{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,12,18]],"date-time":"2025-12-18T14:11:34Z","timestamp":1766067094782,"version":"3.41.2"},"reference-count":42,"publisher":"Emerald","issue":"3","license":[{"start":{"date-parts":[[2019,12,16]],"date-time":"2019-12-16T00:00:00Z","timestamp":1576454400000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/www.emerald.com\/insight\/site-policies"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["ICS"],"published-print":{"date-parts":[[2019,12,16]]},"abstract":"\nPurpose<\/jats:title>\nThe purpose of this paper is to propose a novel maturity model for health-care cloud security (M2<\/jats:sup>HCS), which focuses on assessing cyber security in cloud-based health-care environments by incorporating the sub-domains of health-care cyber security practices and introducing health-care-specific cyber security metrics. This study aims to expand the domain of health-care cyber security maturity model by including cloud-specific aspects than is usually seen in the literature.<\/jats:p>\n<\/jats:sec>\n\nDesign\/methodology\/approach<\/jats:title>\nThe intended use of the proposed model was demonstrated using the evaluation method \u2013 \u201cconstruct validity test\u201d as the paper\u2019s aim was to assess the final model and the output of the valuation. The study involved a literature-based case study of a national health-care foundation trust with an overall view because the model is assessed for the entire organisation. The data were complemented by examination of hospitals\u2019 cyber security internal processes through web-accessible documents, and identified relevant literature.<\/jats:p>\n<\/jats:sec>\n\nFindings<\/jats:title>\nThe paper provides awareness about how organisational-related challenges have been identified as a main inhibiting factor for the adoption of cloud computing in health care. Regardless of the remunerations of cloud computing, its security maturity and levels of adoption varies, especially in health care. Maturity models provide a structure towards improving an organisation\u2019s capabilities. It suggests that although several cyber security maturity models and standards resolving specific threats exist, there is a lack of maturity models for cloud-based health-care security.<\/jats:p>\n<\/jats:sec>\n\nResearch limitations\/implications<\/jats:title>\nDue to the selected research method, the research results may lack generalizability. Therefore, future research studies can investigate the propositions further. Another is that the current thresholds were determined empirically, although it worked for the case study assessment. However, to establish more realistic threshold levels, there is a need for more validation of the model using more case studies.<\/jats:p>\n<\/jats:sec>\n\nPractical implications<\/jats:title>\nThe paper includes maturity model for the assessment management and improvement of the security posture of a health-care organisation actively using cloud. For executives, it provides a detailed security assessment of the eHealth cloud to aid in decision making. For security experts, its quantitative metrics support proactive and reactive processes.<\/jats:p>\n<\/jats:sec>\n\nOriginality\/value<\/jats:title>\nThe paper fulfils a recognised requirement for security maturity model focussed on health-care cloud. It could be extended to resolve evolving cyber settings.<\/jats:p>\n<\/jats:sec>","DOI":"10.1108\/ics-05-2019-0060","type":"journal-article","created":{"date-parts":[[2020,1,9]],"date-time":"2020-01-09T07:14:44Z","timestamp":1578554084000},"page":"321-345","source":"Crossref","is-referenced-by-count":19,"title":["Towards a maturity model for health-care cloud security (M2<\/sup>HCS)"],"prefix":"10.1108","volume":"28","author":[{"given":"Opeoluwa Ore","family":"Akinsanya","sequence":"first","affiliation":[]},{"given":"Maria","family":"Papadaki","sequence":"additional","affiliation":[]},{"given":"Lingfen","family":"Sun","sequence":"additional","affiliation":[]}],"member":"140","reference":[{"issue":"12","key":"key2020071513123364400_ref001","doi-asserted-by":"publisher","first-page":"40","DOI":"10.1145\/322796.322806","article-title":"Users