
https://jiae.ub.ac.id/


ASSESSING INFORMATION SECURITY RISKS IN CLINICAL LABORATORY IN ACCORDANCE WITH ISO/IEC 27001 STANDARD

Eddy Susanto (1), Nilo Legowo (2), Benny Ady Prabowo (3)

(1, 2, 3) Information Systems Management Department, Bina Nusantara University, Jakarta, Indonesia

Corresponding author:

[email protected]

Abstract

Purpose

This study aims to assess the information security risks that still arise in a clinical laboratory accredited to ISO 15189 and certified to ISO 9001, as a preparation for digital-based services.

Design/methodology/approach

Using the ISO/IEC 27001 approach embedded in the qualitative method of this study, the risk assessment is carried out through identification, analysis and evaluation, based on interviews with process owners at a clinical laboratory in Jakarta.

Findings

As a result, it was found that the Busdev&IT Department had the most information security risks (35 of the 384 risks in total) that required further treatment according to the established risk appetite. Vigilance over the use of information systems in the laboratory therefore needs to be increased with respect to information security.

Research limitations/implications

The research object was in the preparation stage for ISO 27001 certification; however, the risk assessment is intended not only to comply with the requirements, but also to establish effective information security controls across its processes so that sensitive information is secured.

Originality/value

This study answers the need to establish information security risk controls in clinical laboratories.

Keywords: ISO/IEC 27001, Information Security, Clinical Laboratory, Risk Management.

ARTICLE HISTORY

Received: August 20, 2023. Published: August 31, 2023.

HOW TO CITE

Susanto, E., Prabowo, B. A. & Legowo, N. (2023). Assessing Information Security Risks in Clinical Laboratory in Accordance with ISO/IEC 27001 Standard. Journal of Indonesian Applied Economics, 11(2), 206-216.

DOI: doi.org/10.21776/ub.jiae.2023.011.02.8


1. INTRODUCTION

Recently there have been many incidents involving the disclosure of confidential data. Moreover, with the issuance of the personal data protection law, many companies, especially those that become controllers and/or processors of personally identifiable information, will become aware of the importance of improving information security across their systems. Information security risk can cause disruption to business processes, damage to reputation and financial losses (Suroso & Fakhrozi, 2018). It is often found that both workers and information security professionals misinterpret risk: they sometimes take it lightly, or map out the risk in so much detail that they disregard its severity, since risk assessment tends to be subjective (Harkins, 2016). Digitization brings new hope and can be used to improve and develop each of these functions and thus the entire value chain (Aagaard, 2019). However, it also increases security risk (Hill & Swinhoe, 2021).

In health facilities such as clinical laboratories, patient information, which includes personal data and health data, is of course managed as an information asset that needs to be protected. Moreover, the Covid-19 pandemic encouraged their business to embrace digital transformation in order to accelerate data exchange between the branches and outlets of the clinical laboratory. Thus, laboratory workers are faced not only with repetitive tasks but also with administrative tasks that become riskier if an information system is not involved (Weemaes et al., 2020). On the other hand, information systems carry information security risks to confidentiality, integrity and availability, together with open access to them by the various parties involved (Wright, 2016). Protection and control of information in clinical laboratories is important because corporate decision-making and the operation of health facilities depend on that information and the electronic capabilities embedded in it, and because it protects personal information and medical history, increases patient trust in health facilities, avoids disputes, reduces the risk of medical lawsuits, ensures compliance with legal regulations, and reduces the confusion that creates mutual distrust in legal cases (Farn et al., 2007). It is true that developments in cryptography and encryption technology and techniques have helped to secure laboratory information systems, but new threats will continue to emerge and make current controls look obsolete.

The real case experienced by the research subject last year was an information security incident that threatened the company's reputation and caused unrest among employees. A leak of employee data, including personal data, employment history and payroll, was used by unauthorized persons to threaten the HRD department and demand a ransom. Preliminary research was then conducted to find out which categories of information security risk a clinical laboratory holds. Twelve managers were interviewed about the risks involved. As can be seen in Figure 1, availability risk (A = Availability, 55%) is the main concern of managers, followed by integrity risk (I = Integrity, 33%) and confidentiality risk (C = Confidentiality, 12%). One risk, the loss of a mobile phone or laptop with patient data inside, was marked in all three categories.


Figure 1. Initial Survey Result Regarding Information Security Incidents

Figure 1 data (share of reported incidents and their information security category):

| Incident | Share | Category |
|---|---|---|
| Internet connection is disrupted | 16.92% | A |
| Office network connection is disrupted | 16.92% | A |
| Unable to access information system through computer | 12.31% | A |
| Unable to access company email through computer | 9.23% | A |
| Patient's feedback: wrong address when delivering result | 6.15% | I |
| Patient data swapped | 4.62% | I |
| Patient's feedback: data is accessed by unauthorized persons | 4.62% | C |
| Patient's feedback: data is incomplete or damaged | 4.62% | I |
| Patient data damaged due to virus | 3.08% | I |
| Unknown person trespasses in working area | 3.08% | C |
| Employee data damaged due to virus | 3.08% | I |
| Patient's feedback: wrong name | 3.08% | I |
| Employee data swapped | 1.54% | I |
| Company data damaged due to virus | 1.54% | I |
| Company data swapped | 1.54% | I |
| Unauthenticated person enters without permission | 1.54% | C |
| Loss of company data / unavailable when accessed | 1.54% | I |
| Supplier data swapped | 1.54% | I |
| Unauthorized use of employee data | 1.54% | C |
| Loss of mobile phone / laptop with patient data inside | 1.54% | C-I-A |

In line with the results of the initial research, management's vision and government regulations, this study aims to assess information security risks in clinical laboratories using the ISO/IEC 27001:2013 approach. Based on the results of the risk assessment, a clinical laboratory that has implemented ISO 15189 and ISO 9001 gains an overview of the information security risks that need to be managed at all levels of the organization. Although much research has been carried out on information security in clinical laboratory information systems, this study focuses on the implementation of the technical requirements of ISO/IEC 27001 for assessing information security risk.

2. LITERATURE REVIEW

2.1. Information Security

Information security incidents pose a significant threat to the reputation and business of healthcare facilities, including negative findings from regulators, lawsuits and disruptions to business continuity, which are top management concerns (Herzig, 2019). This urgency is strengthened by regulations that encourage management to implement the ISO/IEC 27001 Information Security Management System, namely Minister of Communication and Information Technology Regulation Number 5/2020 article 3 in conjunction with BSSN Agency Regulation Number 8/2020 article 9 concerning electronic system operators in the private domain.

The international standard that provides requirements for establishing, implementing, maintaining and continuously improving an information security management system is ISO/IEC 27001 (International Organization for Standardization, 2013a). This standard incorporates several informal rules that enable organizations to anticipate an increasing number of threats, provide solutions to security problems and improve the achievement of security targets in general (Meriah & Arfa Rabai, 2019).

2.2. Risk Management

As a risk management framework, ISO 31000 can clarify the concept of information security risk management as implemented in organizations (Suyasa & Legowo, 2019). It also contains general principles and perspectives that can unify the risk management processes of the various standards issued by the International Organization for Standardization (ISO) and other institutions (Barafort et al., 2019; Muzaimi et al., 2017). Research by Amraoui et al. (2019) concluded that ISO 31000:2018 is the most comprehensive approach to risk management, which includes: communication and consultation; determination of scope, context and criteria; risk identification; risk analysis; risk evaluation; risk management; monitoring and review; and recording and reporting, as presented in Figure 2 (International Organization for Standardization, 2018).

Figure 2. Risk Management Processes

Source: International Organization for Standardization, 2018

2.3. Related Works

Information security is one of the non-functional requirements that need to be met in a system (Satzinger et al., 2016). One of the things businesses need to do to maintain their security is to ensure that problems related to vulnerabilities in a system, where vulnerabilities are gaps in the system that allow it to be damaged by future threats, can be handled by the company (Rainer et al., 2020). Like the banking industry, the health industry also needs to manage information security risks in order to safeguard the information it holds (Wallin & Xu, 2008).

Information security risks can occur if information system vulnerabilities are successfully exploited by threats such as those listed in the NIST SP 800-30 document (NIST, 2012; Zhiwei & Zhongyuan, 2012). Securing information means protecting it from all possible threats, to ensure the continuity of business processes, minimize risks and maximize opportunities (Eskaluspita, 2020).

An information security management system is part of an organization's business processes and is integrated into its management structure, where information security is considered in the design of processes, information systems, and their controls (Barafort et al., 2017). For managing information security risks, ISO/IEC 27001 refers to the ISO 31000 risk management guidelines (International Organization for Standardization, 2013b). Previous studies have identified that, in dealing with risks, ISO 27001 provides control requirements that help organizations to understand the information security domain and the necessary actions (Eskaluspita, 2020).

For more results on this topic, we refer readers to (Amraoui et al., 2019; Barafort et al., 2017; Eskaluspita, 2020; Grusho et al., 2020; Schnitzler, 2018; Suyasa & Legowo, 2019; Zhiwei & Zhongyuan, 2012) and the references therein for an overview of the implementation of an information security management system, which begins with setting the context and understanding critical processes, as well as assessing asset sensitivity, followed by a risk assessment that includes risk identification, analysis and evaluation to help organizations become aware of vulnerabilities and anticipate possible threats (Zhiwei & Zhongyuan, 2012).

A laboratory that implements an information system to handle its core process holds sensitive information that needs to be secured through information security risk mitigation, to prevent risks from materializing while increasing the effectiveness of the management system (Eskaluspita, 2020; Grusho et al., 2020). Implementing other ISO standards from a risk management perspective supports the organization's ability to adapt and provides a basis for improving, managing and interoperating risk management activities in IT settings, tailored to the objectives of implementing the management system (Barafort et al., 2017).

3. RESEARCH METHODS

This research begins with a literature study using content analysis, conceptual analysis and relational analysis (Sekaran & Bougie, 2016). It is followed by a qualitative method to collect data through a short survey using questionnaires and interviews, which encourage respondents to explore certain events more clearly based on their insights (Sekaran & Bougie, 2016). The interpretation and analysis of the interview results are used to draw conclusions about the messages in the text, the effect of environmental variables on the content of the message, and the effect of the message on the recipient. The next step is to assess the organization's business processes and related assets, conduct a risk assessment for each department that uses information systems, and present the results in a risk table as the outcome of the research.

When assessing current risk controls, each discussion is based on the technical control factors in ISO 27001:2013 as well as the organizational procedures for implementing them. As a result, a summary of the risk assessment is presented by the department studied, by the domain of risk control aspects in ISO 27001:2013, and by risk category based on acceptability and classification. This becomes a consideration for companies in managing information security risks in clinical laboratories.

The study was conducted in a clinical laboratory in Indonesia that was established in 1983 and has 14 branches. With a range of laboratory examination services, including hematology, chemistry, microbiology and immuno-serology, as well as radiology services to support its operations and business, the information system has become the core system it relies on. This selection also considers that the subject is strongly committed to maintaining its ISO 9001 certification and ISO 15189 accreditation, which means the findings could be relevant to other clinical laboratories with the same implementation scope of ISO 9001 and ISO 15189.


4. FINDINGS

4.1. Identification of Context and Asset

Understanding the process is a better way of identifying risks, as well as uncovering vulnerabilities that could expose assets (Zhiwei & Zhongyuan, 2012). The description of business processes based on Porter's value chain analysis (Fisher et al., 2020) of clinical laboratories can be seen in Figure 3.

Figure 3. Value Chain Analysis of Clinical Laboratory in This Study

The assets identified in the value chain analysis above are classified according to their sensitivity: the higher the sensitivity, the more attention needs to be paid to protecting the asset. Assets are grouped by the following criteria: people (HR), information, technology (hardware and software), services and intangible assets. Asset sensitivity is determined through interviews with the respective asset managers. The results of asset identification can be seen in Table 1.

Table 1. Asset Identification Result of Clinical Laboratory

| Asset Class | Descriptions | Importance Level |
|---|---|---|
| People | All employees at all branches, including Top Management | High |
| Information | Policy & Procedure, Company Website, Patient Data, Patient Health Record, Employee Data, Financial Data, Company Asset and Legal Information | High |
| Technology | Software: Ms. Office, Zoom, MIS, LIS, HRIS, Development Software | High |
| | Hardware: Server, PC/Laptop, Printer, Router, Firewall, CCTV, Telephone, Barcode Scanner | Medium to High |
| Services | Development of LIS, Internet Service Provider, Web Hosting, Mail Server, Utility Services, Telephone Network, Infrastructure Maintenance, Fire Suppression | High |
| Intangible | Brand Image, Logo and Trade Mark, and Company Licenses | Medium |


4.2. Risk Assessment

As a result of qualitative risk identification through interviews with key persons from each department that uses the information systems (Wheeler, 2011), associated with the assets used in each process, the results of the assessment are listed in Table 2.

Table 2. Information Risks Grading Summary

| # | Department | Information System | Total Risk | High | Moderate | Medium | Low |
|---|---|---|---|---|---|---|---|
| 1 | Business Development & IT | LIS, MIS | 87 | 0 | 35 | 43 | 9 |
| 2 | Operational | LIS, MIS | 87 | 1 | 5 | 65 | 15 |
| 3 | CRM | LIS, MIS | 68 | 0 | 1 | 15 | 52 |
| 4 | HR&GA | HRIS, MIS | 61 | 0 | 2 | 44 | 15 |
| 5 | Logistic | LIS | 50 | 0 | 1 | 35 | 14 |
| 6 | R&D | LIS, MIS | 31 | 0 | 0 | 8 | 23 |
| | Total | | 384 | 1 | 45 | 210 | 128 |

Each identified risk can be associated with an information security risk category, namely confidentiality, integrity, availability, or a combination of them. A mapped risk can therefore be correlated with more than one category of information security risk, as can be seen in Table 3.

Table 3. Information Risks Category Summary

| # | Department | Information System | Total Risk | Confidentiality (C) | Integrity (I) | Availability (A) |
|---|---|---|---|---|---|---|
| 1 | Business Development & IT | LIS, MIS | 87 | 18 | 49 | 53 |
| 2 | Operational | LIS, MIS | 87 | 10 | 37 | 49 |
| 3 | CRM | LIS, MIS | 68 | 5 | 32 | 35 |
| 4 | HR&GA | HRIS, MIS | 61 | 5 | 32 | 37 |
| 5 | Logistic | LIS | 50 | 2 | 34 | 27 |
| 6 | R&D | LIS, MIS | 31 | 2 | 14 | 15 |
| | Total | | 384 | 42 | 198 | 216 |

Taking into account the company's risk appetite, which accepts only low and medium levels of risk, forty-six (46) risks required follow-up. The risk evaluation identified the need for additional controls to support the management system in protecting processes and information from information security threats. As shown in Table 4, which is in line with the requirements of ISO/IEC 27001:2013, care should be taken with control factors A.8.2, related to Information Classification, and A.15.2, related to Supplier Service Provision Management. Risk owners who need to implement additional controls include branch managers, nurses and/or analysts, customer service officers, the Busdev&IT GM, IT staff and other administrative functions. This also shows that information security is not only the responsibility of the IT function but of every function in the organization, as stated in Table 5.


Table 4. Information Risks Evaluation Summary

Additional control needed, based on Annex A of ISO/IEC 27001:2013, across the control objectives A.5, A.6.1, A.6.2, A.7.2, A.7.3, A.8.1, A.8.2, A.8.3, A.9.1, A.9.2, A.9.3, A.9.4, A.10, A.11.1, A.11.2, A.12.1, A.12.2, A.12.3, A.12.4, A.12.5, A.12.6, A.12.7, A.13.1, A.13.2, A.14.1, A.14.2, A.14.3, A.15.1, A.15.2, A.16, A.17, A.18.1 and A.18.2 (the per-objective marks of the original table are not recoverable from the page).

| # | Risks which exceed company appetite |
|---|---|
| 1 | 35 risks |
| 2 | 7 risks |
| 3 | 1 risk |
| 4 | 2 risks |
| 5 | 1 risk |
| 6 | 0 risks |

Each identified risk may require a combination of the technical control factors recommended by ISO/IEC 27001:2013. Another important matter is that, besides being implemented, these control factors also need to be communicated to every employee and manager, as well as to the external parties that support clinical laboratory services, to achieve a uniform understanding of how information security is handled.
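To make the evaluation logic behind Tables 2, 3 and 4 concrete, here is an added Python example; it is not code from the paper or from the laboratory studied. The register of eight risks, the 1-to-4 likelihood and impact scale and the grade bands are constructed assumptions, since the paper publishes only the resulting grades and counts; what comes from the text is the risk appetite rule (accept Low and Medium, treat Moderate and High), the counting of a C-I-A risk once in each category column, and the mapping of risks needing treatment onto Annex A controls.

```python
"""Risk register evaluation in the shape of the paper's Tables 2, 3 and 4.

Added example. The risks, the 1..4 likelihood/impact scale and the grade
bands are constructed assumptions; the paper does not publish its matrix.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass

GRADES = ("Low", "Medium", "Moderate", "High")   # ascending, as in Table 2
RISK_APPETITE = {"Low", "Medium"}                 # only these grades are accepted


@dataclass(frozen=True)
class Risk:
    department: str
    process: str
    description: str
    categories: frozenset      # subset of {"C", "I", "A"}; a risk may hit several
    likelihood: int            # 1..4 (assumed scale)
    impact: int                # 1..4 (assumed scale)
    controls: tuple = ()       # Annex A controls that would treat the risk


def grade(likelihood: int, impact: int) -> str:
    """Assumed 4x4 scoring: likelihood x impact, banded into the four grades."""
    score = likelihood * impact
    if score >= 12:
        return "High"
    if score >= 8:
        return "Moderate"
    if score >= 4:
        return "Medium"
    return "Low"


# Constructed sample register, themed on the processes listed in Table 5.
SAMPLE_RISKS = [
    Risk("Busdev&IT", "LIS Development", "Outsourced developer keeps a copy of production data",
         frozenset("CIA"), 3, 3, ("A.14.2.7", "A.15.1.3")),
    Risk("Busdev&IT", "Access Authorization", "Accounts of departed staff are not de-registered",
         frozenset("CI"), 3, 3, ("A.9.1.1", "A.9.2.1")),
    Risk("Busdev&IT", "Information Backup", "Nightly LIS backup is never test-restored",
         frozenset("A"), 2, 2, ("A.12.3.1",)),
    Risk("Operational", "Critical Result Handling", "Critical results sent over unprotected messaging",
         frozenset("CI"), 4, 3, ("A.13.2.2", "A.13.2.3")),
    Risk("Operational", "Transportation of Specimen", "USB stick with worklist lost in transit",
         frozenset("CA"), 2, 4, ("A.8.3.1", "A.8.3.3")),
    Risk("Operational", "Equipment Maintenance", "Analyzer serviced without a documented procedure",
         frozenset("A"), 1, 3, ("A.11.2.4", "A.12.1.1")),
    Risk("HR&GA", "Document Handling", "Payroll files stored unlabelled on a shared drive",
         frozenset("C"), 2, 3, ("A.8.2.1", "A.8.2.2")),
    Risk("HR&GA", "Document Handling", "Printed contracts left on the printer tray",
         frozenset("C"), 1, 2, ("A.8.2.3",)),
]


def grading_summary(risks):
    """Table 2 shape: per department, the total and the count in each grade."""
    table = defaultdict(lambda: {"Total": 0, **{g: 0 for g in GRADES}})
    for r in risks:
        row = table[r.department]
        row["Total"] += 1
        row[grade(r.likelihood, r.impact)] += 1
    return dict(table)


def category_summary(risks):
    """Table 3 shape: a risk tagged C-I-A is counted once in each of C, I and A."""
    table = defaultdict(lambda: {"Total": 0, "C": 0, "I": 0, "A": 0})
    for r in risks:
        row = table[r.department]
        row["Total"] += 1
        for c in r.categories:
            row[c] += 1
    return dict(table)


def exceeds_appetite(risks):
    """Risk evaluation: anything graded above the accepted levels needs treatment."""
    return [r for r in risks if grade(r.likelihood, r.impact) not in RISK_APPETITE]


def controls_needed(risks):
    """Table 4 shape: per department, the Annex A controls required by risks needing treatment."""
    needed = defaultdict(set)
    for r in exceeds_appetite(risks):
        needed[r.department].update(r.controls)
    return {dept: sorted(ctrls) for dept, ctrls in needed.items()}


def control_frequency(risks):
    """How often each Annex A objective (control number dropped) is needed for treatment."""
    counter = Counter()
    for r in exceeds_appetite(risks):
        for control in r.controls:
            counter[".".join(control.split(".")[:3])] += 1   # A.8.2.3 -> A.8.2
    return counter


if __name__ == "__main__":
    for dept, row in grading_summary(SAMPLE_RISKS).items():
        print(f"{dept:12} {row}")
    for dept, row in category_summary(SAMPLE_RISKS).items():
        print(f"{dept:12} {row}")
    print(f"{len(exceeds_appetite(SAMPLE_RISKS))} risks exceed the risk appetite")
    for dept, ctrls in controls_needed(SAMPLE_RISKS).items():
        print(f"{dept:12} {', '.join(ctrls)}")
    print(control_frequency(SAMPLE_RISKS).most_common(3))
```

Because a multi-category risk is counted once per column, the C, I and A columns of `category_summary` add up to more than the total number of risks, which is also why the column totals of Table 3 (42 + 198 + 216) exceed its 384 risks. `control_frequency` collapses the individual controls to their Annex A objective so that the clause-level view the paper uses (A.8.2, A.15.2) falls out of the register directly.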

Table 5. Top 10 (ten) Risks Evaluation Result Referring to Additional Control

| Grade* | Category* | Process | Annex | Description | Risk Owner |
|---|---|---|---|---|---|
| H | I | Critical Result Handling | A.13.2.2 | Agreement on information transfer | Branch Manager |
| | | | A.13.2.3 | Electronic messaging | |
| | | | A.15.1.3 | Information and communication technology supply chain | |
| | | | A.18.1.1 | Identification of applicable legislation and contractual agreement | |
| M | I | Home Services | A.13.2.1 | Information transfer policies and procedures | Nurse or Analyst |
| M | I & A | Transportation of Specimen | A.8.3.1 | Management of removable media | Operation Staff |
| | | | A.8.3.3 | Physical media transfer | |
| | | | A.12.3.1 | Information backup | |
| M | A | Referral Specimen Arrival | A.8.2.3 | Handling of asset | Transporter |
| M | I | Laboratory Result Handover to Patient | A.8.2.3 | Handling of asset | Customer Support |
| | | | A.8.3.3 | Physical media transfer | |
| M | A | Laboratory Result Delivery to Patient | A.8.2.3 | Handling of asset | Branch Manager |
| | | | A.8.3.3 | Physical media transfer | |
| | | | A.13.2.1 | Information transfer policies and procedures | |
| | | | A.13.2.3 | Electronic messaging | |
| M | A | Equipment Maintenance | A.11.2.4 | Equipment maintenance | GA Staff |
| | | | A.12.1.1 | Documented operating procedures | |
| M | C & I | Access Authorization | A.9.1.1 | Access control policy | IT Staff |
| | | | A.9.2.1 | User registration and de-registration | |
| M | C & I | User Authentication | A.9.2.1 | User registration and de-registration | IT Staff |
| | | | A.9.2.2 | User access provisioning | |
| M | I & A | LIS Development | A.14.2.7 | Outsourced development | GM Busdev&IT |
| | | | A.15.1.3 | Information and communication technology supply chain | |
| M | C | Document Handling | A.8.2.1 | Classification of information | Document Controller |
| | | | A.8.2.2 | Labelling of information | |
| | | | A.8.2.3 | Handling of asset | |

5. CONCLUSIONS

Of the thirty-five risks identified in the Busdev&IT department that are categorized as moderate, most are issues that need additional controls as stated in ISO/IEC 27001:2013. These risks should be considered by management for follow-up, to prevent them from materializing in the future.

Availability is a major concern within clinical laboratory information security, which confirms the preliminary study conducted with twelve managers. The information security risk assessment has helped management and staff to understand the behavior of the processes more comprehensively, including uncovering weaknesses inherent in assets and threats that may come at any time. The technical control factors provided by ISO/IEC 27001:2013 are important references that help process owners to take responsibility for risk control, in line with management's vision of bringing digital transformation into the organization.

This research needs to be continued with a reassessment once the recommendations from the evaluation have been implemented, or when processes change or new services are produced by the clinical laboratory. This is in line with the principle of continuous improvement outlined in the implementation of an information security management system.

6. REFERENCES

Aagaard, A. (2019). Digital Business Models. Springer International Publishing. https://doi.org/10.1007/978-3-319-96902-2

Amraoui, S., Elmaallam, M., Bensaid, H., & Kriouile, A. (2019). Information Systems Risk Management: Literature Review. Computer and Information Science, 12(3), 1. https://doi.org/10.5539/cis.v12n3p1

Barafort, B., Mesquida, A.-L., & Mas, A. (2017). Integrating risk management in IT settings from ISO standards and management systems perspectives. Computer Standards & Interfaces, 54, 176–185. https://doi.org/10.1016/j.csi.2016.11.010

Barafort, B., Mesquida, A.-L., & Mas, A. (2019). ISO 31000-based integrated risk management process assessment model for IT organizations. Journal of Software: Evolution and Process, 31(1), e1984. https://doi.org/10.1002/smr.1984

Eskaluspita, A. Y. (2020). ISO 27001:2013 for Laboratory Management Information System at School of Applied Science Telkom University. IOP Conference Series: Materials Science and Engineering, 879(1), 012074. https://doi.org/10.1088/1757-899X/879/1/012074

Farn, K.-J., Hwang, J.-M., & Lin, S.-K. (2007). Study on Applying ISO/DIS 27799 to Healthcare Industry’s ISMS. WSEAS TRANSACTIONS on BIOLOGY and BIOMEDICINE, 4(8).

Fisher, G., Wisneski, J. E., & Bakker, R. M. (2020). Value Chain Analysis. In Strategy in 3D (pp. 118–129). Oxford University Press. https://doi.org/10.1093/oso/9780190081478.003.0014

Grusho, A. A., Zabezhailo, M. I., Piskovski, V. O., & Timonina, E. E. (2020). Industry 4.0: Opportunities and Risks in the Context of Information Security Problems. Automatic Documentation and Mathematical Linguistics, 54(2), 55–63. https://doi.org/10.3103/S000510552002003X

Harkins, M. W. (2016). Managing Risk and Information Security. Apress. https://doi.org/10.1007/978-1-4842-1455-8

Herzig, T. W. (2019). Information Security in Healthcare: Managing Risk. Taylor & Francis.

Hill, M., & Swinhoe, D. (2021, July 16). The 15 biggest data breaches of the 21st century. https://www.csoonline.com/article/2130877/the-biggest-data-breaches-of-the-21st-century.html

International Organization for Standardization. (2013a). Information technology — Security techniques — Code of practice for information security controls (ISO/IEC Standard No. 27002:2013).

International Organization for Standardization. (2013b). Information technology — Security techniques — Information security management systems — Requirements (ISO/IEC Standard No. 27001:2013).

International Organization for Standardization. (2018). Risk Management - Guideline (ISO Standard no. 31000:2018).

Meriah, I., & Arfa Rabai, L. Ben. (2019). Comparative Study of Ontologies Based ISO 27000 Series Security Standards. Procedia Computer Science, 160, 85–92. https://doi.org/10.1016/j.procs.2019.09.447

Muzaimi, H., Chew, B. C., & Hamid, S. R. (2017). Integrated management system: The integration of ISO 9001, ISO 14001, OHSAS 18001 and ISO 31000. 020034. https://doi.org/10.1063/1.4976898

NIST. (2012). Guide for Conducting Risk Assessments (NIST Special Publication 800-30).

Rainer, R. K., Prince, B., Splettstoesser-Hogeterp, I., Sanchez-Rodriguez, C., & Ebrahimi, S. (2020). Introduction to Information Systems. John Wiley & Sons Canada, Ltd.

Satzinger, J. W., Jackson, R. B., & Burd, S. D. (2016). Systems Analysis and Design in a Changing World (7th ed.). Cengage Learning.

Schnitzler, S. (2018). A universal guideline for the implementation of a specific ISMS for all Bavarian universities and universities of applied sciences using the example of the University of Applied Sciences Augsburg [Case Study]. University of Applied Science Hochschule Augsburg.

Sekaran, U., & Bougie, R. (2016). Research Methods For Business: A Skill Building Approach (7th ed.). John Wiley & Sons Ltd.

Suroso, J., & Fakhrozi, M. (2018). Assessment of Information System Risk Management with Octave Allegro at Education Institution. Procedia Computer Science, 135, 202–213. https://doi.org/10.1016/j.procs.2018.08.167

Suyasa, G. W. A., & Legowo, N. (2019). The Implementation of System Enterprise Risk Management Using Framework ISO 31000. Journal of Theoretical and Applied Information Technology, 97(10).

Wallin, E., & Xu, Y. (2008). Managing Information Security in Healthcare: A Case Study in Region Skåne. Lund University.

Weemaes, M., Martens, S., Cuypers, L., Van Elslande, J., Hoet, K., Welkenhuysen, J., Goossens, R., Wouters, S., Houben, E., Jeuris, K., Laenen, L., Bruyninckx, K., Beuselinck, K., André, E., Depypere, M., Desmet, S., Lagrou, K., Van Ranst, M., Verdonck, A. K. L. C., & Goveia, J. (2020). Laboratory information system requirements to manage the COVID-19 pandemic: A report from the Belgian national reference testing center. Journal of the American Medical Informatics Association, 27(8), 1293–1299. https://doi.org/10.1093/jamia/ocaa081

Wheeler, E. (2011). Security Risk Management. Syngress - Elsevier Inc.

Wright, C. (2016). Fundamentals of Information Risk Management Auditing (1st ed.). IT Governance Publishing.

Zhiwei, Y., & Zhongyuan, J. (2012). A Survey on the Evolution of Risk Evaluation for Information Systems Security. Energy Procedia, 17, 1288–1294. https://doi.org/10.1016/j.egypro.2012.02.240
