Security Risk Assessment for Patient Portals of Hospitals: A Case Study of Taiwan.

IF 2 4区医学 Q2 HEALTH CARE SCIENCES & SERVICES Risk Management and Healthcare Policy Pub Date : 2024-06-18 eCollection Date: 2024-01-01 DOI:10.2147/RMHP.S463408

Pei-Cheng Yeh, Kuen-Wei Yeh, Jiun-Lang Huang

{"title":"Security Risk Assessment for Patient Portals of Hospitals: A Case Study of Taiwan.","authors":"Pei-Cheng Yeh, Kuen-Wei Yeh, Jiun-Lang Huang","doi":"10.2147/RMHP.S463408","DOIUrl":null,"url":null,"abstract":"Background: Growing cyberattacks have made it more challenging to maintain healthcare information system (HIS) security in medical institutes, especially for hospitals that provide patient portals to access patient information, such as electronic health record (EHR).Objective: This work aims to evaluate the patient portal security risk of Taiwan's EEC (EMR Exchange Center) member hospitals and analyze the association between patient portal security, hospital location, contract category and hospital type.Methods: We first collected the basic information of EEC member hospitals, including hospital location, contract category and hospital type. Then, the patient portal security of individual hospitals was evaluated by a well-known vulnerability scanner, UPGUARD, to assess website if vulnerable to high-level attacks such as denial of service attacks or ransomware attacks. Based on their UPSCAN scores, hospitals were classified into four security ratings: absolute low risk, low to medium risk, medium to high risk and high risk. Finally, the associations between security rating, contract category and hospital type were analyzed using chi-square tests.Results: We surveyed a total of 373 EEC member hospitals. Among them, 20 hospital patient portals were rated as \"absolute low risk\", 104 hospital patient portals as \"low to medium risk\", 99 hospital patient portals as \"medium to high risk\" and 150 hospital patient portals as \"high risk\". Further investigation revealed that the patient portal security of EEC member hospitals was significantly associated with the contract category and hospital type (P<0.001).Conclusion: The analysis results showed that large-scale hospitals generally had higher security levels, implying that the security of low-tier and small-scale hospitals may warrant reinforcement or strengthening. We suggest that hospitals should pay attention to the security risk assessment of their patient portals to preserve patient information privacy.","PeriodicalId":56009,"journal":{"name":"Risk Management and Healthcare Policy","volume":"17 ","pages":"1647-1656"},"PeriodicalIF":2.0000,"publicationDate":"2024-06-18","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"https://www.ncbi.nlm.nih.gov/pmc/articles/PMC11193402/pdf/","citationCount":"0","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"Risk Management and Healthcare Policy","FirstCategoryId":"3","ListUrlMain":"https://doi.org/10.2147/RMHP.S463408","RegionNum":4,"RegionCategory":"医学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"2024/1/1 0:00:00","PubModel":"eCollection","JCR":"Q2","JCRName":"HEALTH CARE SCIENCES & SERVICES","Score":null,"Total":0}

引用次数: 0

Abstract

Background: Growing cyberattacks have made it more challenging to maintain healthcare information system (HIS) security in medical institutes, especially for hospitals that provide patient portals to access patient information, such as electronic health record (EHR).

Objective: This work aims to evaluate the patient portal security risk of Taiwan's EEC (EMR Exchange Center) member hospitals and analyze the association between patient portal security, hospital location, contract category and hospital type.

Methods: We first collected the basic information of EEC member hospitals, including hospital location, contract category and hospital type. Then, the patient portal security of individual hospitals was evaluated by a well-known vulnerability scanner, UPGUARD, to assess website if vulnerable to high-level attacks such as denial of service attacks or ransomware attacks. Based on their UPSCAN scores, hospitals were classified into four security ratings: absolute low risk, low to medium risk, medium to high risk and high risk. Finally, the associations between security rating, contract category and hospital type were analyzed using chi-square tests.

Results: We surveyed a total of 373 EEC member hospitals. Among them, 20 hospital patient portals were rated as "absolute low risk", 104 hospital patient portals as "low to medium risk", 99 hospital patient portals as "medium to high risk" and 150 hospital patient portals as "high risk". Further investigation revealed that the patient portal security of EEC member hospitals was significantly associated with the contract category and hospital type (P<0.001).

Conclusion: The analysis results showed that large-scale hospitals generally had higher security levels, implying that the security of low-tier and small-scale hospitals may warrant reinforcement or strengthening. We suggest that hospitals should pay attention to the security risk assessment of their patient portals to preserve patient information privacy.

Abstract Image

查看原文

微信好友朋友圈 QQ好友复制链接

本刊更多论文

医院患者门户网站的安全风险评估：台湾案例研究。

背景：越来越多的网络攻击使维护医疗机构的医疗信息系统（HIS）安全变得更具挑战性，尤其是对于提供患者门户访问患者信息（如电子健康记录（EHR））的医院：本研究旨在评估台湾 EEC（电子病历交换中心）成员医院的患者门户网站安全风险，并分析患者门户网站安全与医院位置、合同类别和医院类型之间的关联：我们首先收集了 EEC 成员医院的基本信息，包括医院位置、合同类别和医院类型。然后，通过著名的漏洞扫描仪 UPGUARD 对各医院的患者门户网站安全性进行评估，以评估网站是否容易受到高级攻击，如拒绝服务攻击或勒索软件攻击。根据其 UPSCAN 分数，医院被分为四个安全等级：绝对低风险、中低风险、中高风险和高风险。最后，使用卡方检验分析了安全等级、合同类别和医院类型之间的关联：我们共调查了 373 家欧共体成员医院。其中，20 家医院患者门户网站被评为 "绝对低风险"，104 家医院患者门户网站被评为 "中低风险"，99 家医院患者门户网站被评为 "中高风险"，150 家医院患者门户网站被评为 "高风险"。进一步调查显示，欧共体成员医院患者门户网站的安全性与合同类别和医院类型（PConclusion：分析结果表明，大型医院的安全级别普遍较高，这意味着低级别和小型医院的安全可能需要加强或强化。我们建议医院应重视患者门户网站的安全风险评估，以保护患者信息隐私。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文去求助

来源期刊

Risk Management and Healthcare Policy Medicine-Public Health, Environmental and Occupational Health

CiteScore

6.20

自引率

2.90%

发文量

242

审稿时长

16 weeks

期刊介绍： Risk Management and Healthcare Policy is an international, peer-reviewed, open access journal focusing on all aspects of public health, policy and preventative measures to promote good health and improve morbidity and mortality in the population. Specific topics covered in the journal include: Public and community health Policy and law Preventative and predictive healthcare Risk and hazard management Epidemiology, detection and screening Lifestyle and diet modification Vaccination and disease transmission/modification programs Health and safety and occupational health Healthcare services provision Health literacy and education Advertising and promotion of health issues Health economic evaluations and resource management Risk Management and Healthcare Policy focuses on human interventional and observational research. The journal welcomes submitted papers covering original research, clinical and epidemiological studies, reviews and evaluations, guidelines, expert opinion and commentary, and extended reports. Case reports will only be considered if they make a valuable and original contribution to the literature. The journal does not accept study protocols, animal-based or cell line-based studies.