A FRAMEWORK TO SELECT RISK ANALYSIS METHODS IN HEALTHCARE

Academic year: 2022


Bachelor Degree Project in Informatics 30 ECTS
Spring term 2014
Amaia Eskisabel
Supervisor: Jianguo Ding
Examiner: Mikael Berndtsson

This project has been submitted by Amaia Eskisabel Azpiazu for the Bachelor Degree in Informatics to the University of Skövde, in the School of Humanities and Informatics.

Date of submission: 27 June 2014

I hereby certify that all material in this dissertation that is not my own work has been identified and that no work is included for which a degree has already been conferred on me.

Amaia Eskisabel

ACKNOWLEDGEMENTS

I would like to use these lines to express my deep and sincere gratitude to all those who have collaborated in the realization of this work. In particular to Jianguo Ding, the supervisor of this thesis, for the guidance and supervision, and to my examiner in the thesis, Mikael Berndtsson, whose flexibility and support have been very important when I had problems carrying out the thesis.

I would like to extend my gratitude to my Erasmus colleagues for their friendship and support in good and bad moments during this year, because without them it would not have been possible to carry out this thesis.

Finally, thanks to my family for the support they have given me during these four years that the college career has lasted, and because they have been the main support and source of motivation for all the things that I have proposed to do during the college career.

To all of them, thank you.

ABSTRACT

This thesis proposes a framework for comparing different methods for conducting risk analysis in hospitals.

The development of the framework is important because it helps hospitals know the current state of their security and thus facilitates decision-making for the directors of the hospitals. In addition, the benefits obtained are the improvement of the performance of the hospital, the reduction of business risks, the transformation into a more sustainable organization, the encouragement of innovation, the improvement of people's confidence and the improvement of the reputation of the organization.

A search among the different baselines, criteria and processes of different risk analysis methods and the existing literature on the subject was conducted to select the comparison criteria of the framework. Then, for reasons of time, a comparison with real hospital information using only four risk analysis methods was carried out.

To correctly choose the method best suited to a hospital, more research needs to be carried out, because there are ever more methods, and more effective ones, which make the choice harder. In addition, the specifications concerning the criteria that each method meets should be better defined and explained, because they hinder the choice.

TABLE OF CONTENTS

1. INTRODUCTION ... 1
1.1. PROBLEM ... 3
1.2. PURPOSE AND MOTIVATION ... 5
1.3. METHODS ... 6
1.4. DELIMITATIONS ... 7
1.5. THESIS STRUCTURE ... 7
2. IMPORTANT CONCEPTS AND RELATED RESEARCH ... 8
2.1. RISK CONCEPT ... 8
2.2. RISK MANAGEMENT ... 8
2.2.1. RISK ASSESSMENT ... 9
2.3. RISK ANALYSIS MANAGEMENT IN HEALTHCARE ... 11
3. CREATING THE FRAMEWORK ... 13
3.1. PROCESS TO CREATE THE FRAMEWORK ... 13
3.2. METHODS SELECTION PROCESS ... 13
3.3. METHODS DETAILS ... 15
3.3.1. CCTA RISK ANALYSIS AND MANAGEMENT METHOD (CRAMM) ... 15
3.3.2. OPERATIONALLY CRITICAL THREAT, ASSET AND VULNERABILITY EVALUATION (OCTAVE) ... 16
3.3.3. RISK ANALYSIS OF SECURITY CRITICAL SYSTEMS (CORAS) ... 17
3.3.4. INFORMATION SECURITY RISK ANALYSIS METHOD (ISRAM) ... 18
3.4. SELECTED CRITERIA ... 19
3.4.1. METHODS SELECTION CRITERIA ... 19
3.4.2. INFORMATION ABOUT THE HOSPITAL ... 20
3.4.3. ORGANIZATION ... 21
3.4.4. TYPE OF METHOD ... 22
3.4.5. RISK MANAGEMENT ... 22
3.4.6. SECURITY PLANS AND DOCUMENTS ... 24
3.5. FRAMEWORK TEMPLATE ... 25
3.5.1. SELECTION CRITERIA ... 25
3.5.2. HOSPITAL INFORMATION TEMPLATE ... 26
3.5.3. METHOD TEMPLATE ... 27
4. APPLYING THE FRAMEWORK ON RISK ANALYSIS METHODS ... 30
4.1. HOW TO USE THE FRAMEWORK ... 30
4.2. CASE STUDY ... 30
4.2.1. METHODS COMPARISON ... 31
4.2.2. RESULTS ... 34
4.3. EVALUATION OF THE FRAMEWORK ... 35
4.3.1. RELATED WORK ... 36
5. CONCLUSIONS ... 37
5.1. ETHICAL CONSIDERATION ... 38
APPENDICES ... 46
APPENDIX B: ABBREVIATION LIST ... 46

LIST OF FIGURES

FIGURE 1: RISK MANAGEMENT (SYXON, N.D) ... 9
FIGURE 2: CRAMM PROCESS (SEGURIDAD INFORMATICA, N.D) ... 15
FIGURE 3: OCTAVE PROCESS (ALBERT, 2001) ... 16
FIGURE 4: CORAS PROCESS (THE CORAS METHOD, 2013) ... 17
FIGURE 5: ISRAM PROCESS (KARABACAK, 2003) ... 18

LIST OF TABLES

TABLE 1: QUALITATIVE METHODS ... 14
TABLE 2: QUANTITATIVE METHODS ... 14
TABLE 3: METHOD SELECTION CRITERIA ... 26
TABLE 4: INFORMATION ABOUT THE HOSPITAL ... 26
TABLE 5: ORGANIZATION CRITERIA ... 27
TABLE 6: TYPE OF METHOD CRITERIA ... 28
TABLE 7: RISK MANAGEMENT CRITERIA ... 28
TABLE 8: DOCUMENTS CRITERIA ... 29
TABLE 9: APPLYING INFORMATION ABOUT THE HOSPITAL ... 31
TABLE 10: APPLYING THE ORGANIZATION CRITERIA ... 33
TABLE 11: APPLYING THE TYPE OF METHOD CRITERIA ... 33
TABLE 12: APPLYING THE RISK MANAGEMENT CRITERIA ... 34
TABLE 13: APPLYING THE DOCUMENTS CRITERIA ... 34

1. INTRODUCTION

The patient is the most important figure in healthcare, and that is the reason for the importance of the patient's data. During an illness it is increasingly common for a patient to visit different doctors, and these doctors must have permission to access the patient's data. This is the reason why, in recent years, the use of electronic health records (EHR) has gained strength in the health sector (Åhlfeldt, 2008).

EHRs are available to certain providers that store all the data of the patients over time. These data form the electronic medical history, including demographic data, problems, medications, vital signs, etc. Thanks to EHR information, getting the data is much more automated, and it also optimizes the workflow (Terry, 2005). The use of this technology means increased automation in the healthcare environment, in addition to cost savings. However, it is not all advantages: with the use of EHRs, the potential privacy and security risks increase, with an impact on potential costs and adverse effects on the reputation of the organization. Even so, why would anyone want to obtain medical data from patients? The use of EHRs has created opportunities for medical identity theft, fraud, blackmail, etc., but most importantly, an inaccurate medical record can lead to serious consequences for the patient that could end in death. That is why it is very important to keep patient information secure and private.

A study performed by the Swedish Data Inspection Board in 2009 showed that different healthcare organizations around Sweden did not control access to medical records, and the Board felt that the problem was spreading across the country (Eriksson, 2011). For example, in 2009 a woman from Kiruna illegally accessed the health information of a family member because she felt threatened and wanted to know whether the relative was dangerous or not. She did not access it just once but up to three times, and that is why she was sentenced by the District Court to pay 30 day-fines. Another example happened in the hospital of Gävle. A nurse looked at the medical record of his ex-girlfriend, not knowing that it was illegal to access other people's medical information without consent.

The health sector is supported by information obtained from patients so that health

mentioned above, information security plays a very important role in carrying out health services, and it is for this reason that standards are a critical factor for data exchange to be done in an efficient, consistent and safe way. In an area such as Information and Communications Technology (ICT), which is a field that is not regulated, the use of safety standards is essential. Therefore, when we put the areas of ICT and the health sector together, the use of standards becomes a requirement and almost an obligation.

A standard can be defined as "a document that provides requirements, specifications, guidelines or characteristics that can be used consistently to ensure that materials, products, processes and services are fit for their purpose" (ISO Standards, n.d). Although there are many standards related to information security at the global level, not enough time has been taken to create resources that facilitate the understanding of such security standards. The standards that currently exist have been written by experts in the area and are intended for people who have a high level of understanding of the sector. However, in practice these standards are read and implemented by people from the health sector who are not experts on the subject, and this is a big limitation for the application of standards.

Security standards are a primary need because they serve to establish quality objectives, besides increasing the efficiency of safety practices. However, existing standards are very general, which hinders their implementation. Several health organizations have recognized the function played by security standards as very important because of the existing need to distribute data and increase connectivity. With regard to the collection of information and its standardized reporting, there is an obvious gap in the existing security standards. This has been one of the reasons why Health Informatics groups have been created all over the world. These groups have recognized that there is a need to create security standards that are more comprehensible, with more concrete guidelines and not as generic as the current ones, so that the implementation and evaluation of established security systems becomes easier work for the staff responsible for it.

1.1. PROBLEM

Information is the centre of power of the majority of entities. In the case of the healthcare sector, patient data have gone from being kept on paper to being kept in electronic format. This is a breakthrough because data can be shared between doctors, hospitals and even providers, but it also carries risks.

The information that is stored about patients is confidential, and the advancement and improvement of technologies also increase the possibility of new dangers for the security of the information. That is why it is very important to keep patient information secure and private. Even taking into account all the research and practices that have been carried out, gaps in information security remain a top concern for all types of organizations (Workman, 2008), but specifically for the health sector (Gold, 2010). At first it was thought that the security of information was merely a technical aspect; however, it goes beyond the technical aspect (Nissenbaum, 2005). It also has to do with social and organizational dimensions (Torkzadeh, 2006). During the past 30 years the security threats have evolved, but the issues related to the security of information remain high (PWC, 2010).

For example, the company Information Security Media Group Corp. (ISMG), which specializes in coverage of information security, holds a survey every year in hospitals, clinics and health organizations in the United States. In a survey conducted in fall 2012 with around 200 chief information security officers, CIOs, directors of IT and other senior leaders, it was found that since September 2009 more than 570 major breach incidents had been added to the federal list (Information Security Media Group, 2012).

Nowadays, due to the lack of tools, hospitals do not correctly measure security. The measurement of information security has been a difficult task over the years. In addition, even when security gaps in their systems worried the organizations, it has been quite hard to justify an expenditure or investment in the area of security (Saxena, 2010). Information security is a primary concern for many organizations, but many of them do not have the necessary systems to ensure information. To this end, reliable and quantifiable measurements are needed (Jaquith, 2003), because that way the organizations' systems are reliable and effective (Savola, 2007). The managers of hospitals need to take strategic and tactical decisions and plan future investment in the area of information security, so they need to get answers to questions (Brotby, 2009). These questions can be such as: how secure is the organization at present? How much security is enough? How do we know when we have achieved the required level of security? What are the most cost-effective solutions? How do we prevent over-spending on IT assets or under-protecting assets? How well can risk be predicted?

Hospitals need to implement security standards to protect the privacy of patient data, ensure secure access to sensitive data and deal with the questions above. The general problem that exists with these legislations, standards and good practices is that there are many dealing with the security of information, but none really covers all the fields of information security. They are very complex to understand and implement well for people who are not experts in the field of information security. As Eugene Spafford said, "a secure system is one that does what it is supposed to" (Breaux, Antón, & Spafford, 2009). Therefore, it is very difficult to define a security structure that is valid for all hospitals, because not all work the same way. Taking into account the security standards, this always leads to the same question for the managers of hospitals: which of the existing standards is the most complete one to ensure the information security of the hospital? How can it be chosen? There are also other smaller problems, which are just as important as the general one. For example, to implement a security standard, the first step to perform is a risk analysis. Gerber et al. (2001) stated that the process of risk analysis could be described as "inconsistent, long lasting and difficult to apply". There are different reasons why organizations do not perform risk analysis. Coles et al. (2003) define the reasons, such as lack of time, the extra costs posed for the hospital by hiring people to perform the analysis or training the hospital's personnel, and the mistaken idea that there is an adequate level of protection.

Different publications (Berler, n.d.) state that one of the problems affecting information security is the poor design of safety management. The biggest challenge from a poor design is the identification and classification of the security risks to which a system may be exposed. The first step to develop and manage a security plan is the realization of a risk analysis. There are different methodologies that allow carrying out the risk analysis to help organizations assess the risks to which they are exposed, so as to be able to create and implement a plan to improve security. Different authors argue (Sadok et al., 2014) that it is very difficult to choose a method for risk analysis, because these are based mainly on the technical side and on the development of plans or strategies for the protection of security. The goal of all methods is the same, but not all the methods use the same approach. Some focus on specific risks while others are more general. The IT department of a hospital is responsible for ensuring safety, but it is sometimes difficult to have a clear picture of the state of security without a risk analysis. To be able to implement a security standard, various questions have to be answered, such as: what is the current state of the security of the hospital? How can it be analysed? Which is the best method?

1.2. PURPOSE AND MOTIVATION

The aim of this project is to propose a framework to evaluate the existing methods for performing a risk analysis and thus recommend a series of assessments to evaluate the framework.

The objectives of this thesis are: to create a framework of guidelines to choose the appropriate risk analysis method, taking into account the frameworks existing in the literature; to test the created framework using real information about a hospital; and to draw conclusions and suggest improvements for the future of the created framework.

The main motivation to develop this thesis is the lack of information available in the current literature about guidelines that help select the best method to perform a risk analysis, in order to see the current state of security and thus facilitate decision-making for the managers of hospitals. Knowing the current state of the hospital's security helps the managers invest money to improve security and obtain benefits such as the improvement of the performance of the hospital, the reduction of business risks, the transformation into a more sustainable organization, the encouragement of innovation, the improvement of people's trust and the improvement of the reputation of the organization. The report can help hospital managers better understand the different methods that are compared, making the hospital more effective in preventing and analysing risks.

1.3. METHODS

This chapter provides information on how each objective will be carried out.

Create a framework of guidelines to choose the appropriate risk analysis method, taking into account the frameworks existing in the literature: The framework to be created will be based on different models that are found in the literature about risk analysis methods. A search across different digital libraries has been conducted to select scientific articles published in journals, conferences, etc. The digital libraries used to find the articles are DiVA, ACM, Google Scholar, FLOSShub, ScienceDirect, CiteSeerX and IEEE Xplore. The criteria to be fulfilled by the articles are: the main topic of the scientific article should be related to selection and evaluation frameworks for risk analysis methods; the article must include details about the methodology and the data in order to understand the results and the conclusions; other authors must have cited the scientific article in their scientific publications; and the scientific article must have been published in a journal or a conference. The type of framework created is a theoretical framework. The created framework uses different criteria to compare the methods. The criteria are explained in chapter 3.4.

Test the created framework using information about a hospital: To test the created framework, information will be sought on a hospital that has performed a risk analysis. The information from the hospital will be used to obtain its characteristics and requirements and to perform the comparison between the different methods, in order to suggest the method that would be best adjusted to that hospital. To perform the test, the information about the methods is obtained using standards, baselines, security policies of hospitals and the existing literature.

Draw conclusions and suggest improvements for the future of the created framework: To obtain the conclusions and future improvements, the results obtained in the above objective will be analysed. The findings will serve to evaluate the created framework and the evaluation method. Thanks to this assessment, the things that can be improved, the gaps in this version, what has been done well and the steps that could be taken in the future to continue developing the framework and its evaluation will be known.

1.4. DELIMITATIONS

The research area of this thesis lies between the health sector and information security. Because of the limited time available, this thesis will focus on four different risk analysis methods. The selection process is explained in the third chapter of the thesis.

1.5. THESIS STRUCTURE

The following list summarizes the structure of the thesis and what each chapter contains:

Chapter 1 – This chapter tells the reader what, why and how this report is set up.

Chapter 2 – This chapter serves to familiarize the reader with, and improve their understanding of, what constitutes information security, risk analysis and the methods.

Chapter 3 – This chapter explains the process that has been followed to create the framework and how it works.

Chapter 4 – This chapter explains the application of the framework to the methods and the results obtained.

Chapter 5 – This chapter details the conclusions after analysing the results of Chapter 4.

Chapter 6 – This chapter details the improvements for the future.

2. IMPORTANT CONCEPTS AND RELATED RESEARCH

This section describes important concepts and research related to the area of risk analysis.

2.1. RISK CONCEPT

There are different definitions of risk.

• The Oxford dictionary (Oxford dictionary, n.d) declares: "(1) a situation involving exposure to danger, (2) the possibility that something unpleasant will happen and (3) a person or thing causing a risk or regarded in relation to risk".

• The Public Risk Management Association (PRIMA) expresses risk as "the threat of an action or inaction that will prevent an entity from achieving its objectives" or "uncertainty that arises from a possible occurrence" (Public Risk Management Association, n.d).

2.2. RISK MANAGEMENT

Risk management is a tactic that serves to lessen and monitor the possibility of damage. Figure 1 shows the phases that compose the risk management strategy. This thesis will focus on the risk assessment part and specifically on the risk analysis section.

Figure 1: Risk Management (Syxon, n.d)

2.2.1. RISK ASSESSMENT

Risk assessment is a general process composed of phases to identify, analyse and assess risks. The ISO 31000 standard defines the processes that compose the risk assessment process in the following way (ISO, 2008).

2.2.1.1. RISK IDENTIFICATION

The risk identification process is designed to enable organizations to produce a list identifying the risks to which they are exposed. This part is very important, because if a risk or threat has not been identified it will not be taken into account in the following stages of the risk assessment. The list must include all types of risk, the ones that the organization controls and the ones that it does not. To identify risks, identification techniques must be employed and the people in charge should have knowledge of risk identification. Once risks have been identified, the organization should consider the causes and consequences that these risks may have for the organization, its security and how it works.

This step will serve to better assess the data obtained later in the risk analysis process.

2.2.1.1. RISK ANALYSIS

Risk analysis aims to develop an understanding of the risk by providing information to perform the assessment of risks and thus be able to take the decisions needed to treat the identified risks, and the methods used to identify them. To identify the risks, one should take into account the consequences that a risk can have, the odds of it happening and the causes by which it can happen. The way in which the consequences and probabilities are related will depend on the type of risk, the available information and the purpose for which the information obtained will be used in the risk evaluation phase. It is important to take into account the relationship between risks and their sources, and the confidence in the determination of risks and their sensitivity to the preconditions of the analysis, and to communicate it to the people responsible for making the decisions.

Risk analysis can be carried out with different levels of detail depending on the risk, the purpose of the analysis and the available information and resources.

2.2.1.1.1. RISK ANALYSIS METHODS

The methods for performing risk analysis can be divided into two groups, qualitative methods and quantitative methods (The Security Risk Analysis Directory, 2003).

Qualitative method: these methods are the most commonly used for risk analysis. For the analysis, these methods use the estimate of the losses rather than probability data. They use the following elements, which are related to each other:

• Threats: "any circumstance or event with potential to adversely impact an information system through unauthorized access, destruction, disclosure, modification of data or denial of service" (Herrmann, 2007).

• Vulnerabilities: "Weakness in an information system, system security procedures, internal controls, or implementation that could be exploited or triggered by a threat source" (Herrmann, 2007).

• Controls: measures to address the vulnerability. There are four types:

  o Deterrent controls: responsible for decreasing the odds of an intentional attack occurring.

  o Preventative controls: try to protect the system from vulnerabilities.

  o Corrective controls: try to reduce the effects that an attack can have.

  o Detective controls: responsible for uncovering the onslaught and activating controls that are temporary or correctional.

Quantitative method: this type of method uses two elements for the analysis: the first is the likelihood that an event will happen and the second the consequences or losses if it happens. The use of this method to perform risk analysis involves the problem of unreliable and inaccurate data, because the probability is almost never exact, and it may promote complacency. Despite the drawbacks, a number of organizations have successfully adopted quantitative risk analysis.

2.2.1.2. RISK EVALUATION

Based on the results of the risk analysis phase, this phase aims to help the organization make decisions on the priority of the risks and their treatment. To assess the risks, the list created during risk identification should be compared with the data obtained in the risk analysis phase. After the comparison, the risks that are not within the criteria established by the organization should be treated, taking into account the laws, regulations, etc. There may be cases in which the organization decides that a risk is not to be treated and the existing controls will be maintained.
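The two analysis styles described in 2.2.1.1.1 and the evaluation step of 2.2.1.2 can be made concrete in code. The following Python program is an added example and is not part of the thesis: it computes a quantitative expected-loss range (likelihood times loss, carried as a range because, as noted above, the probability is almost never exact), a qualitative risk level from ordinal likelihood and impact ratings, and then applies the organization's acceptance criteria to decide which risks need treatment. The sample risks, the 1 to 3 rating scales, the level thresholds and the acceptable-loss figure are all constructed assumptions, not values from the thesis.

```python
"""Risk analysis and evaluation over a constructed list of risks.

Added example, not from the thesis. It implements the two analysis
styles described in 2.2.1.1.1: a quantitative estimate (likelihood times
loss, with a likelihood range because the probability is rarely exact)
and a qualitative rating (ordinal likelihood and impact mapped to a risk
level). Then, as in 2.2.1.2, each risk is compared against acceptance
criteria to decide whether it must be treated. All risk data, thresholds
and the rating scales are constructed assumptions.
"""
from dataclasses import dataclass

# Ordinal scales for the qualitative analysis (assumed 1..3 scales).
LIKELIHOOD = {"low": 1, "medium": 2, "high": 3}
IMPACT = {"minor": 1, "moderate": 2, "severe": 3}


@dataclass
class Risk:
    name: str
    # Quantitative inputs: (min, max) annual likelihood and the
    # estimated loss per occurrence in an arbitrary currency unit.
    likelihood_range: tuple
    loss: float
    # Qualitative inputs: keys of LIKELIHOOD and IMPACT.
    likelihood: str
    impact: str


def expected_loss_range(risk):
    """Quantitative analysis: likelihood * loss as (lowest, highest).

    Returning a range instead of a single number keeps the uncertainty
    in the probability visible, which is the drawback the thesis
    attributes to quantitative methods.
    """
    lo, hi = risk.likelihood_range
    return (lo * risk.loss, hi * risk.loss)


def qualitative_level(risk):
    """Qualitative analysis: likelihood rank * impact rank mapped to a
    level. The thresholds (<=2 low, <=4 medium, else high) are an assumed
    rating scale, not one taken from the thesis."""
    score = LIKELIHOOD[risk.likelihood] * IMPACT[risk.impact]
    if score <= 2:
        return "low"
    if score <= 4:
        return "medium"
    return "high"


def evaluate(risks, max_expected_loss, accepted_levels=("low",)):
    """Risk evaluation (2.2.1.2): compare the analysis results with the
    organization's criteria and return the risks that need treatment.

    A risk is flagged when its worst-case expected loss exceeds the
    accepted amount OR its qualitative level is outside the accepted
    set, so no risk is dismissed on the strength of one estimate alone.
    Returns (name, worst-case expected loss, level) tuples, highest
    worst-case loss first, so treatment can be prioritised.
    """
    to_treat = []
    for r in risks:
        _, worst = expected_loss_range(r)
        level = qualitative_level(r)
        if worst > max_expected_loss or level not in accepted_levels:
            to_treat.append((r.name, worst, level))
    to_treat.sort(key=lambda t: t[1], reverse=True)
    return to_treat


# Constructed sample risks for a hospital information system.
SAMPLE_RISKS = [
    Risk("unauthorised staff access to patient records", (0.5, 0.9), 20_000, "high", "moderate"),
    Risk("ransomware on the EHR server", (0.05, 0.2), 500_000, "low", "severe"),
    Risk("loss of an unencrypted laptop", (0.1, 0.3), 50_000, "medium", "moderate"),
    Risk("brief outage of the appointment system", (0.8, 1.0), 2_000, "medium", "minor"),
]

if __name__ == "__main__":
    for name, worst, level in evaluate(SAMPLE_RISKS, max_expected_loss=10_000):
        print(f"{name}: worst-case expected loss {worst:,.0f}, level {level}")
```

Run as a script it lists the three risks to treat; the appointment-system outage passes both criteria and is left with its existing controls. Note that the ransomware entry rates only "medium" qualitatively but has by far the largest quantitative worst-case loss: carrying both results into the evaluation step keeps such a disagreement visible to the decision makers instead of letting one estimate silently decide.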

2.3. RISK ANALYSIS MANAGEMENT IN HEALTHCARE

Health care organizations should select the most appropriate method for risk analysis, adjusting to the needs of the organization (Vorster, 2005). Information security has conditions that must be met within healthcare (Brooks et al., 2004).

Analysing different standards (Office Civil Rights, 2010; Carlson, 2011; National Institute of Standards and Technology, 2011; National Institute of Standards and Technology, 2012), baselines (ENISA, 2006; Ontario Health Informatics Standards Council, 2007) and information security policies (University Hospital of South Manchester, 2011; King, 2011; Agfa Healthcare, 2012; Queensland Government, 2012; Information Security Project Board, 2013; Nebraska Medical Center, 2013), it can be concluded that the methodology of the risk analysis should be composed of a group of concepts regardless of the risk analysis method. These concepts include the identification and documentation of potential threats and vulnerabilities, the assignment of responsibilities, training programmes for the awareness of the staff, assessment of current security measures, determining the likelihood of threat occurrence, determining the potential impact of threat occurrence, determining the level of risk, and periodic review and updates to the risk assessment.

Identify and document potential threats and vulnerabilities: the organizations should identify and document the threats and vulnerabilities that exist in the information security environment.

Assignment of responsibilities: the organizations should assign responsibilities to each person so they know what their work is with respect to the information security analysis.

Training programmes for the awareness of the staff: the organization provides and maintains a strategy of education and training programmes for workers, so they are aware of the importance of information security within the hospital.

Assess current security measures: the organizations should identify and document the security measures that they are using.

Determine the likelihood of threat occurrence: the organizations should consider the probability of a risk happening.

Determine the potential impact of threat occurrence: the organizations should identify and document the impact that the risk would have on the organization if it happens.

Determine the level of risk and periodic review and updates to the risk assessment: the organization should conduct continuous analysis to improve and ensure security, detecting the need for it.

3. CREATING THE FRAMEWORK

3.1. PROCESS TO CREATE THE FRAMEWORK

This section describes the process followed for the creation and implementation of the framework. First, information has been sought in the existing literature about the criteria that are used to perform risk analysis. To do so, different standards and information security policies of hospitals have been used. Then, the processes of different methods used for carrying out risk analysis have been analysed to find points in common between them and the baselines, and to establish the criteria that are used to perform the comparison. Then, the risk analysis methods that are used to perform the comparison have been chosen, based on the way Vorster (2005) performs the selection. This selection has been made because there are many different risk analysis methods and, for the realization of this thesis, it is very difficult to compare them all. Once the criteria and methods that are used for the comparison are determined, the next step is to perform the comparison using real information from a hospital. The created framework for comparison is divided into two parts: the first is used to obtain information about the hospital and the second is to compare the methods. Finally, the results are explained and the strengths and weaknesses of the created framework are outlined.

3.2. METHODS SELECTION PROCESS

Taking into account that not all the existing risk analysis methods can be compared in this thesis, a search of the existing literature has been carried out to find the most used methods. To do this, different articles that discuss risk analysis and risk analysis methods have been selected. After that, two tables have been created, one containing qualitative methods (Table 1) and the other quantitative methods (Table 2). For each article, the methods that appear in it have been marked with a one if the method appears and a zero if it does not. Once this step was completed, the values for each method were added up, which yielded the four methods that will be used to perform the comparison in the second part of the framework, which is explained in chapter four.


QUALITATIVE METHODS

                         COBRA  CORAS  CRAMM  FRAP  OCTAVE
(Aagedal et al., 2002)     0      1      1      0      0
(Ahmad, 2012)              0      1      1      0      1
(Berler et al., n.d)       0      0      1      1      1
(Lee, 2014)                1      1      1      1      1
(Rajbhandari, 2013)        0      1      1      0      1
(Rot, 2008)                0      0      1      0      0
(Sadok et al., 2014)       0      0      1      0      1
(Shukla et al., 2012)      0      1      1      0      1
(Vorster, 2005)            0      1      0      0      1
TOTAL SCORE =              1      6      8      2      7

Table 1: Qualitative methods

This table details the number of times each quantitative method appears.

QUANTITATIVE METHODS

                         CORA  IS  ISRAM  RISK WATCH
(Aagedal et al., 2002)     0    0    0       0
(Ahmad, 2012)              0    0    1       0
(Berler et al., n.d)       0    0    0       0
(Lee, 2014)                0    0    1       1
(Rajbhandari, 2013)        0    0    1       0
(Rot, 2008)                0    0    0       0
(Sadok et al., 2014)       1    1    1       0
(Shukla et al., 2012)      1    1    1       0
(Vorster, 2005)            1    1    1       0
TOTAL SCORE =              3    3    6       1

Table 2: Quantitative methods


The selected methods are the CCTA Risk Analysis and Management Method (CRAMM), Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE), Construct a platform for Risk Analysis of Security Critical Systems (CORAS) and the Information Security Risk Analysis Method (ISRAM). These methods are chosen because they appear more often than the other methods in the selected articles. Below, the selected methods are explained in order to give a general idea of each.

3.3. METHODS DETAILS

3.3.1. CCTA RISK ANALYSIS AND MANAGEMENT METHOD (CRAMM)

The CCTA Risk Analysis and Management Method, better known as CRAMM, is a method created in 1987 by the Central Computing and Telecommunications Agency (CCTA), which nowadays is known as the Office of Government Commerce (OGC) and belongs to the UK Government. It is a qualitative method and serves to conduct security reviews of information systems (Seguridad Informatica, n.d).

The process that the CRAMM method follows is divided into 3 phases (Figure 2): the first phase is known as the establishment of the objectives for security, the second as the assessment of the risks to the proposed system and the requirements for security, and the third as the identification and selection of countermeasures (Seguridad Informatica, n.d).

Figure 2: CRAMM process (Seguridad Informatica, n.d)

3.3.2. OPERATIONALLY CRITICAL THREAT, ASSET AND VULNERABILITY EVALUATION (OCTAVE)

Operationally Critical Threat, Asset and Vulnerability Evaluation, better known as OCTAVE, was created in 2001 and is a method based on strategic advice grounded in the risks and on the planning of safety techniques. It was created by the Carnegie Mellon Software Engineering Institute, known as SEI (Albert, 2001).

This method is directed towards risk and organizational strategic issues. Risk practices and operational security practices are the two aspects that guide this method's approach. The organization takes measures to combat the risks (such as the assets, threats, vulnerabilities and the organizational impact) associated with the CIA of the critical information assets, taking into account the safety practices (Albert, 2001).

OCTAVE uses a three-phase approach (Figure 3) to examine organizational and technological issues (Albert, 2001).

Figure 3: OCTAVE process (Albert, 2001)

3.3.3. RISK ANALYSIS OF SECURITY CRITICAL SYSTEMS (CORAS)

The CORAS method is a qualitative method that was created in 2001 by the Information Society Technologies (IST) Programme as a research and development project (Fredriksen, 2002).

This method uses a formal or semi-formal language to model, and thus explain in detail, the risks and threats to an organization. It explains the use of the language, usually the Unified Modelling Language (UML), to know how to model, how to document the intermediate results, and the language for the presentation of the general conclusions on the eight different phases which exist during the analysis (Fredriksen, 2002).

The CORAS process consists of eight steps, as can be seen in Figure 4 (The CORAS Method, 2013).

Figure 4: CORAS process (The CORAS Method, 2013)

3.3.4. INFORMATION SECURITY RISK ANALYSIS METHOD (ISRAM)

Based on the ideas that people related to security and to the risk analysis process should participate actively in the process, and that a method should not contain only qualitative measures, the National Research Institute of Electronics and Cryptology and the Gebze Institute of Technology created a quantitative method in 2003 called the Information Security Risk Analysis Method, better known as ISRAM (Karabacak, 2003).

ISRAM is a paper-based method that performs the risk analysis by gathering the opinion that people (managers, directors, technicians, users, etc.) have about issues related to information security, using two different surveys. These surveys consist of questions and the different response options that every question has. The goal of using these surveys is to better understand the security situation in the organization. The ISRAM methodology (Figure 5) has seven steps (Karabacak, 2003).

Figure 5: ISRAM process (Karabacak, 2003)

3.4. SELECTED CRITERIA

Below are the selected criteria to compare the methods of risk analysis. These criteria have been obtained by analysing different standards (Office Civil Rights, 2010; Carlson 2011; National Institute of Standards and Technology, 2011; National Institute of Standards and Technology, 2012), a baseline (ENISA 2006), information security policies (University Hospital of South Manchester 2011; King 2011; Agfa Healthcare 2012; Queensland Government, 2012; Information Security Project Board, 2013; Nebraska Medical Center, 2013), risk analysis method criteria (Albert, 2001; Karabacak, 2003; The CORAS Method, 2013) and the references from Table 1 and Table 2.

3.4.1. METHODS SELECTION CRITERIA

This section describes the criteria used to select the methods to compare using the framework. The criteria are the following ones:

• Type of people involved: this criterion is used to indicate the type of personnel that participates in the realization of the risk analysis. There are three different types of staff: the first is the hospital staff responsible for the IT and security area, the second is a mixture of internal staff and external people, and the last one applies only to people from outside the hospital who are responsible for performing the analysis. When reference is made to external people, it means that the hospital hired a company to perform the risk analysis. In the second option, the contracted company works jointly with the workers of the hospital's IT department, and in the third option the hired company works without the workers of the hospital.

• Individual or group analysis: this criterion is used to indicate whether the method performs the risk analysis on critical assets one by one or in groups. The difference lies in the results obtained. If the results indicate different values for a single asset, the analysis takes the critical assets individually; on the other hand, if the result is a single value for a threat scenario, the analysis takes groups of assets.

• Preparation for the analysis: this criterion is used to indicate whether before
