Can an Adapted Clinical Governance Model be used to Improve Medical Information Security?

Document Type

Conference Proceeding


Academic Publishing


Faculty of Computing, Health and Science


School of Computer and Information Science / Centre for Security Research




Williams, P. (2008). Can an Adapted Clinical Governance Model be used to Improve Medical Information Security?. Proceedings of the 7th European Conference on Information Warfare and Security (pp. 219-228). University of Plymouth, UK : Reading , Academic Publishing. Original conference website available here


Governance is an increasingly important legally and ethically for business and the professions. Further, accountability using best practice is essential to defensible governance. Information governance is a major aspect of governance and in turn, security is a major aspect of information governance. Implementing effective security is often difficult for those who are not security aware or trained. Whilst this poses serious risk for business, it is potentially graver for the custodians of personal medical information such as general medical practices. Research has shown that there exist severe deficiencies in information security in general medical practices, whose primary concern is the welfare and treatment of patients and not the security of the information systems. Although technological solutions are plentiful, it is the lack of awareness, non-acceptance of risk and lack oif suitable protection that pose the greatest insecurity. Methods for improving recognition of the need for security and its effective implementation, essentially a cultural shift in thinking about security, are necessary if information governance is to be fulfilled. In general medical practice, clinical governance is a becoming a fundamental aspect of medical practice even though it is a relatively modern concept. The objectives of clinical governance are to enhance the quality of healthcare by employing evidence-based decision making to improve standards of care, outcomes and cost-efficiency. Thus, monitoring and providing evidence of process and resultant improvement must be utilised supported by governance plans. In essence, clinical governance is a vehicle for promoting a cultural shift to a more cost-efficient and responsible service environment for medical practice. Therefore it is worthwhile exploring if an improvement in medical information security can be achieved using parallels with clinical governance term. These terms are already accepted by the medical profession. This theoretical investigation compares the objectives and use of governance in clinical and information applications. Further, it suggests that using a model analogous to clinical governance for information governance may provide a better method for sustained improvement in medical information security practice. Information governance plans would provide explicit evidence of attempts at quality improvement which is a cornerstone of meeting governance requirements. As information governance becomes a driving force for accountability in medical practices, methods to support this will be paramount. A clinical governance approach would benefit medical practices by providing them with a definable model for information security governance using a contextually acceptable paradigm. Further, the adaptation of an environment specific model would indicate how security, and thus the security profession, can provide pragmatic and practical assistance to those professions and organisations who do not retain security trained personnel.