Information Security Management in Health Care According to ISO/IEC 27799 Standard



Igor Bernik*, University of Maribor, Ljubljana, Slovenia

Track: Research
Presentation Topic: Ethical & legal issues, confidentiality and privacy
Presentation Type: Poster presentation
Submission Type: Single Presentation

Last modified: 2014-06-16

Abstract


Background: Since information systems involved in health care are indispensable, information security associated with data processing and storage is considered to be very important, especially due to the sensitivity of such data – patients’ records are highly sensitive and patients’ right to privacy should be respected. It is a widely (also politically) accepted fact that patients are at the core of health care systems, thus the need to provide for security in order to protect patients’ privacy should be prioritised.

By looking at the different structures that support healthcare facilities, it is clear that their unique information security needs ought to be explored. As decisions related to the methods for treating patients are based on information from different entities, primarily providers of health services as well as health insurance and a variety of health-related administrative institutions, patient data records should be transferable between units but well protected.

Objective: The ISO 27799:2008 standard (Health informatics — Information security management in health using ISO/IEC 27002) defines guidelines to support the interpretation and implementation of ISO/IEC 27002:2013 (Information technology — Security techniques — Code of practice for information security controls) in health informatics and accompanies that standard. By analysing the aforementioned standards (ISO/IEC 27002 and ISO/IEC 27799) and proposing practical experience-based guidelines, this paper emphasises the importance of applying standards for information security in healthcare to maintain patient privacy and protect their personal data.

Methods: This paper considers recommendations for security controls and their updates by means of a comparative analysis of the aforementioned standards. The characteristics of information security management, which are specific to healthcare environments, are based on experience and patients’ needs, and developed on the basis of rigorous literature reviews and practical implementation in hospitals.

Results: The security of information in healthcare is of utmost importance. The areas of management, information security and health informatics are closely related. Guidelines for the application of ISO/IEC 27002 and ISO/IEC 27799 in practice and a comparison between the ISO standards and the needs of the current practice are shown.

Conclusions: Even though modern healthcare systems are based on the use of ICT — or perhaps due to that very fact — preserving the patients’ privacy should be a priority. At the same time, it is necessary to allow adequate access to the information required by healthcare professionals and to ensure comprehensive information security. In order to achieve the appropriate security level, it is reasonable to use the provisions of the ISO/IEC 27002 and ISO/IEC 27799 standards.




This work is licensed under a Creative Commons Attribution 3.0 License.