ISO 27799 under ISO 27001 serves the healthcare sector
Jessica Doering

February 23, 2024


Information Security Management in Healthcare - ISO 27799 under ISO 27001

Information security of all types of data in healthcare is one of the most debated topics when it comes to protecting personal information! So how can you ensure as best as possible that they are protected or properly used and managed? Of course with THE information security standard herself - ISO 27001!

So, how does ISO 27001 handle healthcare on a daily basis? Ask her grandchild ISO 27799!

It carries the official title: "Health informatics — Information security management in health using ISO/IEC 27002"

How is ISO 27799 related to ISO 27001?

ISO 27799 provides guidance to support the implementation of information security controls in healthcare organizations based on ISO 27002. Ah yes, we already know ISO 27002! The firstborn daughter of the queen, ISO 27001, the guardian of the ISO 27k family!

One line on that: Vulnerability Management, also known as ISO 27002, is a detailed supplemental guide to the security controls in ISO 27001. Important to know: you can't get ISO 27002 certified, because she is her mother's first soldier and doesn't even want the throne! But some of her children have that opportunity... Let's see.

Be smart and read this ISO 27002 blog before reading on further here. If you are already familiar with the ISO 27k family, keep reading.

To stay with our family hierarchy: ISO 27799 is one of the many kids of ISO 27002 (the mother of the controls), so ISO 27001 is her grandmother.

Just to clarify: every member of the ISO 27k family can contribute to an organization's ISO 27001 certification as needed, but not every member receives an invite to every audit party. A financial organization does not have to deal with ISO 27799 at all; it negotiates with other members of the ISO 27k family instead.

ISO 27799 is specifically for the healthcare sector! Period. 

By the way, my God, this matriarchy is huge! BEAST... it's like a couple of lost ISO 27k grandchildren popping up out of nowhere...

But this grandchild doesn't appear out of nowhere. And it wasn't even lost... Basically, as already mentioned, ISO 27799 serves as a tool to protect personal health information. So this one is busy working in a damn big industry and doesn't have time to show up at all the family celebrations that come up during the year. Even the name "27799" already sounds like an outsider who lives in the woods and works from home. Wonderful :).

What is ISO 27799?

Official wording of the International Organization for Standardization: "ISO 27799 gives guidelines for organizational information security standards and information security management practices including the selection, implementation and management of controls taking into consideration the organization's information security risk environment(s)."

ISO 27799 applies to health information in all its facets: regardless of its type (words and figures, sound recordings, drawings, videos, and medical images), regardless of how it is stored (printed or recorded on paper, or stored electronically), and regardless of how it is transmitted (by hand, by fax (yes, that still exists, especially in healthcare), via computer networks, or by mail), because information must always be adequately protected.

"So it defines guidelines to support the interpretation and implementation in health informatics of ISO/IEC 27002 and is a companion to that International Standard."

No no, not a companion, a beloved child ;)!

So, as mentioned often enough above, ISO 27799 provides implementation guidance for the controls described in ISO 27002! And, like ISO 27018 (another kid of ISO 27002), ISO 27799 enhances them where necessary so that they can be used effectively for healthcare information security management.

So ISO 27799 and mom ISO 27002 define what is required in terms of healthcare information security; they don't define how to meet those requirements.

ISO 27799 also remains technology neutral as far as possible. Why, in fact?

Security technology is evolving rapidly! A new tech development pops up every month, and since information security and cyber security will remain the topic of the day and international standards such as ISO are regularly reviewed, the standard cannot prescribe ONE technological solution as a given! Or, even better: insisting on paper documentation for all time! Send help!

Here, too, it is a matter of meeting the particular requirements of the standards. 

And how? That is up to you! Of course, it's best to use an automated solution that evolves just like a company's ISMS does. This is where Secfix comes in.

How much is the healthcare industry worth?

It may sound strange to call healthcare an industry! But it is! The healthcare industry is worth $808 billion in the United States as of 2021. Germany brings 67.9 billion euros to the table, and if you include the rest of the world, the global healthcare industry is worth $12 trillion! Given these numbers, one can only imagine the incredible amounts of data and information involved. 

