School of Computer and Information Science, Edith Cowan University, Perth, Western Australia
Security is most commonly seen as a business concept. This is one reason for the poor uptake and implementation of standard security processes in non-business environments such as general medical practice. It is clear that protection of sensitive patient information is imperative yet the overarching conceptual business processes required to ensure this protection are not well suited to this context. The issue of sensitivity of information, together with the expectation that security can be effectively implemented by non-security trained professionals creates an insecure environment. The general security processes used by business, including those for risk assessment, are difficult to operationally put into practice in the medical environment and this one-sizefits- all approach is shown to be ineffective. Therefore more explicit models are required which provide contextually relevant guidance and can be implemented within the capability of those using them.