ISO 27799:2016 — Health informatics — Information security management in health using ISO/IEC 27002 (2nd edition)
This standard provides guidance on information security management and information security controls for organizations in the healthcare industry – such as hospitals, labs, surgeries, and healthcare insurers.
(Part of) the abstract from the ISO website is as follows:
“ISO 27799:2016 gives guidelines for organizational information security standards and information security management practices including the selection, implementation and management of controls taking into consideration the organization’s information security risk environment(s). It defines guidelines to support the interpretation and implementation in health informatics of ISO/IEC 27002 and is a companion to that International Standard.
ISO 27799:2016 provides implementation guidance for the controls described in ISO/IEC 27002 and supplements them where necessary so that they can be effectively used for managing health information security. By implementing ISO 27799:2016, healthcare organizations and other custodians of health information will be able to ensure a minimum required level of security that is appropriate to their organization’s circumstances and that will maintain confidentiality, integrity and availability of personal health information in their care. It applies to health information in all its aspects, whatever form the information takes (words and numbers, sound recordings, drawings, video, and medical images), whatever means are used to store it (printing or writing on paper or storage electronically), and whatever means are used to transmit it (by hand, through fax, over computer networks, or by post), as the information is always appropriately protected.
Combined, ISO 27799:2016 and ISO/IEC 27002 set out what is required in terms of information security in healthcare, but do not specify how these requirements are to be met. That is to say, to the fullest extent possible, ISO 27799:2016 is technology-neutral …”
Scope and objectives
A further explanation of the purpose is given in the introduction:
“This International Standard guides healthcare organizations and other custodians of personal health information on how best to protect the confidentiality, integrity and availability of such information by implementing ISO/IEC 27002. Specifically, this International Standard addresses the special information security management needs of the health sector and its unique operating environments. While the protection and security of personal information are important to all individuals, corporations, institutions and governments, there are special requirements in the health sector that need to be met to ensure the confidentiality, integrity, suitability and availability of personal health information. This type of information is regarded by many as being among the most confidential of all types of personal information. Protecting this confidentiality is essential if the privacy of subjects of care is to be maintained.
The integrity of health information must be protected to ensure patient safety, and an important component of that protection is ensuring that the information’s entire life cycle be fully auditable. The availability of health information is also critical to effective healthcare delivery. Health informatics systems must meet unique demands to remain operational in the face of natural disasters, system failures and denial-of-service attacks. Protecting the confidentiality, integrity and availability of health information, therefore, requires health-sector-specific expertise … It is not intended to supplant ISO/IEC 27002 or ISO/IEC 27001. Rather, it is a complement to these more generic standards … Annex A describes the general threats to health information. Annex B briefly describes other standards that can be applied to specific aspects of health information security. Annex C discusses the advantages of support tools as an aid to implementation.”
Though the standard’s declared scope is health, its value extends beyond the intended audience: its advice on defining the scope, analyzing gaps and establishing a Security Management Forum would apply to a wide variety of companies in other industries implementing ISO27k. Besides ISO/IEC 27002, it places emphasis on ISO/IEC TR 13335 for advice on risk management, and it also says a few words about governance.
The standard’s status
In 2008, the standard was published for the first time.
In 2016, the second edition was published, which reflected the 2013 amendments to ISO/IEC 27001 and 27002.
It has been proposed that the standard be formally included in ISO27k as a sector-specific standard under SC 27.
Unlike the ISO27k standards, which come from the joint ISO/IEC committee SC 27, this standard was produced by ISO technical committee TC215, which is responsible for health informatics. For users it makes little difference whether ISO 27799 is strictly part of the ISO/IEC 27000 series or not.
Turf wars aside, it is curious that TC215 worked on 27002 in parallel with SC27 rather than collaboratively. Perhaps they approached 27002’s editors and were turned down? Perhaps collaborating simply did not occur to them. Or perhaps they felt that 27002 is self-explanatory and that they were ideally suited to explain it from the health industry’s perspective. I have no way of telling.
Reading the standard is like reading a guidebook of the kind a consultant might recommend. It presents pragmatic advice, including the following passage on choosing a compliance scope:
“In theory, ISO/IEC 27002 can be applied to whole organizations. However, experience from implementations in the UK and elsewhere has shown that very large units struggle to complete the work involved and to deliver the necessary level of compliance in one attempt. Compliance scopes that cover no more than two to three sites or approximately 50 staff or approximately ten processes have been found to work very well. For this reason, primary care practices, clinics, home visit teams, hospital specialities and directorates, etc., all make effective scopes. An incremental and iterative process is thus typically followed to achieve total coverage and full benefit. The prospects for achieving such results ought not to be undermined by the selection of an overly broad compliance scope. However, where third-party providers of IT services are employed, “Management of IT Services Delivery” has been widely adopted as a scope for compliance, with considerable success. In health organizations, as elsewhere, activity in recent years has successfully moved information security from being a technical or “back-office” function to being a prominent corporate responsibility. In healthcare, the extensive interdependency of functions makes scope definition a challenge. For this reason, it is all the more important to get it right.”
The style is very verbose, as you can see; at one point the standard states that implementing ISO/IEC 27002 is not as simple as checking boxes. How true!
The 2016 edition guides users in interpreting and applying ISO/IEC 27002 in the context of medical organizations.