Tuesday, June 9, 2009

ITsec in healthcare - ISO 27799

I recently ordered a copy of ISO 27799, "Information security management in health using ISO/IEC 27002", because I was curious about its content and because I had applied to some positions in health organizations. I am fully happy with it, and I'll tell you why: it goes further than the ISO 27001 and 27002 standards, and it also gives examples and diagrams around those standards. So I think it would be a good read even for someone outside the field of healthcare.

Let me summarize it my own way. The big parts I would divide it into:
  1. Introduction on healthcare
  2. Lexicon of concepts around ITsec and around healthcare
  3. What's specific in the ITsec of healthcare?
  4. An action plan for an ISMS: "How to be concrete [and successful] with ISO 27001?"
  5. A review of the ISO 27002 control points and what's specific about them in healthcare.
With that little summary done, here are my reading notes on what's so specific about healthcare:
  • Because hospitals and clinics are open places, because of mobility constraints, and because medical hardware is expensive, threats to the physical security of the IS carry a high risk.
  • There is a very low level of homogeneity, both in the hardware and in the practices for using it.
  • The staff, both in IT and on the medical side, is devoted and experienced, which lowers the insider threat and makes cooperation between IT and non-IT people easier.
  • As a good health diagnosis includes various types of data about the patient, the patient databases are huge and thus an extremely valuable target.
  • Because of the broad interdependency of functions, which is necessary for the good handling of health issues and makes the IS and IT processes extremely complex, it's almost impossible to consider a security initiative on the whole IS at once. Or at least it's impossible to have it succeed.
  • Thus, good domains of application for a security initiative need to be defined. Examples are given of adequate sizes for such domains:
    • 2 or 3 remote sites
    • 50 employees
    • 10 processes
  • Because of the importance of health itself and of public opinion, the monetary cost of a project is rarely the first decision factor.
(I can't wait to get started.)