Use of 17799 Framework in Health Information Security ... - ICMCC

icmcc.org

Use of 17799 Framework in Health Information Security Management

Luuc Posthumus

Data Protection Officer, AMC Amsterdam

3 June 2004


Agenda

1. EHR security and the use of frameworks

2. 17799 at first and second glance

3. Healthcare use of 17799

a. By an organisation

b. On a regional or national scale

c. In international standards development


1.a EHR and security

• Shared

– Care

– Records

– Responsibilities

• Common

– Security concepts

– Security management

• To trust or not to trust …


1.b The use of frameworks

• Consistency between viewing angles

• Scalability and modularity

• Positioning elements

• Locating duplications

• Detecting conflicts

• Finding gaps

‣ Good to have, but hard to build and use


Framework for EHR security

• ISO DTR 21089 Health informatics: Trusted end-to-end information flows

Descriptive framework:

‣ 11 positions (stages) in record life span

1. Definition

2. Origination

3. Amendment

4. Translation

5. Access/use

6. De-identification

7. Summarization

8. Report

9. Receipt

10. Archival

11. Destruction


Key points in information flow


Example: Point of record access


2. Security management framework

1. Information security policy

2. Organisational security

3. Asset classification and control

4. Personnel security

5. Physical and environmental security

6. Communications and operations management

7. Access control

8. Systems development and maintenance

9. Business continuity management

10. Compliance


Code of Practice

• ISO/IEC 17799:2000

– 36 control objectives in 10 sections

– Detailed in 127 specific controls to preserve:

‣ Confidentiality

‣ Integrity

‣ Availability

• Trust between business partners

– Requires certified compliance


Information Security Management System

Plan:

• Scope

• Policy

• Risks

• Relevance of controls

• Statement of Applicability


3.a Starting to implement 17799

Information Security: AMC priority (1999)

– Intended multi-pass project

– Initial pass:

‣ Limited scope

‣ Limited number of relevant controls

‣ Clarify responsibilities

‣ Gap analysis

‣ Improvements started

‣ ………..

• To be continued …


3.b NL use of 17799 for HISMS

• NL-standard NEN 7510:2004

Information security in the Healthcare Sector

– Based on ISO 17799 and CEN ENV 12924

– Focus on healthcare specifics and localised

– Implementation guidelines for 7 types of organisation

• New legislation will require compliance

– Implementation directives to replace guidelines

– Audit requirements and certification schemes


3.c ISO Healthcare uses 17799

• New work item in ISO/TC215/WG4

Health Informatics - Security Management in Health using ISO/IEC 17799:2000

Healthcare risks and requirements

– Action plan for implementing 17799

– Assurance options and potential benefits

Healthcare implications and considerations of 17799

• Working Draft expected soon

• CEN-ISO convergence


Framework for security standards

17799 useful to position security issues:

– Policy management

– Authentication

– Access Control

– Role assignment

– Communication security

– Application security

– …
