Highlights from risk analysis of information security at a local GP office
At the beginning of 2003 a risk analysis of the information security at a GP
office connected to a regional health care network was performed. A team
consisting of representatives from NST, the GP office and the regional
healthcare network carried out the risk analysis. The presentation will focus on
important issues revealed during the risk analysis.
The GP office where the risk analysis was performed is of medium size. Six doctors and five secretaries work at the office, which is responsible for primary health care for approximately 10,000 patients. The office uses an electronic health care record (EHR) system that covers nearly all of its needs with respect to documentation of patient treatment, including appointment booking. The office receives electronic reports and laboratory results from hospitals, and the doctors also use some telemedicine consultation services. The EHR system also serves some small remote branch offices, which are connected to the office's local network via the regional health care network. Technical support for the local network and the information system at the GP office is outsourced.

The legal framework for security in the health care sector, and the security requirements that follow from it, will be briefly presented. To comply with the Norwegian Personal Data Act, every enterprise that processes personal data which forms part of, or is intended to form part of, a personal data filing system is obliged to document a control system for information security. This is a challenge for GP offices, and as part of the risk analysis an example of such a control system was drawn up. The main structure of this control system will be presented.

Finally, examples of typical security threats against GP offices connected to a regional (or national) health care network will be presented. These include threats arising from giving users Internet and e-mail access from the same computer they use to access the EHR system, threats related to web-based telemedicine services, and threats of intrusion from other customers or actors in the regional health care network or from the Internet.
The presentation will also give examples of important organisational and awareness issues related to information security.