Thursday, 07 December 2017 12:12

Hospital Information Systems Security



There has been increased effort to promote electronic ways of managing healthcare information. However, information system security appears to be the most significant concern hindering the shift to electronic management of health information. The term information security refers to the integrity, confidentiality and availability of information (Peltier, Peltier & Blacklet, 2004). This paper examines the fundamental concepts and principles of information systems security.

Fundamental Concepts of Information Systems Security

As the definition shows, information security has three fundamental goals: confidentiality, integrity, and availability of information. Confidentiality is concerned with ensuring that private information is not disclosed to unauthorized persons. This principle seeks to ensure that information that is meant to be private remains private. A large portion of healthcare information is private. This includes patients’ personal data, the organization’s financial records, insurance records, employee records and many others. Unauthorized access to this information can have devastating consequences not only for individuals but also for the organization (Peltier, Peltier & Blacklet, 2004). There are various threats to the confidentiality of information, including poor administration of systems, insecure networks, social engineering, intrusion, and malware.

Integrity refers to the correctness, completeness, origin, and trustworthiness of information, as well as the proper management of information (Peltier, Peltier & Blacklet, 2004). The principle of integrity seeks to ensure that the information stored in the system is trustworthy and to prevent improper modification of that information. Availability is also a vital pillar of information security. The availability pillar is concerned with ensuring that authorized users of information can access and use the information. Efforts to guard the integrity and confidentiality of information will be meaningless if the authorized users of information cannot access or use it. Therefore, a balanced interaction between these three principles of information security is vital.

The Principles Associated with Information Security

The main focus of an information security system is to safeguard the integrity, availability and confidentiality of information. This goal is achieved through three main processes: identification, authentication, and authorization (Brinkley & Schell, 2004). The identification process seeks to establish who the prospective user is whenever they try to access information. The identification process is carried out on a daily basis by both computerized systems and humans. For instance, the hospital administrator may ask the patient to produce a social security number when services are requested. Identification systems differ from one institution to the next. In an electronic information system, identification is mainly done through usernames or user IDs.

The authentication process is concerned with verifying the identity provided by the prospective user at the identification stage (Peltier, Peltier & Blacklet, 2004). Similarly, different settings have different authentication mechanisms. In a context involving face-to-face banking, a written signature is often used as the mode of authentication. In electronic systems, passwords and PINs are often used as the mode of authentication. The authorization process provides access to the person who declares an identity and correctly proves that identity at the authentication stage. While the identification and authentication processes focus on protecting the integrity and confidentiality of information, the authorization process focuses on protecting the availability of information (Brinkley & Schell, 2004). However, the authorization process may also protect integrity and confidentiality where it entails granting different levels of authorization.

Security Concepts, Principles and Models

  1. Least Privilege

There are various universal information security concepts, principles and models. The principle of least privilege is one of these universal concepts. The principle of least privilege suggests that, in order to protect the integrity, availability and confidentiality of information, an organization should not assign more privilege than is required to complete a task when authorizing access to information (Peltier, Peltier & Blacklet, 2004). This is a preventive control measure because it reduces exposure of information by reducing the number of privileges. For instance, employees of the finance department may be granted access only to information relating to the hospital’s finances and denied access to patients’ personal data and medical history.
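As an added illustration, not taken from the paper or the works it cites, the following Python sketch walks through the three processes described above (identification by user ID, authentication by password, authorization by role) and applies least privilege to the finance-department example. The users, passwords, roles and record categories are constructed for the example.

```python
import hashlib
import hmac
import os

# Constructed record categories for a hospital information system.
RECORD_CATEGORIES = {"finance", "patient_personal", "patient_medical"}

# Least privilege: each role is granted only the categories its task needs.
# A finance clerk sees finance records but no patient data (hypothetical roles).
ROLE_PERMISSIONS = {
    "finance_clerk": {"finance"},
    "physician": {"patient_personal", "patient_medical"},
    "registration": {"patient_personal"},
}

def hash_password(password, salt):
    """Salted PBKDF2 so stored credentials are not plaintext passwords."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def make_user(password, role):
    salt = os.urandom(16)
    return {"salt": salt, "hash": hash_password(password, salt), "role": role}

# Constructed user directory: user ID (identification) -> credential and role.
USERS = {
    "jdoe": make_user("correct horse", "finance_clerk"),
    "asmith": make_user("battery staple", "physician"),
}
_DUMMY = make_user("unused", "none")  # hashed even for unknown IDs (uniform timing)

def authenticate(user_id, password):
    """Identification (look up the user ID), then authentication (verify password)."""
    user = USERS.get(user_id, _DUMMY)
    candidate = hash_password(password, user["salt"])
    if user_id not in USERS or not hmac.compare_digest(candidate, user["hash"]):
        return None
    return user["role"]

def authorize(role, category):
    """Authorization: permit only what the role's least-privilege set includes."""
    if category not in RECORD_CATEGORIES:
        raise ValueError(f"unknown record category: {category}")
    return category in ROLE_PERMISSIONS.get(role, set())

def access_record(user_id, password, category):
    role = authenticate(user_id, password)
    if role is None:
        return "denied: authentication failed"
    if not authorize(role, category):
        return f"denied: role {role} has no access to {category}"
    return f"granted: {user_id} may read {category}"
```

Denials for a wrong password and for an unknown user ID are deliberately identical, so a caller cannot tell which of the two failed.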

  2. Defense in Depth

The doctrine of defense in depth recommends that an organization should not have just one layer of security when it comes to guarding the security of information (Brinkley & Schell, 2004). The defense system should have multiple protection mechanisms.

  3. Cost-Benefit Analysis

The principle of cost-benefit-analysis advocates that organizations compare the benefits associated with developing a particular security mechanism with the cost associated with this development (Peltier, Peltier & Blacklet, 2004). The costs should not exceed the benefits.

  4. Compartmentalization

The principle of compartmentalization advocates for use of compartments while storing data so as to limit losses in the event of a security breach (Brinkley & Schell, 2004). In essence, the principle argues against “carrying all eggs in one basket” when it comes to creating an information system.

  5. Segregation of Duty

The principle of segregating duties requires an organization to assign different responsibilities to different people when it comes to the access and protection of data (Peltier, Peltier & Blacklet, 2004). The rationale behind segregation of duty is to ensure that no single person has control over all functions and information within the organization. This principle also advocates rotation of duties.

Security Management and Education for the Personnel

Information system security has a technology element and a human element. Many organizations fail because they focus on the technical elements and ignore the human elements (Roper, Grau & Fischer, 2006). Human elements must also be addressed in order to ensure effective management of information security. Human elements in information security are best addressed through policy and education. The organization needs to develop clear policies regarding the use of health information, as well as the responsibility of each person in protecting the security of information. The policies should also identify the consequences for employees who do not adhere to the organization’s policies.

Education for the personnel is also a vital component of security management. It is not enough to formulate policies. These policies will have little meaning if employees are not aware that they exist or how to implement them (Roper, Grau & Fischer, 2006). Thus, education programs should focus on familiarizing employees with the organization’s information security policies, as well as best practices in managing healthcare information. The education programs should engage employees on issues relating to the protection of organizational information. The programs should also focus on updating the skills and knowledge of employees on information security matters.

Cryptography and Access Control

Cryptography is one of the mechanisms used to protect the confidentiality of information in information systems. Cryptography entails developing secret codes that are often used for authentication purposes (Kessler, 2014). Cryptography is a popular mechanism for protecting information that is held in electronic formats. Examples of cryptography include passwords, secret words, and PINs.

Another mechanism used to protect the confidentiality of information is access control. This mechanism seeks to limit the number of people who have access to information (Brinkley & Schell, 2004). Restricting the number of persons who have the right to use the information reduces its exposure and thus reduces the chances of disclosure. Access control also helps to guard the integrity of information by preventing unauthorized modification.


Information system security is concerned with protecting the integrity, confidentiality, and availability of information. In order to realize these information security goals, organizations rely on the processes of identification, authentication, and authorization. Other principles applied in the management of information system security include the principle of least privilege, defense in depth, cost-benefit analysis, segregation of duty, and compartmentalization. Managing the human element within the organization is also a vital component in managing the security of information systems.


References

Brinkley, D., & Schell, R. (2010). Concepts and Terminology for Computer Security. Retrieved from

Kessler, G. (2014). An Overview of Cryptography. Retrieved from

Peltier, T., Peltier, J., & Blacklet, J. (2004). Information Security Fundamentals. USA: CRC Press.

Roper, C., Grau, J., & Fischer, L. (2006). Security Education, Awareness, and Training. USA: Butterworth-Heinemann.

Prof. Richard Brixton