Given these numbers, the importance of patient data and information should seem "worth it" to you, quite apart from the sensitive content of the patient file... There is a huge amount of money involved here! So many aspects to this topic.

Why is information security management important in healthcare?

Healthcare is different from other industries in many ways. Here, the primary focus is on improving and caring for patients' lives. A "healthy" person certainly can't really understand what anyone would want with his or her illness data. I personally would be interested in that!

Okay, I have health insurance or private insurance and I had a tooth pulled yesterday because I had no idea about Ice Hockey, maybe my blood values or my date of birth are somewhere. What exactly are healthcare hacking attacks about?

Dear hacker, please enlighten me! Identity theft? Or, as is so often the case, simply the challenge? Well, the motives for this may never be fully known...

So healthcare leaders cannot afford to ignore cybersecurity issues. Spending on cyber threats has increased significantly, and executives across the healthcare industry are reporting increasing threats and data breaches.

And as more healthcare facilities begin to store patient information and data using digital methods, it's important to place it under a high level of protection. To ensure patient safety, all of this important information must be protected. It goes without saying that patient data, such as lab reports, is extremely sensitive. Only authorized persons should have access to it!

This is where ISO 27001 comes into play with ISO 27799 in her backpack! IT systems and the associated information security must be in perfect working order for data storage. 

By implementing ISO 27799, health care organizations that handle sensitive information can ensure a minimum level of security. Minimum level? That doesn't sound satisfactory at first. However, the guidelines are adapted to the circumstances of each healthcare organization and in doing so, this very "minimum level" of confidentiality, integrity and availability of managed personal health information is maintained.

And since ISO 27799 is to be understood as an industry-specific supplement to the ISO 27001 standard, she is also part of an ISO 27001 certification: she cannot be achieved alone, she needs her grandmother. Of course, the grandmother is grateful and allows her granddaughter to have her own certificate, but only under her own! It is actually the same as with her brother ISO 27018. Healthcare organizations can get ISO 27799 certification as part of an ISO 27001 certification process.

And since ISO 27799 takes into account the special security requirements of the healthcare sector and, for example, Israel requires an "extra" ISO 27799 certificate for any health institution, there's no getting around ISO 27001 certification. This sounds a bit sobering at first, but let's take a look.

There are reasons why ISO 27001 certification is still "the choice". So let's check out the benefits! 

Benefits of ISO 27001 and ISO 27799 in the healthcare sector

The increasing reliance of almost all organizations on digital technologies has led to more attention being paid to ISO standards in healthcare. For example, "HIPAA compliance" has been put in place to protect patients' private medical data from any kind of threat. But wait. HIPAA is more of a United States thing. HIPAA regulations must be followed by all U.S. healthcare providers who transmit health data in electronic form. So let's put HIPAA aside for a moment.

By building ISO 27001-certified information security management systems, all types of organizations are demonstrating their commitment to protecting all of their business data.

Healthcare is no different. Customers, referred to here as patients, want to know that their data is properly protected, whether it's written on paper, stored on digital platforms or in the minds of employees. 

The benefits of this standard apply to all healthcare organizations, regardless of their size, type or level of complexity. 

Healthcare organizations equally, or especially, have technology infrastructures, information systems, and information assets that are highly sensitive and vulnerable. ISO 27799 (as part of ISO 27001) will help these organizations securely manage the personal data they process.

  • An active approach to properly manage and protect critical data is defined, with an understanding of the relationship between the components of information security controls.
  • Implementing and managing ongoing information security controls based on ISO 27799 facilitates the regulation, management and proper handling of all data within a healthcare organization.
  • Risks associated with inadequate data processing can be quickly identified and thus also immediately mitigated. Read more about this topic: ISO 27005.
  • In the event of an information security incident, business operations continue.
  • Compliance with applicable national and international regulations.
  • Patients, authorities and all other stakeholders can be sure that their sensitive data is protected in the best possible way.


Jessica Doering

Jess is the marketing mind at Secfix. She loves every dog on this planet and is especially open-minded for any future-oriented inspiring humans and things that cross her path.
