
Design of a Secure Electronic Medical Records Process Using Secure Activity Resource Coordination




Journal of Information System Security
Volume 7, Number 2 (2011)
Pages 49–77
ISSN 1551-0123
Ravi Thambusamy — The University of North Carolina, Greensboro, USA
Rahul Singh — The University of North Carolina, Greensboro, USA
Information Institute Publishing, Washington DC, USA




Organizations create customer value through effective use of information systems to implement their business processes. This often involves sharing information within and across multiple organizations to accomplish objectives. In the health care environment, health care providers and their partner organizations use Electronic Medical Record (EMR) systems to streamline their business processes, achieve cost savings and improve the quality of care. Security concerns with technology, particularly for inter-organizational business processes, have a significant impact on user perceptions and nature of use of the technology. While EMRs have tremendous benefits, studies have shown that the perceived security of EMRs among users is low. In this paper, we demonstrate the application of the Secure Activity Resource Coordination (SARC) approach to design a secure EMR business process. We illustrate the utility of our approach by developing the design of an artifact with improved security for an inter-organizational EMR business process. We use a case study in a multi-practice primary care practice organization. The process description is part of a case study from an organization engaged in the medical transcription and billing business processes. We discuss the contextually situated evaluation of the enhanced security of the business process design using the SARC artifact.



