Information security in Dutch hospitals
Summary
This thesis researches how Dutch hospitals improve information security. Information security has become an important topic for many Dutch hospitals, as they have been required for a few years to comply with information security regulations. However, hospitals face various difficulties when improving information security, and earlier research has shown that many hospitals did not comply with information security standards. Common practice in hospitals sometimes conflicts with information security measures: timely and unrestricted access to critical medical information is essential for effective treatment of patients, but medical information is often confidential and sensitive, and should not be disclosed to unauthorized persons. Furthermore, it is important that information systems are reliable and that the integrity of information is ensured.
This study aims to find out which problems Dutch hospitals face when improving information security, and how hospitals mitigate these problems. The conflicts of interest described above are important causes, but there are also other problems which prevent hospitals from complying with information security standards.
The research is divided into two phases. The first phase consists of a case study in one hospital, where problems with improving information security are analyzed in detail. The second phase of the study is a validation study where the results of the case study are validated among a representative set of hospitals.
This study found various problems, but also many best practices. These best practices are useful for other hospitals: they provide workable solutions that address both information security requirements and medical requirements.
The main conclusions of this study are that hospitals should address information security seriously, and that hospitals should solve problems together when possible.