Improving the redistribution of the security lessons in healthcare: An evaluation of the Generic Security Template

Int J Med Inform. 2015 Nov;84(11):941-9. doi: 10.1016/j.ijmedinf.2015.08.010. Epub 2015 Aug 24.

Abstract

Context: The recurrence of past security breaches in healthcare showed that lessons had not been effectively learned across different healthcare organisations. Recent studies have identified the need to improve learning from incidents and to share security knowledge to prevent future attacks. Generic Security Templates (GSTs) have been proposed to facilitate this knowledge transfer. The objective of this paper is to evaluate whether potential users in healthcare organisations can exploit the GST technique to share lessons learned from security incidents.

Methodology: We conducted a series of case studies to evaluate GSTs. In particular, we used a GST for a security incident in the US Department of Veterans Affairs to explore whether the security lessons it captured could be applied in a very different Chinese healthcare organisation.

Results: The results showed that Chinese security professionals accepted the use of GSTs and that cyber security lessons could be transferred to a Chinese healthcare organisation using this approach. The users also identified the strengths and weaknesses of GSTs, providing suggestions for future improvements.

Conclusion: Generic Security Templates can be used to redistribute lessons learned from security incidents. Sharing cyber security lessons helps organisations consider their own practices and assess whether applicable security standards address concerns raised in previous breaches in other countries. The experience gained from this study provides the basis for future work in conducting similar studies in other healthcare organisations.

Keywords: Generic Security Template; Healthcare; Knowledge redistribution; Lessons learned; Security incident.

Publication types

  • Evaluation Study
  • Research Support, Non-U.S. Gov't

MeSH terms

  • Attitude of Health Personnel
  • China
  • Computer Security / standards*
  • Decision Making, Organizational
  • Diffusion of Innovation
  • Female
  • Hospitals
  • Humans
  • Information Dissemination / methods*
  • Interviews as Topic
  • Male
  • Medical Informatics / standards*
  • Organizational Case Studies
  • Risk Management / methods*
  • Risk Management / organization & administration
  • Technology Transfer
  • United States
  • United States Department of Veterans Affairs