Data surety adventure direction for computerized wellness entropy systems in hospitals: a suit survey of Iran

1 Wellness Info Direction, Wellness Direction and Economics Explore Centre, Civilise of Wellness Direction and Ip, Iran University of Checkup Sciences, Tehran, Islamic Commonwealth of Iran

2 Wellness Info Direction Section, Civilize of Wellness Direction and Informatics, Iran University of Aesculapian Sciences, Tehran, Islamic Commonwealth of Iran

Symmetry: Farahnaz Sadoughi, Section of Wellness Data Direction, Shoal of Wellness Direction and Info Sciences, Iran University of Aesculapian Sciences, No 6, Rashidi Yasemi Street, Vali-e Asr Boulevard, Tehran 1995614111, Islamic Democracy of Iran, Tel +98 21 8879 4302, Fax +98 21 8888 3334, Netmail

Copyright 2016 Zarei and Sadoughi. This study is promulgated and licenced by Squab Aesculapian Jam Circumscribed

The wide-cut footing of this permission are uncommitted at p


In late age, hospitals in Iran interchangeable to those in over-the-counter countries sustain experient development use of computerized wellness info systems (CHISs), which gambol a substantial use in the operations of hospitals. But, the major gainsay of CHIS use is data protection. This discipline attempts to judge CHIS entropy surety chance direction at hospitals of Iran.

Materials and methods

This applied work is a descriptive and cross-section explore that has been conducted in 2015. The information were poised from 551 hospitals of Iran. Based on lit reassessment, experts ruling, and observations at cinque hospitals, our intensifier questionnaire was intentional to measure protection hazard direction for CHISs at the interested hospitals, which was so sent to all hospitals in Iran by the Ministry of Wellness.

Ilxx percentage of the studied hospitals engage data surety policies and procedures in accord with Iran Hospitals Accreditation Standards. At approximately hospitals, hazard recognition, danger rating, and jeopardy idea, too as peril handling, are amorphous without any specified access or methodology. Thither is no meaning integrated overture to hazard direction at the studied hospitals.


Data surety adventure direction is not followed by Irans hospitals and their entropy certificate policies. This job can causa a plurality of challenges for their CHIS certificate in futurity. Consequently, Irans Ministry of Wellness should acquire virtual policies to meliorate data certificate adventure direction in the hospitals of Iran.

Keywords: info protection, hazard direction, wellness info systems, infirmary


In late age, zoom of info and communicating technologies and increasing pressures for reduction healthcare costs, up healthcare lineament, ensuring patient refuge, and reduction checkup mistakes birth led to increasing use of computerized wellness entropy systems (CHISs) in healthcare organizations.1 3 Presently, use of CHIS is a canonical demand for any healthcare constitution such as hospitals.4 CHIS refers to any adps capturing, storing, managing, and transmittal personal or organisational wellness entropy in healthcare sectors.5 One of the major challenges of CHIS use is data certificate.6 8 Patients personal wellness data contained in the CHIS is considered the virtually secret personal info that should be saved.9 Electronic wellness info transcription increases the hazard of unauthorised entree and revealing of entropy. In pillowcase of wildcat revealing of data, patients, practitioners, and hospitals see grave problems.10

Computerized entropy systems of organizations are faced with a diversity of inner and extraneous threats, which can crusade dissimilar types of indemnity.11 They can birth contrary effects on organisational operations, info assets, individuals, organizations, and subject areas of studies.12 So, info protection is important for organisational selection, minimisation of threats endangering organisational operations, and security of confidentiality, wholeness, and availableness of entropy.13 ,14 The independent accusative of data protection is implementing earmark restraint measures for eliminating or minimizing the impacts of unlike organisational security-related threats and organisational vulnerabilities.15 The principal inquiry is how data protection can be efficaciously and economically enforced in organizations. The result is Data Surety Chance Direction (ISRM).16

ISRM is a integrated and uninterrupted summons with the determination of identifying, evaluating, and minimizing roughly types of risks, besides as achieving earmark acceptableness.17 ISRM is really crucial for organisational successful info certificate programs for the next reasons.18 Kickoff, entropy certificate risks are not ceaseless o'er clip and variegate contingent the weather of the organizations, maturation and changes in the data organisation, new users, etc..19 ISRM is one of the slipway to dilute the veto gremlin of risks on the organisation.20 Secondment, done hazard direction, organizations can center resources of speculative areas and can supervise them by victimization allow and mensurable slipway piece constrictive risks pretty.21 3rd, one of the characteristics of a successful protection programme is costbenefit psychoanalysis of the effectuation of info surety controls. This precise psychoanalysis is performed by the chance direction treat.16 ,19

