.18830-ref13"><label>13</label><mixed-citation publication-type="other" xlink:type="simple">A. Ekelhart, et al., “AURUM: A Framework for Information Security Risk Management,” Proceedings of the 42nd Hawaii International Conference on System Sciences, Hawaii, 5-8 January 2009, pp. 1-10. 
doi:10.1109/HICSS.2009.595</mixed-citation></ref><ref id="scirp.18830-ref14"><label>14</label><mixed-citation publication-type="other" xlink:type="simple">Z. Ismail, et al., “Framework to Manage Information Security for Malaysian Academic Environment,” Information Assurance &amp; Cybersecurity, Vol. 2010, 2010, 16 p. doi:10.5171/2010.305412</mixed-citation></ref><ref id="scirp.18830-ref15"><label>15</label><mixed-citation publication-type="other" xlink:type="simple">A. Yasinsac and J. H. Pardue, “A Process for Assessing Voting System Risk Using Threat Trees,” Journal of Information Systems Applied Research, Vol. 4, No. 1, 2010, pp. 4-16.</mixed-citation></ref><ref id="scirp.18830-ref16"><label>16</label><mixed-citation publication-type="other" xlink:type="simple">R. Gomes and L. V. Lap?o, “The Adoption of IT Security Standards in a Healthcare Environment,” Studies in Health Technology and Informatics, Vol. 136, 2008, pp. 765-770.</mixed-citation></ref><ref id="scirp.18830-ref17"><label>17</label><mixed-citation publication-type="other" xlink:type="simple">M. Sumner, “Information Security Threats: A Comparative Analysis of Impact, Probability, and Preparedness,” Information Systems Management, Vol. 26, No. 1, 2009, pp. 2-12. doi:10.1080/10580530802384639</mixed-citation></ref><ref id="scirp.18830-ref18"><label>18</label><mixed-citation publication-type="other" xlink:type="simple">W. H. Maisel and T. Kohno, “Improving the Security and Privacy of Implantable Medical Devices,” New England Journal of Medicine, Vol. 362, 2010, pp. 1164-1166. 
doi:10.1056/NEJMp1000745 </mixed-citation></ref><ref id="scirp.18830-ref19"><label>19</label><mixed-citation publication-type="other" xlink:type="simple">D. Kotz, “A Threat Taxonomy for mHealth Privacy,” Proceedings of the 3rd International Conference on Communication Systems and Networks of the IEEE COMSNETS, Bangalore, 4-8 January 2011, pp. 1-6. 
doi:10.1109/COMSNETS.2011.5716518</mixed-citation></ref><ref id="scirp.18830-ref20"><label>20</label><mixed-citation publication-type="other" xlink:type="simple">J. H. Pardue and P. Patidar, “Thrats to Healthcare Date: A Threat Tree for Risk Assessment,” Issues in Information Systems, 5-8 October 2011.</mixed-citation></ref><ref id="scirp.18830-ref21"><label>21</label><mixed-citation publication-type="other" xlink:type="simple">R. Power, “CSI/FBI Computer Crime and Security Survey: Computer Security Institute,” SCI &amp; FBI, 2002.</mixed-citation></ref><ref id="scirp.18830-ref22"><label>22</label><mixed-citation publication-type="other" xlink:type="simple">T. C. Rindfleisch, “Privacy, Information Technology, and Health Care,” Communications of the ACM, Vol. 40, No. 8, 1997, pp. 92-100. doi:10.1145/257874.257896</mixed-citation></ref><ref id="scirp.18830-ref23"><label>23</label><mixed-citation publication-type="other" xlink:type="simple">G. Stonebumer, et al., “Risk Management Guide for Information Technology Systems,” National Institute of Standards and Technology, 2002.</mixed-citation></ref><ref id="scirp.18830-ref24"><label>24</label><mixed-citation publication-type="other" xlink:type="simple">M. E. Whitman, “Enemy at the Gate: Threats to Information Security,” Communications of the ACM, Vol. 46, 2003, No. 8, pp. 91-95. doi:10.1145/859670.859675</mixed-citation></ref><ref id="scirp.18830-ref25"><label>25</label><mixed-citation publication-type="other" xlink:type="simple">M. E. Whitman, “In Defense of the Realm: Understanding the Threats to Information Security,” International Journal of Information Management, Vol. 24, No. 1, 2004, pp. 43-57. doi:10.1016/j.ijinfomgt.2003.12.003</mixed-citation></ref><ref id="scirp.18830-ref26"><label>26</label><mixed-citation publication-type="other" xlink:type="simple">M. E. Whitman and H. J. Mattord, “The Enemy Is still at the Gates: Threats to Information Security Revisited,” Proceedings of the 2010 Information Security Curriculum Development Conference, Kennesaw, 1-3 October 2010, pp. 95-96. doi:10.1145/1940941.1940963</mixed-citation></ref><ref id="scirp.18830-ref27"><label>27</label><mixed-citation publication-type="other" xlink:type="simple">M. E. Whitman and H. J. Mattord, “Principles of Information Security,” Course Technology Ptr, Boston, 2011.</mixed-citation></ref><ref id="scirp.18830-ref28"><label>28</label><mixed-citation publication-type="other" xlink:type="simple">R. Richardson, “CSI Computer Crime and Security Survey,” Computer Security Institute, 2008, pp. 1-30.</mixed-citation></ref><ref id="scirp.18830-ref29"><label>29</label><mixed-citation publication-type="other" xlink:type="simple">G. N. Samy, et al., “Health Information Security Guidelines for Healthcare Information Systems,” Zurich, 8-9 September 2011, p. 10.</mixed-citation></ref></ref-list></back></article>