Abstract
Ph.D.
The present study originated from a realisation about the unique nature of the
medical domain and about the limitations of existing risk-management
methodologies with respect to incorporating the special demands and salient
features of the said domain. A further incentive for the study was the long-felt
need for proper Information Technology (IT) risk management for medical
domains, especially in the light of the fact that IT is playing an ever-greater part
in the rendering of health-care services. This part, however, introduces new
information-security challenges every day, especially as far as securing
sensitive medical information and ensuring patients' privacy are concerned.
The study is, therefore, principally aimed at making a contribution to improving
IT risk management in the medical domain and, for this reason, culminates in
an IT risk-management model specifically developed for and propounded in the
medical domain. While developing this model, special care was taken not only
to take into consideration the special demands of the said domain when
assessing IT risks but also that it would be suited to the concepts, terminology
and standards used in and applied to this domain every day.
The most important objectives of the study can be summarised as follows:
A thorough investigation into modern trends in information security in the
medical domain will soon uncover the key role IT is playing in this domain.
Regrettably, however, this very trend also triggers a steep increase in IT risk-incidence
figures, which, in this domain, could often constitute the difference
between life and death. The clamant need for effective risk-management
methods to enhance the information security of medical institutions is, therefore,
self-evident.
After having explored the dynamic nature of the medical domain, the
requirements were identified for a risk-management model aimed at effectively
managing the IT risks to be incurred in a typical medical institution. Next, a
critical evaluation of current risk-assessment techniques revealed that a fresh
approach to IT risk management in medical domains is urgently necessary. An
IT risk-management model, entitled "RiMaHCoF" (that is, "Risk Management in
Health Care — using Cognitive Fuzzy techniques"), was developed and
propounded specifically for the medical domain hereafter.
The proposed model enhances IT risk management in the said domain in the
sense that it proceeds on the assumption that the patient and his/her medical
information constitute the primary assets of the medical institution.