In Iran, a infirmary is the primary healthcare constitution.22 Olibanum, one of the major pieces of wellness data is recorded at hospitals. In the retiring 10, CHIS has been progressively exploited by Irans hospitals. Consequently, clinical, fiscal, and administrative activities of hospitals are progressively contingent the execution of the CHIS, as compared with the preceding.23 Consequently, ensuring info certificate in these systems is of essential grandness for the hospitals. Nevertheless, in late geezerhood, CHIS certificate at Irans hospitals has faced greater challenges. In 2014, for the determination of reduction world costs of healthcare, a wellness rectify project was enforced as one of the major policies of the new regime.24 Consequently, hospitals are needful to link their infirmary info arrangement programs to the Iranian scheme of electronic wellness records (SEPAS arrangement) done the Net. Connecter done populace Cyberspace meshwork well increases the risks of wildcat admission to data; interim, approximately findings unwrap deficiency of specified rules on confidentiality of patient entropy in electronic wellness systems of hospitals.25 Furthermore, in late geezerhood, due to the disputes concerning Irans atomic plan and Irans disagreements with Westerly countries and approximately of the Centre E countries, Irans estimator info arrangement has been uncovered to cyber threats, such as the Net viruses Stuxnet and Flare.26 28 These viruses, according to many data certificate experts in the mankind, are real composite and cannot easy be confronted.27 ,29 In 2014, the data protection firms Kaspersky Lab and Symantec reported an innovative espionage malware (Regin), one of whose quarry countries was Iran.30 ,31

Considering the entropy certificate risks at Irans hospitals and grandness of ISRM in reduction and minimizing inauspicious effects of data protection risks, too as the strength of the data surety programs in hospitals, this work investigates the ISRM condition at hospitals of Iran. Findings of this survey can cater a comp purview of the ISRM post and its office in wellness data protection policies of hospitals and can assist researchers and insurance makers concerned in ISRM in healthcare.

Materials and methods

This applied enquiry is a descriptive cross-section discipline conducted in 2015. All combat-ready hospitals in Iran (until Revered 2014) were studied. In the initiative, the inquiry cat's-paw for the appraisal of ISRM spot in the hospitals of Iran was intentional. To pattern the cat's-paw, key processes of ISRM were identified by victimisation the lit reexamination in related info sources. The collected information included guidelines, frameworks, standards, and methodologies for data certificate chance judgement and chance direction, late studies on ISRM in the hospitals, and early documents related ISRM.

Respective hunt engines and databases such as Google Student, Establish of Electric and Electronics Engineers Digital Library, Connexion for Calculation Machinery Digital Library, and PubMed were searched to receive the relevant documents. Documents were identified by the next keywords: Info certificate endangerment direction and Entropy certificate chance appraisal, combined with the footing Criterion, Method, Simulation, Fabric, Guidepost, and Outdo recitation or Infirmary, and Wellness in English terminology. We jailed our explore to documents promulgated from 2000 to 2014. Comprehension criteria for selecting resources included the pursual: 1) handiness of documents in English words and 2) release admittance to full-text documents. Non-full-text articles and documents were excluded. Lit was reviewed to information intensity layer. When leastwise a chance judgement and direction summons rationale appears in phoebe retrieved sources, including articles, books, standards, guidelines, and methodologies, it was considered information chroma grade. The information vividness grade was set based on trey experts judging (specializer in info certificate peril direction). Sample was not performed, and all the relevant lit, retrieved based on comprehension criteria, were evaluated.

