Topic-specific policies
ISO 27799

Search this site

ISMS templates

< Previous standard      ^ Up a level ^      Next standard >


ISO 27799:2016 — Health informatics — Information security management in health using ISO/IEC 27002 (second edition)



“ISO 27799:2016 gives guidelines for organisational information security standards and information security management practices including the selection, implementation and management of controls taking into consideration the organisation's information security risk environment(s).
It defines guidelines to support the interpretation and implementation in health informatics of ISO/IEC 27002 and is a companion to that International Standard.
ISO 27799:2016 provides implementation guidance for the controls described in ISO/IEC 27002 and supplements them where necessary, so that they can be effectively used for managing health information security. By implementing ISO 27799:2016, healthcare organisations and other custodians of health information will be able to ensure a minimum requisite level of security that is appropriate to their organisation's circumstances and that will maintain the confidentiality, integrity and availability of personal health information in their care.
It applies to health information in all its aspects, whatever form the information takes (words and numbers, sound recordings, drawings, video, and medical images), whatever means are used to store it (printing or writing on paper or storage electronically), and whatever means are used to transmit it (by hand, through fax, over computer networks, or by post), as the information is always be appropriately protected.
ISO 27799:2016 and ISO/IEC 27002 taken together define what is required in terms of information security in healthcare, they do not define how these requirements are to be met. That is to say, to the fullest extent possible, ISO 27799:2016 is technology-neutral. Neutrality with respect to implementing technologies is an important feature. Security technology is still undergoing rapid development and the pace of that change is now measured in months rather than years. By contrast, while subject to periodic review, International Standards are expected on the whole to remain valid for years. Just as importantly, technological neutrality leaves vendors and service providers free to suggest new or developing technologies that meet the necessary requirements that ISO 27799:2016 describes.
As noted in the introduction, familiarity with ISO/IEC 27002 is indispensable to an understanding of ISO 27799:2016.
The following areas of information security are outside the scope of ISO 27799:2016:
a) methodologies and statistical tests for effective anonymization of personal health information;
b) methodologies for pseudonymization of personal health information (see Bibliography for a brief description of a Technical Specification that deals specifically with this topic);
c) network quality of service and methods for measuring availability of networks used for health informatics;
d) data quality (as distinct from data integrity).”
[Source: ISO webpage for this standard]


This standard offers guidance on information security management and information security controls in the context of the healthcare industry and medical organisations of various kinds - hospitals, labs, surgeries, medical insurers etc.


Scope and purpose

An extract from the introduction further explains the purpose:

    “This International Standard provides guidance to healthcare organisations and other custodians of personal health information on how best to protect the confidentiality, integrity and availability of such information by implementing ISO/IEC 27002. Specifically, this International Standard addresses the special information security management needs of the health sector and its unique operating environments. While the protection and security of personal information is important to all individuals, corporations, institutions and governments, there are special requirements in the health sector that need to be met to ensure the confidentiality, integrity, auditability and availability of personal health information. This type of information is regarded by many as being among the most confidential of all types of personal information. Protecting this confidentiality is essential if the privacy of subjects of care is to be maintained. The integrity of health information must be protected to ensure patient safety, and an important component of that protection is ensuring that the information’s entire life cycle be fully auditable. The availability of health information is also critical to effective healthcare delivery. Health informatics systems must meet unique demands to remain operational in the face of natural disasters, system failures and denial-of-service attacks. Protecting the confidentiality, integrity and availability of health information therefore requires health-sector-specific expertise ... It is not intended to supplant ISO/IEC 27002 or ISO/IEC 27001. Rather, it is a complement to these more generic standards ... Annex A describes the general threats to health information. Annex B briefly describes other standards that can be applied to specific aspects of health information security. Annex C discusses the advantages of support tools as an aid to implementation.”

Whereas the stated scope is health, the standard has value beyond the intended audience. For example, advice on defining the scope, analysing gaps and establishing an Information Security Management Forum would apply to many organisations from other industry sectors implementing ISO27k. The advice on risk management draws heavily on ISO/IEC TR 13335 and goes beyond that provided in ISO/IEC 27002. Even governance merits a few mentions.


Status of the standard

The standard was first published in 2008.

The second edition, updated to reflect the 2013 releases of ISO/IEC 27001 and ‘27002, was published in 2016.

It has been proposed to adopt this standard formally into the ISO27k family as a sector-specific standard under SC 27.


Personal comments

This standard was developed and published by ISO technical committee TC215 responsible for health informatics, rather than JTC 1/SC 27, the joint ISO + IEC committee responsible for ISO27k. Whether ISO 27799 is strictly a part of the ISO/IEC 27000 series standards is a moot point: it make little difference to users either way.

Turf wars aside, it is curious that the TC215 seems to have worked in parallel on this, rather than collaborating with the SC 27 team working on 27002. Maybe they approached the editors of ‘27002 but were spurned? Perhaps it didn’t occur to them to collaborate. Perhaps they felt ‘27002 is perfectly self-explanatory, and they were ideally placed to put the health industry spin on it. I have no idea.

The standard reads like an implementation guideline/book, something an experienced consultant might espouse. It offers pragmatic advice - nuggets of wisdom such as (from section

    “In theory, ISO/IEC 27002 can be applied to whole organisations. However, experience from implementations in the UK and elsewhere has shown that very large units struggle to complete the work involved and to deliver the necessary level of compliance in one attempt. Compliance scopes that cover no more than two to three sites or approximately 50 staff or approximately ten processes have been found to work very well. For this reason, primary care practices, clinics, home visit teams, hospital specialties and directorates, etc., all make effective scopes. An incremental and iterative process is thus typically followed to achieve total coverage and full benefit. The prospects for achieving such results ought not to be undermined by the selection of an overly broad compliance scope. However, where third-party providers of IT services are employed, “Management of IT Services Delivery” has been widely adopted as a scope for compliance, with considerable success. In health organisations, as elsewhere, activity in recent years has successfully moved information security from being a technical or “back-office” function to being a prominent corporate responsibility. In healthcare, the extensive interdependency of functions makes scope definition a challenge. For this reason, it is all the more important to get it right.”

As you can see, the style is quite verbose, at one point stating that implementing ISO/IEC 27002 is not simply a matter of following a checklist. How true!

The 2016 version continues in the vein of helping users interpret and apply the ISO/IEC 27002:2013 controls in the context of a medical/healthcare organisation.


< Previous standard      ^ Up a level ^      Next standard >

Copyright © 2022 IsecT Ltd.