ISO 27799:2008 Health informatics — Information security management in health using ISO/IEC 27002
The abstract from the ISO site reads:
“ISO 27799:2008 defines guidelines to support the interpretation and implementation in health informatics of ISO/IEC 27002 and is a companion to that standard.
ISO 27799:2008 specifies a set of detailed controls for managing health information security and provides health information security best practice guidelines. By implementing this International Standard, healthcare organizations and other custodians of health information will be able to ensure a minimum requisite level of security that is appropriate to their organization's circumstances and that will maintain the confidentiality, integrity and availability of personal health information.
ISO 27799:2008 applies to health information in all its aspects; whatever form the information takes (words and numbers, sound recordings, drawings, video and medical images), whatever means are used to store it (printing or writing on paper or electronic storage) and whatever means are used to transmit it (by hand, via fax, over computer networks or by post), as the information must always be appropriately protected.”
Scope and purpose
An extract from the introduction further explains the purpose:
“This International Standard provides guidance to healthcare organizations and other custodians of personal health information on how best to protect the confidentiality, integrity and availability of such information by implementing ISO/IEC 27002. Specifically, this International Standard addresses the special information security management needs of the health sector and its unique operating environments. While the protection and security of personal information is important to all individuals, corporations, institutions and governments, there are special requirements in the health sector that need to be met to ensure the confidentiality, integrity, auditability and availability of personal health information. This type of information is regarded by many as being among the most confidential of all types of personal information. Protecting this confidentiality is essential if the privacy of subjects of care is to be maintained. The integrity of health information must be protected to ensure patient safety, and an important component of that protection is ensuring that the information’s entire life cycle be fully auditable. The availability of health information is also critical to effective healthcare delivery. Health informatics systems must meet unique demands to remain operational in the face of natural disasters, system failures and denial-of-service attacks. Protecting the confidentiality, integrity and availability of health information therefore requires health-sector-specific expertise ... It is not intended to supplant ISO/IEC 27002 or ISO/IEC 27001. Rather, it is a complement to these more generic standards ... Annex A describes the general threats to health information. Annex B briefly describes other standards that can be applied to specific aspects of health information security. Annex C discusses the advantages of support tools as an aid to implementation.”
The standard has value beyond the intended audience. For example, advice on defining the scope, analyzing gaps and establishing an Information Security Management Forum would apply to many organizations implementing ISO27k. The advice on risk management draws heavily on ISO/IEC TR 13335 and goes beyond that provided in ISO/IEC 27002. Even governance merits a few mentions.
Status of the standard
The standard was published in 2008.
It is currently being revised to align with the 2013 versions of ISO/IEC 27001 and 27002. The new version is at DIS stage so may be published at the end of 2015, more likely in 2016.
This standard was developed and published by ISO technical committee TC215 responsible for health informatics, rather than JTC1/SC 27, the joint ISO + IEC committee responsible for ISO27k. Whether ISO 27799 is strictly a part of the ISO/IEC 27000 series standards is a moot point: it make little difference to users.
Turf wars aside, it is curious that the TC215 seems to have worked in parallel on this, rather than collaborating with the SC 27 team working on 27002. Maybe they approached the editors of 27002 but were spurned? Perhaps it didn’t occur to them to collaborate. Perhaps they felt 27002 is perfectly self-explanatory, and they were ideally placed to put the health industry spin on it. I have no idea.
The standard is written like an implementation guideline/book, something an experienced consultant might espouse. It offers pragmatic advice - nuggets of wisdom such as (from the draft of section 184.108.40.206):
“In theory, ISO/IEC 27002 can be applied to whole organizations. However, experience from implementations in the UK and elsewhere has shown that very large units struggle to complete the work involved and to deliver the necessary level of compliance in one attempt. Compliance scopes that cover no more than two to three sites or approximately 50 staff or approximately ten processes have been found to work very well. For this reason, primary care practices, clinics, home visit teams, hospital specialties and directorates, etc., all make effective scopes. An incremental and iterative process is thus typically followed to achieve total coverage and full benefit. The prospects for achieving such results ought not to be undermined by the selection of an overly broad compliance scope. However, where third-party providers of IT services are employed, “Management of IT Services Delivery” has been widely adopted as a scope for compliance, with considerable success. In health organizations, as elsewhere, activity in recent years has successfully moved information security from being a technical or “back-office” function to being a prominent corporate responsibility. In healthcare, the extensive interdependency of functions makes scope definition a challenge. For this reason, it is all the more important to get it right.”
As you can see, the style is quite verbose, at one point stating that implementing ISO/IEC 27002 is not simply a matter of following a checklist. How true!