A checklist was exploited to distill capacity from retrieved documents. In summate, the particular guidelines, standards, and methodologies for info surety chance appraisal and danger direction were as follows: Outside Touchstone Organisation/Outside Electrotechnical Mission (ISO/IEC) 27005,32 Interior Establish of Standards and Engineering Especial Issue 800-30 (NIST SP 800-30),12 Operationally Vital Terror, Plus, and Exposure Rating (OCTAVE) allegro,33 Method for Harmonised Psychoanalysis of Danger (MEHARI),34 ,35 Metodologia de Analisis y Gestion de Riesgos de los Sistemas de Informacion (MAGRIT),36 it (IT)-Grundschutz,37 It Surety Guidance- IT certificate danger direction: a lifecycle approach-33 (ITSG-33),38 Protection Officers Direction Psychoanalysis Externalise (SOMAP),39 Menace Factor Endangerment Judgement (TARA),40 CORAS,41 Scourge Exposure and Hazard Psychoanalysis (TVRA),42 Constituent Psychoanalysis of Entropy Jeopardy (Sightly) Psychoanalysis (O-RA),43 and Reflection des Besoins et Designation des Objectifs de Scurit (EBIOS)44 ; and outside standards of data certificate direction (ISM), including ISO/IEC 1779945 and ISO 27799,46 were identified and surveyed. Furthermore, 8 studies related entropy protection jeopardy appraisal and chance direction in infirmary,47 54 one account,55 and one book56 were retrieved and reviewed. In the indorsement footprint, key processes of ISRM were extracted from the retrieved literatures. Design 1 shows these stages.

Key operation of info protection chance direction.

In the one-third tone, based on results of the late leg, wellness info direction and reckoner experts opinions, and observations of the phoebe selected hospitals, a comp mannikin was intentional to valuate the condition of ISRM for computerized wellness entropy systems, including quartet distinguishable parts all-embracing ecumenical info roughly hospitals, specifications of computerized wellness info systems, info certificate incidences, and self-assessment checklist of ISRM. Its message rigor was confirmed by 12 experts of wellness entropy direction, checkup ip, it (IT), and figurer technology (leash professionals per arena of bailiwick). These scholars were selected on the cornerstone of their old study see in the hospitals IT departments or their intimacy with the construction of the IT section in the hospitals of Iran. For information solicitation, this questionnaire and its guidepost were sent to all 908 combat-ready hospitals in Iran by the Ministry of Wellness of Iran. To hit any potential equivocalness, an direction shroud was affiliated to this questionnaire, explaining all sections. The hospitals were selected with heed to their CHIS diligence, such as infirmary info organization, Electronic Anamnesis, Patients Access and Release Systems, etcetera. Hospitals that did not use CHIS at the meter of this search were excluded. To alleviate and hasten the collecting of information, this manikin was situated electronically in the prescribed Website (portal) of the Ministry of Wellness of Iran and hospitals were asked to registry the relevant info in the aforesaid Website.

Aft information collecting, master psychoanalysis was conducted in decree to fix the defects and chastise the entropy. So, hospitals were asked done a sec ball missive to contract fulfill to chasten the fault. The self-contained information were analyzed by victimization descriptive statistics (frequence) in Surpass 2003 package.

Honourable issues

The cogitation was sanctioned by the Surrogate of Inquiry and Engineering of the Iran University of Checkup Sciences, Tehran, Iran.

Entropy related the studied hospitals

Out of 908 combat-ready hospitals in Iran, 551 hospitals (60.7%) participated in the discipline. Two hospitals were scope up CHIS at the sentence of this inquiry. Thence, they were excluded from the cogitation and 549 hospitals (60.5%) were studied. The highest pct of involution in the work was related the hospitals attached to the Checkup Sciences Universities ( Board 1 ).

Dispersion of hospitals in Iran that participated in the cogitation

IT force in the studied hospitals

Well-nigh of the hospitals (540 instances, 98.5%) had IT force. Conversely, they had Boss Info Protection Officers (CISOs). On ordinary, one IT force existed per 77 figurer systems and too per 84 bed counts in the infirmary.

Entropy certificate policies and procedures in hospitals

Thither were approximately policies and procedures for info surety in 379 hospitals (69%). Solitary in octad hospitals (1.4%), these policies and procedures were provided based on particular data certificate standards such as ISO/IEC 27001. Additionally, all of these hospitals had a fabric for ISM. Early hospitals chased Iranian Hospitals Accreditation Standards. Alone octad hospitals had a fabric for ISRM, of which 7 hospitals enforced surety policies and procedures of particular data protection standards. None of the hospitals had a taxonomical overture for ISRM ( Tabularise 2 ).

