Information assurance maturity in Saudi healthcare entities: a developed maturity framework and assessment instrument
Although the emergence of new technology in medical care settings has been lagging behind other sectors, particularly in information technology utilisation, medical institutions have recently realised the importance of having such systems to maintain their information as their primary asset. Hence, they have been investing in adopting health information systems (HIS) through standardising medical data to ensure better data quality and reliability. Recent research has shown that a high level of information assurance (IA) can preserve medical data, reduce risks to sensitive information and increase the efficiency of information security performance to ensure confidence within healthcare organisations overall. Hence, this research proposes a framework called the IAHCE (Information Assurance for Healthcare Entities) that aims to investigate the factors underpinning information asset assurance in healthcare entities to provide an appropriate framework for IA. The first iteration of the IAHCE framework was developed based on a critical review of published literature of IA studies together with an in-depth investigation of current information security management standards. The framework comprises three main areas – administrative, technical and legal – each of which is an umbrella of one or more of seven related main factors (Organisational Management, Culture, Risk Management, Security, Resilience, Dependability and Data Protection). IAHCE was validated and confirmed through two iterations of exploratory reviews with experts and practitioners. This has confirmed that all the proposed factors are significant for effectively adopting an IA strategy in the medical arena, except for minor modifications suggested by reviewers and validated through surveys with the practitioners.
The instrument (AssurHiS) was built as a practical implementation of the confirmed IAHCE that can help healthcare entities measure the IA maturity level of their information assets. It comprised 123 items under seven factors. Findings based on the adopted methods revealed that the factors included in the IAHCE for effective IA are important and statistically significant. The results of real case studies conducted using AssurHiS, including three healthcare entities, revealed that the AssurHiS could truly assess the IA maturity levels in the studied entities. The practicality and use of AssurHiS were also measured by experts who participated in the case studies. They unanimously agreed that it was useful, satisfactory and easy to use. This research is imperative, as it aims to define a generic evaluation model, applicable to all sizes of entities, by integrating all the control objectives found in the literature and the evolved information security standards. It bridges the theory–practice gap by applying AssurHiS and its items to a real-life case study. Hence, it is useful to both healthcare entities and researchers in similar domains.
University of Southampton
Almarshad, Fahdah, Ali A
66e33106-5bc5-4560-b358-8c0d424de4e6
Wills, Gary
3a594558-6921-4e82-8098-38cd8d4e8aa0
Almarshad, Fahdah, Ali A (2021) Information assurance maturity in Saudi healthcare entities: a developed maturity framework and assessment instrument. University of Southampton, Doctoral Thesis, 191pp.
Record type: Thesis (Doctoral)
Text
Fatima A Almarshad PhD cyber physical group 24_3_2022
- Version of Record
More information
Submitted date: June 2021
Identifiers
Local EPrints ID: 457186
URI: http://eprints.soton.ac.uk/id/eprint/457186
PURE UUID: 868f1466-6bdd-469b-8829-aa22ed5b460f
Catalogue record
Date deposited: 26 May 2022 16:34
Last modified: 17 Mar 2024 07:20
Contributors
Author: Fahdah, Ali A Almarshad
Thesis advisor: Gary Wills