
Research On Security Risk Assessment Of Hospital Information System Based On Analytic Network Process

Posted on: 2023-04-01
Degree: Master
Type: Thesis
Country: China
Candidate: C Song
GTID: 2544306818978169
Subject: Project management
Abstract/Summary:
In recent years, while hospital information systems have brought convenience to people's daily medical care and to government social governance, they have also faced new problems brought by information system security risks. Because of the large amount of private medical information involved, hospital information systems operated in a relatively closed internal environment in the past. With the gradual popularization of new ideas and technology applications such as "Internet+Healthcare", hospital information systems have been forced to become more open, and with this comes a significant increase in information security risks. Therefore, how to respond appropriately to the new situation in hospital information system security risk management, reduce the frequency of information security incidents, and reduce the various types of losses caused by risk events is a common problem faced by most hospitals. A review of the existing research, combined with the current situation of security risk management of hospital information systems in China, shows that, compared with traditionally dominant areas of information system risk management such as finance and aerospace, the security risk management of hospital information systems started relatively late. Although the "Information security technology-Baseline for classified protection of cybersecurity" promulgated in China has become the main reference standard for most public hospitals in their risk assessment work, there is still a gap between this standard, in terms of relevance and practicality, and the actual situation of hospitals. In this context, how to carry out the security risk management of hospital information systems, and especially the risk assessment within it, is the main research direction of this paper. This paper selects the Hospital Information System (HIS) and conducts a systematic study of its information security risk assessment:

1) First, we analyzed the concepts related to hospital information systems, information security, information security risk management and information security risk assessment, summarized the common methods of risk assessment and their scope of application, and selected the methods applicable to this study.
2) Taking the HIS of F Hospital as an example, and starting from an introduction to its hardware, software and other architectures, we focus on the current status of its security risk management assessment and analyze the limitations of the current level protection assessment.
3) We construct a risk assessment index system for hospital information systems that has a certain universality. The specific process includes risk identification, risk list construction, determination of the risk assessment indexes, and determination of the risk level criteria. This risk assessment index system has 6 first-class indicators and 25 second-class indicators.
4) The quantitative risk assessment results for the HIS of F Hospital are obtained by applying the above index system. First, the Analytic Network Process method is used to calculate the index weight values; second, the fuzzy comprehensive evaluation method is used to give the quantitative risk assessment result for the case hospital as a whole; finally, the risk values of the secondary indexes are calculated by single-factor fuzzy comprehensive evaluation to further clarify the risk treatment items for the HIS of F Hospital.
5) Risk treatment of the HIS of F Hospital. Based on the above quantitative assessment results, specific disposition and management measures are proposed in six aspects: physical security, network security, host security, application security, data security, and security management. Using the management methods proposed in this paper, the risk level of HIS information security at F Hospital is finally reduced to the low risk level.

Through the above research and practice, the information system security risk management of F Hospital has been well enhanced. In addition, given the prevalence of hospital information systems in medical institutions, the research results have some significance for information security risk assessment in various medical institutions.
Keywords/Search Tags:Hospital Information System, Information Security, Risk Assessment, Analytic Network Process
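
The weighting and overall-evaluation steps of item 4, shown as an added example that is not code or data from the thesis. It assumes an ANP supermatrix reduced to the six first-class indicators, three risk grades, the weighted-average fuzzy operator and the maximum-membership rule; every number is constructed.

```python
# Constructed sample data: none of these values come from the thesis.
INDICATORS = ["physical", "network", "host", "application", "data", "management"]
GRADES = ["low", "medium", "high"]

# Weighted supermatrix stored column by column: COLUMNS[j][i] is the judged
# influence of indicator i on indicator j. Every column sums to 1.
COLUMNS = [
    [0.10, 0.20, 0.20, 0.10, 0.20, 0.20],  # influences on physical
    [0.10, 0.10, 0.20, 0.20, 0.20, 0.20],  # influences on network
    [0.10, 0.20, 0.10, 0.20, 0.20, 0.20],  # influences on host
    [0.05, 0.20, 0.20, 0.10, 0.25, 0.20],  # influences on application
    [0.10, 0.20, 0.15, 0.20, 0.10, 0.25],  # influences on data
    [0.15, 0.15, 0.15, 0.15, 0.20, 0.20],  # influences on management
]

# Membership matrix R: share of assessors rating each indicator low/medium/high.
MEMBERSHIP = [
    [0.6, 0.3, 0.1], [0.2, 0.5, 0.3], [0.3, 0.5, 0.2],
    [0.2, 0.4, 0.4], [0.1, 0.4, 0.5], [0.3, 0.5, 0.2],
]

def anp_weights(columns, tol=1e-12, max_iter=1000):
    """Limit priorities of a column-stochastic supermatrix by power iteration."""
    n = len(columns)
    if any(abs(sum(col) - 1.0) > 1e-9 for col in columns):
        raise ValueError("every supermatrix column must sum to 1")
    w = [1.0 / n] * n
    for _ in range(max_iter):
        nxt = [sum(columns[j][i] * w[j] for j in range(n)) for i in range(n)]
        if max(abs(a - b) for a, b in zip(nxt, w)) < tol:
            return nxt
        w = nxt
    raise ValueError("supermatrix did not converge (it must be primitive)")

def fuzzy_evaluate(weights, membership):
    """B = W . R with the weighted-average operator: one value per grade."""
    return [sum(w * row[g] for w, row in zip(weights, membership))
            for g in range(len(membership[0]))]

def risk_grade(b, grades=GRADES):
    """Maximum-membership principle: the grade holding the largest share."""
    return grades[max(range(len(b)), key=b.__getitem__)]

if __name__ == "__main__":
    w = anp_weights(COLUMNS)
    b = fuzzy_evaluate(w, MEMBERSHIP)
    print(dict(zip(INDICATORS, (round(x, 4) for x in w))))
    print(dict(zip(GRADES, (round(x, 4) for x in b))), "->", risk_grade(b))
```

Passing a single indicator's weight and membership row to `fuzzy_evaluate` gives the single-factor evaluation used to rank individual treatment items.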