ISO 27001 Information Security Survey of Medical Service Organizations

Differences between medical institutions in the security management of their information systems were investigated by comparing the measures used by personnel in different units of public and private hospitals. Personnel responsible for information security need the protocol of the relevant units in order to resolve information security issues. Using ISO 27001 as the reference standard, a questionnaire survey was conducted to investigate the need for information security management in medical institutions. The security of the information system in each unit of a medical institution must be improved continuously toward a fully optimized information system. The results of this study can serve as a reference to help medical institution personnel understand the importance of information security and make appropriate decisions.


Introduction
In medicine and health care, the rapid development of the information industry has exposed security problems in information systems, such as the leakage of medical information. Several medical staff have even been caught selling patients' private information illegally. Equipment and system software used for information security in the medical and health sector are therefore updated frequently. However, a new system often has more functions than can be used adequately, which leaves many potential security risks. The risk of hacking and cyber attacks also exists and threatens the information security of medical institutions. Related incidents increase every year, which makes people aware of the damage such incidents cause.
The information network allows users to access relevant information and data quickly under the relevant instructions. The openness that makes the information network and system useful also makes them dangerous. Use of the information system by an unauthorized person damages management and finances. Therefore, a system for information security that does not sacrifice convenience and usability is required to secure confidentiality, integrity, and availability. Such a system also protects information assets and increases overall competitiveness. Information systems are meant to be accessed by users and administrators, but information can also be retrieved by inappropriate means. Hackers can damage the system and steal information using point-of-entry attacks, backdoors, Trojan horses, and viruses. Therefore, defensive information system security must be built to provide complete and uninterrupted operation, including resistance, detection, and recovery [1].
Information security in medical institutions differs from that in other industry sectors. As medical care is related to patient safety, information security must be taken more seriously. If the system provides false information, this harms patients as well as the hospital's credit and reputation. In addition, patients' medical records and personal information may be leaked through inadequate information security protection. If a patient's private information is used illegally by a third party, the patient's rights are seriously compromised. Therefore, special attention must be paid to the security of patient information. Systems must be designed to meet the requirements of information security, and an information security system that is accurate and effective is needed.
The degree of informatization of an organization is closely related to its information strategy, information department structure, information system architecture, and information application areas. Information security strategy is influenced by the differentiation of the organization's internal environment, so the characteristics of the organization and its degree of informatization lead to different combinations of information risk for different types of organizations [2]. Different information risks require different information security strategies. The growth of organizational information can be measured in four aspects: information system architecture, information department strategy, information department organization, and information application area [3]. Although there is no research on the relationship between information security and the degree of informatization, information security was found to be affected by threats to personal computers and internal servers (mainframes) and by improper operation of networked architectural systems [4,5].
To maintain information security, it is necessary to understand "the prevention and detection of unauthorized situations by users of the processing system" [6]. Information security is defined broadly as the protection of the confidentiality, integrity, and availability of data stored in a system. Many norms have been set for information security, such as BS7799 [7] and ISO 27001 [8]. To regulate the security and confidentiality of information and to meet the privacy needs of individuals, the US federal government passed the Health Insurance Portability and Accountability Act (HIPAA) in 1996, which specified the security mechanisms that must be in place for information systems. Its contents fall into four categories: administrative procedures, physical safeguards, technical security services, and technical security mechanisms. Based on BS7799, ISO 27001, and HIPAA, we investigated the need for an effective information security management system through a questionnaire survey, to provide a basis for the construction of such a system. To assess the information security of an organization, indicators of risk assessment and information protection capability need to be determined. To understand the risks in information security and the degree of informatization, an accurate assessment of the existing information protection capability is required. In this study, information risks were therefore assessed in seven aspects: four system aspects (hardware, software, information, and network) and three physical aspects (physical environment, personnel, and management). A questionnaire survey was conducted to define measurement indexes for these seven risks.

Questionnaire Survey
Based on the theory of Icove et al. [9], information risk was analyzed to understand the level of protection of information through the protection measures for each risk. Siegel referred to ISO 17799 [10] and InfoSec international standards, while Richardson [11] referred to the Computer Security Institute (CSI) analysis of network risk threats. Referring to CNS 27001 [12] of the Ministry of Economic Affairs, BS7799 of the UK, and the international information security standard ISO 27001, we created a questionnaire to understand preventive measures for information security. The questionnaire was revised by experts to improve its validity. The final questionnaire was designed to measure the level of knowledge of information security and the importance of information security in the organization.
The questionnaire consisted of three parts: basic information, the current situation of information security, and risk awareness of information security. In this study, the risk to information security was classified into physical and system aspects.
In the physical aspect, the risks were grouped as physical, human, and managerial risks, while the system aspect covered the risks in hardware, software, data, and network. The questionnaire included questions on equipment, management, viruses, training, troubleshooting, and accounts of the information security systems. Figure 1 illustrates the structure of the questionnaire. The questions for the seven risks were distributed over these six categories.
A five-point Likert scale was used in the questionnaire. Responses of strongly agree, agree, average, disagree, and strongly disagree regarding the organization's ability for information security were scored, with one point representing no protection and five points representing sufficient protection. The reliability and internal consistency of the questionnaire were analyzed using Cronbach's alpha coefficient [13,14]. The overall reliability was 0.949. The reliability of the questions on software risk, hardware risk, data risk, network risk, physical risk, human risk, and managerial risk was 0.796, 0.639, 0.709, 0.790, 0.724, 0.751, and 0.813, respectively, all of which showed acceptable reliability and credibility.
A total of 150 questionnaires were distributed to the personnel in charge of information security in public and private hospitals in the southern region and in military and security units in Taiwan, and 123 were returned. The number of valid questionnaires was 113. The respondents included administrative and information security staff, network administrators, and supervisors. All respondents had at least a college or university education (Table 1). Some 72.6% of the respondents were male and 27.4% were female. A majority of the respondents were executives (56.1%), followed by information security personnel (29.0%), network administrators (9.3%), and supervisors (5.6%). Respondents with eight years of work experience accounted for 31.0%, followed by those with less than one year (29.2%), those with two to four years (25.7%), and those with five to seven years (14.2%) (Table 2). As shown in Table 3, the respondents mainly served in military health units (46.9%), followed by private hospitals (37.2%) and public hospitals (15.9%). Detailed information on the units was recorded in the interview.
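The scoring and reliability check described above can be reproduced on any Likert-scale questionnaire. The following is an added example, not code or data from the paper: it scores constructed five-point responses for three hypothetical risk dimensions (the paper does not publish its item list, so the item-to-dimension mapping is assumed) and computes Cronbach's alpha per dimension, alpha = k/(k-1) * (1 - sum of item variances / variance of total score). It also shows the two failure modes a practitioner should catch before trusting a dimension score: an undefined alpha (no variation in totals) and a negative alpha (items that do not measure one construct). The 0.7 cut-off is a common rule of thumb, not a value taken from the paper.

```python
"""Scoring a five-point Likert questionnaire by risk dimension and checking
internal consistency with Cronbach's alpha.

Added example, not the paper's own code or data. The item grouping and the
responses below are constructed for illustration.
"""
from statistics import mean, pstdev, variance

# Hypothetical mapping of questionnaire items to three of the paper's seven
# risk dimensions (the paper's actual item list is not published).
ITEMS_BY_DIMENSION = {
    "software": ["sw1", "sw2", "sw3"],
    "data": ["dt1", "dt2", "dt3"],
    "network": ["nw1", "nw2", "nw3"],
}

# Constructed responses: one dict per respondent, 1 = no protection,
# 5 = sufficient protection, as on the paper's scale.
RESPONSES = [
    {"sw1": 5, "sw2": 5, "sw3": 5, "dt1": 3, "dt2": 4, "dt3": 3, "nw1": 5, "nw2": 1, "nw3": 4},
    {"sw1": 4, "sw2": 4, "sw3": 4, "dt1": 4, "dt2": 4, "dt3": 4, "nw1": 2, "nw2": 5, "nw3": 3},
    {"sw1": 4, "sw2": 4, "sw3": 4, "dt1": 2, "dt2": 3, "dt3": 3, "nw1": 4, "nw2": 3, "nw3": 1},
    {"sw1": 3, "sw2": 3, "sw3": 3, "dt1": 3, "dt2": 3, "dt3": 2, "nw1": 1, "nw2": 4, "nw3": 5},
]


def cronbach_alpha(rows, items):
    """alpha = k/(k-1) * (1 - sum(item variances) / variance(total score)).

    Sample variances are used; the ratio is identical with population
    variances. Raises ValueError when the statistic is undefined (fewer than
    two items, or a total score that does not vary between respondents).
    """
    k = len(items)
    if k < 2:
        raise ValueError("Cronbach's alpha needs at least two items")
    item_vars = [variance([r[i] for r in rows]) for i in items]
    totals = [sum(r[i] for i in items) for r in rows]
    total_var = variance(totals)
    if total_var == 0:
        raise ValueError("total score does not vary; alpha is undefined")
    return k / (k - 1) * (1 - sum(item_vars) / total_var)


def dimension_summary(rows, items):
    """Sum of scores, mean item score and dispersion for one dimension.

    Plain descriptive statistics; the paper does not define the exact
    columns of its Table 4, so this is not a reproduction of them.
    """
    totals = [sum(r[i] for i in items) for r in rows]
    per_item = [r[i] for r in rows for i in items]
    return {
        "sum": sum(totals),
        "mean": mean(per_item),
        # spread of each respondent's mean score on this dimension
        "sd": pstdev([t / len(items) for t in totals]),
    }


def reliability_report(rows=RESPONSES, groups=ITEMS_BY_DIMENSION, threshold=0.7):
    """Alpha and a verdict per dimension. The 0.7 threshold is a common
    rule of thumb (an assumption here, not a value from the paper)."""
    report = {}
    for name, items in groups.items():
        alpha = cronbach_alpha(rows, items)
        if alpha < 0:
            verdict = "items disagree; not one construct"
        elif alpha < threshold:
            verdict = "below threshold; review items"
        else:
            verdict = "acceptable"
        report[name] = {"alpha": round(alpha, 3), "verdict": verdict,
                        **dimension_summary(rows, items)}
    return report


if __name__ == "__main__":
    for name, stats in reliability_report().items():
        print(f"{name:9s} alpha={stats['alpha']:8.3f}  sum={stats['sum']:3d}  "
              f"mean={stats['mean']:.3f}  sd={stats['sd']:.3f}  {stats['verdict']}")
```

On the constructed data the software items are perfectly consistent (alpha = 1.0), the data items give alpha = 9/11 (about 0.818, above the cut-off), and the deliberately scattered network items give a negative alpha, which is the signal to revise those questions rather than report a dimension score. A negative or near-zero alpha is worth checking explicitly in a script because a summed score looks plausible even when its items do not belong together.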

Results
The results of the survey are shown in Table 4. The highest protection ability for information security was observed for software risk, with a sum of scores of 436.835, while the lowest was for data risk, with a sum of scores of 400.882. For hardware risk, the ability showed the highest average score of 3.357, while the lowest score was observed for managerial risk, with an average score of 3.000. The highest average score was obtained for software risk, with a score of 4.196, while the lowest was for data risk, with an average score of 3.912 (Tables 4 and 5).
Table 4 also shows the standard deviation of the scores in this study. The smaller the standard deviation, the more concentrated the data are in that dimension; the larger the standard deviation, the more scattered they are. The dimension of network risk was widely dispersed, while the data for the dimension of managerial risk were more concentrated. This indicates that the respondents held diverse perspectives on network risks, which may be influenced by personal experience, knowledge, or preferences, whereas their views on risk management were more uniform and may be shaped by shared norms or standards.

Conclusions
Personnel in public hospitals understood the importance of all risks to information security better than those in other healthcare institutions. However, public hospitals do not invest more in information security than private hospitals, nor do they have a higher degree of information restriction than military health care units. Public hospitals therefore need to place more emphasis on the quality of personnel and management systems, with appropriate information security policies, rapid troubleshooting, reliable backup of important data, regular security updates to key systems, training of personnel in information security, and control of information flow. Information security must be maintained by constantly updating software and hardware equipment and maintaining the information security system. All information in the system must be restricted to authorized personnel and operators. The most effective way to maintain information security is to cultivate personnel and establish an effective managerial system.

Figure 1. Structure of questionnaire in this study.

Table 1. Information on respondents of questionnaire survey.

Table 2. Working seniority scale table.

Table 3. Unit type ratio table.

Table 4. Protection ability of information security for each risk.

Table 5. Summary of result of questionnaire survey.