University of Twente Student Theses
Information Security in the Dutch Health Insurance Industry: Analyzing the impact of the Dutch Data Protection Act and the reformed European Privacy Act at Dutch health insurers
Bus, T.J.F. (2015) Information Security in the Dutch Health Insurance Industry: Analyzing the impact of the Dutch Data Protection Act and the reformed European Privacy Act at Dutch health insurers.
Abstract: | In this thesis we present research on Information Security at Dutch health insurers, with the purpose of giving insight into the current maturity, and providing a guide on quick-wins for Information Security improvements. This research is sparked by 1) a research project of the Dutch National Bank on the state of Information Security at Dutch financial institutions, 2) the relevance of Information Security in light of the new European privacy regulations, and 3) the necessity of Information Security for health insurers because of the significant amounts of privacy-sensitive health data they collect. In order to develop an analytical framework for the assessment of Information Security maturity at health insurers, we have firstly created an insight into the European General Data Protection Regulation in comparison with the Dutch Data Protection Act. Secondly, a literature study of both scientific and practice-oriented research was conducted. For the framework we have taken ISACA’s Business Model for Information Security as a basis, and combined it with insights from COBIT 5 and ISO 27000. After the literature study the research population, CIOs and Security Officers at health insurers, was contacted for an interview of about one hour, and the filling of the analytical framework. These interviews and the filling of the framework had the purpose of testing and verifying the analytical framework. However, because only three out of nine organizations responded to the interview request, this data collection step yielded too little data to analyze with SPSS. Therefore we have not been able to statistically verify the findings from literature and the analytical framework. We conclude from this research that since about the start of the DNB research on Information Security in 2010 the Information Security function has been significantly professionalized to maturity level 3. 
The general attitude among insurers is that keeping health data safe is rooted in their nature. With the little data we collected we can make a conservative estimate that the analytical framework is to a large degree correct and usable to analyze health insurers. We find that the main technological measures for Information Security, such as network compartmentalization, firewalls, Identity and Access Management, have been developed by all interviewed organizations to at least a sufficient degree. However, for further maturity development the human factor plays a significant role. Therefore, all insurers are currently executing or developing security awareness programs to increase the awareness of Information Security threats, mainly among non-IT personnel. With regard to the analytical framework we developed we have too little data to be able to verify and sharpen the framework. However, from the one organization that filled the framework we can make a safe statement that the basis of the framework is correct and applicable. |
Item Type: | Essay (Master) |
Faculty: | BMS: Behavioural, Management and Social Sciences |
Subject: | 85 business administration, organizational science |
Programme: | Industrial Engineering and Management MSc (60029) |
Link to this item: | https://purl.utwente.nl/essays/67569 |