ISO/IEC 27799
ISO 27799 - Health informatics — Information security management in health using ISO/IEC 27002 (final draft)

Despite its numbering, ISO 27799 has been developed by ISO committee TC215 responsible for health informatics, rather than JTC1/SC27, the joint ISO + IEC committee responsible for the ISO/IEC 27000 Family of Standards (“ISO27k”). Strictly speaking, therefore, ISO 27799 is not formally an ISO27k standard.

Extracts and comments added 7th May. An extract from the (draft) introduction explains the purpose:

    “This International Standard provides guidance to healthcare organizations and other custodians of personal health information on how best to protect the confidentiality, integrity and availability of such information by implementing ISO/IEC 27002. Specifically, this International Standard addresses the special information security management needs of the health sector and its unique operating environments. While the protection and security of personal information is important to all individuals, corporations, institutions and governments, there are special requirements in the health sector that need to be met to ensure the confidentiality, integrity, auditability and availability of personal health information. This type of information is regarded by many as being among the most confidential of all types of personal information. Protecting this confidentiality is essential if the privacy of subjects of care is to be maintained. The integrity of health information must be protected to ensure patient safety, and an important component of that protection is ensuring that the information’s entire life cycle be fully auditable. The availability of health information is also critical to effective healthcare delivery. Health informatics systems must meet unique demands to remain operational in the face of natural disasters, system failures and denial-of-service attacks. Protecting the confidentiality, integrity and availability of health information therefore requires health-sector-specific expertise ... It is not intended to supplant ISO/IEC 27002 or ISO/IEC 27001. Rather, it is a complement to these more generic standards ... Annex A describes the general threats to health information. Annex B briefly describes other standards that can be applied to specific aspects of health information security. Annex C discusses the advantages of support tools as an aid to implementation.”

The standard is written like an implementation guideline/book, something an experienced consultant might espouse. It offers pragmatic advice - nuggets of wisdom such as (from the draft of 6.4.1.1):

    “In theory, ISO/IEC 27002 can be applied to whole organizations. However, experience from implementations in the UK and elsewhere has shown that very large units struggle to complete the work involved and to deliver the necessary level of compliance in one attempt. Compliance scopes that cover no more than two to three sites or approximately 50 staff or approximately ten processes have been found to work very well. For this reason, primary care practices, clinics, home visit teams, hospital specialties and directorates, etc., all make effective scopes. An incremental and iterative process is thus typically followed to achieve total coverage and full benefit. The prospects for achieving such results ought not to be undermined by the selection of an overly broad compliance scope. However, where third-party providers of IT services are employed, “Management of IT Services Delivery” has been widely adopted as a scope for compliance, with considerable success. In health organizations, as elsewhere, activity in recent years has successfully moved information security from being a technical or “back-office” function to being a prominent corporate responsibility. In healthcare, the extensive interdependency of functions makes scope definition a challenge. For this reason, it is all the more important to get it right.”

As you can see, the style is quite verbose, at one point stating that implementing ISO/IEC 27002 is not simply a matter of following a checklist. How true!

The standard has value beyond the intended audience. For example, advice on defining the scope, analyzing gaps and establishing an Information Security Management Forum would apply to many organizations implementing ISO27k. The advice on risk management draws heavily on ISO/IEC TR 13335 and goes beyond that provided in ISO/IEC 27002. Even governance merits a few mentions.

[FWIW, speaking personally, I have a few relatively minor concerns with the FDIS version, mostly relating to the use of specific ISO reserved terms such as “shall” and “must” in section 7, but overall I feel this guideline will be beneficial to the health sector.]

Copyright © 2008 IsecT Ltd.