are not the enemy","volume":"42","year":"1999","journal-title":"Communications of the Acm"},{"key":"key2020071513123364400_ref002","article-title":"Accounting for value and uncertainty in security metrics","volume":"6","year":"2008","journal-title":"Information Systems Control Journal"},{"issue":"6","key":"key2020071513123364400_ref003","doi-asserted-by":"publisher","first-page":"42","DOI":"10.1145\/1167948.1167976","article-title":"Practical issues in usability measurement, interactions","volume":"13","year":"2006","journal-title":"interactions"},{"key":"key2020071513123364400_ref004","unstructured":"Bevan, N. (2009), \u201cInternational standards for usability should be more widely used, journal of usability studies\u201d, available at: http:\/\/uxpajournal.org\/wp-content\/uploads\/sites\/8\/pdf\/JUS_Bevan_May2009.pdf (accessed 18 July 2019)."},{"key":"key2020071513123364400_ref005","doi-asserted-by":"publisher","first-page":"143","DOI":"10.1007\/978-3-319-20901-2_13","article-title":"ISO 9241-11 revised: what have we learnt about usability since 1998","volume-title":"Human-Computer Interaction: Design and Evaluation.HCI 2015. Lecture Notes in Computer Science","year":"2015"},{"key":"key2020071513123364400_ref006","unstructured":"Bourdon, R. (2019), \u201cWampServer, a windows web development environment, WampServer\u201d, available at: www.wampserver.com\/en\/ (accessed 18 July 2019)."},{"issue":"6","key":"key2020071513123364400_ref007","doi-asserted-by":"publisher","first-page":"131","DOI":"10.1007\/s10916-016-0486-5","article-title":"Maturity models of healthcare information systems and technologies: a literature review","volume":"40","year":"2016","journal-title":"Journal of Medical Systems"},{"key":"key2020071513123364400_ref008","unstructured":"Chaudry, Z. (2014), \u201cHealth information exchanges: global lessons learnt from implementations and best practices\u201d, available at: https:\/\/www2.health.vic.gov.au\/about\/publications\/researchandreports\/Gartner\u2013Health-Information-Exchanges-Global-Lessons-Learnt-From-Implementations-and-Best-Practices-June-2014 (accessed 6 October 2018)."},{"key":"key2020071513123364400_ref009","unstructured":"CSA (2017), \u201cIntroduction to cloud control matrix (CCM)\u201d, available at: https:\/\/cloudsecurityalliance.org\/ (accessed 17 July 2019)."},{"key":"key2020071513123364400_ref010","unstructured":"Duarte, A.A.R. (2013), \u201cCloud maturity model. Instituto superior T\u00b4ecnico Lisboa, Portugal\u201d, available at: https:\/\/fenix.tecnico.ulisboa.pt\/downloadFile\/395145548817\/Thesis.pdf (accessed 10 October 2018)."},{"key":"key2020071513123364400_ref011","unstructured":"Giokas, D., Sekhon, H., Mestre, A., Geffen, M., Nouri, H. and Twoekowski, K. (2015), \u201cA discussion paper for health information network (HIN) capability maturity model\u201d, available at: www.colleaga.org\/sites\/default\/files\/attachments\/hin-discussion-paper-maturity-model-en.pdf"},{"issue":"1","key":"key2020071513123364400_ref012","doi-asserted-by":"publisher","first-page":"17","DOI":"10.1186\/s12911-015-0145-7","article-title":"A scoping review of cloud computing in healthcare","volume":"15","year":"2015","journal-title":"BMC Medical Informatics and Decision Making"},{"key":"key2020071513123364400_ref013","doi-asserted-by":"publisher","first-page":"146970","DOI":"10.1155\/2014\/146970","article-title":"Proposal for a security management in cloud computing for health care","volume":"2014","year":"2014","journal-title":"The Scientific World Journal"},{"edition":"1st edn,","volume-title":"Complete Guide to Security and Privacy Metrics: Measuring Regulatry Compliance, Operational Resilience, and ROI","year":"2007","key":"key2020071513123364400_ref014"},{"issue":"1","key":"key2020071513123364400_ref015","doi-asserted-by":"crossref","first-page":"75","DOI":"10.2307\/25148625","article-title":"Design science in information systems research","volume":"28","year":"2004","journal-title":"MIS Quarterly. Society for Management Information Systems"},{"volume-title":"CS0405 - Top 10 Cloud Security