Article ID: | iaor20011399 |
Country: | South Korea |
Volume: | 17 |
Issue: | 1 |
Start Page Number: | 145 |
End Page Number: | 158 |
Publication Date: | May 2000 |
Journal: | Korean Management Science Review |
Authors: | Lee Sang-Jae, Han In-Goo, Moon Song-Chul |
Keywords: | information |
Medical records of diagnostic and testing information include sensitive personal information that reveals some of the most intimate aspects of an individual's life. The hospital information system (HIS) operates in a state of high risk, in which various threats may cause loss of IS resources. This research has two aims: (1) to perform asset identification and valuation, and (2) to recommend countermeasures for a secure HIS network using case studies. The paper applied a risk management tool, CRAMM (Central Computer and Telecommunications Agency's Risk Analysis and Management Method), to assess asset values and suggest countermeasures for the security of computerized medical information at two large hospitals in Korea. CRAMM countermeasures are recommended for the reference sites based on the network security requirements of the systems used for the diagnosis and treatment of patients. The results of the study will enhance awareness of IS risk management among IS managers.