
Health information security: a case study of three selected medical centers in Iran.

Nafiseh Hajrahimi, Sayed Mehdi Hejazi Dehaghani, Abbas Sheikhtaheri.

Abstract

UNLABELLED: Health Information System (HIS) is considered a unique factor in improving the quality of health care activities and cost reduction, but today with the development of information technology and use of internet and computer networks, patients' electronic records and health information systems have become a source for hackers.
METHODS: This study aims at checking the health information security of three selected medical centers in Iran using a compound fuzzy AHP and TOPSIS model. To achieve that, security measures were identified based on the research literature, and the decision-making matrix was built using experts' points of view.
RESULTS AND DISCUSSION: Among the 27 indicators, seven were selected as effective indicators, and the fuzzy AHP technique was used to determine the importance of the security indicators. Based on the comparisons made between the three selected medical centers to assess the security of health information, it is concluded that Chamran Hospital has the most acceptable level of security and attention in the three indicators of "verification and system design, user access management, access control system", Al-Zahra Hospital in the two indicators of "access management and network access control" and Amin Hospital in "equipment safety and system design". In terms of information security, Chamran Hospital ranked first, Al-Zahra Hospital ranked second and Al-Zahra Hospital has the third place.


Keywords:  Health Information Systems; Information Security; TOPSIS; fuzzy AHP

Year:  2013        PMID: 23572861      PMCID: PMC3610584          DOI: 10.5455/AIM.2012.21.42-45

Source DB:  PubMed          Journal:  Acta Inform Med        ISSN: 0353-8109


1. INTRODUCTION

Nowadays most modern health systems rely on computer networks to transfer data among users inside and outside the health care center (1-10). Legislation is needed to manage access to computer network resources; with this tool, access control policies can be managed in therapeutic organizations. The health care sector has changed a lot in how it provides health services. The changes made through the Internet and mobile technologies include remote health monitoring, online counseling, e-clinic portals, access to patients' information and tracking of individuals. Given these changes, it is predicted that by 2014 electronic health records (EHR) will be universal and will fit all health maintenance organizations (8). Based on a recent study, the US has been able to save 81 billion dollars using this electronic approach (11). Information technology has invested in health care, but it has made much less than the income earned in other industries. The evidence shows that the reason was insufficient security indicators and breaches in data security, and unfortunately the results were patients' dissatisfaction, psychological distress and social stigma (10). Advances in information technology and its compatibility with the healthcare industry have led to progress in health care, higher quality, lower health care cost and advances in medical science, but they have also increased potential information security risks (6). Also, the growth of digital medical records has made medical identity theft a magnet for hackers. In addition, a recent study in America showed that 75% of patients are concerned about unauthorized disclosure of their confidential information and its sharing on Web sites (12-16). Conscious disclosure of medical information is the second security gap created (9). Considering the results of previous studies, it was found that most researchers are interested in integrating different disciplines: for example, integrating psychology and sociology to explore the role of employees in information security risk management (1, 17-22), or integrating economics with information systems to identify investment decisions (23-25). Unfortunately, little research has sought to examine the risks and security gaps in health information systems, although the need is felt here more than in other industries.

1.1. Literature review

Khin Than Win concluded in his study that information security enhances patient confidentiality and leads to public interest in EHR use. He drew the conclusion that security technology cannot fully achieve these goals on its own and that many studies are still needed in this area (24). Fernando and Dawson studied clinical privacy and data security. For this purpose 26 medical centers were studied. They found security vulnerabilities in health information systems and showed that considering them can be effective in the security control of health care centers. In this study, the researchers examined the techniques involved in the software implementation of health information systems. In this paper, a set of software techniques was studied for user identification, authentication and access control. Encryption is introduced as a powerful tool to support the storage and transfer of data (15). In a study entitled "the impact of data security and privacy on remote health care applications", the researcher defines the role of security and privacy in the faster and better development of this technology. Telemedicine provides medical care through an active medium such as the Internet, mobile networks and satellite. The use of telemedicine devices largely depends on system security (25). As part of the IT industry, Cloud Computing is making rapid progress. Along with the benefits of this technology, credit risks exist. Thus, in this study the security and privacy risks of Cloud Computing have been discussed (19). Among studies of the security of health information, some research focused on technological solutions to protect the privacy of patients in the wired and wireless networks of a medical center (12). Other studies have investigated the impact of HIPAA standards (7, 21). Recently, many studies have been oriented toward new methods, such as methods based on quantitative research, economic analysis, and statistical models of patient privacy, public policy, risk management and the impact of Health Information Technology on medical errors (2, 14). To check the quality of healthcare with the aid of the AHP and TOPSIS approaches, two studies were done, entitled "Quality of health care services by using fuzzy AHP approach" and "approach combining the fuzzy AHP and fuzzy TOPSIS based on strategic review of electronic services quality in the health care industry" (3, 4).

2. METHODOLOGY

In terms of its objective, this research is applied (practical) research. Preliminary data were collected through a questionnaire. The study population included IT management staff in medical centers, IT management experts at Isfahan University of Medical Science and scholars in this field. To assess the safety of patient health information, 3 medical centers (Amin Hospital, Chamran Hospital and Al-Zahra Hospital) were chosen (their HIS run under Windows, and some on the Web, and are produced by various companies). The sample is composed of 40 people. The scientific validity of the questionnaire was determined by a group of academic experts. The reliability of the questionnaire was calculated at around 0.916 using Cronbach's alpha. The information security evaluation in each medical center was calculated with a hybrid model of fuzzy AHP and TOPSIS.

2.1. Multi Criteria Decision Approaches

Multi-criteria decision-making is a mathematical model and refers to a problem-solving approach which is used to choose one option among a limited number of options (17). MADM methods are known to facilitate the application procedure, and compound approaches can preserve this strength and create multiple sources of knowledge (18). To achieve more efficient decisions, this study uses a compound AHP and fuzzy TOPSIS approach so that each approach compensates for the weaknesses of the other. The underlying logic of the TOPSIS method is to define the positive ideal solution and the negative ideal solution (23), and it is based on the fact that the option selected has the shortest distance from the ideal solution. The positive and negative ideal solutions are hypothetical solutions in which all index values are equal to the maximum and minimum index values in the database (17). In summary, the positive ideal solution consists of the best available values of the measures and the negative ideal solution consists of the worst available values of the measures (23). Because the measured variables are linguistic variables, we use the theory of fuzzy AHP. Each question is answered on a five-point Likert scale. For each option (very high, high, moderate, low, very low), a triangular membership function is defined in the range of zero to 100, as shown in Table 1. The procedure is then explained step by step. The health information security evaluation framework is shown in Figure 1.

Table 1. Membership function of triangular fuzzy numbers

| Value | Membership function | Five-grade Likert |
|---|---|---|
| 9 | (40,70,100) | Very High |
| 7 | (30,60,90) | High |
| 5 | (20,50,80) | Average |
| 3 | (10,40,70) | Low |
| 1 | (0,30,60) | Very Low |

Figure 1. Information security framework for the study of selected medical centers.

Step One: Determine the fuzzy number of each index based on the extension principle. At this stage, the numbers are added together and the average is calculated. Eij can be displayed as a triangular fuzzy number. The three-point triangular number is calculated as follows:

Step Two: Change the fuzzy values into defuzzified ones based on the center. Then we use the TOPSIS method.

Step Three: Quantify the decision matrix and make it scale-free (N), using Norm scaling.

Step Four: Obtain the weighted scale-free matrix (V): the scale-free matrix (N) is multiplied by the diagonal matrix of weights (Wn*n), that is:

Step Five: Determine the positive ideal solution (Vj+) and the negative ideal solution (Vj):
The vector of the best values of each index of the matrix: v + j = v
The vector of the worst values of each index of the matrix: v + j = v

Step Six: Calculate the distance of each variable to the positive and negative ideals:
Calculating the Euclidean distance of each alternative to the positive ideal
Calculating the Euclidean distance of each alternative to the negative ideal

Step Seven: Determine the relative proximity (CL*) of an alternative to the ideal solution:

Step Eight: Rank the options: any option that has a larger CL* is better.

Determining the indicators of health information security

Based on a study of the literature and interviews with the designers and managers of health information systems, 27 indicators were selected, which are presented in Table 2. In the next step, to identify the effective criteria, a questionnaire with a five-point Likert scale was created and distributed, and then analyzed by t-test. Among the 27 indicators, 7 indexes gained more than 3 points (values less than three are not important) and were selected as effective indicators, which are shown in Table 3.

Table 2. Indicators of health information systems security

Indicators
Management commitment to safety information
Independent review of safety information
Safety of third-party access
Independent contractor
Independent contractor
Classified information
Audit
Inclusion of safety requirements in job responsibilities
User training
Security Incident Response
Safety Equipment
Operational procedures and responsibilities
Verification and system design
Network Management
Media handling and safety
Exchange of information
Audit logging
Access control policy
User access management
Network access control
Access control system
Access control systems
Control access to applications
Functional immune system
Immune system files
Safety in the development and support processes
Cryptographic controls

Table 3. Impact indicators

Impact indicators
Safety Equipment
Verification and system design
User access management
Network access control
Cryptographic controls
Safety in the development and support processes
Access control system

The used model

For each variable, there are answers from all respondents, each of which is a triangular fuzzy number. Table 4 shows the fuzzy performance criteria. So far, the weight of each indicator and the security situation of each center on each index have been determined. Because the performances are in fuzzy form, these values must be defuzzified. To turn the fuzzy numbers into crisp numbers, the center of area method is used. The absolute values of the security indicators in the health centers are shown in Table 5. We are now at a stage where we can use the TOPSIS method. We use the TOPSIS method with the weights derived from the AHP method and the absolute values of the security measures in the health care centers. In the first step, we change the decision matrix into a scale-free one. This is performed using the Norm technique. The scale-free decision matrix is shown in Table 6. The weight of each index is then calculated with the entropy technique. The following table shows the weight of each indicator after using the entropy technique. After that, we prepare the weighted scale-free values. To achieve that, we multiply the scale-free matrix by the square matrix (Wn*n) whose main diagonal elements are the weights of the indicators and whose other elements are zero. The outcome of this operation is shown below. In the next step we obtain the positive and negative ideal solutions for each index. The positive and negative ideal values are as follows:

Table 4. Fuzzy performance criteria of three health centers

| Indicators of health information systems security evaluation | Amin (C) | Shahid Chamran (B) | Al-Zahra (A) |
|---|---|---|---|
| Safety Equipment | (26.54,42.35,52.44) | (27.63,44.87,52.54) | (26.54,35.23,47.12) |
| Verification and system design | (37.98,43.23,55.36) | (41.32,52.98,4775) | (48.87,32.91,42.56) |
| User access management | (27.11,32.65,41.99) | (23.65,39.78,45.96) | (48.23,55.34,36.98) |
| Network access control | (37.45,44.23,51.98) | (42.53,56.32,68.9) | (53.32,47.65,39.45) |
| Cryptographic controls | (39.3,48.22,58.45) | (37.54,39.64,55.45) | (71.65,42.87,56.52) |
| Safety in the development and support processes | (39.35,63.24,71.24) | (42.51,59.87,73.36) | (73.74,66.21,45.35) |
| Access control system | (53.21,63.22,71.45) | (35.64,42.33,59.87) | (42.32,56.69,73.54) |

Table 5. The absolute values of security indicators of three health centers

| Indicators of health information systems security evaluation | Amin (C) | Shahid Chamran (B) | Al-Zahra (A) |
|---|---|---|---|
| Safety Equipment | 64.69 | 60.30 | 61.57 |
| Verification and system design | 62.64 | 61.95 | 48.67 |
| User access management | 65.75 | 65.50 | 61.10 |
| Network access control | 54.91 | 62.86 | 62.63 |
| Cryptographic controls | 56.70 | 63.51 | 64.95 |
| Safety in the development and support processes | 62.31 | 65.61 | 63.69 |
| Access control system | 61.02 | 63.93 | 62.20 |

Table 6. Scale values of the decision matrix (columns X1 to X7 are the critical indicators)

| Treatment centers | X1 | X2 | X3 | X4 | X5 | X6 | X7 |
|---|---|---|---|---|---|---|---|
| A | 0.401 | 0.203 | 0.497 | 0.572 | 0.570 | 0.290 | 0.379 |
| B | 0.562 | 0.814 | 0710 | 0.477 | 0.684 | 0.676 | 0.758 |
| C | 0.723 | 0.543 | 0.497 | 0.667 | 0.456 | 0.676 | 0.530 |

I+ = [0.072, 0.341, 0.227, 0.260, 0.362, 0.145, 0.103]
I- = [0.0401, 0.085, 0.159, 0.186, 0.241, 0.062, 0.051]

In the next step, the distance of each alternative from the positive and negative ideals is obtained. The values are as follows:

Di+ = [0.547, 0.075, 0.328]
Di- = [0.061, 0.307, 0.195]

In the fifth and sixth steps, the relative closeness of each alternative to the ideal solution is calculated and the C values are ranked. Results are shown below.
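
Steps five to eight of the procedure, recomputed from the weighted matrix the paper prints as Table 8, as an added example that is not part of the original paper. It assumes all seven indicators are benefit criteria (larger is better) and maps rows A, B, C to Al-Zahra, Shahid Chamran and Amin as in Tables 4 and 9; the function names are hypothetical.

```python
import math

# Weighted scale-free decision matrix V, copied from Table 8 of the paper.
# Rows: A (Al-Zahra), B (Shahid Chamran), C (Amin); columns X1..X7.
TABLE_8 = {
    "A": [0.0401, 0.085, 0.159, 0.223, 0.302, 0.062, 0.051],
    "B": [0.056, 0.341, 0.227, 0.186, 0.362, 0.145, 0.103],
    "C": [0.072, 0.228, 0.159, 0.260, 0.241, 0.145, 0.072],
}


def ideal_solutions(v):
    """Step five: column-wise best and worst values.

    Assumption: every indicator is a benefit criterion, so best = max.
    """
    cols = list(zip(*v.values()))
    return [max(c) for c in cols], [min(c) for c in cols]


def euclidean(a, b):
    """Step six: Euclidean distance between two index vectors."""
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def topsis_rank(v):
    """Steps five to eight: [(name, d_plus, d_minus, closeness)], best first."""
    if len({len(row) for row in v.values()}) != 1:
        raise ValueError("all alternatives need the same number of indicators")
    pos, neg = ideal_solutions(v)
    rows = []
    for name, row in v.items():
        d_plus, d_minus = euclidean(row, pos), euclidean(row, neg)
        total = d_plus + d_minus
        # Identical alternatives give 0/0; report closeness 0 in that case.
        closeness = d_minus / total if total else 0.0
        rows.append((name, d_plus, d_minus, closeness))
    # Step eight: a larger CL* is better.
    return sorted(rows, key=lambda r: r[3], reverse=True)


if __name__ == "__main__":
    for name, dp, dm, cl in topsis_rank(TABLE_8):
        print(f"{name}: D+={dp:.3f} D-={dm:.3f} CL*={cl:.3f}")
```

The ideal vectors reproduce the printed I+ and I-, and the resulting order B, C, A agrees with Table 9; the recomputed distances and CL* values do not all match the printed figures.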

3. DISCUSSION

In this study, the subjective judgments of decision makers in the process of paired comparisons, together with critical indicators related to information security, were used to assess the information security of medical centers. Comparing the current results and the ranking provided makes the strengths of this model clear. One of the important results of this study is proof of the superior diagnostic ability of the hybrid approach compared with the non-hybrid approach (TOPSIS). The comparisons made using the conceptual model will be very useful to medical centers and other research institutions in making better decisions. As a result of this study, the information security situation at these centers was determined, and each of them, according to the rating it received, should consider appropriate measures to maintain or enhance its status.

4. CONCLUSIONS

In the proposed approach, fuzzy theory was used to determine the security measures. A compound decision model was used to rank the selected medical centers (Al-Zahra, Chamran, Amin), and according to it Chamran Hospital was ranked first, Al-Zahra was ranked second and Al-Zahra was ranked third. Medical centers with a higher grade should have a convenient way to maintain the security of health information, and weaker institutions should try to have more powerful centers. The decision-making model of the current study was used to rank health care centers with regard to the safety of health information. This model can be used in all decisions to rank health care centers.

Table 7. Weights of the indicators related to health information security (entropy technique)

| Treatment centers | X1 | X2 | X3 | X4 | X5 | X6 | X7 |
|---|---|---|---|---|---|---|---|
| WJ | 0.100 | 0.420 | 0.032 | 0.039 | 0.053 | 0.215 | 0.136 |

Table 8. Scale values of the weighted decision matrix (columns X1 to X7 are the critical indicators)

| Treatment centers | X1 | X2 | X3 | X4 | X5 | X6 | X7 |
|---|---|---|---|---|---|---|---|
| A | 0.0401 | 0.085 | 0.159 | 0.223 | 0.302 | 0.062 | 0.051 |
| B | 0.056 | 0.341 | 0.227 | 0.186 | 0.362 | 0.145 | 0.103 |
| C | 0.072 | 0.228 | 0.159 | 0.260 | 0.241 | 0.145 | 0.072 |

Table 9. Rankings of medical centers in terms of security measures

| Medical centers | Ranking | The relative proximity (C) |
|---|---|---|
| Shahid Chamran | 1 | C2=0.815 |
| Amin | 2 | C3=0.385 |
| Al-Zahra | 3 | C1=0.145 |

1.  Can electronic medical record systems transform health care? Potential health benefits, savings, and costs.

Authors:  Richard Hillestad; James Bigelow; Anthony Bower; Federico Girosi; Robin Meili; Richard Scoville; Roger Taylor
Journal:  Health Aff (Millwood)       Date:  2005 Sep-Oct       Impact factor: 6.301

2.  A review of security of electronic health records.

Authors:  Khin Than Win
Journal:  Health Inf Manag       Date:  2005       Impact factor: 3.185

3.  A computational model to protect patient data from location-based re-identification.

Authors:  Bradley Malin
Journal:  Artif Intell Med       Date:  2007-06-01       Impact factor: 5.326
