Utilizing a privacy impact assessment method using metrics in the healthcare sector

Eleni-Laskarina Makri (Department of Digital Systems, University of Piraeus, Athens, Greece)
Zafeiroula Georgiopoulou (Department of Digital Systems, University of Piraeus, Athens, Greece)
Costas Lambrinoudakis (Department of Digital Systems, University of Piraeus, Athens, Greece)

Information and Computer Security

ISSN: 2056-4961

Article publication date: 18 May 2020

Issue publication date: 1 October 2020

Abstract

Purpose

This study aims to assist organizations to protect the privacy of their users and the security of the data that they store and process. Users may be the customers of the organization (people using the offered services) or the employees (users who operate the systems of the organization). To be more specific, this paper proposes a privacy impact assessment (PIA) method that explicitly takes into account the organizational characteristics and employs a list of well-defined metrics as input, demonstrating its applicability to two hospital information systems with different characteristics.

Design/methodology/approach

This paper presents a PIA method that employs metrics and takes into account the peculiarities and other characteristics of the organization. The applicability of the method has been demonstrated on two Hospital Information Systems with different characteristics. The aim is to assist organizations in estimating the criticality of potential privacy breaches and, thus, in selecting the appropriate security measures for the protection of the data that they collect, process and store.

Findings

The results of the proposed PIA method highlight the criticality of each privacy principle for every data set maintained by the organization. The method employed for the calculation of the criticality level takes into account the consequences that the organization may experience in case of a security or privacy violation incident on a specific data set, the weighting of each privacy principle and the unique characteristics of each organization. Thus, the results of the proposed PIA method offer a strong indication of the security measures and privacy enforcement mechanisms that the organization should adopt to effectively protect its data.

Originality/value

The novelty of the method is that it handles security and privacy requirements simultaneously, as it uses the results of risk analysis together with those of a PIA. A further novelty of the method is that it introduces metrics for the quantification of the requirements and also that it takes into account the specific characteristics of the organization.

Citation

Makri, E.-L., Georgiopoulou, Z. and Lambrinoudakis, C. (2020), "Utilizing a privacy impact assessment method using metrics in the healthcare sector", Information and Computer Security, Vol. 28 No. 4, pp. 503-529. https://doi.org/10.1108/ICS-01-2020-0007

Publisher: Emerald Publishing Limited

Copyright © 2020, Emerald Publishing Limited