Information security management in the operations of healthcare entities

Publication language: EN

Abstract (EN)
Purpose: The primary purpose of the study is to identify the threats faced by medical entities in the context of the growing scale of collection and processing of personal data, including sensitive data. It therefore seems justified to attempt to secure the related processes systemically.

Specific objective: The main objective formulated in this way required further specification through a scientific and cognitive objective: to assess whether implementing the ISO 27001:2017 information security system in a medical entity allows the risk of information security incidents to be reduced.

Project/methodology: The scope of scientific research defined in this way required the author not only to conduct literature studies but also to apply appropriate research methods. It was decided to use methods such as statistical analysis of data on the scale of implementation of a standardized data security system in the world and in Poland, and the method of scientific description.

Results: The literature studies conducted and the research methods used made it possible to demonstrate that implementing a standardized information security management system, by taking into account the requirements resulting from it, increases the level of information security in medical entities. Identifying organizational, legal and ICT risks reduces the likelihood of information security incidents, and thus reduces the risk of exposing the healthcare entity to legal liability resulting from violation of the provisions of the Personal Data Protection Act (Journal of Laws of 2018, item 100) and Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (GDPR).

Limitations: A certain limitation faced by the author was the inability to take into account the number of ISO 27001:2017 certificates issued to medical entities, both in the world and in Poland, because certification bodies are not obliged to make such information public. A further limitation is the lack of reporting on compensation awarded by common courts to persons harmed as a result of a breach of the protection of their personal data.

Practical implications: The study proposes a method for estimating information security risks in the activities of organizations, including healthcare entities. Additionally, the main benefits resulting from implementing the ISO 27001:2017 information security management system are indicated, and the barriers that the manager of an entity providing health services should take into account are demonstrated.

Originality/value: There are a number of studies in both domestic and foreign literature on the information security system and its importance in organizations. Few authors make the effort to analyze this type of solution in the context of providing medical services and the problems that must be solved by people managing medical entities.
Pages: 179-197
Physical description: bibliography, 22 items
Authors (affiliation)
  • Poznań University of Economics and Business
Bibliography
  • 1. Act of May 10, 2018 on the protection of personal data (consolidated text: Journal of Laws of 2018, item 100).
  • 2. Beskosty, M. (2017). Information security management. Security Studies. Scientific Papers of the Pomeranian University in Słupsk, pp. 163-164.
  • 3. Dobska, M., Dobski, P. (2023). The role of standardized systems in the management of medical entities. Difin, pp. 107-110.
  • 4. Dobski, P., Mikołajczyk, J. (2023). Trade management. Perspective of relations with stakeholders. Poznań: Wydawnictwo UEP, pp. 114-131.
  • 5. Hamrol, A. (2017). Quality management and engineering. Warsaw: PWN, pp. 221-222.
  • 6. ISO/IEC 27000:2009 Information technology, security techniques, overview and terminology.
  • 7. ISO/IEC 27002:2005 Information technology, security techniques, practical principles for information security management.
  • 8. ISO/IEC 27003:2010 Information technology, security techniques, information security management system (ISMS) implementation guidance.
  • 9. ISO/IEC 27004:2009 Information technology, security techniques, measurements.
  • 10. ISO/IEC 27005:2008 Information technology, security techniques, information security risk management.
  • 11. ISO/IEC 27006:2007 Information technology, security techniques, requirements for auditing and certifying authorities for information security management systems.
  • 12. Olkiewicz, M. (2016). Management systems as a determinant of business information security. Security Studies. Scientific Journals of the Pomeranian University in Słupsk, no. 1, pp. 91-94.
  • 13. PN-EN ISO/IEC 27001:2017 Information technology - Security techniques - Information security management systems - Requirements.
  • 14. PN-ISO/IEC 27001:2007 Information technology - Security techniques - Information security management systems - Requirements.
  • 15. PN-ISO/IEC 27001:2014 Information technology - Security techniques - Information security management systems - Requirements.
  • 16. Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data.
  • 17. Regulation of the Minister of Health of April 6, 2020 on the types, scope and templates of medical documentation and the method of its processing, Journal of Laws of 2020 of April 14, 2020, item 666.
  • 18. Regulation of the Minister of Health of March 26, 2019 on detailed requirements to be met by the premises and equipment of an entity performing medical activities, Journal of Laws of 2019, item 595.
  • 19. Regulation of the Minister of Health of March 29, 2019 on the detailed scope of data covered by entry in the register of entities performing medical activities and the detailed procedure for making entries, changes in the register and deletions from this register, Journal of Laws of April 1, 2019, item 605.
  • 20. Skolnik, K., Miciuła, I., Kubiński, P. (2018). Information security management. Methodology, ideology, state. Katowice: Science and Business, pp. 33-34.
  • 21. Urbaniak, M. (2004). Quality management. Theory and practice. Warsaw: Difin, p. 367.
  • 22. Wiśniewska, M. (2009). Comprehensive approach to information security management - information security management system. Zeszyty Naukowe Politechniki Łódzkiej, No. 1064. Łódź, pp. 80-82.
Document type: Bibliography
YADDA identifier: bwmeta1.element.baztech-cb0fc4a6-faad-4896-b4fa-9dccba52fc12