Curriculum study of information security awareness for medical institution

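A Study on a Curriculum for Information Security Awareness Education in Medical Institutions

  • Dong-won Kim (Konyang University / Department of Cyber Security Engineering) ;
  • Keun-hee Han (Korea University / Graduate School of Information Security)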
  • Received : 2019.08.05
  • Accepted : 2019.09.21
  • Published : 2019.10.31

Abstract

With the spread of smart devices and the development of communication technologies, the healthcare sector worldwide is advancing very quickly, and medical security issues have come to the fore. In addition, the exchange of medical records means that sensitive personal medical information is shared over networks, which raises the risk to information security. This paper develops a curriculum for raising information security awareness among workers in medical institutions. The curriculum is based on the results of field verification of the medical devices and medical systems operated in public health centers, public health sub-centers, community health posts, and primary, secondary and tertiary hospitals and clinics, and it draws on the NCS (National Competency Standards), international standards, the requirements of medical institutions, and the information security curricula of educational institutions. The curriculum's validity was verified by medical institution workers and a group of ICT experts, and on that basis the paper proposes a method for raising the level of information security in medical institutions through education.
