Antonio Jose Segovia
June 13, 2016
More and more hospitals are interested in protecting their patient information, but they see ISO 27001 as not being specific enough. Although it covers many general aspects of information security, you can integrate it with other standards to cover specific aspects – for example, ISO 27799 for the protection of personal health information. This integration works in the same way as the integration of ISO 27001 with ISO 27002.
The main objective of ISO 27799 is to provide security controls to protect personal health information. It’s actually using the ISO 27002 controls, adapted to a health environment. But, you will also need ISO 27001. Let me explain that in the next point. (See also: ISO 27001 vs ISO 27002.)
One more thing should be clarified – the latest version of the ISO 27799 standard is not aligned with the current versions of ISO 27001:2013 and ISO 27002:2013, because ISO 27799 (whose latest version dates from 2008) explicitly refers to ISO 27002:2005. A mapping can still be made, because there are few changes between ISO 27002:2005 and ISO 27002:2013. This article can help you: Main changes in the new ISO 27002.
By the way, in the USA there is HIPAA (Health Insurance Portability and Accountability Act), which regulates the use and disclosure of protected health information. This regulation has many points in common with ISO 27799, so you can use this standard to work towards HIPAA compliance, but you need to fulfill more specific requirements to be HIPAA compliant (for example, rules specifically related to privacy). And, vice versa: if you have implemented HIPAA, you need to fulfill a few more requirements to be ISO 27799 compliant (for example, information security incident management).
The main similarity between both standards is that they talk about an ISMS and security controls, but the main difference is that ISO 27799 does not define ISMS requirements (it’s ISO 27001 that defines requirements for the risk assessment & treatment, SoA, etc.). ISO 27799 is only a code of best practices – like ISO 27002 – and is mainly focused on the security controls. By the way, in ISO 27001 the security controls are included in an Annex, while in ISO 27799 the security controls are a fundamental part of the standard.
Therefore, in a health environment you can implement an Information Security Management System (based on ISO 27001), and implement the ISO 27799 security controls (which, as you just learned, really are the ISO 27002 controls but adapted to a health environment).
Hospitals, as well as any other type of organization, also have a technological infrastructure, information systems and applications that may be vulnerable, and they manage personal health information, so there are also risks that must be managed.
ISO 27001 is a standard that establishes requirements for an Information Security Management System, and can be integrated with other standards like ISO 27002 to implement security controls, but in a health environment ISO 27799 provides specific security controls, so in this case the integration of ISO 27001 and ISO 27799 makes sense.
ISO 27001 and ISO 27002 are not specifically developed for a health environment (or any other environment), but in ISO 27799 we have a list of specific threats for this sector, which can be found in Annex A. They are listed below:
The consequences of the materialization of these threats can be disastrous, not only for the image of the hospital, but also for the health of the patient. We can imagine what would happen in a hospital where everything depends on information systems (generation and storage of radiographs, health systems connected to the network, etc.) if those systems stopped working due to technical failures, or did not work properly. Imagine a patient who has suffered a serious accident and urgently needs an x-ray, but the system does not work because of a failure caused by malicious software.
Hospitals worry about the health of their patients because their main mission is to cure diseases or medical conditions, but they should also be concerned about personal health information, since, as we have seen in this article, there are many threats which, if realized, could damage the image of the hospital or, in the worst cases, even cause irreparable damage to the health of their patients.
So, the health sector should be happy, because it can use an international standard with the prestige of ISO 27001 to implement the ISO 27799 security controls, in order to protect the personal health information. Obviously, the health of the people and the information related to their health are very important.
If you would like to learn more about ISO 27001 and its requirements, use our free online courses ISO 27001 Online Courses.