Author:
Akinsanya Opeoluwa Ore, Papadaki Maria, Sun Lingfen
Abstract
Purpose
The purpose of this paper is to propose a novel maturity model for health-care cloud security (M2HCS), which focuses on assessing cyber security in cloud-based health-care environments by incorporating the sub-domains of health-care cyber security practices and introducing health-care-specific cyber security metrics. This study aims to expand the domain of health-care cyber security maturity models by including more cloud-specific aspects than is usually seen in the literature.
Design/methodology/approach
The intended use of the proposed model was demonstrated using the evaluation method – “construct validity test” as the paper’s aim was to assess the final model and the output of the valuation. The study involved a literature-based case study of a national health-care foundation trust with an overall view because the model is assessed for the entire organisation. The data were complemented by examination of hospitals’ cyber security internal processes through web-accessible documents, and identified relevant literature.
Findings
The paper provides awareness about how organisational-related challenges have been identified as a main inhibiting factor for the adoption of cloud computing in health care. Regardless of the remunerations of cloud computing, its security maturity and levels of adoption vary, especially in health care. Maturity models provide a structure towards improving an organisation’s capabilities. The paper suggests that although several cyber security maturity models and standards resolving specific threats exist, there is a lack of maturity models for cloud-based health-care security.
Research limitations/implications
Due to the selected research method, the research results may lack generalizability. Therefore, future research studies can investigate the propositions further. Another limitation is that the current thresholds were determined empirically. Although they worked for the case study assessment, establishing more realistic threshold levels requires further validation of the model using more case studies.
Practical implications
The paper includes a maturity model for the assessment, management and improvement of the security posture of a health-care organisation actively using cloud. For executives, it provides a detailed security assessment of the eHealth cloud to aid in decision making. For security experts, its quantitative metrics support proactive and reactive processes.
Originality/value
The paper fulfils a recognised requirement for a security maturity model focussed on health-care cloud. It could be extended to resolve evolving cyber settings.
Subject
Management of Technology and Innovation, Information Systems and Management, Computer Networks and Communications, Information Systems, Software, Management Information Systems
Cited by
14 articles.