Concerns","year":"2017","author":"HIMSS","key":"key2020071513123364400_ref016"},{"article-title":"Directions in security metrics research (NISTIR 7564)","year":"2009","key":"key2020071513123364400_ref017","doi-asserted-by":"publisher","DOI":"10.6028\/NIST.IR.7564"},{"volume-title":"Security Metrics: replacing Fear, Uncertainty, and Doubt","year":"2007","key":"key2020071513123364400_ref018"},{"issue":"3","key":"key2020071513123364400_ref019","first-page":"227","article-title":"Peer review in scientific publications: benefits, critiques, & a survival guide","volume":"25","year":"2014","journal-title":"The Journal of the International Federation of Clinical Chemistry and Laboratory Medicine (EJIFCC)"},{"issue":"3","key":"key2020071513123364400_ref020","doi-asserted-by":"publisher","first-page":"e67","DOI":"10.2196\/jmir.1867","article-title":"Opportunities and challenges of cloud computing to improve health care services","volume":"13","year":"2011","journal-title":"Journal of Medical Internet Research"},{"journal-title":"Advanced Outsourcing Practice: Rethinking ITO, BPO and Cloud Services","year":"2012","key":"key2020071513123364400_ref025a"},{"key":"key2020071513123364400_ref021","doi-asserted-by":"publisher","first-page":"277","DOI":"10.12694\/scpe.v18i4.1329","article-title":"Capability maturity model and metrics framework for cyber cloud security","volume":"18","year":"2017","journal-title":"Special Issue on Communication, Computing, and Networking in Cyber-Physical Systems"},{"key":"key2020071513123364400_ref022","unstructured":"Leveraging Cloud Computing for Healthcare (2016), available at: www.cocir.org\/fileadmin\/4.4_Digital_Health__Public_Website_\/16039.COC.eHealth_Cloud_Computing_web.pdf (accessed 6 October 2018)."},{"article-title":"NIST cloud computing reference architecture","year":"2011","key":"key2020071513123364400_ref023","doi-asserted-by":"publisher","DOI":"10.6028\/NIST.SP.500-292"},{"issue":"12","key":"key2020071513123364400_ref024","doi-asserted-by":"publisher","first-page":"52","DOI":"10.1109\/2.889093","article-title":"Windows of vulnerability: a case study analysis","volume":"33","year":"2000","journal-title":"Computer"},{"issue":"3","key":"key2020071513123364400_ref025","doi-asserted-by":"publisher","first-page":"157","DOI":"10.5539\/gjhs.v9n3p157","article-title":"Security challenges in healthcare cloud computing: a systematic review","volume":"9","year":"2016","journal-title":"Global Journal of Health Science"},{"key":"key2020071513123364400_ref026","unstructured":"NHS (2011), \u201cNHS infrastructure maturity model (NIMM), the national archives\u201d, available at: https:\/\/webarchive.nationalarchives.gov.uk\/20110503144044\/; www.connectingforhealth.nhs.uk\/systemsandservices\/nimm (accessed 1 April 2019)."},{"key":"key2020071513123364400_ref027","unstructured":"NIST (2017), \u201cFramework for improving critical infrastructure cybersecurity\u201d, available at: www.nist.gov\/sites\/default\/files\/documents\/draft-cybersecurity-framework-v1.1-with-markup1.pdf (accessed 15 July 2019)."},{"issue":"8","key":"key2020071513123364400_ref028","doi-asserted-by":"publisher","first-page":"e186","DOI":"10.2196\/jmir.2494","article-title":"Analysis of the security and privacy requirements of Cloud-Based electronic health records systems","volume":"15","year":"2013","journal-title":"Journal of Medical Internet Research"},{"key":"key2020071513123364400_ref025c","doi-asserted-by":"publisher","first-page":"S55","DOI":"10.5694\/J.1326-5377.2004.TB05947.X","article-title":"Diffusion of innovation theory for clinical change","volume":"180","year":"2014","journal-title":"Medical Journal of Australia"},{"key":"key2020071513123364400_ref029","unstructured":"Savvides, A. (2009), \u201cNHS infrastructure maturity model BCS\/ASSIST presentation\u201d, available at: nww.connectingforhealth.nhs.uk\/pspg\/"},{"key":"key2020071513123364400_ref030","unstructured":"Schneier, B. (2000), Secrets and Lies: Digital Security in A Networked World, John Wiley, New York, NY, available at: https:\/\/primo.plymouth.ac.uk\/primo-explore\/fulldisplay?docid=44PLY_ALMA_DS2139942790001281&context=L&vid=VU_PLY&lang=en_US&adaptor=LocalSearchEngine&tab=local&query=any, (accessed 18 February 2019)."