DocumentCode :
2362042
Title :
Developing a Risk Analysis Framework for Hospital Information Security Management
Author :
Chang, Chi-Chang ; Sun, Pei-Ran ; Cheng, Sun-Long ; Chen, Ruey-Shin ; Liao, Kuo-Hsiung
Author_Institution :
Dept. of Appl. Inf. Sci., Chung Shan Med. Univ., Taichung, Taiwan
fYear :
2009
fDate :
25-27 Aug. 2009
Firstpage :
1047
Lastpage :
1052
Abstract :
The purpose of this paper is to develop a hospital information security risk framework and to raise organizational risk awareness and effective decision making. This study adopted ISO27799 with its ten control items for risk management. To confirm the feasibility of the proposed framework, we conducted a field study at a medical center to investigate risk identification, analysis, measurement and control, respectively. Based on the results, the proposed framework is able to elicit the real risk attitude of each stakeholder more accurately than the Riskit model. Additionally, it revealed a great diversity of uncertainty in human decision behavior in a risky environment. According to the review of risk experiences, potential incidents can be understood well by investigating the risk cognition of stakeholders in more detail. Further, the framework can not only identify potential risk incidents more accurately by utilizing the non-parameter method, but also achieve the purpose of shifting risk and controlling losses. The proposed framework can deal with hospital-wide information security risk by considering stakeholders' decision positions and behavior attributes, and provides decision makers with effective support for quality decision making. Finally, the implications of the research findings could be used to probe into other similar decision making issues under risk.
Keywords :
ISO standards; decision making; hospitals; medical information systems; risk analysis; security of data; ISO27799; Riskit model; decision making; hospital information security management; nonparameter method; risk analysis framework; stakeholders; Data security; Decision making; Environmental economics; Hospitals; Industrial economics; Information management; Information security; Medical services; Risk analysis; Risk management; ISO27799; Riskit model; hospital information security; risk management; the non-parameter method;
fLanguage :
English
Publisher :
ieee
Conference_Titel :
Fifth International Joint Conference on INC, IMS and IDC (NCM '09), 2009
Conference_Location :
Seoul
Print_ISBN :
978-1-4244-5209-5
Electronic_ISBN :
978-0-7695-3769-6
Type :
conf
DOI :
10.1109/NCM.2009.268
Filename :
5331535