Selected Aspects of Information Security Management in Entities Performing Medical Activity

Abstract

The article is devoted to the issues related to an information security management in medical entities. The healthcare entities have been amongst the prime targets for hackers for several years. According to the IBM report “The 2016 X-Force Cyber Security Intelligence Index” in 2015 most of the attacks were carried out against these entities. The years 2016 and 2017 also witnessed spectacular cyberattacks, for example: medical records breach of 3.3 million people because of an unauthorized access to a server in the US, some WannaCry ransomware attacks on the UK hospitals, some MongoDB Database Leaks in the US or NotPetya ransomware attacks in the US hospitals. Entities performing medical activity are processing personal data concerning health that is classified as a “sensitive data” and needs a special protection. The article presents the results of the survey – interviews with IT managers (or designated persons) in entities performing medical activity in Lodz Voivodeship in Poland. The aim of the research was analysis and evaluation of information security management in these entities. The interviews had been performed between December, 2017 and January, 2018. As the results of the research, the ways of information security management were identified (in particular such aspects as: characteristics of the information security teams, information security management system auditing, risk management, information security incidents, budgets for information security, training and the General Data Protection Regulation implementation). The paper also describes the types of information that should be protected in healthcare entities and characteristic of surveyed entities that subordinate to the local government of Lodz Voivodeship in Poland.