Hasil Penilaian Risiko Keamanan Informasi pada Laboratorium Klinik Berdasarkan Kriteria Kendali Dalam Penerapan ISO 27001
DOI:
https://doi.org/10.26593/jrsi.v12i2.6315.155-164Kata Kunci:
ISO 27001, Keamanan Informasi, Laboratorium Klinik, Pengelolaan RisikoAbstrak
Informasi merupakan bagian dari sistem informasi yang penting untuk dilindungi dari segi kerahasiaan, keutuhan dan ketersediaannya, dalam meningkatkan realibilitasnya. Apalagi informasi yang mengandung data diri dan kesehatan tentu tersedia di laboratorium klinik. Hal ini menjadi pertimbangan bagi manajemen laboratorium klinik untuk menyiapkan transformasi digital pada sistem layanannya. Penelitian ini bertujuan untuk menilai risiko keamanan informasi yang masih muncul pada sebuah laboratorium klinik yang terakreditasi ISO 15189 dan tersertifikasi ISO 9001, sebagai persiapan layanan berbasis digital. Dengan menggunakan pendekatan ISO 27001 yang disematkan pada metode kualitatif dalam penelitian ini, penilaian risiko dilakukan dengan identifikasi, analisis dan evaluasi melalui wawancara dengan pemilik proses pada laboratorium klinik di Jakarta. Sebagai hasilnya, ditemukan bahwa Departemen Busdev&TI memiliki risiko keamanan informasi terbesar (35 risiko dari total 384 risiko), yang memerlukan penanganan lebih lanjut berdasarkan selera risiko yang telah ditetapkan. Oleh karena itu, kewaspadaan pada penggunaan sistem informasi di laboratorium perlu ditingkatkan dari segi keamanan informasi.
Referensi
Aagaard, A. (2019). Digital Business Models. Springer International Publishing. https://doi.org/10.1007/978-3-319-96902-2
Amraoui, S., Elmaallam, M., Bensaid, H., & Kriouile, A. (2019). Information Systems Risk Management: Litterature Review. Computer and Information Science, 12(3), 1. https://doi.org/10.5539/cis.v12n3p1
Barafort, B., Mesquida, A.-L., & Mas, A. (2017). Integrating risk management in IT settings from ISO standards and management systems perspectives. Computer Standards & Interfaces, 54, 176–185. https://doi.org/10.1016/j.csi.2016.11.010
Barafort, B., Mesquida, A.-L., & Mas, A. (2019). ISO 31000-based integrated risk management process assessment model for IT organizations. Journal of Software: Evolution and Process, 31(1), e1984. https://doi.org/10.1002/smr.1984
Eskaluspita, A. Y. (2020). ISO 27001:2013 for Laboratory Management Information System at School of Applied Science Telkom University. IOP Conference Series: Materials Science and Engineering, 879(1), 012074. https://doi.org/10.1088/1757-899X/879/1/012074
Farn, K.-J., Hwang, J.-M., & Lin, S.-K. (2007). Study on Applying ISO/DIS 27799 to Healthcare Industry’s ISMS. WSEAS TRANSACTIONS on BIOLOGY and BIOMEDICINE, 4(8).
Fisher, G., Wisneski, J. E., & Bakker, R. M. (2020). Value Chain Analysis. In Strategy in 3D (pp. 118–129). Oxford University Press. https://doi.org/10.1093/oso/9780190081478.003.0014
Grusho, A. A., Zabezhailo, M. I., Piskovski, V. O., & Timonina, E. E. (2020). Industry 4.0: Opportunities and Risks in the Context of Information Security Problems. Automatic Documentation and Mathematical Linguistics, 54(2), 55–63. https://doi.org/10.3103/S000510552002003X
Harkins, M. W. (2016). Managing Risk and Information Security. Apress. https://doi.org/10.1007/978-1-4842-1455-8
Herzig, T. W. (2019). Information Security in Healthcare: Managing Risk. Taylor & Francis.
Hill, M., & Swinhoe, D. (2021, July 16). The 15 biggest data breaches of the 21st century. Https://Www.Csoonline.Com/Article/2130877/the-Biggest-Data-Breaches-of-the-21st-Century.Html.
International Organization for Standardization. (2013). Information technology — Security techniques — Information security management systems — Requirements (ISO/IEC Standard No. 27001:2013).
International Organization for Standardization. (2018). Risk Management - Guideline (ISO Standard no. 31000:2018).
Meriah, I., & Arfa Rabai, L. ben. (2019). Comparative Study of Ontologies Based ISO 27000 Series Security Standards. Procedia Computer Science, 160, 85–92. https://doi.org/10.1016/j.procs.2019.09.447
Muzaimi, H., Chew, B. C., & Hamid, S. R. (2017). Integrated management system: The integration of ISO 9001, ISO 14001, OHSAS 18001 and ISO 31000. 020034. https://doi.org/10.1063/1.4976898
NIST. (2012). Guide for Conducting Risk Assessments (NIST Special Publication 800-30).
Rainer, R. K., Prince, B., Splettstoesser-Hogeterp, I., Sanchez-Rodriguez, C., & Ebrahimi, S. (2020). Introduction to Information Systems. John Wiley & Sons Canada, Ltd.
Satzinger, J. W., Jackson, R. B., & Burd, S. D. (2016). Systems Analysis and Design in a Changing World (7th ed.). Cengage Learning.
Schnitzler, S. (2018). A universal guideline for the implementation of a specific ISMS for all Bavarian universities and universities of applied sciences using the example of the University of Applied Sciences Augsburg [Case Study]. University of Applied Science Hochschule Ausburg.
Sekaran, U., & Bougie, R. (2016). Research Methods For Business: A Skill Building Approach (7th ed.). John Wiley & Sons Ltd.
Suroso, J., & Fakhrozi, M. (2018). Assessment of Information System Risk Management with Octave Allegro at Education Institution. Procedia Computer Science, 135, 202–213. https://doi.org/10.1016/j.procs.2018.08.167
Suyasa, G. W. A., & Legowo, N. (2019). The Implementation of System Enterprise Risk Management Using Framework ISO 31000. Journal of Theoretical and Applied Information Technology, 97(10).
Wallin, E., & Xu, Y. (2008). Managing Information Security in Healthcare: A Case Study in Region Skåne. Lund University.
Weemaes, M., Martens, S., Cuypers, L., van Elslande, J., Hoet, K., Welkenhuysen, J., Goossens, R., Wouters, S., Houben, E., Jeuris, K., Laenen, L., Bruyninckx, K., Beuselinck, K., André, E., Depypere,
M., Desmet, S., Lagrou, K., van Ranst, M., Verdonck, A. K. L. C., & Goveia, J. (2020). Laboratory information system requirements to manage the COVID-19 pandemic: A report from the Belgian national reference testing center. Journal of the American Medical Informatics Association, 27(8), 1293–1299. https://doi.org/10.1093/jamia/ocaa081
Wheeler, E. (2011). Security Risk Management. Syngress - Elsevier Inc.
Wright, C. (2016). Fundamentals of Information Risk Management Auditing (1st ed.). IT Governance Publishing.
Zhiwei, Y., & Zhongyuan, J. (2012). A Survey on the Evolution of Risk Evaluation for Information Systems Security. Energy Procedia, 17, 1288–1294. https://doi.org/10.1016/j.egypro.2012.02.240.