Home > Articles

  • Print
  • + Share This
From the author of

Assets and Security Requirements

An asset is something of value to an organization. An information-security risk evaluation focuses on a subset of those assets: information-related assets. These assets are grouped into the following categories: information, systems, services, applications, and people. During the data-gathering workshops of Phase 1, participants identified about 55 information-related assets. The analysis team reviewed this list to identify the organization's critical assets.

Critical Assets

Critical assets are those information-related assets that would cause a large adverse impact on the organization if

  • They are disclosed to unauthorized people

  • They are lost or destroyed

  • They are modified without authorization

  • Access to them is interrupted

The analysis team identified the following critical assets for the hospital:

  • Patient Information Data System (PIDS)—PIDS is a database system maintained by the contracting organization. This system contains most of the important patient information at the hospital.

  • Paper medical records—This is the official documentation source for all patient medical information.

  • Emergency Care Data System (ECDS)—This system is used to maintain and update patient records and billing related to emergencies.

  • Personal computers—The hospital's staff is dependent on personal computers to access systems and information required for completing day-to-day tasks.

  • The contracting organization that maintains the hospital's computing infrastructure—The hospital is almost completely dependent on the contractor for maintaining PIDS and the network.

This article focuses on one of those assets: the Patient Information Data System (PIDS).

Security Requirements

The first step in analyzing a critical asset is determining what about that asset is important. Security requirements outline the qualities of an asset that are important to protect. Typical security requirements include confidentiality, integrity, and availability. The team reviewed data that the consultant elicited during the early workshops, and constructed the following security requirements for PIDS:

  • Availability. Access to information is required 24/7; it must be available for patient encounters.

  • Confidentiality. Information on PIDS should be kept confidential (restricted to those with "need to know"). Information is subject to the Privacy Act.

  • Integrity. Records on PIDS must be kept accurate and complete. Only authorized users should be allowed to modify information on PIDS.

Each of the security requirements was judged to be important for PIDS. However, the team determined that availability was slightly more important than the other two requirements, because ensuring the availability of patients' medical information enables healthcare professionals to treat their patients in a timely manner, which the team viewed as the primary mission of the hospital. Integrity was judged to be second in importance.

After completing the organizational piece of the OCTAVE Method, the team turned its attention to the computing infrastructure.

  • + Share This
  • 🔖 Save To Your Account