Exploring Information Security Risks in Healthcare Systems

The volume and severity of information security breaches encountered continues to increase as organizations, including healthcare organizations, struggle to identify more effective security policies and procedures. Publicly available guidelines such as GASSP or ISO17799 that are designed to facilitate development of effective security policies and procedures have been criticized for, among other things, inadequate attention to differences in organizational security needs (Baskerville & Siponen, 2002), and for inadequate attention to the social dimensions of security problems (Dhillon & Backhouse, 2001). In this contribution, we argue that the diversity of organizational security needs, as well as the need to recognize the social dimensions to security problems, will continue to grow as companies move away from employing unique, proprietary approaches to software and network development, in favor of adopting standards-based plug-and-play applications, and related standardsbased methods and technologies designed to enable interorganizational as well as local systems interoperability. We use complexity science and adaptive structuration theory to support our arguments that current security management policies and procedures focus on what technologies are used, and on planned systems use to the exclusion of unplanned—but real—emergent use and emergent development of systems. A more holistic approach to security that adapts to emergent systems developments—and most importantly, addresses alternative, emergent uses of systems—is needed, we argue. Throughout the article, we use examples from the healthcare sector to illustrate our points. We do this because Electronic Health Record (EHR) systems that will enable information to be shared across a variety of organizations (local doctors’ offices, hospitals, 1713