Assessing the Legal Aspects of Information Security Requirements for Health Care in 3 Countries: Scoping Review and Framework Development.

Background: The loss of human lives from cyberattacks in health care is no longer a probabilistic quantification but a reality that has begun. In addition, the threat scope is also expanding to involve a threat of national security, among others, resulting in surging data breaches within the health care sector. For that matter, there have been provisions of various legislation, regulations, and information security governance tools such as policies, standards, and directives toward enhancing health care information security-conscious care behavior among users. Meanwhile, in a research scenario, there are no comprehensive required security practices to serve as a yardstick in assessing security practices in health care. Moreover, an analysis of the holistic view of the requirements that need more concentration of management, end users, or both has not been comprehensively developed. Thus, there is a possibility that security practice research will leave out vital requirements.

Objective: The objective of this study was to systematically identify, assess, and analyze the state-of-the-art information security requirements in health care. These requirements can be used to develop a framework to serve as a yardstick for measuring the future real security practices of health care staff.

Methods: A scoping review was, as a result, adopted to identify, assess, and analyze the information security requirement sources within health care in Norway, Indonesia, and Ghana.

Results: Of 188 security and privacy requirement sources that were initially identified, 130 (69.1%) were fully read by the authors. Subsequently, of these 188 requirement documents, 82 (43.6%) fully met the inclusion criteria and were accessed and analyzed. In total, 253 security and privacy requirements were identified in this work. The findings were then used to develop a framework to serve as a benchmark for modeling and analyzing health care security practices.

Conclusions: On the basis of these findings, a framework for modeling, analyzing, and developing effective security countermeasures, including incentivization measures, was developed. Following this framework, research results of health care security practices would be more reliable and effective than relying on incomprehensive security requirements.