INFORMATION ASSURANCE MATURITY IN SAUDI HEALTHCARE ENTITIES: A DEVELOPED MATURITY FRAMEWORK AND ASSESSMENT INSTRUMENT
Publisher
Saudi Digital Library
Abstract
Although the emergence of new technology in medical care settings has been lagging behind other
sectors, particularly in information technology utilisation, medical institutions have recently
realised the importance of having such systems to maintain their information as their primary asset.
Hence, they have been investing in adopting health information systems (HIS) through
standardising medical data to ensure better data quality and reliability.
Recent research has shown that a high level of information assurance (IA) can preserve medical
data, reduce risks to sensitive information and increase the efficiency of information security
performance to ensure confidence within healthcare organisations overall. Hence, this research
proposes a framework called the IAHCE (Information Assurance for Healthcare Entities) that aims
to investigate the factors underpinning information asset assurance in healthcare entities to
provide an appropriate framework for IA. It was developed based on a critical review of published
literature of IA studies together with an in-depth investigation of current information security
management standards to create the first iteration of the IAHCE framework. The framework
comprises three main areas – administrative, technical and legal – each of which is an umbrella of
one or more of seven related main factors (Organisational Management, Culture, Risk
Management, Security, Resilience, Dependability and Data Protection). IAHCE was validated
and confirmed through two iterations of exploratory reviews with experts and practitioners.
This confirmed that all the proposed factors are significant for effectively adopting an IA
strategy in the medical arena, apart from minor modifications suggested by reviewers and validated
through surveys with the practitioners. The instrument (AssurHiS) was built as a practical
implementation of the confirmed IAHCE that can help healthcare entities measure the IA maturity
level of their information assets. It comprised 123 items under seven factors. Findings based on the
adopted methods revealed that the factors included in the IAHCE for effective IA are important and
statistically significant. The results of real case studies conducted using AssurHiS, including three
healthcare entities, revealed that the AssurHiS could truly assess the IA maturity levels in the
studied entities. The practicality and use of AssurHiS were also measured by experts who
participated in the case studies. They unanimously agreed that it was useful, satisfactory and
easy to use.
This research is imperative, as it aims to define a generic evaluation model, applicable to all sizes of
entities, by integrating all the control objectives found in the literature and the evolved information
security standards. It bridges the theory–practice gap by applying AssurHiS and its items to a real-life
case study. Hence, it is useful to both healthcare entities and researchers in similar domains.