Improving the Exchange of Lessons Learned in Security Incident Reports: Case Studies in the Privacy of Electronic Patient Records

Abstract: The increasing use of Electronic Health Records has been mirrored by a similar rise in the number of security incidents where confidential information has inadvertently been disclosed to third parties. These problems have been compounded by an apparent inability to learn from previous violations; similar security incidents have been observed across Europe, North America and Asia. This paper presents the results of an empirical study that evaluates the utility and usability of conventional text-based security incident reports against a graphical formalism based on the Goal Structuring Notation. The two methods were compared in terms of the users' ability to identify a number of lessons learned from investigations into previous incidents involving the disclosure of healthcare records. These lessons included not only the causes of the incident but also the participants' ability to understand the reasons why particular recommendations were proposed as ways of avoiding future violations. Even using a relatively small sample, we were able to obtain statistically significant differences between the two approaches. The study showed that the graphical approach resulted in higher accuracy in terms of the number of correct answers generated by participants. However, subjective feedback raised further questions about the usability of both approaches as the readers of security incident reports try to interpret the lessons that can increase the security of patient data.
Document type:
Conference paper
Jianying Zhou; Nurit Gal-Oz; Jie Zhang; Ehud Gudes. 8th IFIP International Conference on Trust Management (IFIPTM), Jul 2014, Singapore, Singapore. Springer, IFIP Advances in Information and Communication Technology, AICT-430, pp.109-124, 2014, Trust Management VIII. 〈10.1007/978-3-662-43813-8_8〉

Cited literature: 23 references

https://hal.inria.fr/hal-01381682
Contributor: Hal Ifip
Submitted on: Friday 14 October 2016 - 15:20:10
Last modified on: Friday 14 October 2016 - 15:34:43

File

978-3-662-43813-8_8_Chapter.pd...
Files produced by the author(s)

License

Distributed under a Creative Commons Attribution 4.0 International License

Identifiers

Citation

Ying He, Chris Johnson, Yu Lyu, Arniyati Ahmad. Improving the Exchange of Lessons Learned in Security Incident Reports: Case Studies in the Privacy of Electronic Patient Records. Jianying Zhou; Nurit Gal-Oz; Jie Zhang; Ehud Gudes. 8th IFIP International Conference on Trust Management (IFIPTM), Jul 2014, Singapore, Singapore. Springer, IFIP Advances in Information and Communication Technology, AICT-430, pp.109-124, 2014, Trust Management VIII. 〈10.1007/978-3-662-43813-8_8〉. 〈hal-01381682〉


Metrics

Record views: 47

File downloads: 1