Risk Assessment of Healthcare Information Systems in Indonesian Regional Government Hospitals Using ISO 27001:2022
- 1 Information Systems Management Department, BINUS Graduate Program, Master of Information Systems Management, Bina Nusantara University, Jakarta 11480, Indonesia
- 2 Information Systems Management Department, BINUS Graduate Program, Master of Information Systems Management, Bina Nusantara University, Jakarta 11480, Indonesia
Abstract
The growing number of cyber-attacks targeting the healthcare sector, particularly Indonesian regional government hospitals, reflects the absence of a structured information security management system (ISMS). Issues such as shared account usage, lack of staff security training, and undocumented incident reporting present serious risks to patient data. This study aims to assess the current state of information security in a government hospital using the ISO/IEC 27001:2022 standard and to propose mitigation measures based on Annex A controls. The assessment was conducted using the ISO 27001 framework and methodology. A qualitative case study approach was adopted, with data collected through semi-structured interviews, direct observations, and document analysis. The evaluation followed the Plan-Do-Check-Act (PDCA) cycle and the ISO 27005 risk assessment matrix, scoring each risk on its likelihood and impact. The results show that, of eight identified risk categories, four were classified as high (access management, information security policy, security awareness training, and system backup management), while the rest were categorized as medium. A gap analysis indicated that many of these risks were not supported by effective controls. Recommendations include policy updates, regular training, formalized incident reporting, and annual security audits. These findings highlight the urgent need for systematic ISMS implementation to improve cybersecurity resilience and safeguard patient information in public healthcare institutions.
DOI: https://doi.org/10.3844/jcssp.2026.778.786
Copyright: © 2026 Deo Alif Alfitrah and Nilo Leegowo. This is an open access article distributed under the terms of the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original author and source are credited.
Keywords
- Information Security
- Risk Assessment
- Regional Government Hospital
- Healthcare IS
- ISO/IEC 27001