Information Security Governance Guidelines: A self assessment guide for general medical practice

The aim of these Information Security Governance Guidelines is to promote performance improvement in information security practice within general medical practice. This website outlines an information security governance framework that general practices may adopt in an endeavour to improve information security within their practice. At present, focus group participants are being asked to review the Information Security Governance Guidelines. Should you wish to participate in this phase of the research, please Contact Rachel.

Based on the focus group reviews, the Guidelines will be amended as needed, and general medical practices will be recruited to implement the Guidelines during iterative cycles of participant observations.


Background Information
General medical practices are increasingly keeping healthcare information in an electronic format, and electronic healthcare information is increasingly being exchanged. General practices are vulnerable to information security threats and insecure practices (Mahncke & Williams, 2011). The theft and sale of healthcare information has become more valuable to fraudsters than financial information (Allen, 2012). The Ponemon Institute survey (2011) found that healthcare is one of the most breached industries, with 96% of health organisations surveyed reporting at least one data breach in the previous 24 months. Securing healthcare information is becoming increasingly important in the developing electronic healthcare environment.

It is becoming well accepted in healthcare that information security is both a technical and a human endeavour, and that human behaviours, particularly around integration with healthcare workflow, are key barriers to good information security practice (Mahncke & Williams, 2011). The Royal Australian College of General Practitioners (RACGP) reviewed and updated their Computer Security Guidelines (3rd edition) for general practices in 2011. These guidelines are aligned with international standards and best practice. Further, organisations such as the General Practice Computing Group (GPCG), the Department of Health and Ageing, the National e-Health Transition Authority (NEHTA) and Standards Australia E-Health (2003) offer computer security support and assistance to general practices. The available guidelines predominantly address operational and technical computer security requirements.

Once the operational recommendations have been implemented, the ongoing management, or governance, of the information systems can be addressed. ISO/IEC DIS 27014, Information technology – Security techniques – Governance of information security, is a Draft International Standard (DIS) under development and due to be released late in 2012 (International Standards Organisation, 2012). Implementation of information security governance within general practice is only now emerging. Information security governance is defined as:
“the process of establishing and maintaining a framework and supporting management structure and processes to provide assurance that information security strategies are aligned with and support business objectives, are consistent with applicable laws and regulations through adherence to policies and internal controls, and provide assignment of responsibility, all in an effort to manage risk” (NIST SP 800-100).
Developing information security governance processes requires planning and knowledge. These preliminary Information Security Governance Guidelines extend the research and publications of the RACGP; ISACA’s CobiT 4.1 (2004); ISO/IEC 27001 and 27002 (2005) and ISO 27799:2008; the IT Governance Institute (ITGI); the National Institute of Standards and Technology (NIST) Security Metrics Guide for Information Technology Systems, Special Publication 800-55 (2008); Herzog’s OSSTMM 3 (2010); the Committee of Sponsoring Organizations of the Treadway Commission (COSO) (2005); IsecT (2012); ISM3 (2007); the Department of Health’s Clinical Governance Standards for Western Australian Health Services (2005); and Williams’ TIGS-CMM (2007a). General practice staff, who are not ICT trained, require practical resources to assist them in implementing information security governance.

The aim of the Information Security Governance Guidelines is to promote performance improvement in information security governance practice within general medical practice. The guidelines assist practices in establishing an information security governance baseline from which improvement in information security performance can be measured. The element of continuous improvement is important: governance review meetings take into account breaches, weaknesses and failures, which then become opportunities for improvement in policies, practices and procedures. Further, empowering staff with the supporting mechanisms to carry out their information security responsibilities forms the basis of information security governance capability.

The purpose of focusing on information security governance is for the practice to enter into discussions about where it stands in relation to its aspirations to improve its information security practices. A practice may, for example, aim to reach a given level of security within a certain timescale, in which case a regular item at the governance meeting would be to track progress against that goal. It is the task of the governance review meeting to confirm, or otherwise, the practice’s information security governance performance and, if necessary, to explore any implications for the practice in terms of accountability, resource management and governance planning. Ultimately, these guidelines may assist practices in improving their security performance and thereby help to secure healthcare information.

The primary researcher is Rachel J Mahncke. See » About

This work is licensed under a copyright license: © 2012 Rachel J Mahncke All Rights Reserved