ISO 27799:2008 Standard Provides Information Security Guidelines for Health Sector

September 7, 2008 // Published as a news service by IHS

ISO 27799:2008 applies to health information in all its aspects - whatever form the information takes, whatever means are used to store it and whatever means are used to transmit it, ISO said.

The standard specifies a set of controls for managing health information security and provides health information security best practice guidelines.

By implementing this international standard, health care organizations and other custodians of health information will be able to ensure a minimum requisite level of security that is appropriate to their size and circumstances, according to ISO.

Health informatics systems must meet unique demands to remain operational in the face of natural disasters, system failures and denial-of-service attacks. At the same time, the data they contain is confidential, and its integrity must be preserved.

Because of these requirements, and regardless of their size, location and model of service delivery, all health care organizations need to have stringent controls in place to protect the health information entrusted to them, ISO said.

According to the organization, the increasing use of wireless and Internet technologies in health care delivery and the consequent growth of electronic exchange of personal health information between health professionals make the need for effective IT security management in health care more urgent and imply a benefit to adopting a common reference for information security management in health care.

ISO 27799:2008 is a companion to ISO/IEC 27002:2005 - Information technology - Security techniques - Code of practice for information security management.

Health sector professionals contributed their expertise to defining guidelines to specifically support the interpretation and implementation of ISO/IEC 27002 in health informatics, ISO said.

A consideration was the adaptability of the guidelines, bearing in mind that many health professionals work as solo health providers or in small clinics that lack dedicated IT resources to manage information security.

Although all of the security control objectives described in ISO/IEC 27002 are relevant to health informatics, some controls require additional explanations with regard to how they can be used to protect the confidentiality, integrity and availability of health information.

Also, there are some additional requirements that are specific to the health sector.

ISO 27799 contains an action plan for implementing ISO/IEC 27002 in a health environment.

Taken together, ISO said, these two standards define what is required in terms of information security in health care. Three annexes are included in the new standard, covering the general threats to health information, tasks and related documents of the information security management system and the advantages of support tools as an aid to implementation.

Source: International Organization for Standardization (ISO).