Information technology in medical research improving the security of medical research information. a case study of Kenya Medical Research Institute (KEMRI)

Abstract

This research describes the current status of the security of medical research information with the focus on Kenya Medical Research Institute (KEMRI) and how to improve it. Currently, there are no adequate security protection mechanisms for medical research information at the institution. The aim of this research was to design a framework that would ensure improved security of medical research information. To achieve this, the researcher had to determine and document the specific threats to the medical research information and their relative frequency of occurrence, determine the information systems security controls in place to secure the information and their relative predominance and to determine the security policies in place to govern the medical research information on storage and during transmission. Qualitative and quantitative research methods were used to collect data for the study. Research instruments employed were interviews, observations and structured questionnaires. The respondents were data analysts, lab technicians and doctors. Study results show that 75% of the threats most experienced were from viruses and worms followed by data leakage at 42.2%. The security measures in place were also inadequate, with 73% of the respondents using passwords and 68% using access restrictions. Security policies were not clearly defined, documented, distributed, or communicated to the employees and 55% were not aware of any policy. The policies were also not easily accessible. There were also no security policies to govern electronic medical research information The proposed framework, called the Comprehensive Enterprise Security Approach (CESA), consists of Security Policy, Asset Classification, Threat Classification, Controls Analysis, Implementation, Audit and Maintenance activities. When implemented, it will aid the organisation to increase user awareness through trainings, add the security measures and security policies, and protect the hardware and the information or data by preventing threats, hence increasing the security to the medical research information.