Abstract:
Healthcare industry has become widely dependent on information technology and internet; as it moves from paper to electronic records. Despite the bene ts of electronic system, good quality may not be totally achieved unless its risks to security are mitigated. Working in collaboration with a 150 bed private hospital in Turkey; this study aims to present a secure healthcare network infrastructure while presenting the security vulnerabilities in the current hospital information systems. The regulation criteria in Turkey and counterparts in USA and EU are compared according to their privacy approach and a list of items for common security controls from di erent industries is proposed as a best practice. The study shows that the hospital is not compliant with known healthcare standards like HIPAA or ISO 80001. Managements attitude against privacy and security shows that the responsibility is totally to IT and Biomedical Engineering Departments. Since explaining the threats and corresponding vulnerabilities in the system may cause the hospital be prone to cyber-attacks, the name of the hospital is secluded. As hospitals are adopting electronic transactions, consideration must be given to protect public electronic health records in terms of personal privacy aspects. Healthcare industry in Turkey should bene t from best practices in other industries and applications in other countries. This study can lead the pathway for policy makers in healthcare organizations and regulation authorities to implement a more secure environment for every citizen.|Keywords : Security, Privacy, Electronic Health Records, Personal Health Records, EHR, PHR, Cyber Threats, Hospital Information System, HIPAA, ISO80001, ISO27001, Healthcare Regulations.