The customised GST instances

Part of the document Generic Security Templates for Information System Security Arguments: Mapping Security Arguments within Healthcare Systems (pages 156 - 160)

8.3 Execution of the group study - first session

8.3.3 The customised GST instances

Figures 8.1, 8.2 and 8.3 show the resulting instances of the Generic Security Template for the incidents, produced by following the rules in section 8.3.2.

The process of mapping the US case studies to the context of Chinese healthcare yielded some significant insights. For instance, in the VA 2007 data leakage incident, one of the lessons learned, “Risk Analysis”, was moved under the strategy “Argument over All Missing Recommendations”. It identifies a new security requirement that is probably missing from GB/T22239. Some of the lessons learned identified from the VA 2006/2007 data leakage incidents can be mapped to a deeper level, namely the bottom level of GB/T22239. For example, the lesson learned “Sensitive Information” from the VA 2006 data leakage incident is mapped to the goal (security requirement) 8.1.5.2.b, as shown in Figure 8.2, whereas a similar lesson learned in the Shenzhen data leakage incident, “Sensitive Data”, is mapped to the higher-level goal (security requirement) 8.1.5.2. This to some extent indicates the different maturity levels of healthcare system security management in the VA and in China.
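As an added example (not from the thesis), the following Python models such a customised GST instance: the GB/T22239 clause ids quoted in Figure 8.1 form the goal tree, each lesson learned is attached to a clause or, when no clause covers it, to the “Argument over All Missing Recommendations” strategy, and the depth of the clause id gives the mapping level the text compares between the VA and Shenzhen instances. The lesson-to-clause assignments are a constructed sample following the text, not data from the study.

```python
# Added example, not from the thesis.  Clause ids and texts are those quoted
# in Figure 8.1 (GB/T22239), forming the goal tree beneath the top claim
# "Healthcare System (HS) is acceptably secure"; the lesson-to-clause
# mappings are a constructed sample that follows the comparisons in the text.
MISSING = "Argument over All Missing Recommendations"
STANDARD = {
    "8.1": "Technical Requirements are addressed",
    "8.1.5": "Data security and recovery are addressed",
    "8.1.5.2": "Data confidentiality (S4) is addressed",
    "8.1.5.2.b": "Encryption or other protective measures for critical data",
    "8.2": "Management Requirements are addressed",
    "8.2.2": "Security Management Structure is addressed",
    "8.2.2.1": "Position description (G4) is addressed",
}

def parent(clause):
    return clause.rpartition(".")[0]  # '8.1.5.2.b' -> '8.1.5.2'

def depth(clause):
    return clause.count(".") + 1  # '8.1' -> 2, '8.1.5.2' -> 4, '8.1.5.2.b' -> 5

def orphan_goals(standard):
    """Sub-clauses whose parent goal is absent: the argument chain is broken."""
    return [c for c in standard if depth(c) > 2 and parent(c) not in standard]

def build_instance(standard, lessons):
    """Attach each lesson learned to (goal id, depth).  None means no clause
    covers it, so it goes under the MISSING strategy; an unknown id is rejected."""
    instance = {}
    for lesson, clause in lessons.items():
        if clause is None:
            instance[lesson] = (MISSING, 0)
        elif clause not in standard:
            raise KeyError(f"{lesson!r} maps to unknown clause {clause}")
        else:
            instance[lesson] = (clause, depth(clause))
    return instance

def missing_recommendations(instance):
    """Lessons the standard does not cover: candidate new requirements."""
    return sorted(l for l, (goal, _) in instance.items() if goal == MISSING)

def max_depth(instance):
    """Deepest clause any lesson reaches; the text reads this as a maturity sign."""
    return max((d for _, d in instance.values()), default=0)

# Constructed samples following the text: VA lessons reach the bottom level.
VA_2006 = {"Sensitive Information": "8.1.5.2.b", "Position Description": "8.2.2.1"}
VA_2007 = {"Risk Analysis": None, "Sensitive Information": "8.1.5.2.b"}
SHENZHEN = {"Sensitive Data": "8.1.5.2"}
```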


Figure 8.1 (diagram rendered as text; nodes recovered from the extraction):

Top claim: Healthcare System (HS) is acceptably Secure
Context: Healthcare System of Shenzhen Hospital; Security Standard China (GB/T22239)
Strategy: Argument over GB/T22239

Goals (GB/T22239 requirements):
  8.1 Technical Requirements are addressed
    8.1.4 Application Security is addressed
      8.1.4.3 Access Control (S4) is addressed
        8.1.4.3.d Minimum required permissions should be granted to different accounts
    8.1.5 Data security and recovery are addressed
      8.1.5.2 Data confidentiality (S4) is addressed
        8.1.5.2.b Use encryption or other protective measures for system data management, information identification, and the storage of critical business data
  8.2 Management Requirements are addressed
    8.2.1 Security Management Policy is addressed
      8.2.1.1 Management Policy (G4) is addressed
    8.2.2 Security Management Structure is addressed
      8.2.2.1 Position description (G4) is addressed
    8.2.5 System operation and maintenance management are addressed
      8.2.5.12 Security Incident Handling (G4) is addressed

Lessons learned from the VA 2007 incident attached to these goals:
  (Type I) Sensitive Information: Use encryption, or other effective tool, to protect personally identifiable information stored on removable storage.
  (Type I) Access Control: Avoid the abuse of programmer level access control.
  (Type III) Position Description: Re-evaluate and correct position sensitive level.
  (Type III) Management Structure: Establish a functional description and performance plan to clarify the line authority and reporting relationship.
  (Type III) Security Policy: Discontinue storing email on unauthorized system.
  (Type III) Security Policy: Ensure that human subjects in research comply with information security requirements.
  (Type III) Security Policy: Ensure that data security plans for research projects comply with information security policies.
  (Type III) Administrative Action: Take appropriate administrative action against the people involved in this incident for their inappropriate actions.

Strategy: Argument over All Missing Security Recommendations (Standard non-existent): Government-wide risk analysis criteria
  (Type IV) Risk Analysis: Develop and issue Government-wide risk analysis criteria

Figure 8.1: Instance of the Generic Security Template VA 2007 - customised by replacing the security standard


Figure 8.2 (diagram rendered as text; nodes recovered from the extraction):

Top claim: Healthcare System (HS) is acceptably secure.
Context: Healthcare System of XXX Central Hospital; Chinese Security Standard (GB/T22239)
Strategy: Argument over GB/T22239

Goals (numbered 7.x in this figure):
  7.1 Technical requirements are addressed.
    7.1.5 Data security and recovery are addressed.
      7.1.5.2 Data confidentiality (S4) is addressed.
        7.1.5.2.b Use of encryption or other protective measures for system data management, information identification, and the storage of critical business data is addressed.
  7.2 Management requirements are addressed.
    7.2.2 Security management structure is addressed.
      7.2.2.1 Position description (G4) is addressed.
    7.2.3 Human resource security management is addressed.
      7.2.3.4 Security education and awareness training (G4) is addressed.
    7.2.5 System operation and maintenance management are addressed.
      7.2.5.12 Security incident handling (G4) is addressed.
        7.2.5.12.d Development of security incident reporting and response procedure, scope, extent and treatment method is addressed.

Lessons learned from the VA 2006 incident attached to these goals:
  (Type I) Sensitive Information: Use encryption, or other effective tool, to protect personally identifiable information stored on removable storage.
  (Type I) Incident Handling: Enhance the incident-response program for prompt identification and thorough investigation of incidents.
  (Type III) Position Description: Define the position sensitive level.
  (Type III) Security Training: Provide linkage to all applicable laws and VA policy as part of the security awareness training.
  (Type III) Administrative Action: Take administrative actions against the people involved in this incident for their inappropriate actions.

Figure 8.2: Instance of the Generic Security Template VA 2006 - customised by replacing the security standard


Figure 8.3 (diagram rendered as text; nodes recovered from the extraction):

Top claim: Healthcare System (HS) is acceptably secure.
Context: Healthcare System of XXX Central Hospital; Chinese Security Standard (GB/T22239)
Strategy: Argument over GB/T22239

Goals (numbered 7.x in this figure, with 8.1.5.2 as printed in the diagram):
  7.1 Technical requirements are sufficiently addressed.
    7.1.2 Internet Security Control is addressed.
    7.1.5 Data security and recovery are addressed.
      8.1.5.2 Data confidentiality (S4) is addressed.
  7.2 Management requirements are addressed.
    7.2.1 Security management policy is addressed.
      7.2.1.1 Management policy (G4) is addressed.
    7.2.2 Security management structure is addressed.
      7.2.2.5 Audit and assessment (G4) are addressed.
    7.2.3 Human resource security management is addressed.
      7.2.3.4 Security education and awareness training (G4) is addressed.

Lessons learned from the Shenzhen incident attached to these goals:
  (Type II) Security Audit: Establish and conduct a security audit plan according to the security standards.
  (Type II) Security Policy: Establish and enforce security policy according to the security standards.
  (Type II) Security Training: Establish and execute security training programs by following the security standards.
  (Type II) Network Security: Ensure network security by following the security standards.
  (Type III) Sensitive Information: Define the information sensitive level.

Figure 8.3: Instance of the Generic Security Template Shenzhen
