A Case Study of the Risk Assessment of the Susan G. Komen Virtual Tissue Bank
Health information systems contain information about one's health status, history of disease, living conditions and personal information such as social security number and address. The sensitivity of health information makes securing health information systems especially significant. As more health information is stored, processed and transmitted using information systems, information security breaches have also risen. Risk assessment is a process that quantitatively or qualitatively assesses the adverse impact that a system may suffer in the case of an information security breach. The results of a risk assessment provide the system owner with the existing security issues as well as adequate controls. This study applies the risk assessment model proposed by National Institute of Standards and Technology Special Publication 800-30 (NIST SP 800-30) to the health information systems at the virtual tissue bank of the Susan G. Komen for the Cure® Tissue Bank (KTB) at the IU Simon Cancer Center. The study findings show that there is no high-level risk for the KTB's virtual tissue bank. Nevertheless, risks still exist. The top five risks determined are the fraudulent act from computer criminals, information bribery from computer criminals, social engineering from academic espionage, fraud and theft from insiders, as well as information bribery from insiders. In order to avoid and reduce such risks, the researcher made recommendations for the management, operational and technical aspects respectively.
Melissa J. Dark, Purdue University.
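The abstract names the NIST SP 800-30 model and five threat-source/threat-action pairs, but does not show how a likelihood and impact rating turn into the "no high-level risk" finding. The following is an added worked example, not code from the thesis or from the KTB, that implements the three-level risk-level matrix of the 2002 revision of NIST SP 800-30 (likelihood 1.0/0.5/0.1 times impact 100/50/10, with High above 50, Medium above 10, Low otherwise) and ranks the five pairs named in the abstract. The likelihood and impact ratings assigned to each pair are constructed for illustration; the study's actual ratings are not on this page.

```python
from dataclasses import dataclass

# Three-level scales from NIST SP 800-30 (2002 revision), Tables 3-4 and 3-7.
LIKELIHOOD = {"High": 1.0, "Medium": 0.5, "Low": 0.1}
IMPACT = {"High": 100, "Medium": 50, "Low": 10}


@dataclass
class ThreatPair:
    """One threat-source / threat-action pair with its qualitative ratings."""
    source: str       # threat-source, e.g. "computer criminals"
    action: str       # threat-action, e.g. "fraudulent act"
    likelihood: str   # "High", "Medium" or "Low"
    impact: str       # "High", "Medium" or "Low"


def risk_score(likelihood: str, impact: str) -> float:
    """Risk = likelihood value x impact value, per the SP 800-30 matrix."""
    return LIKELIHOOD[likelihood] * IMPACT[impact]


def risk_level(score: float) -> str:
    """Map a numeric score onto the High / Medium / Low risk scale."""
    if score > 50:
        return "High"
    if score > 10:
        return "Medium"
    return "Low"


def rank_risks(pairs):
    """Return (source, action, score, level) tuples, highest risk first.
    Python's sort is stable, so pairs with equal scores keep input order."""
    scored = [(p, risk_score(p.likelihood, p.impact)) for p in pairs]
    scored.sort(key=lambda t: t[1], reverse=True)
    return [(p.source, p.action, s, risk_level(s)) for p, s in scored]


def residual_score(pair: ThreatPair, new_likelihood: str) -> float:
    """Score after a control lowers the likelihood (impact is unchanged)."""
    return risk_score(new_likelihood, pair.impact)


# Constructed ratings (assumption, not the study's data) for the five pairs
# the abstract lists; chosen so that none reaches the High level.
SAMPLE_PAIRS = [
    ThreatPair("computer criminals", "fraudulent act", "Medium", "High"),
    ThreatPair("computer criminals", "information bribery", "Medium", "High"),
    ThreatPair("academic espionage", "social engineering", "Medium", "Medium"),
    ThreatPair("insiders", "fraud and theft", "Low", "High"),
    ThreatPair("insiders", "information bribery", "Low", "High"),
]


def highest_level(pairs) -> str:
    """The single highest risk level present, for the 'any High risk?' check."""
    order = {"Low": 0, "Medium": 1, "High": 2}
    return max((lvl for *_, lvl in rank_risks(pairs)), key=order.__getitem__)


if __name__ == "__main__":
    for source, action, score, level in rank_risks(SAMPLE_PAIRS):
        print(f"{source:20} {action:22} {score:6.1f}  {level}")
    print("highest level:", highest_level(SAMPLE_PAIRS))
    # Example control: an access-control or audit measure that drops the
    # likelihood of criminal fraud from Medium to Low.
    print("residual after control:", residual_score(SAMPLE_PAIRS[0], "Low"))
```

The matrix reproduces every cell of the SP 800-30 table (for example Medium likelihood against High impact gives 50, which the standard classes as Medium, and only High against High exceeds 50). Ranking by score is what produces a "top five" list, and `residual_score` shows how a recommended management, operational or technical control is argued for: it lowers the likelihood factor while the impact of a breach of the tissue bank's records stays the same.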