G-3257

2025-10-19 19:15

Written by ARCIMS 26 on Sunday 2025-10-19 19:15

Healthcare Information Security: Assessing Vulnerabilities and Threats in Iranian Hospitals

Maryam Hassanzad 1, Mahdieh Arian 2, Roghayeh Mollaei 3, Masoumeh Ansari 3 ℗, Mehrdad Khaledian 4, Ali Valinejadi 5 ©, Aliakbar Velayati 6

1 Pediatric Respiratory Disease Research Center, National Research Institute of Tuberculosis and Lung Disease, Shahid Beheshti University of Medical Sciences, Tehran, Iran

2 Nursing and Midwifery Care Research Center, Mashhad University of Medical Sciences, Mashhad, Iran

3 Student Research Committee, School of Health Management and Information Sciences, Iran University of Medical Sciences, Tehran, Iran

4 Human Resources Management, Kurdistan University of Medical Sciences, Sanandaj, Iran

5 Social Determinants of Health Research Center, Semnan University of Medical Sciences, Semnan, Iran

6 Mycobacteriology Research Center, National Research Institute of Tuberculosis and Lung Diseases, Shahid Beheshti University of Medical Sciences, Tehran, Iran

Email: masomehansari@gmail.com
Abstract

Introduction: As critical infrastructure, hospitals manage vast quantities of highly sensitive healthcare information, making them prime targets for evolving information security threats. The widespread adoption of electronic health records (EHRs) introduces significant challenges to data privacy and security, risking breaches and compromised patient safety. Given these escalating risks, a comprehensive understanding of current security postures is essential. This study evaluates information security in Iranian hospitals and investigates differences by hospital size and institutional type.

Methods and Materials: This descriptive, cross-sectional study was conducted in 2023 at hospitals in Tehran, Iran. Ethical approval was obtained from the Ethics Committee of the National Research Institute of Tuberculosis and Lung Diseases (NRITLD), Shahid Beheshti University of Medical Sciences (IR.SBMU.NRITLD.1402.155). The study population comprised the Chief Information Officers (CIOs) of all 165 hospitals in Tehran, included by census sampling. Data were collected with a researcher-made online questionnaire based on the ISO/IEC 27002 standard, containing 24 items rated on a 4-point Likert scale. Content validity (CVR = 0.62, CVI = 0.90) was confirmed by 10 experts, and reliability was assessed through internal consistency (Cronbach's alpha = 0.91) and test-retest (ICC = 0.96, r = 0.87, P < 0.005). Hospitals were classified by bed count (>150 beds vs. ≤150 beds) and by type (academic, non-academic public, rehabilitation clinics, and private). Data analysis involved descriptive statistics and analytical tests, including Kruskal-Wallis, Friedman, and pairwise comparisons with Bonferroni correction.

Results: The 165 participating hospitals collectively achieved an average score below 55% of the maximum possible score, indicating significant gaps in the implementation of information security controls. Hospitals with more than 200 beds exhibited the highest level of information security, while those with 150–200 beds demonstrated the lowest. Across all surveyed hospitals, the component "Backup and security zones" received the highest scores, whereas "Encryption and staging" consistently received the lowest; this pattern persisted when the analysis was stratified by number of beds. Furthermore, private and university hospitals performed worse than other hospital types in "organization and risk management" and "protection against attacks".

Conclusion and Discussion: Iranian hospitals exhibit an average information security posture that requires substantial improvement. Low scores in "Encryption and staging" and deficiencies in "organization/risk management" and "protection against attacks" (notably in private and university hospitals) reveal fundamental weaknesses that compromise data integrity and patient trust. Given the sensitivity of healthcare data and escalating cyber threats, a robust, continuously maintained secure platform for retaining health information is essential. We recommend that healthcare IT managers prioritize a multi-faceted approach: proactive threat identification, policy development, user training, access control, risk management, physical security, and advanced protection strategies. Addressing these areas is crucial for safeguarding patient data and ensuring operational continuity.


Keywords: Electronic Health Records, Hospital Information Systems, Risk Management, Computer Security, Hospitals, Iran