},{"key":"key2020071513123364400_ref031","unstructured":"Scott, J. and Harder, R. (2017), \u201cNetwork security policy\u201d, available at: www.plymouthhospitals.nhs.uk\/trust-policies (accessed 23 June 2019)."},{"journal-title":"Proceedings of the Second Symposium on Usable Privacy and Security, SOUPS \u201906","article-title":"Why Johnny Still Can\u2019t Encrypt: Evaluating the Usability of Email Encryption Software","year":"2006","key":"key2020071513123364400_ref025b"},{"issue":"3","key":"key2020071513123364400_ref032","doi-asserted-by":"publisher","first-page":"349","DOI":"10.1007\/s11548-011-0625-x","article-title":"A PACS archive architecture supported on cloud services","volume":"7","year":"2012","journal-title":"International Journal of Computer Assisted Radiology and Surgery"},{"key":"key2020071513123364400_ref033","unstructured":"Spruit, M. and R\u00f6ling, M. (2014), \u201cISFAM: the information security focus area maturity model\u201d, European Conference on Information Systems (ECIS), AIS Electronic Library (AISeL), Tel Aviv, p. 16, available at: http:\/\/aisel.aisnet.org\/ecis2014 and http:\/\/aisel.aisnet.org\/ecis2014\/proceedings\/track14\/6"},{"key":"key2020071513123364400_ref034","unstructured":"Staggers, N., Rodney, M., Alafaireet, P., Backman, C., Bochinski, J., Schumacher, B. and Xiao, Y. (2011), \u201cPromoting usability in health organizations: Initial steps and progress toward a healthcare usability maturity model\u201d, available at: www.himss.org\/sites\/himssorg\/files\/2013-HIMSS-Usability-Maturity-Model.pdf (accessed 11 July 2019)."},{"key":"key2020071513123364400_ref035","first-page":"211","article-title":"Current cyber security maturity models: how effective in healthcare cloud","volume-title":"5th Collaborative European Research Conference (CERC 2019)","year":"2019"},{"issue":"2","key":"key2020071513123364400_ref036","doi-asserted-by":"publisher","first-page":"854","DOI":"10.20533\/IJISR.2042.4639.2019.0098","article-title":"Factors limiting the adoption of cloud computing in teleradiology","volume":"9","year":"2019","journal-title":"International Journal for Information Security Research (IJISR)"},{"key":"key2020071513123364400_ref037","doi-asserted-by":"publisher","first-page":"184","DOI":"10.2053\/\/ICITST.WorldCIS.WCST.WCICSS.2018.0029","article-title":"Organizational factors influencing medical data sharing in cloud","volume-title":"Infonomics Society, Internet Technology and Secured Transactions (ICITST-2018)","year":"2018"},{"key":"key2020071513123364400_ref038","doi-asserted-by":"publisher","first-page":"564","DOI":"10.1109\/ESEM.2009.5314213","article-title":"Using security metrics coupled with predictive modeling and simulation to assess security processes","volume-title":"3rd International Symposium on Empirical Software Engineering and Measurement","year":"2009"},{"key":"key2020071513123364400_ref039","unstructured":"Payne, S.C. (2007), \u201cA guide to security metrics\u201d, available at: www.sans.org\/reading-room\/whitepapers\/auditing\/guide-security-metrics-55."}],"container-title":["Information & Computer Security"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/www.emerald.com\/insight\/content\/doi\/10.1108\/ICS-05-2019-0060\/full\/xml","content-type":"application\/xml","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/www.emerald.com\/insight\/content\/doi\/10.1108\/ICS-05-2019-0060\/full\/html","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,7,25]],"date-time":"2025-07-25T01:22:55Z","timestamp":1753406575000},"score":1,"resource":{"primary":{"URL":"http:\/\/www.emerald.com\/ics\/article\/28\/3\/321-345\/199288"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2019,12,16]]},"references-count":42,"journal-issue":{"issue":"3","published-print":{"date-parts":[[2019,12,16]]}},"alternative-id":["10.1108\/ICS-05-2019-0060"],"URL":"https:\/\/doi.org\/10.1108\/ics-05-2019-0060","relation":{},"ISSN":["2056-4961","2056-4961"],"issn-type":[{"type":"print","value":"2056-4961"},{"type":"print","value":"2056-4961"}],"subject":[],"published":{"date-parts":[[2019,12,16]]}}}