Policies and procedures for data certificate in hospitals

Outgrowth of info certificate endangerment recognition at hospitals

Among the primary activities of entropy surety peril designation, lonesome recognition of assets, designation of threats, and controller psychoanalysis were performed consistently in a few hospitals; these hospitals took ISM into retainer. At about hospitals, thither was no episode among the subactivities related info protection endangerment designation, 1, the activities were performed unrelated to their premature buy essays online uk cheap and subsequent activities. Completely, the obtained findings indicated the deficiency of a taxonomical attack for jeopardy designation. Among the subactivities related info certificate adventure designation, the highest oftenness was related data assets recognition (415 instances; Tabulate 3 ).

Data surety endangerment recognition in hospitals

Appendage of entropy surety jeopardy psychoanalysis and rating at hospitals

None of the subactivities related the operation of info protection danger psychoanalysis and valuation was performed consistently at the selected hospitals. Although hazard rating was not carried out in hospitals, 124 hospitals attempted to prioritise the data certificate risks ( Tabularize 4 ).

Info certificate chance psychoanalysis and rating in hospitals

Processes of data surety chance discourse and endangerment sufferance at hospitals

No comp contrive was conducted for reduction entropy surety risks. The briny attack of hospitals to danger discussion was chance simplification, on with execution of introductory entropy surety safeguards. None of the subactivities related the processes of entropy protection chance handling and acceptation in hospitals was performed consistently ( Postpone 5 ).

Data surety peril discussion and adventure toleration in hospitals

Balance endangerment espousal and moderation occurred sole in six hospitals, which effected ISM policies and procedures based on particular info surety standards.

Communication and share-out chance direction results at hospitals

Communication and share-out of hazard direction results were not ascertained in any of the hospitals.

ISRM monitoring and reviewing at hospitals

Info surety policies and procedures, too as execution of ascendence measures, were unceasingly monitored and reviewed at 146 hospitals and 142 hospitals, severally, though it was not through consistently ( Board 6 ).

Uninterrupted monitoring and reviewing of ISRM in hospitals


The results establish miss of a taxonomical and comp advance to ISRM at the studied hospitals. Although approximately activities are conducted for adventure designation, chance rating, and endangerment discussion, they are not consistently integrated, 1, the hospitals do not use the specialised methodologies or standards for ISRM. Thus, thither is no cohesiveness betwixt the activities related ISRM at well-nigh hospitals. ISRM is a taxonomic, integrated, and uninterrupted treat, done which respective mutualist stairs are interpreted, and the activities of apiece footmark are unnatural by the results of the former degree.55 Without followers a taxonomic and integrated method, precise chance appraisal and direction is not potential. Thence, diverse standards, methodologies, and tools are highly-developed ended the humanity by world and secret organizations, agencies, and dissimilar companies for info surety peril appraisal and direction.55 57

Just a little turn of hospitals prosecute ISRM model; yet, they are not consistently integrated. Shaping a fabric for adventure direction is one of the initial stairs of execution of the ISRM summons.55 The model maturation specifies scopes of hazard direction activeness, compulsory resources, key stakeholders, and limitations and boundaries of the chance direction treat and likewise makes a part to the ISRM serve.32 Deficiency of adventure direction fabric at Irans hospitals indicates impuissance of entropy protection policies and procedures. Info certificate policies are highly-developed in conformism with Iranian Hospitals Accreditation Standards. Consequently, hospitals are duty-bound to develop policies and procedures for key processes in apiece section.58 But these standards are rattling modified, undefined, and uncompleted, as compared with particular standards, rules, or guidelines for info protection, and do not binding many of the significant details and processes of info protection.

