[[alternative]]A study of Implementation and Evaluation of Applying Information Security Management to Health Information System-An Example of Web Based Health Management System

[[abstract]]隨著醫療資訊的發展，相關的資訊安全問題也隨之而來。資訊安全事件的發生需從整體的角度來分析，在ISO27001標準中，提出資訊安全政策需依據組織的目標，而訂定不同的資訊安全管理需求，並說明資訊安全應從整體管理著手，以資訊技術作為支援，因此，本研究依據ISO27001標準中的規範，實作安全機制並提出資訊安全管理的建議，以達成資訊安全管理的目標。本研究從資訊安全管理的角度探討健康資訊系統，並利用某網路健康管理系統為例實作，以資訊安全管理的角度分析其系統可能發生的資訊安全問題。運用ISO27001的十一項控制目標作為分析標準，以資料機密性、完整性及可用性作為醫療資訊系統的分析及某網路健康管理系統的實作方向，建置一個健全的安全機制。提出針對一般醫療資訊系統提出資訊安全管理在政策面及技術面的建議，包括機房管理、存取權限管理、資訊系統安全管理、資訊安全技術的導入及系統效能評估等進而防範資訊系統中可能造成的損害，以保障醫療資訊安全。[[abstract]]The information security is an important issue in the development of medical information systems. An information incident should be analyzed from whole point of view. In ISO27001 standard, information security policy is based on organization's goals to define the requirements of information security management. The achievement of information security management should be supported by using information technologies. Thus, we aimed to implement a security mechanism and provide information security management suggestions based on ISO27001 standard.In the current study, we implemented a prototype information security system for a web-based health management system from the view of information security management. The security mechanism for the web-based health management system was built to comply the 11 control objectives of ISO27001 and the fulfillments of confidentiality, integrity and availability of information. The results from this study suggested that the information security may be reinforced through strengthen the management of computer center operation, multiple hierarchy access control, information system security management protocol, and periodic testing and evaluation of the effectiveness of information security