Information governance is becoming an important aspect of organisational accountability. Given that information is an integral asset of most organisations, the protection of this asset will increasingly rely on organisational capabilities in security. In the medical arena this information is primarily sensitive patient-based information. Previous research has shown that the application of security measures is a low priority for primary care medical practice and that awareness of the risks is seriously underestimated. Consequently, information security governance will be a key issue for medical practice in the future. Information security governance is a relatively new term, and there is little existing research into how to meet governance requirements. The limited research that exists describes information security governance frameworks at a strategic level. However, since medical practice is already lagging in the implementation of appropriate security, such a strategic definition may not be practical, although it is obviously desirable. This paper describes an ongoing action research project undertaken in the area of medical information security, and presents a tactical approach model aimed at addressing information security governance and the protection of medical data.
