Tuesday, June 9, 2009

ITsec in healthcare - ISO 27799

I recently ordered a copy of ISO 27799 "Information security management in health using ISO/IEC 27002" because I was curious about its content and had applied to some positions in healthcare organisations. I am fully happy with it, and I'll tell you why: it goes further than the ISO 27001 and 27002 norms, and it also gives examples and diagrams around these norms. So I think it would be a good read even for someone outside the field of healthcare.

Let me summarize it in my own way. The main parts, as I would divide them:
  1. Introduction on healthcare
  2. Lexicon of concepts around ITsec and around healthcare
  3. What's specific in the ITsec of healthcare?
  4. An action plan for an ISMS "How to be concrete [and successful] in ISO 27001?"
  5. A review of ISO 27002 control points and what's specific for them in healthcare.
With that short summary done, here are my reading notes on what is so specific about healthcare:
  • Because hospitals and clinics are open places, because of mobility constraints, and because medical hardware is expensive, threats related to the physical security of the information system (IS) carry a high risk.
  • There is a very low level of homogeneity, both in hardware and in the practices for using it.
  • There is a devoted and experienced staff, both in IT and in medicine, which makes insider threats lower and makes cooperation between IT and non-IT people easier.
  • Because a good diagnosis draws on many types of data about the patient, patient databases are huge and thus an extremely valuable target.
  • The broad interdependency of functions, necessary for the good handling of health issues, makes the IS and IT processes extremely complex. It is therefore almost impossible to consider a security initiative on the whole of the IS at once, or at least impossible to have it succeed.
  • Thus, well-defined domains of application (scopes) for a security initiative are needed. Examples are given of adequate sizes for such a domain:
    • 2 or 3 remote sites
    • 50 employees
    • 10 processes
  • Because of the importance of health itself, and of public opinion, the monetary cost of a project is rarely the first decision factor.
(I can't wait to get started.)

4 comments:

  1. Christophe, I'm also working on a project with one of the provincial health ministries in Canada to determine where they are with Information Security and where they want to go with it. I'm using a questionnaire based on 27002 to answer the "where they are" part but we are struggling with what targets we should be setting for a Health Industry. The levels we are using to measure with are the 0 to 5 capability maturity model (CMM) from Carnegie Mellon University. I've used the extra verbiage and action verbs (must/should/may) in 27799 as one measure of what is most important in 27002. Have you ever seen anything as a standard that would state what levels a health industry should target for each of the many security objectives in 27002?

  2. Yes, I have. In France, the Public Health Ministry and the Prime Minister's Office publish such recommendations/regulations, which hospitals and other medical institutions have to implement within a defined timeframe.

    Overall there are three main sources of regulations, though all in French:
    - The "confidentiality decree", which states strict regulations that need to be enforced in hospitals about the handling of medical data. You can read about it in the six pages here.
    - The High Authority for Health that publishes a manual with recommendations on all matters, not only IT.
    - All usual laws that apply to IT, especially those of the "IT and Liberty Commission".

    (If you don't speak French :-/ )

    Besides, I would recommend, above all, having a look at the other internal policies of the ministry you are working for, in which you will find an at least implicit valuation of the abstract criteria of ITsec:
    - IT policies
    - Risk management policies
    - Things related to ethics, patients care, privacy concerns, etc.

  3. I read "un peu de français" and with the help of google translation was able to get a good idea of the document content that you provided links to, thanks.

    I'm being pressured by the director to find something that gives a 0 to 5 target number based on the Capability Maturity Model (CMM) from Carnegie Mellon University (actually their model is 1 to 5 and we added 0 as non-existent ... which also removes 3 as the "middle of the road" which people tend to select too often). See http://en.wikipedia.org/wiki/Capability_Maturity_Model.

    I've used the questionnaire I mentioned to come up with values for "where we are" (0 to 5) with all objectives of the ISO 27002 standard. Now, to present to the top executives, the director I report to wants to show them the target level (0 to 5) that we have to move towards ... that is the gap analysis. Have you seen anything as "pre-canned" as that?

    My feedback to him has been that we have to base this on our needs, which can be found only through a risk assessment. Any other thoughts you might have on this would be helpful.

  4. Good evening Don,
    If you're trying to get some source of values between zero and five for the eleven dimensions of ISO 27002 (plus 27001 and 27005 would also be good), sorry, I have none. Nothing as pre-canned as that.
    A risk assessment is one possibility. I would point out that risk scenarios do not fall from the sky and may not be the most appropriate ones the first time.

    In any organization I've been through, you can almost get a first round of the biggest problems to fix just by speaking with admins. They know the things that they hide from the bosses or that the bosses have forgotten or judged unimportant.
    You also have the technical source: patches, pentesting, etc.
    You also have the organizational source: watch what processes they have, how they are organized, how well they respect their procedures. Find where they do not respect them and deduce where they are vulnerable.

    Also another good source of information for setting acceptable levels is having a value for assets so that you can decide how much you can spend on securing them.

    And finally, I would say that you should look at establishing community links with other health ministries' IT services, so that you can share best practices and evaluate your level against similar situations.
