HI-risk: A method to analyse health information risk intelligence

Information security threat intelligence is a prevalent topic amongst researchers, long-established IT-vendors and start-ups. The possibilities of Big Data analytics to security threat and vulnerability scanning offer a significant development in the protection of infrastructures. At the same time, industry research reports continue to state that the main contributing factor in the events leading to a data breach is human error. The common response of information security professionals is to resort to technological solutions to prevent these human errors. However, some very important information security intelligence is not hidden within the network traffic: it's available from the people that work with sensitive information. This article describes the Health Information risk (HI-risk) method to identify non-technical information security risks in healthcare. The method includes risks related to skills, behaviour, processes, organisational culture, physical security, and external influences. HI-risk offers a solution to collect intelligence about nontechnical information security incidents from across the healthcare sector to demonstrate past trends and to be ahead of future incidents. A test of a HI-risk forecast proved the feasibility of this approach in healthcare and beyond. It is suggested that HI-risk could become a valuable addition to existing technical threat and vulnerability monitoring tools.