
4.4.2.1 Secondary databases

The HI-risk method is designed to be used by a group of healthcare organisations simultaneously. To execute the method, data about past information security incidents in healthcare was needed.

The implementation of the method was not performed with a real group of voluntarily participating organisations. Instead, an attempt was made to gather data from a variety of healthcare organisations in order to create a diverse dataset. This data was sought in secondary data on past information security incidents. Methodically collected information about data security breaches is available from different sources: several private organisations, research institutes and governmental bodies publish reports, statistics, papers and surveys about data breaches and information security incidents.

ENISA evaluated more than 60 existing initiatives that collected security incident data (Casper, 2007). The list in their study was used for this research as a starting point for finding data on security breaches. Additional sources, found through references in journal articles or on the web, were added. Table 4.5 gives an overview of the data security breach reports and websites in this review. Some surveys are repeated every year; in those cases only the most recent edition was included.

Table 4.5 Data security breach reports and websites

Year | Organisation | Title | Healthcare respondents
---- | ------------ | ----- | ----------------------
2010 | Kroll Fraud Solutions | Security of patient data | 100%
2009 | E&Y | Global Information Security Survey 2009, Outpacing Change | 6%
2009 | Ponemon Institute | 2009 Annual Study: Cost of a data breach | 0%
2009 | McAfee | 2010 Threat Predictions | 
2009 | Deloitte | 2009 TMT Global Security Survey | 
2009 | Govcert.nl | Trend report 2008. Insight into cyber crime: trends & figures | 
2009 | PricewaterhouseCoopers | BERR Information Security Breaches Survey 2008 | 
2008 | Computer Security Institute | CSI Computer crime & security survey | 8%
2008 | Verizon | 2008 Data breach investigations report | <3%
2008 | Perimeter eSecurity | A Comprehensive study of healthcare data security breaches in the U.S. from 2000-2007 | 100%
2008 | CompTIA research | 7th Annual Trends in Information Security: an Analysis of IT Security and the Workforce | -
2007 | CSO magazine, U.S. Secret | 2007 E-Crime Watch Survey | 7%
2007 | European commission | Statistical data on network security | -
2007 | IT policy compliance group | Taking action to protect sensitive data. Benchmark Research Report. | 

methodologies to collect data, with different taxonomies, over different time spans, dealing with different geographical areas and legislation. The result is that different organisations came to different and sometimes even contradictory conclusions.

Discovering information about data security breaches with a specific focus on healthcare was even more challenging. In most of the surveys, healthcare organisations form a minority within the group of respondents. The majority of the reports give a general overview spanning a diversity of industries and expose little information specific to healthcare organisations. A final shortcoming was that the collected data was often based on the recollection of experts filling in a questionnaire rather than on consistent evidence gathering through incident registers. For all of these reasons, the data from these reports could not be used as a data source.

4.4.2.2 Survey

A new strategy to gather incident data was designed, which involved approaching healthcare organisations directly. Some NHS organisations in the UK publish information about data breaches in the Information Governance section of their annual report, so this information is publicly available. However, since it is highly aggregated and not all NHS organisations publish it, it was decided to approach healthcare organisations directly with a request for insight into security incident information. After consultation with the dissertation supervisors, it emerged that another research project within the faculty was searching for options to gather very similar information from NHS boards in Scotland. It was advised that it would appear unprofessional for the university to have two different researchers from within the same faculty approaching NHS organisations with very similar questions, and it was recommended to approach this survey as a team.

The researchers met a number of times to discuss the best way to retrieve the information and the format most likely to yield quality data suited to both projects. The format that offered both projects the best chance of success was a survey by email.

Surveys can be a helpful means to collect large volumes of data. The questions can be completed at the convenience of the respondents, without interviewer bias or error. The main difficulty in using a questionnaire is securing a high response rate. Kotulic and Clark (2004) tried to survey 1540 organisations about the effectiveness of security risk management. Despite intensive attempts to elicit responses, the response rate never exceeded 0.61%. The researchers decided to change the focus of their study to investigate why organisations did not want to participate. They learned that the top reasons for not responding to the original survey related to surveys in general, company policy regarding the sharing of security information, and excessive use of management time. The conclusion was that it is nearly impossible to extract information about security by mail from business organisations without having a major supporter.

Firms are unwilling to divulge such information without strong assurances that the information provided will in no way harm them.

With this information in mind, and as the aim was to collect a large amount of data from each respondent, it was considered that interviews (face-to-face or by telephone) would be too time-consuming. Organisations usually keep an up-to-date list of incidents that they use in reports to management. Therefore, the easiest way for the respondents to provide the information was to send that list by email. An email request for an overview of their information security incidents was sent to NHS boards and trusts in England and Scotland. As the research did not have a major supporter or sponsor, another strategy was used in the hope of receiving the best possible response rate.

Bearing in mind the advice of Kotulic and Clark that a major supporter was needed, and given that no supporter was available, the request was emailed to the Freedom of Information officers, referring to the Freedom of Information Act. This Act entitles members of the public to request recorded information from public authorities. A requester may ask for any information that is held (ICO, 2013), although in some cases the organisation is not obliged to provide it. This strategy resulted in an 81% response rate, which was satisfactory.

The survey contained a questionnaire and a request for a list of information security incidents in the past four years. The questionnaire and the list of incidents were required for the other project; for this research, only the list of incidents was required. The NHS Checklist for Reporting, Managing and Investigating Information Governance Serious Untoward Incidents prescribes that NHS organisations must register information security incidents, and what must be registered (Department of Health, 2007). The survey used a spreadsheet in which the columns requested information similar to this checklist. A limitation of this approach was that the HI-risk classification could not be tested in full: the classification contains more categories than the NHS policy. However, the researchers wanted to keep the vocabulary of the incident list close to what the health boards are used to, as this was expected to be the simplest and most effective way to gain a good response. This weakness would also be compensated for during later steps in the research, as the classification was going to be evaluated several times during the next stages.

Initially, the emails were sent only to Scottish Health Boards, as the scope of the other project was limited to Scotland. After collecting the responses, the researchers went their own ways. The data was used in a joint paper about the results (Smith et al., 2010), and in a thesis on IT risk assessments in healthcare by the other researcher (Smith, 2010).

The Scottish Health Boards reported a total of 504 incidents. After adding the Scottish incidents to a database, it was decided to broaden the research bed by sending the request for the list of incidents to the FOI officers of Care Trusts in England. England was added to create a bigger dataset in the collective register, which would make the representation of risk scenarios more reliable and consequently provide a better ground for generalisation; it would also enhance the diversity of organisations adding data. A list of the English trusts was available from the NHS website. All trusts have an online presence, and their websites were searched for the email address of the FOI officer. The FOI officers were sent an email with the request to provide information about information security incidents (Figure 4-1). Using the exact same request made it possible to combine the data from both surveys.

The responses were collected between September and December 2010. A total of 163 requests were sent and 132 replies were received, an 81% response rate. This was considered satisfactory for the purposes of this study, and the remaining organisations were not chased for their reply.

Dear Sir or Madam,

Pursuant to the Freedom of Information Act, I wonder if you could supply me, within the statutory time period, with details of Information Security incidents and further details relating to the incident for your Health Board from 1st January 2005 until September 2010. This includes classification of incident, nature of incident, system or number of records affected, whether the incident resulted in disciplinary action being taken. Normally this information is recorded as part of Information Governance.

I have enclosed a table (Excel format) as this provides further clarification on the information sought and may aid you in satisfying this request. I have used classifications and types of incidents listed in the NHS Security Policy, which may further aid you.

Please note no identifiable personal details are sought. This request has been issued to all Health Boards and the responses will be used for research purposes as part of an academic study.

Should you require further clarification please do not hesitate to contact me by email.

May I take this opportunity of thanking you for your support, Yours sincerely,

Nature of Incident: Type of incident such as: loss of USB stick containing data, theft of PC or other equipment, misuse of email, unauthorised access to secure area, loss of smart key, unauthorised access to records, failure to appropriately dispose of waste materials containing data, malicious code damaging systems.

Location of incident:

Cause of incident: Vulnerability in procedure or internal control, vulnerability in physical security, vulnerability in computer security or combination.

Classification of Incident: From NHS Information Security Policy Incident Classification Table: Insignificant, Minor,

Figure 4-1 E-mail request for security incident data
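The text explains that every board received the same request with the same spreadsheet layout, which is what allowed the Scottish and English returns to be merged into one collective register. The following script is an added example, not code from the dissertation or from any NHS body, of how such per-board spreadsheets (exported to CSV) can be combined, checked against the controlled vocabularies of the Figure 4-1 template, and summarised by cause and classification. The two board returns are constructed sample data; the column names, the `needs_review` convention and the vocabularies are assumptions for the example. Because the classification list on the page is cut off after "Minor", the example treats only "Insignificant" and "Minor" as known values and flags anything else for manual review rather than rejecting it.

```python
"""Collective incident register built from per-board incident lists that share
the Figure 4-1 column layout.

Added example (not the dissertation's or the NHS's own code). All rows below
are constructed; the vocabularies reflect only the values the request template
on the page lists.
"""
import csv
import io
from collections import Counter

# Columns of the Figure 4-1 spreadsheet template (names assumed for the example).
COLUMNS = ["nature", "location", "cause", "classification"]

# "Cause of incident" values from the template, lower-cased for comparison.
CAUSES = {
    "procedure or internal control",
    "physical security",
    "computer security",
    "combination",
}

# Only the first two classification values survive on the page; the rest of
# the NHS table is cut off, so unknown values are flagged, not rejected.
KNOWN_CLASSIFICATIONS = {"insignificant", "minor"}

# Constructed sample returns from two hypothetical boards (not real data).
BOARD_A_CSV = """nature,location,cause,classification
loss of USB stick containing data,ward office,Procedure or internal control,Minor
theft of PC or other equipment,car park,Physical security,Minor
misuse of email,admin block,Computer security,Insignificant
"""

BOARD_B_CSV = """nature,location,cause,classification
unauthorised access to records,records dept,Combination,Serious
loss of smart key,main entrance,Physical Security,minor
malicious code damaging systems,,Network,Minor
"""


def normalise(value):
    """Collapse whitespace and case so 'Physical Security' == 'physical security'."""
    return " ".join(value.strip().lower().split())


def load_register(source, csv_text):
    """Parse one board's CSV into normalised rows tagged with their source.

    Raises if the template columns are missing; otherwise records, per row,
    which fields fall outside the template vocabulary for later review.
    """
    reader = csv.DictReader(io.StringIO(csv_text))
    missing = [c for c in COLUMNS if c not in (reader.fieldnames or [])]
    if missing:
        raise ValueError(f"{source}: missing columns {missing}")
    rows = []
    for raw in reader:
        row = {c: normalise(raw[c]) for c in COLUMNS}
        row["source"] = source
        row["review"] = []
        if row["cause"] not in CAUSES:
            row["review"].append("cause not in template vocabulary")
        if row["classification"] not in KNOWN_CLASSIFICATIONS:
            row["review"].append("classification not in known list")
        if not row["location"]:
            row["review"].append("location blank")
        rows.append(row)
    return rows


def build_collective_register(registers):
    """Concatenate per-board registers; the shared layout makes this a plain union."""
    combined = []
    for source, text in registers.items():
        combined.extend(load_register(source, text))
    return combined


def summarise(register, field):
    """Count incidents by one normalised field (e.g. cause or classification)."""
    return Counter(row[field] for row in register)


def needs_review(register):
    """Rows whose vocabulary or completeness problems must be resolved by hand."""
    return [row for row in register if row["review"]]


if __name__ == "__main__":
    reg = build_collective_register({"board_a": BOARD_A_CSV, "board_b": BOARD_B_CSV})
    print(f"{len(reg)} incidents from {len({r['source'] for r in reg})} boards")
    print("by cause:", dict(summarise(reg, "cause")))
    print("by classification:", dict(summarise(reg, "classification")))
    for row in needs_review(reg):
        print("review:", row["source"], row["nature"], "->", "; ".join(row["review"]))
```

Keeping the review flags on the row, rather than dropping non-conforming rows, preserves the evidence trail the text values in incident registers over expert recollection: a board that uses a cause outside the template still contributes its incident, and the mismatch is visible when the classification is later evaluated.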
