
Study On Risk Prevention Management Strategy For Hospital Information System Security

Posted on: 2009-05-10
Degree: Master
Type: Thesis
Country: China
Candidate: J P Zhu
GTID: 2144360278963946
Subject: Social Medicine and Health Management
Abstract/Summary:
Objective: Building on an understanding of the current state of information system security risk at home and abroad, this study further clarifies the existing risks and problems of hospital information system security in our country, draws on the feasible features of existing strategies for preventing information system security risk, and puts forward possible measures and strategies, from a management perspective, for preventing security risk in hospital information systems. It aims to provide a reference that helps decision-makers and system security administrators carry out risk prevention management of information system security better.

Methods:

1. Document retrieval and information analysis: This method forms a scientific understanding of facts by collecting, identifying and sorting documents and studying them. In this paper, on the basis of consulting the relevant theory and practical progress in system security and risk prevention management strategy, the elements that could be drawn on were summarized, and the targets, content, methods, questionnaires and interview outline of the study were determined.

2. Descriptive statistical analysis: This method uses statistical charts and the data distribution of samples to understand the distribution characteristics of the observations. In this paper it was used to summarize and analyze the basic situation of the surveyed hospitals and respondents, and the staffing and training for system security, etc. The chi-square test was used to examine differences among groups of hospital information bureau personnel in their appraisal of the ability to protect system security, their appraisal of security products, and their perception of the sufficiency of investment funds.

3. Principal component analysis: This is a statistical method that, starting from the relationships among many variables and applying the idea of dimension reduction, condenses them into a few uncorrelated composite variables. In this study it was applied to the many risk factors affecting system security.

4. Typical field investigation: This is a systematic survey method that selects representative areas or organizations according to the content and purpose of the study. In this paper it was used to survey hospital information bureau personnel and personnel who use hospital information subsystems. A total of three hundred and thirty people in seven hospitals in the cities of Wuhan and Ezhou were investigated.

5. Qualitative sociological research: This method allows in-depth discussion of indicators that cannot be quantified and of information that cannot be obtained directly by questionnaire. In this paper, focus group discussion was used, inviting experts from many fields, such as information management and health statistics, to examine the implementation scheme and data analysis methods of the study. Personal semi-structured interviews were held with key people to explore relevant experience and problems in risk prevention management of hospital information system security.

Results and analysis:

1. Analysis of personnel deployment and division of work in hospital information system security

Hospital information system security covers many aspects, such as hardware, software, network, database and system rooms. System security work is carried out under the unified leadership of the dean responsible for this field and the director of the information bureau. In some hospitals, one or more people are responsible for security management in a particular aspect, whereas in other hospitals a single person is responsible for all aspects of security. When serious security incidents happen, the people responsible for the different aspects of system security cooperate with each other to solve them.
In some hospitals, the workload of system security managers is too heavy, their academic qualifications are on the low side, their specialties are not well matched to system security management, the organizational structure of system security management is not sound enough, and communication and coordination between departments are lacking.

2. Analysis of personnel training for hospital information system security

Some hospitals do not pay enough attention to system security training: the content and methods of training are not very rich, the timing and frequency of training are not well chosen, investment in training is insufficient, and the effect of training is not very good.

3. Analysis of the security risk of hospital information systems

System security risk has internal and external sources and comes mostly from five aspects: data, network, hardware, software and system rooms. The better way to detect system security risk is monitoring by system administrators or security products, but some hospitals still discover it only through analysis after an accident or by chance.

4. Analysis of the effective selection of risk prevention measures for hospital information system security

There are areas in which hospitals should improve their selection of security measures, such as system architecture, the operating system level, the system level, data, network, management and technology.

5. Analysis of the appraisal of the ability to protect system security and of security products

The majority of people consider that the ability to protect system security in their hospitals is not very high.
Among hospital information bureau personnel, appraisal of the ability to protect system security differed significantly by age distribution (χ² = 9.033, P = 0.046), academic level (χ² = 10.189, P = 0.023), years of work in the current job (χ² = 13.168, P = 0.005) and title distribution (χ² = 10.567, P = 0.016). Among the same personnel, appraisal of system security products differed significantly by years of work in the current job (χ² = 9.167, P = 0.01) and age distribution (χ² = 17.206, P = 0.000). The main problems of the system security products on the market are a lack of flexibility and stability, poor ease of use, a lagging technical level, high cost, etc.

6. Analysis of capital investment in hospital information system security

Capital investment in information system security covers many aspects, such as the purchase and maintenance of security hardware, the purchase and upgrade of security software, and investment in security management and training for human resources. Some hospitals have no budget and invest at their discretion, the amount invested is insufficient, and the effective selection of investment direction needs improvement.

Among hospital information bureau personnel, perception of the sufficiency of system security investment funds differed significantly by age distribution (χ² = 6.425, P = 0.039), academic level (χ² = 13.258, P = 0.001), years of work in the current job (χ² = 11.723, P = 0.004) and title distribution (χ² = 10.381, P = 0.003).

Discussion and suggestions:

1. To establish an organizational structure and deploy administrators rationally, and to increase investment in important equipment

Hospitals should form a scientific and rational organizational structure for risk prevention management of system security. A security leading group should be formed under the leadership of the dean responsible for this field. System security administrators should be deployed rationally. The division of work and respective responsibilities should be made clearer. The content of cooperation between the corresponding departments should be well defined.

Hospital leaders should change their thinking and become fully convinced of the importance of risk prevention management of system security. Capital investment in it, especially in important equipment, should be increased.

2. To strengthen the dissemination of system security knowledge, and education and training in it, among personnel who use the systems

Hospitals that do not pay enough attention to system security training should in future enrich the content and methods of training, choose its timing and frequency carefully, increase investment in training appropriately, and improve related aspects in order to enhance the effect of training.

3. To establish a more comprehensive and operational set of management systems and contingency plans

Appropriate management rules and the methods for applying them should be prescribed according to the actual situation of different types and sensitivities of information, and efforts should be made to put these rules into effect. General and specific emergency response plans should be designed and exercised regularly, so that hospitals are better able to deal with unexpected incidents and to minimize system disruption time, losses and social impact.

4. To establish a monitoring system and assessment and detection mechanisms for system security

Focused management and supervision should be applied to those who pose serious and hidden dangers to system security.
In order to establish an assessment mechanism for security risk, long-term cooperation with professional security service firms could be established. Plans and schemes for security testing should be drawn up, and a dedicated testing group should be organized. Preventive maintenance of hardware equipment should be done well.

5. To strengthen the management of important system information and documents

Intact system documents are the basis for fault analysis and troubleshooting, so the management of system documents should be strengthened.

6. To improve system functions and raise the security level of applications

Permissions in system software should be set reasonably. System functions should be considered carefully. The number of super users should be strictly limited. System login passwords should be changed regularly. Lending IDs and passwords to others should be strictly prohibited.

7. To strengthen the security technology safeguards of the information system

Security technology safeguards for the system should be strengthened in both hardware and software. Communication with professional security service firms should be reinforced. Corresponding standards should be established. Corresponding legal or policy support should be strengthened.
Keywords/Search Tags: hospital information system security, risk prevention, management strategy