Lonesome in a minor routine of hospitals, this insurance was formulated based on exceptional standards of data surety, such as ISO/IEC 27001. All these hospitals had a fabric for ISRM. Data certificate standards such as the ISO 2700X serial render an earmark fabric for organisational ISM.59 Victimization measure methods for ISM and ISRM is of gravid grandness. Although Iran is a phallus of the ISO and ISO 2700X standards bear been recognised as the interior standards of Iran, hospitals do not use these standards due to the miss of particular internal laws on wellness data certificate. One of the reasons for this trouble is failing of major policies and rules associated with the wellness entropy certificate of Iran. Approximately studies break that rules of wellness entropy in Iran let approximately defects.60 In many highly-developed countries such as Australia61 and the US,62 thither are internal regulations, standards, and guidelines for wellness entropy surety, particularly in the electronic surroundings. These rules furnish healthcare organizations and former stakeholders with a comp and reproducible stand regarding entropy surety. In increase, these rules bit a comp guidepost for implementing data protection programs in healthcare organizations.48 In gain, IT organization and the IT section construction of Irans hospitals feign upon this job. The explore carried out by Shahi63 at ten hospitals of Iran demonstrates no model for IT organisation and IT section construction at the studied hospitals. Additionally, the findings discover that thither are problems with the IT section force, info surety procedures, and IT insurance qualification.63 IT organization has a gravid encroachment on the entropy surety policies of the arrangement. The chief reward of existent data governing in an constitution is innovation of an organisational standpoint toward data surety.64 According to ISO 27799 standards, thither should be an organisational standpoint toward data surety at hospitals. Data surety necessarily to be an organisational activeness with the involvement of all employees. Entropy governing should be interconnected with clinical organization.46 In their chance psychoanalysis modeling for infirmary, Sunyaev and Pflug65 too punctuate on the obligation of the infirmary direction in the info surety summons. The briny trouble of the IT section construction at Irans hospitals is the IT force. In none of the hospitals is the style of CISO much specified in the organisational construction of the IT section. CISO has a key character in ISM in an arrangement.66 Endangerment direction, exposure judgment, and direction of entropy surety are all CISO skills.67 Moreover, ISRM is a composite and specialised treat and hence, for applying the major info surety adventure judgement and direction methodologies, specialised noesis of the administrator squad, including the IT force, is needful.55 Tavakoli et al68 expose that the hospitals selected by them were not associate with particular data surety standards.

The winner of ISRM depends on recognition of all risks and, well-nigh significantly, psychoanalysis and finding of apiece peril storey. Contingent the chance exemplar put-upon, risks are identified by deciding peril factors such as assets, threats, exposure, likeliness of occurrent, and consequences.52 This discipline shows that determinant the likeliness of happening and psychoanalysis of brownie are carried out in less than tierce of the hospitals. Furthermore, adventure psychoanalysis and valuation are not really carried out in the hospitals. Deciding likeliness of happening and psychoanalysis of shock birth an significant function in constructing the scenario for peril incidence and hazard decision.37 Peril psychoanalysis and valuation cast the footing for hazard prioritizationas swell as deciding roughly adventure discourse.69 In plus, determinant likeliness of happening, impingement psychoanalysis, and hazard psychoanalysis and rating ask the use of accurate quantitative or qualitative methods because it is more complicated, as compared with former stages of endangerment direction. Consequently, a form of tools, examples, and methods are commonly provided in adventure judgement and direction standards and methodologies for their precise measuring.55 One ground for this failing at the studied hospitals could be miss of particular methodologies and standards for hazard judgment and direction. Another studies likewise bespeak a failing in ISRM in hospitals.54 ,70

The master coming of hospitals for endangerment decrease is execution of introductory controller measures of info certificate, which includes a set of direction, technological, and strong-arm preservation for data protection auspices. Around of the studies besides argue the execution of staple ascendancy measures of entropy surety.68


Thither is a large length betwixt activities carried out in Iran for ISRM and the usual and received activities of ISRM in pattern. Thither is no capture and touchstone access to ISRM at Irans hospitals. This bailiwick suggests exploitation particular entropy certificate standards such as ISO 2700x serial as an efficacious method in the lawsuit of ISRM execution. Considering the deficiency of particular internal laws for wellness entropy aegis in Iran, ISRM should be addressed comprehensively in a inspection of Iranian Hospitals Accreditation Standards. For a bettor functioning of these cases, they should follow as practically as potential with the standards of ISO 2700x serial such as ISO 27799.

To helper in adventure computation, based on the methodologies and specialised tools of entropy protection endangerment appraisal and peril direction, a programme should be intentional by the Ministry of Wellness of Iran to cipher the jeopardy and this should be made uncommitted to the hospitals. Furthermore, hospitals should be asked to programme their ISM based on master standards of data protection such as ISO 2700x serial.


This field was portion of a PhD thesis supported by the Iran University of Checkup Sciences (concede bit IUMS/SHMIS-1391/489). The authors thank the Post of Infirmary Direction and Clinical Overhaul Excellency, Vice-Chancellor for Handling, and the Ministry of Wellness of Iran for contributions to the discipline.