This author published in these journals
All Journal MULTINETICS
Dewi, Amalia Fitri
Unknown Affiliation

Articles

Found 1 Documents

Design of Information Security Risk Management Framework Based on a Risk Profiling Study in the Healthcare Sector
Dewi, Amalia Fitri; Suryanto, Yohan
MULTINETICS Vol. 8 No. 1 (2022): MULTINETICS Mei (2022)
Publisher : POLITEKNIK NEGERI JAKARTA

DOI: 10.32722/multinetics.v8i1.4532

Abstract

The healthcare sector is currently becoming one of the paramount targets for cyberattacks. The utilization of information technology in the healthcare sector triggers the emergence of its varied vulnerabilities. Information security risk management is considered one of the obligatory jobs for healthcare sector organizations. This study aims at constructing an information security risk management framework in the healthcare sector based on a study of its existing risk profile. This research employed a qualitative method. Based on risk profiling results, the healthcare sector had two critical assets, namely electronic health records and Internet of Medical Things. These assets had high sensitivity; however, they had numerous vulnerabilities that were prone to exploitation. In order to overcome this, an information security risk management framework consisting of four stages is proposed, namely Risk Profiling, Risk Level Assessment, Risk Treatment, and Monitoring. Risk Profiling is a vital stage in the risk management process. This stage is performed to produce an overview of the information security risk profile resulting from critical assets owned by the organization and the condition of cyberspace in the information security in the healthcare sector. The proposed framework is cyclical as the risk profile in the healthcare sector is dynamic. Thus, monitoring changes in the organization's risk profile is imperative. The proposed framework design was tested in Puskesmas XYZ, which is a kind of health care facility agency. The result of the testing is that there are seven risks in the information security context. There are three High Level risks and four Medium Level risks. All the risks are reduced by applying some controls. The result of the evaluation of the proposed framework states that it has described the sequence of security risk management stages, all activities in information security risk management are included, and the proposed framework can be applied to health care facilities.