8/14/2019 Information Security Standards for Health Information Systems the Implementers Approach


Copyright 2011, IGI Global. Copying or distributing in print or electronic forms without written permission of IGI Global is prohibited.

Chapter 6

Information Security Standards for Health Information Systems: The Implementers Approach

Evangelos Kotsonis
Adacom SA, Greece

Stelios Eliakis
Athens University of Economics and Business, Greece

Abstract

Current developments in the field of integrated treatment show the need for IS security approaches within the healthcare domain. Health information systems are called to meet unique demands to remain operational in the face of natural disasters, system failures and denial-of-service attacks. At the same time, the data contained in health information systems are strictly confidential and, due to the ethical, judicial and social implications in case of data loss, health related data require extremely sensitive handling. The purpose of this chapter is to provide an overview of information security management standards in the context of health care information systems and focus on the most widely accepted ISO/IEC 27000 family of standards for information security management. At the end of the chapter, a guide to develop a complete and robust information security management system for a health care organization will be provided, by mentioning special implications that are met in a health care organization, as well as special considerations related to health related web applications. This guide will be based on special requirements of ISO/IEC 27799:2008 (Health informatics: Information security management in health using ISO/IEC 27002).

DOI: 10.4018/978-1-61692-895-7.ch006

Introduction

While security of personal information is considered important to all individuals, corporations, institutions and governments, there are special requirements in the health sector that need to be met to ensure confidentiality, integrity, auditability and availability of personal health information. This type of information is considered by many as the most security demanding, since confidentiality, availability and integrity are considered to be critical for such information in several contexts and environments. Protecting confidentiality is essential if the privacy of subjects of care is to be maintained. Integrity of health information must be protected to ensure patient safety, and an important component of this protection is ensuring that the information's entire life cycle is fully auditable. Availability of health information is also critical to effective health care delivery.

Because of the critical nature of the requirements that characterize health care information, all health organizations should examine whether they have established information systems that satisfy privacy, safety, security and availability requirements, regardless of their size, location and model of service delivery (Sunyaev, 2009).

When addressing these special information security needs of the health sector, a security approach should accordingly take into consideration the unique operating environment in health organizations (ISO 27799:2008). If the understanding of the security requirements is not the same for all involved parties and the security mechanisms that will be implemented do not comply with some globally accepted rules and practices, then the system that will be designed will not necessarily achieve the desired security level. Thus, it will be very difficult to interoperate with other systems, which, in the context of health care, could have lethal consequences.

Additionally, it is generally agreed that security issues should be considered very early in an e-health development process, in order to avoid risks and to facilitate the achievement of the overall e-health system (Sunyaev A., 2009). It is therefore clear that the role and contribution of international standards to the design and implementation of security in health care information systems is dominant. Standards-setting and professional regulatory organizations have been busy addressing the problems of medical privacy and the security of healthcare information from their own perspectives, but until recently a unified approach was not available in the form of an international standard focused on managing information security in health organizations. This gap has been filled by ISO/IEC 27799:2008, which was issued by the International Organization for Standardization.

The purpose of this chapter is to provide an overview of information security management standards in the context of health care information systems and focus on the most widely accepted family of standards for information security management, which is the ISO/IEC 27000 family of standards.

In the following section, an overview of standards organizations and standardization processes will be provided. Next, the ISO/IEC 27000 family of standards will be described, with a focus on ISO 27001:2005, ISO 27002:2005 and ISO 27799:2008. At the end of this chapter, a guide to develop a complete and robust information security management system for a health care organization will be provided by mentioning special implications, which are met in a health care organization in general, and special considerations related to health related web applications. This guide will be based on special requirements of ISO/IEC 27799:2008.

Background on Standards and Certifications

Standardization is the process of developing and agreeing upon technical standards. A standard is a document that establishes uniform engineering or technical specifications, criteria, methods, processes, or practices (Tsohou, 2009). Standards may fall into one of the following categories: international standard (a standard adopted by an international standards organization and made available to the general public), European standard (a standard adopted by a European standards organization and made available to the general public), and national standard (a standard adopted by a national standards organization and made available to the general public) (Guijarro, 2009).

The development of standards for software in healthcare has been an essential step for creating architectures for rational health information exchange (Department of Health and Human Services, 2000). Healthcare information technology (HIT) has utilized a number of standards that are considered to be general purpose standards and have been used in other industries for a long time (such as XML for message formats and the ISO/IEC 17799:2005 security standard or the NIST 800 series security framework). In addition, a number of standards have been developed which are used almost exclusively by healthcare. Healthcare IT standards include messaging standards such as the various versions of HL7.

There are at least six principal organizations which have developed health related international standards, including ASTM-E31, ANSI-HL7, CEN-TC 251, ISO-TC 215, NEMA-DICOM, and IEEE. ASTM, the American Society for Testing and Materials based in the United States, is mainly used by commercial laboratory vendors. Its committee E31 is focused on developing e-health standards. ANSI, the American National Standards Institute operating in the United States, is developing HL7, which is a family of standards for the exchange, integration, sharing and retrieval of electronic health information. CEN, the European Committee for Standardization, has formed the Technical Committee CEN/TC 251 Health Informatics, which has created a series of European pre-standards and standards covering the electronic exchange of medical data, principally focused on Electronic Health Records. ISO, the International Organization for Standardization, develops e-health standards through the technical committee ISO TC215, which involves a number of other organizations such as CEN and HL7. The American College of Radiology (ACR) and the National Electrical Manufacturers Association (NEMA) have published DICOM, a standard that addresses the methods for data transfer of digital medical images in the United States. Finally, IEEE, the Institute of Electrical and Electronics Engineers, is establishing a series of standards related to medical device communications.

ISO 27000 Standards for Healthcare Information Systems

Standards set specifications, formats, terminology and other elements to enable information exchange. There are standards which have been developed for the same purpose, offering two or more solutions, but none of them can be considered to be universally acceptable. Thus, it is not easy to select the best or most relevant standard. On the other hand, the existence of multiple standards is also important as it leads to competition and helps promote the quality of the e-health system environment (Chheda, 2008). The International Organization for Standardization (ISO) (Standardization) standards and guides for conformity assessment represent an international consensus on best practices. Their use contributes to the consistency of conformity assessment worldwide and so facilitates trade (Tsohou, 2009).

Information security management is a continuous, everlasting process that allows an organization to achieve the desired level of confidentiality, integrity and availability of its information and services. An information security management system (ISMS) refers to that part of the overall management system, based on a business risk approach, that establishes, implements, operates, monitors, reviews, maintains and improves information security (Tsohou, 2009).

ISO/IEC JTC 1 SC 27 maintains an expert committee dedicated to the development of international management systems standards for information security, also known as the Information Security Management System (ISMS) family of standards. Through the use of the ISMS family of standards, organizations can develop and implement a framework for managing the security of their information assets. Also, organizations can use the standards of the ISMS family to prepare for an independent assessment of their ISMS, applied to the protection of information assets such as financial information, intellectual property, and employee details or information entrusted to them by customers or third parties (ISO/IEC 27000:2009).

The ISMS family of standards that ISO has published is intended to assist organizations of all types and sizes to implement and operate an effective ISMS. Each international standard that belongs to the ISMS family of standards has a specific purpose and contents, which are utilized by the rest of the standards that belong to the family.

The most important international standards of the ISMS family of standards are the following:

- ISO/IEC 27000:2009, Information security management systems: Overview and vocabulary. This standard provides an overview of information security management systems and defines terms which are related to the overall ISMS family of standards (ISO/IEC 27000:2009).

- ISO/IEC 27001:2005, Information security management systems: Requirements. This standard specifies the requirements for establishing, implementing, operating, monitoring, reviewing, maintaining and improving a documented ISMS within the context of the organization's overall business risks (ISO/IEC 27001:2005).

- ISO/IEC 27002:2005, Code of practice for information security management. This standard establishes guidelines and general principles for initiating, implementing, maintaining, and improving information security management in an organization (ISO/IEC 27002:2005).

Additionally, ISO has prepared and published a series of international standards intended to provide guidelines on several aspects of the previously mentioned baseline standards. The most important of these additional standards are the following:

- ISO/IEC 27003:2009, Information security management system implementation guidance. This standard guides the design of an ISO/IEC 27001:2005-compliant ISMS, leading up to the initiation of an ISMS implementation project (ISO/IEC 27003:2009).

- ISO/IEC 27004:2009, Information security management: Measurement. This standard provides measures and measurement methods that can be used to examine the effectiveness of an implemented information security management system (ISMS) and of controls or groups of controls, as specified in ISO/IEC 27001:2005 (ISO/IEC 27004:2009).

- ISO/IEC 27005:2008, Information security risk management. This standard provides guidelines for information security risk management in an organization, supporting in particular the requirements of an ISMS according to ISO/IEC 27001:2005 (ISO/IEC 27005:2008).

Finally, in the context of ISMS, ISO has published a number of industry specific international standards. In the case of healthcare information systems, the corresponding international standard is ISO/IEC 27799:2008. This standard provides guidance specifically focused on healthcare organizations and other custodians of personal health information that will assist them to understand how best to protect the confidentiality, integrity and availability of health related information by implementing ISO/IEC 27002:2005 (ISO/IEC 27799:2008).

In the rest of this section, the three most important international standards are described, as they are the ones which can form the basis for the development of a certified health ISMS.


ISO/IEC 27001:2005

ISO/IEC 27001:2005 is the formal set of specifications against which organizations may seek independent certification of their Information Security Management System (ISMS). It applies to all types of organizations (e.g. commercial enterprises, government agencies), regardless of type, size and nature.

ISO/IEC 27001:2005 specifies requirements for the establishment, implementation, monitoring and review, maintenance and improvement of a management system (an overall management and control framework) for managing an organization's information security risks. For the development of this framework, the standard proposes the application of a system of processes, together with interactions between these processes, and their management. Such a system is further referred to as a process approach, which is structured in the circular Plan-Do-Check-Act (PDCA) model (Tsohou, 2009).

An ISO/IEC 27001:2005 compliant ISMS therefore incorporates several Plan-Do-Check-Act (PDCA) cycles. Information security controls are not merely specified and implemented as one-off activities but are continually reviewed and adjusted to take account of changes in the security threats, vulnerabilities and impact of information security failures, using review and improvement activities, which are also specified within the management system.

The requirements set by ISO/IEC 27001:2005 do not mandate the implementation of specific information security controls. Instead, several security controls are noted in an appendix (annex), with references to ISO/IEC 27002:2005. These security controls are provided indicatively, and organizations adopting ISO/IEC 27001:2005 are free to choose the specific information security controls that are applicable to their particular information security needs.

ISO/IEC 27002:2005

ISO/IEC 27002:2005, the latest version of Information technology - Security techniques - Code of practice for information security management, to give it its full title, is an internationally accepted standard of good practice for information security. Tens or hundreds of thousands of organizations worldwide follow ISO/IEC 27002:2005.

ISO/IEC 27002:2005 is a code of practice: a generic, advisory document, not truly a standard or formal specification such as ISO/IEC 27001:2005. It lays out a reasonably well structured set of suggested controls that can be used to address information security risks, covering confidentiality, integrity and availability aspects (ISO/IEC 27002:2005).

ISO/IEC 27002:2005 is highly interrelated with ISO/IEC 27001:2005, as it provides further details for the implementation of the security controls that are included in the annex of ISO/IEC 27001:2005. It is intended to serve as a single reference point for identifying a range of controls suitable for the different contexts and environments where information systems are used.

The control objectives and controls that ISO/IEC 27001:2005 proposes are intended to meet the requirements identified by a formal risk assessment. Therefore, organizations that adopt ISO/IEC 27002:2005 must first assess their own information security risks and then apply suitable controls, using the standard for guidance (ISO/IEC 27002:2005).

The structure of the best practice includes 39 control objectives, aimed at protecting information assets against threats to confidentiality, integrity and availability. These control objectives indicate what has to be achieved to satisfy 11 specified control clauses. Additionally, for each one of the control objectives, a number of suggested controls is mentioned. These controls are indicative controls that are considered sufficient to achieve each corresponding objective. The implementation of each of these controls is not mandatory; rather, they are mentioned as alternatives to the users during the implementation of the ISMS. The decision on the control that is suitable for each environment should be based on a risk assessment process, and the users are free to mitigate identified risks by implementing controls that are not mentioned in ISO/IEC 27002:2005.

ISO/IEC 27799:2008

The special requirements and the diverse environment of health organizations were taken into consideration by ISO, which in June 2008 published the first final version of ISO/IEC 27799:2008. The purpose of ISO/IEC 27799:2008 is to provide assistance in the development process of an ISMS explicitly in a health organization, based on the guidelines and control objectives that were provided in ISO/IEC 27002:2005.

ISO 27799:2008 defines guidelines to support the interpretation and implementation of ISO/IEC 27002:2005 in health informatics and is a companion to that standard. It specifies a set of detailed controls for managing health information security and provides health information security best practice guidelines (ISO/IEC 27799:2008).

The purpose of ISO/IEC 27799:2008 is not to substitute ISO/IEC 27002:2005 in the context of health care. Rather, it is designed to be used as a focused and fine grained guideline that can be used as a guide to healthcare organizations and other custodians of personal health information, to indicate how to protect confidentiality, integrity and availability of such information by implementing the controls mentioned in ISO/IEC 27002:2005, which is a generic guide.

Health information may be met in different formats (words and numbers, sound recordings, drawings, video and medical images), stored in various media (printing or writing on paper or electronic storage) and transmitted by multiple methods (by hand, via fax, over computer networks or by post). ISO/IEC 27799:2008 applies to health information in all its aspects, whatever the form, media or transmission method, as the utmost objective is the protection of health information (ISO/IEC 27799:2008).

The standard is written like an implementation guideline/book, something an experienced consultant might espouse. The first section of the standard provides an overview of health information security. This overview includes the definition of security goals for health information security, as well as placing information security within information governance, corporate governance and clinical governance. Additionally, in order to define the exact scope of the ISMS that will be developed, ISO/IEC 27799:2008 provides a definition of the health information that should be protected and, finally, it includes a description of threats and vulnerabilities that might affect health information security.

The second section of ISO/IEC 27799:2008 describes a practical action plan for implementing ISO/IEC 27002:2005 in the context of health information security management systems. In this section, a taxonomy of the ISO/IEC 27001:2005 and ISO/IEC 27002:2005 standards is provided, as well as a first definition of the importance of management commitment in the implementation of ISO/IEC 27002:2005. In the rest of the section, the user is provided with guidance on establishing and then operating an ISMS in a health environment, through the creation of a circular Plan-Do-Check-Act (PDCA) model (Tsohou, 2009).

The third section of the standard contains specific advice on the 11 security control clauses and 39 main security control categories described in ISO/IEC 27002:2005, adjusted to the special requirements of health information. Based on these control clauses and objectives, minimum requirements are stated where appropriate and, in a few cases, normative guidelines are set out describing the proper application of certain ISO/IEC 27002:2005 security controls to the protection of health information. These minimum requirements are considered to be essential to the protection of personal health information, and the standard itself states that compliance with these requirements is a prerequisite for achieving compliance with the standard (ISO/IEC 27799:2008).

Finally, the standard contains three informative annexes. In these annexes, the standard initially provides an overview of threats to health information security and how they can affect confidentiality, integrity or availability of information. Apart from these threats, the standard also describes in these annexes specific tasks and related documents that the ISMS under development should contain, and also suggests a set of support tools that could be utilized as an aid to the implementation process.

ISO/IEC 27799:2008: A Practical Approach

The purpose of this chapter is to constitute an explanatory guide on the process of implementing a health ISMS compliant with ISO/IEC 27799:2008. According to ISO/IEC 27000:2009, the establishment, operation, maintenance and improvement of an effective health ISMS should be based on a process based Plan-Do-Check-Act (PDCA) cycle.

The activities and documents mandated for ISO/IEC 27001:2005 certification are described in a generic manner in the standard itself, while a more structured approach with specific steps for each phase of the PDCA cycle is provided in ISO/IEC 27799:2008. In this chapter the structure of activities that is provided by ISO/IEC 27799:2008 is followed, in order to be able to meet the requirements set by both international standards. In the following sections the actions that are included in each phase of the PDCA cycle will be described in detail, intended to provide proper guidance during the implementation of an ISO/IEC 27799:2008 compliant ISMS in a health organization.

Plan

The first phase of the PDCA cycle is the phase where the health ISMS is created and established. All the subsequent phases of each PDCA cycle depend on what is specified, defined and documented in this phase, as this is when the system is defined in terms of environment, boundaries, people involved, status and purpose. The documents that are developed during the planning phase are used as reference, in the form of high level guidelines and policies, for the development of the entire ISMS. Thus, special care and significant effort must be given during this phase.

In the planning phase, six (6) discrete implementation steps can be distinguished. These steps are provided in the following list:

- Obtain and document management support
- Define the scope of the health ISMS
- Define the information security policy
- Create the structure of the ISMS management
- Assess the risks of the organization
- Manage identified risks

Through the actions that are required for each of these steps, certain documents are produced. The generated documents will be used as the basic documentation of the entire ISMS that will be developed.

In the rest of this section, the user will be provided with guidelines for the implementation of the above mentioned steps, and the special requirements that exist in the context of a health organization will be explicitly stated and taken into consideration.

Management Support

It is clearly stated in all international standards that management support is vital for the development of a concrete and operational system with the complexity of an ISMS. Evident support from the management of the health organization is necessary prior to the initiation of the ISMS establishment efforts. Management of the organization must be actively involved in the implementation process and support all efforts by providing strategic instructions and required resources.

The involvement of the management should be documented in the form of written and verbal statements of commitment, in which the importance of health information security and recognition of its benefits should be mentioned (ISO/IEC 27799:2008). Through this statement, the management should set the health information security goals that the health ISMS is implemented to fulfill. Through these goals, the management should communicate the importance of meeting the information security objectives and conforming to the information security policy. Finally, the statement should also contain the responsibilities that the management has according to the law and point out the need for continual improvement (ISO/IEC 27001:2005).

The main goals/objectives of an ISMS should be the protection of confidentiality, integrity and availability of information. In the context of a health ISMS, these objectives can be translated as follows (Farn, 2007):

- Protecting personal information: confidentiality
- Preventing mistakes in healthcare practice: integrity
- Maintaining the functions of the healthcare organs (the continuity of healthcare services): availability

According to ISO/IEC 27799:2008, the information security goals that a health organization should meet are not restricted solely to the assurance of confidentiality, integrity and availability of health information. Even if these attributes of information are of major importance, the following considerations should also be taken into account when defining the goals of health information security:

- honoring legislative obligations as expressed in applicable data protection laws and regulations protecting a subject of care's right to privacy,
- maintaining established privacy and security best practices in health informatics,
- maintaining individual and organizational accountability among health organizations and health professionals,
- supporting the implementation of systematic risk management within health organizations,
- meeting the security needs identified in common healthcare situations,
- reducing operating costs by facilitating the increased use of technology in a safe, secure, and well managed manner that supports but does not constrain current health activities,
- maintaining public trust in health organizations and the information systems these organizations rely upon,
- maintaining professional standards and ethics as established by health-related professional organizations (insofar as information security maintains the confidentiality and integrity of health information),
- operating electronic health information systems in an environment appropriately secured against threats,
- facilitating interoperability among health systems, since health information increasingly flows among organizations and across jurisdictional boundaries (especially as such interoperability enhances the proper handling of health information to ensure its continued confidentiality, integrity and availability).

Additionally, the management should establish and document a control procedure for the system. Through this procedure, the management should seek to achieve the following goals:

- Ensure that ISMS objectives and goals are established and met
- Specify the criteria for accepting risks and for acceptable risk levels and ensure that they are followed
- Ensure that internal audits of the ISMS are conducted
- Conduct management reviews of the ISMS

Health ISMS Scope Definition

Following the management's documented commitment to support the health ISMS, the limits and boundaries of the ISMS should be formally defined. Given that health organizations are usually large units with multiple processes and different departments, it is hard to achieve the necessary level of compliance in one attempt. Thus, an incremental and iterative process is recommended to achieve total coverage and full benefit during the definition of the scope of a health ISMS (ISO/IEC 27799:2008).

The scope should be clearly documented in the form of a scope statement, which will be publicized within the organization. This statement will define the boundary of the compliance activity in terms of people, processes, platforms and applications (ISO/IEC 27799:2008). Additionally, this document should be publicized widely, reviewed and adopted by all of the organization's information, clinical and corporate governance groups (ISO/IEC 27799:2008).

Due to the integrated future of e-health, the interconnection of health information systems is expected to increase. This fact makes security approaches in healthcare especially challenging, as health organizations can no longer act as if their systems were isolated islands of information (Sunyaev, 2009). The strategic goal of every health unit may differ, the functions and services provided may vary, and even business and operational objectives and structure may have nothing in common across various health organizations. This complexity and interconnectivity between different functions and departments of health information systems may transform scope definition into a quite complex and demanding task.

To aid the scope definition of a health ISMS, it is essential to use criteria that cover all aspects of the organization and ensure that the objectives and boundaries of the ISMS are clearly defined. Once developed, these criteria indicate the exact expectations placed on the ISMS. Visibility, the balance between technical and business involvement, the degree of local or central relevance and the management overhead that the ISMS will introduce are only a fraction of the expectations that the ISMS will be called to satisfy, and they should all be reflected in a properly defined scope (ISO/IEC 27799:2008).

A very useful tool for determining the acceptance criteria to be used during scope definition is a summary-level gap analysis. This analysis can be performed on a sampling basis to gain an initial understanding of the work that would be required to achieve compliance within the scope that is formulated.

    Information Security Policy Definition

After the definition of the scope of the ISMS of a health organization, ISO/IEC 27001:2005 mandates the development of an information security policy document. This document is also referred to as the ISMS policy and is considered to be a superset of the information security policy (Sunyaev, 2009). It should be communicated across the organization to users in a form that is relevant, accessible and understandable to the intended reader, while special care should be taken not to disclose sensitive information (ISO/IEC 27001:2005).

The information security policy document should state management commitment and set out the organization's approach to managing information security (ISO/IEC 27001:2005). This policy serves as the reference for all policies that will be developed in the context of the ISMS, and it is the document on which the rest of the policies will be based.

The contents of the information security policy document are specifically defined in ISO/IEC 27001:2005 and ISO/IEC 27799:2008. Although ISO/IEC 27799:2008 mentions additional factors that should be considered to cover the special requirements of the healthcare sector, the definition of this document is almost the same in both standards, and it should contain the following information:

The sense of direction and principles for action with regard to information security. To define this, a framework for setting the objectives and goals of the ISMS, with reference to the decided scope and to management commitment, should be provided.

An explanation of the legislative, regulatory and contractual requirements that the ISMS should meet.

Responsibilities for information security management, including the reporting of information security incidents.

As the security policy constitutes the "policy of policies" for the system, it should be carefully developed to provide proper guidelines for the development of the ISMS. Special care should be taken over the factors that must be considered when developing health care information systems. Such factors are the following:

Consent: Clinicians have access to sensitive healthcare information about patients, but at the same time patients have the right to allow or deny access to these records. This right of patients to determine the access rights to their medical data can be legitimately overridden in cases of healthcare priorities, which are usually linked to the incapacity of the subject of care to express their preferences.

Responsibilities: In a health organization, a large number of different roles and responsibilities may exist. Correspondingly, arrangements and authority limits are also complicated, and they can be temporary and constantly changing (e.g. in the case of students, on-call staff or support staff).

Information Sharing: Health organizations are usually distributed, or are required to exchange sensitive patient information for multiple and different purposes (e.g. for the treatment of a patient, or for research or medical trials).

During the development of the information security policy of a health ISMS, the above factors should be taken into consideration. This means that a health ISMS policy should state the generic exclusions and procedures that apply when restrictions on access to medical data must be overridden or information sharing must be allowed. Additionally, where health organizations obtain support from third-party organizations, controls and procedures should cover the interactions and specify the responsibilities of each party (ISO/IEC 27799:2008).
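As an added example that is not part of the chapter, the following Python code sketches how an application within the scope of the ISMS could enforce the consent exclusion that the policy has to state: a request for personal health information is granted when the subject of care has consented to that role and purpose, denied otherwise, and permitted as an emergency override only when the record marks the subject as unable to express a preference and a clinician records a justification. Every decision, including denials, is written to the audit trail (itself one of the information assets listed later in this chapter), and overrides are flagged for review. The roles, the consent directive structure, the audit record fields and the override condition are assumptions for the illustration, not requirements taken from ISO/IEC 27799:2008.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, FrozenSet, List, Optional

# Assumption: only these roles may invoke an emergency override.
CLINICAL_ROLES = frozenset({"physician", "nurse"})


@dataclass
class HealthRecord:
    patient_id: str
    # Consent directive: purpose -> roles the subject of care has permitted.
    consent: Dict[str, FrozenSet[str]]
    # Set by the treating clinician when the patient cannot express a preference.
    incapacitated: bool = False


@dataclass
class AuditEvent:
    timestamp: str
    user: str
    role: str
    patient_id: str
    purpose: str
    allowed: bool
    reason: str
    justification: Optional[str] = None
    review_required: bool = False


@dataclass
class Decision:
    allowed: bool
    reason: str


class ConsentPolicy:
    """Access decisions for personal health information: consent check,
    emergency exception, and an audit record for every attempt."""

    def __init__(self) -> None:
        self.audit: List[AuditEvent] = []

    def decide(self, user: str, role: str, record: HealthRecord, purpose: str,
               justification: Optional[str] = None) -> Decision:
        review = False
        if role in record.consent.get(purpose, frozenset()):
            decision = Decision(True, "consent")
        elif (justification and record.incapacitated
              and role in CLINICAL_ROLES and purpose == "treatment"):
            # The exclusion the ISMS policy must state: consent is bypassed
            # only when the subject of care cannot express a preference and
            # the clinician records why.  Such accesses are flagged for review.
            decision = Decision(True, "emergency override")
            review = True
        else:
            decision = Decision(False, "no consent for purpose and no valid emergency condition")
        self.audit.append(AuditEvent(datetime.now(timezone.utc).isoformat(),
                                     user, role, record.patient_id, purpose,
                                     decision.allowed, decision.reason,
                                     justification, review))
        return decision

    def overrides_pending_review(self) -> List[AuditEvent]:
        """Override events that the ISMF or privacy officer still has to examine."""
        return [e for e in self.audit if e.review_required]


# Constructed sample records (illustrative only).
CONSCIOUS = HealthRecord("P-1001",
                         consent={"treatment": frozenset({"physician"}),
                                  "research": frozenset()})
UNCONSCIOUS = HealthRecord("P-2002", consent={"treatment": frozenset()},
                           incapacitated=True)

if __name__ == "__main__":
    policy = ConsentPolicy()
    policy.decide("dr.a", "physician", CONSCIOUS, "treatment")
    policy.decide("dr.a", "physician", CONSCIOUS, "research")
    policy.decide("nurse.b", "nurse", CONSCIOUS, "treatment", "collapsed in corridor")
    policy.decide("nurse.b", "nurse", UNCONSCIOUS, "treatment", "unconscious on arrival")
    for event in policy.audit:
        print(event.allowed, event.reason, event.user, event.patient_id, event.purpose)
```

The third call is the important one: a justification alone does not unlock a record whose subject is still able to express a preference, which keeps the override from becoming a general bypass. The fourth call is granted but lands in the list returned by `overrides_pending_review()`, which is the material the reporting responsibilities discussed in the next section have to act on.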

    ISMS Management Structure

After the definition of the ISMS scope and the preparation of the information security policy, the task that follows is the development of the structure of the ISMS. This structure should be decided, and security responsibilities should be assigned to the roles that are included and described in it. The structure should be designed to enforce and ensure coordination between the stakeholders and departments of the organization. This coordination is an essential requirement for the timely establishment of the system and the achievement of the established objectives.


Allocation of Security Responsibilities

Each entity that is included in the ISMS structure should be accompanied by a documented set of security responsibilities. Responsibilities for the protection of individual assets and for roles related to specific security processes (e.g. business continuity planning) or to sites and information processing facilities should be clearly identified and, if required, supplemented with more detailed guidance. When defining security responsibilities, the following should not be omitted:

Assets and security processes

Entity responsible for each asset or security process

Details of responsibilities

Authorization levels

Individuals with security responsibilities may delegate tasks to others, but the responsibility itself is not transferable. Therefore the individuals remain responsible and should monitor the correct performance of delegated tasks.

A special requirement for a health organization when defining responsibilities and the ISMS structure is to clearly define access rights that facilitate access by subjects of care (e.g. it should be possible to request personal health information in any case). This kind of responsibility definition is required to facilitate reporting and to ensure the timely delivery of information.

Coordination of Activities

The management structure of the ISMS can be configured to better match the existing structure of the organization. Nevertheless, ISO/IEC 27799:2008 mandates the creation of two new entities in the organization chart: the Information Security Officer and the Information Security Management Forum.

The Information Security Officer is responsible for health information security within the organization and participates in the Information Security Management Forum.

The Information Security Management Forum (ISMF) is at the heart of the ISMS, and its purpose is to coordinate security activities and to oversee and direct information security. The ISMF should involve members from the full range of information assurance and information governance functions. Managers, users, administrators, application designers, auditors, security personnel and specialists skilled in areas such as insurance, legal issues, human resources, IT or risk management should be present in the ISMF.

The ISMF has to meet regularly (ISO/IEC 27799:2008 dictates that the ISMF should meet at least monthly), and the Information Security Officer should report to the ISMF and provide it with secretariat services. Finally, the Information Security Officer is responsible for collating, publishing and commenting on the reports received from ISMF members (ISO/IEC 27799:2008).

    Risk Analysis

The next step, following the definition of the ISMS structure and the allocation of security responsibilities, is to locate and assess all information security risks that the organization faces. This assessment is performed via a structured risk analysis. Risk Analysis (RA) is a methodology for the assessment of risks which involves the identification and valuation of assets and the assessment of threats and vulnerabilities (Gritzalis D., 2003). In the context of a healthcare organization, assets include health information, IT services, hardware, software, communication facilities, media, IT facilities and medical devices that have value to the organization (ISO/IEC 13335-1:2004). A threat is a potential cause of an unwanted incident that may result in harm to a system or organization (ISO/IEC 13335-1:2004), and vulnerabilities are weaknesses of assets or groups of assets that can be exploited by one or more threats (ISO/IEC 13335-1:2004). Risk is the combination of the probability of an event and its consequences, and can be estimated by combining threats, vulnerabilities, assets, asset values and the security controls that are currently applied (ISO/IEC 27799:2008).

Healthcare organizations may find selecting a risk analysis methodology a quite challenging task (Vorster, 2005). Currently, numerous methodologies are available, some of which are qualitative while others are quantitative in nature (Vorster, 2005). Due to the special requirements, especially in the evaluation of the risks that healthcare organizations face, information risk analysis in healthcare ought to consider qualitative as well as quantitative factors. Financial losses should not be the primary consideration, but may be taken into account where there is evidence of large sums being paid for negligence.

A health care organization can choose from a number of standardized methodologies as a guide to identifying and evaluating information security risk. NIST SP 800-30 (Stoneburner G., 2002), CRAMM (Zeki, 2002), OCTAVE (Alberts C., 2002) and ISO/IEC 13335-1:2004 are some of these methodologies, but when it comes to determining an ideal methodology there is no silver bullet. All of the above methodologies are supported by automated tools, which can save the analyst a large amount of work and guide them through the risk analysis process according to the methodology each tool complies with. In general, risk analysis methodologies follow four stages (Gritzalis D., 2003), followed by the risk management stage, in which the mitigation of identified risks is decided. The stages included in the risk analysis and risk management phases can be considered to be the following:

Identification of assets

Valuation and classification of information assets

Threat and vulnerability evaluation

Risk evaluation

Risk management

The risk analysis typically cannot be delivered by any single individual; rather, it is an activity designed to reach consensus, so that all viewpoints are collected and taken into consideration in the evaluation of asset values, threats, vulnerabilities and risks (ISO/IEC 27799:2008).

In the rest of this section, guidance is provided for the performance of each of the risk analysis stages, with respect to the special requirements present in the healthcare sector.

    Identification of Assets

The first step in an effective risk analysis is to identify the assets that are included in the scope of the analysis, which is the same as the scope of the health ISMS itself. As mentioned in ISO/IEC 27799:2008, in the context of health information security, assets include health information, IT services, hardware, software, communication facilities, media, IT facilities and medical devices that record or report data.

Health information comes in various types, each of which has different confidentiality, availability and integrity requirements. ISO/IEC 27799:2008 defines the following types of health information:

personal health information;

pseudonymized data derived from personal health information via some methodology for pseudonymous identification;

statistical and research data, including anonymized data derived from personal health information by removal of personally identifying data;

clinical/medical knowledge not related to any specific subjects of care, including clinical decision support data (e.g. data on adverse drug reactions);

data on health professionals, staff and volunteers;

information related to public health surveillance;

audit trail data, produced by health information systems that contain personal health information, or pseudonymous data derived from personal health information, or that contain data about the actions of users with regard to personal health information;

system security data for health information systems, including access control data and other security-related system configuration data for health information systems.

In order to identify the assets within the scope of the risk analysis, the analyst should use the following as a starting point:

Patient care systems, applications and devices that store and process health information (e.g., pharmacy, infection control, cancer registry, MRI, CTI, Ultrasound), whether they are standalone systems or connected to the network

Business systems and applications that store, process, or transmit health information to support billing, customer service and general administrative operations (e.g., supply chain, state submissions, credentialing)

Infrastructure components, such as routers and firewalls, that are connected to or facilitate the transmission of health information to/from the types of systems described above

In complex information systems it may be useful to designate groups of assets that act together to provide a particular function as services. In this case the service owner is responsible for the delivery of the service, including the functioning of the assets that provide it. To detect possible groupings of a set of assets, the following clauses may be utilized:

Assets that are under the same direct management control

Assets that have the same function or mission objective

Assets that have essentially the same operating characteristics and security needs

Assets that reside in the same general operating environment.

Special care should be taken in the case of medical devices that report or record data. These devices often operate within special environments, and electromagnetic emissions occur during their operation. Therefore, it is important to uniquely identify such devices in the inventory of assets. These devices may have on-board computers that are used to manage the equipment and to gather, store and analyze results, and they may be connected to external or internal networks through dial-up or local area network connections. It is not necessary to gather and report on each individual device; rather, it is important to group devices by type and gather information on each type.

All assets should be clearly identified, and an inventory of important assets should be drawn up and maintained (ISO/IEC 17799:2005). The inventory of assets should include all information related to each asset, including:

Type of asset (e.g. information, software, physical, services, people, intangible asset)

Format (e.g. electronic document, printed document, hardware, network equipment, database)

    Location

According to ISO/IEC 27002:2005, all assets should be owned by a designated part of the organization. The term "owner" identifies an individual or entity that has approved management responsibility for controlling the production, development, maintenance, use and security of the assets. The term "owner" does not mean that the person actually has any property rights to the asset (ISO/IEC 17799:2005). The asset owner should be responsible for ensuring that the information and assets they own are appropriately classified, and should periodically review access restrictions and classifications.

In the case of medical data and personal health information, ownership should remain with the subject of care, and custodians should be designated for each asset. Specific rules should be defined and documented for the acceptable use of health information assets.

Valuation and Classification of Information Assets

Accountability for assets helps to ensure that appropriate protection is maintained. Health information assets should be classified to indicate the needs, priorities and expected degree of protection when they are handled (ISO/IEC 17799:2005). The classification scheme that is developed must be documented, and the rules and guidelines that define how information of each class should be treated should be specified and communicated across the organization.

Classification and valuation of assets in general should be based on the security attributes of the assets, i.e. their confidentiality, integrity and availability. Most commonly, classification schemes are based solely on confidentiality requirements, and the other two security attributes are taken into consideration during the risk analysis. However, for healthcare-related assets, availability and integrity of information are essential for the ongoing provision of service, so classification with respect to availability and integrity should also be applied (ISO 27799:2008).

With regard to confidentiality, the special requirements pointed out in ISO/IEC 27799:2008 should be taken into consideration when developing a classification scheme for health information. These requirements are heightened by the fact that the confidentiality of personal health information is subjective, context-dependent and can shift over the lifetime of an individual's health record (ISO 27799:2008).

Due to the sensitivity of personal health information, it is very important for users of health information systems to know when the data they are accessing contain personal health information. Therefore, procedures for labeling and handling confidential information are considered extremely important. These procedures should cover all information handling aspects for each classification level, by defining how information should be processed, stored, transmitted and destroyed. Finally, the requirements that must be met to declassify confidential information should be clearly stated, and a review process should be established to continuously examine whether the classification level still meets the security requirements of each asset.

    Threat and Vulnerability Evaluation

As previously mentioned, there is a close relationship and interdependency between assets, vulnerabilities and threats. This relationship, together with metrics such as the impact of an attack or the probability of a vulnerability being exploited, constitutes the overall information security risk of the organization. To determine these metrics, the asset valuation and classification information is used in the next phase of the risk analysis, which is the determination of the threats and vulnerabilities related to the assets of the ISMS.

A threat is a potential cause of a security incident that may cause an information system or organization to be lost or damaged (JIPDEC, 2004). The scale of a threat is determined by evaluating the probability of its occurrence for each factor or information asset. Threats can be identified by investigating the ways in which someone could exploit the vulnerabilities that exist in the assets of the system to attack the security of the information system.

Common threat sources can be categorized into natural threats, human threats and environmental threats (Stoneburner G., 2002). ISO/IEC 27799:2008 contains a full annex with 25 healthcare-specific threats that should not be omitted when determining the threats that a health information system may face.

Vulnerabilities are weak points and security holes that are specific to an information asset. Vulnerabilities do not cause any damage by themselves, but they allow threats to materialize or to be exploited and cause damage or failure of any kind. Vulnerabilities can be identified more easily if they are considered in relation to the characteristics and attributes of the information assets (JIPDEC, 2004). The evaluation of vulnerabilities can be explained as the evaluation of the weakness level of an information asset. Although the extent to which assets should be categorized differs between organizations, vulnerabilities are typically categorized as Low, Medium or High. The same categorization applies to threats (JIPDEC, 2004).

    Risk Evaluation

In the final step of the risk analysis, the definition and evaluation of risk is performed. As stated above, risk is a function of a number of factors, including asset value, threats, vulnerabilities, impact and existing security controls. Given the number of factors involved, this estimation may seem a difficult task, but if the previous stages of the risk analysis have been completed accurately and correctly, the following information will already have been defined and formally documented at this stage:

Inventory of assets

Asset values and classification

Evaluated threats that assets face

Existing vulnerabilities of assets

By combining the above information, the analyst can develop a business impact analysis document as a first step toward risk evaluation. The business impact analysis document depicts the amount of damage that a security incident would cause to the organization. The business impact analysis also makes clear the dependency of business processes on IT services, hardware, software, media and locations.

After collecting all the above information, the analyst has the task of evaluating the identified risks, as combinations of assets, threats, vulnerabilities and existing controls. The risk levels that will be used for the classification of risks should be determined in advance, and specific rules or formulas should be developed to formalize the process of risk evaluation. Automated risk assessment tools can provide significant assistance in this part of the procedure, as they already contain standards-based formulas for calculating risk from the information provided about the risk factors mentioned above.
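As an added example (not code from the chapter, nor from any of the cited standards or tools), the following Python script shows one way to formalize the rules just described: each risk scenario combines an asset's classification for the security attribute at stake, a Low/Medium/High threat rating, a Low/Medium/High vulnerability rating and the controls already in place, and the resulting score is mapped onto a risk level and compared against an acceptable level. The asset inventory and the scenarios are constructed for illustration; the scoring product, the rule that each existing control lowers the vulnerability rating by one step, the level cut-offs and the acceptable level are all assumptions chosen for the example rather than values from ISO/IEC 27799:2008 or from the methodologies mentioned above.

```python
from dataclasses import dataclass, field
from typing import Dict, List

# Qualitative scale used for asset values, threats and vulnerabilities
# (Low/Medium/High, as the chapter describes).
LEVEL: Dict[str, int] = {"Low": 1, "Medium": 2, "High": 3}


@dataclass
class Asset:
    """An inventory entry with its confidentiality/integrity/availability classification."""
    name: str
    confidentiality: str
    integrity: str
    availability: str

    def value_for(self, attribute: str) -> int:
        """Value of the asset with respect to one security attribute."""
        return LEVEL[getattr(self, attribute)]


@dataclass
class Scenario:
    """A threat acting on one asset through one vulnerability."""
    asset: str
    threat: str
    attribute: str             # "confidentiality", "integrity" or "availability"
    threat_level: str          # Low/Medium/High probability of occurrence
    vulnerability_level: str   # Low/Medium/High weakness of the asset
    existing_controls: List[str] = field(default_factory=list)


@dataclass
class Risk:
    asset: str
    threat: str
    score: int
    risk_class: str
    needs_treatment: bool


def effective_vulnerability(level: str, controls: List[str]) -> int:
    """Assumption for this example: each documented control already in place
    reduces the vulnerability rating by one step, never below Low."""
    return max(1, LEVEL[level] - len(controls))


def classify(score: int) -> str:
    """Map the 1..27 product onto the three risk levels.  The cut-off points
    are an assumption; an organization fixes its own in the rules it
    documents before risk evaluation starts."""
    if score <= 4:
        return "Low"
    if score <= 12:
        return "Medium"
    return "High"


def evaluate(assets: List[Asset], scenarios: List[Scenario],
             acceptable: str = "Low") -> List[Risk]:
    """Combine asset value, threat, vulnerability and existing controls into a
    risk level for every scenario; return them highest first and flag those
    above the acceptable level as input for the risk treatment plan."""
    by_name = {a.name: a for a in assets}
    risks = []
    for s in scenarios:
        asset = by_name[s.asset]
        score = (asset.value_for(s.attribute)
                 * LEVEL[s.threat_level]
                 * effective_vulnerability(s.vulnerability_level, s.existing_controls))
        cls = classify(score)
        risks.append(Risk(s.asset, s.threat, score, cls, LEVEL[cls] > LEVEL[acceptable]))
    return sorted(risks, key=lambda r: r.score, reverse=True)


# Constructed sample inventory and scenarios (illustrative only).
ASSETS = [
    Asset("EHR database", "High", "High", "High"),
    Asset("Research data warehouse", "Medium", "Medium", "Low"),
    Asset("Infusion pump fleet", "Low", "High", "High"),
]

SCENARIOS = [
    Scenario("EHR database", "Access to records by staff outside the care team",
             "confidentiality", "High", "Medium", ["role-based access control"]),
    Scenario("Infusion pump fleet", "Malware reaching pumps over the LAN connection",
             "integrity", "Medium", "High"),
    Scenario("Research data warehouse", "Re-identification of pseudonymized data",
             "confidentiality", "Low", "Medium"),
    Scenario("EHR database", "Power failure in the data centre",
             "availability", "Medium", "Low", ["UPS"]),
]

if __name__ == "__main__":
    for r in evaluate(ASSETS, SCENARIOS):
        flag = "TREAT" if r.needs_treatment else "accept"
        print(f"{r.score:2d} {r.risk_class:6s} {flag:6s} {r.asset}: {r.threat}")
```

Running the script lists the risks highest first; the entries above the acceptable level are the candidates for the risk treatment plan. In a real assessment the formula, the cut-offs and the acceptable level are exactly the rules the text says must be documented before evaluation starts, and the scenario list is the output of the threat and vulnerability evaluation rather than a hand-written list.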

    Risk Management

After the identification and evaluation of risks has been completed, risk management planning is performed. Risk management responds to the risk analysis by identifying which controls should be strengthened, which controls are already effectively in place, and which additional controls the organization needs to implement in order to reduce the residual level of risk to an acceptable level (ISO 27799:2008). The decisions related to risk management are based upon, and should reflect, the organization's appetite for risk, and should be properly justified on a cost-benefit basis.

Risk appetite, at the organizational level, is the amount of risk exposure, or potential adverse impact from an event, that an organization is willing to accept or retain. Once the risk appetite threshold has been breached, risk management and business controls are implemented to bring the exposure level back within the accepted range (Tipton, 2007). To determine the risk appetite of the organization and accordingly develop an effective risk management plan, special care should be taken to ensure the alignment of responsibility for information security with the authority to make risk management decisions (ISO 27799:2008).

To establish the organization's risk appetite and determine the acceptable level of risk, specific criteria should be defined, based on objective decision parameters. Such criteria can be developed by taking into consideration resource availability, priorities in risk mitigation, the level of complexity or difficulty in mitigating each risk, and previous experience or events that occurred in the past. Especially for health organizations, ISO/IEC 27799:2008 defines a set of considerations that should not be omitted when defining the risk appetite of a health care organization; these are provided in the following list:

health sector, industry or organizational standards;

clinical or other priorities;

cultural fit;

reactions of subjects of care;

coherence with IT, clinical and corporate risk acceptance strategy;

cost;

effectiveness;

type of protection;

number of threats covered;

risk level at which the controls become justified;

risk level that led to the recommendation being made;

alternatives already in place;

additional benefits derived.

Taken together, these factors yield a cost-benefit assessment that can underpin the business case needed for seeking funding. Based on the risk appetite and the results of the risk evaluation, the organization should decide on the management of each risk. Although most information security professionals focus on reducing risk through contingency planning, many alternatives exist and should be taken into consideration. These alternatives are provided in the following list (Tipton, 2007):

Accept risk. A decision is made to continue operations as-is, with a consensus to accept the inherent risks.

Transfer risk. A decision is made to transfer risk, for example from one business unit to another, or from one business area to a third party (e.g. an insurer).

Mitigate risk. The organization has a core competency that allows the elimination or reduction of risk through the establishment or improvement of controls and processes.

Share risk. Attempts are made to share risk through partnerships or outsourcing.

The decision on whether a risk will be accepted, transferred, mitigated or shared is made by the ISMF of the health organization and is formally recorded for periodic review and re-assessment. The document that includes the decisions on risk management should take the form of a risk treatment plan. The role of the risk treatment plan is to provide direction on how the organization will address each risk. The point is to produce a plan that specifies each action and provides the rationale behind it. The risk treatment plan should contain a prioritized list of how the organizational risks to each asset will be addressed. The necessary controls are allocated to each asset, and the actions that will address the risk, as well as the priority in which the actions will be performed, are also described. Overall, the risk treatment plan should contain the following information for each risk that was identified (Calder, 2009):

What decision the organization made for the management of this risk;

What controls are already in place;

What additional controls are considered necessary;

The timeframe for the implementation of the controls.

The risk treatment plan document may contain the Statement of Applicability document. The statement of applicability is the document from which an auditor begins the process of confirming whether or not appropriate controls are in place and operative. It is a formal statement of which of the selected mitigating security controls are applicable to the organization and which are not (Calder, 2009). Table 1 provides an example structure of a statement of applicability.

The first column is a reference to the corresponding control in the ISO/IEC 27001:2005 standard. The second column describes the required actions and includes a reference to the risk treatment plan. The third column describes the implementation status of the selected control; possible values are "full", "partial" or "not at all". The fourth column provides the justification for the decision to select or exclude the control. The fifth column indicates the relevant procedures or policies, and the last column is provided for additional comments (Calder, 2009).

After their initial development, both the risk treatment plan and the statement of applicability are maintained by the information security officer, or a similar officer, on behalf of the ISMF. These documents should be provided to the clinical and corporate governance functions to form a key part of the governance documentation set (ISO 27799:2008).

Documentation Summary of the Plan Phase

The Plan phase produces the documents relevant to the ISMS implementation. First and foremost is the need for a Plan phase guideline document, to ensure that the organization captures and executes all the relevant steps of the Plan phase. The essential documents that should be prepared during the planning phase are the following:

Scope statement

Information security policy of the organization

Organizational security policy

Inventory of assets and system assets to be protected

Business impact analysis

Risk assessment plans and risk assessment report(s)

Standards and procedural guidelines and templates that will be followed. Such procedures may contain the following:

    Procedures for identifying information assets

    Asset valuation and classification procedures

    Asset handling guidelines

    Risk management procedures

Contractual agreements (including service level agreements and acceptable use agreements)

Risk treatment plan

Statement of applicability

Table 1. Example structure of a statement of applicability (Arnason S.T., 2008)

Columns: Control Reference | Description | Implement | Justify | Procedure/Approach | Comment

Example row:

Control Reference: A.10.7.2

Description: A paper shredder has been added. A new process for secure disposal of media has been implemented.

Implement: Fully

Justify: To reduce the risk of unauthorized access to sensitive information. See the result from the risk treatment plan.

Procedure/Approach: Please refer to the control and policy document.

Comment: (none)


In addition, the health care organization can document and materialize priorities in meeting clinical needs. This information can be developed in cooperation with the clinical and corporate governance functions, and used by the ISMF as backup material in support of the risk acceptance decisions that will be made (ISO 27799:2008).

    Do

    During the planning phase, the ISMS is actually designed and materialized. In the Do phase the documents that guide the implementation of the ISMS are produced, with implementation being the focus of the phase. The core purpose of the Do phase is the implementation of the Risk Treatment Plan that was generated at the end of the Plan phase, based on the risk analysis that was performed.

    The Do phase can be implemented in a number of different ways. The main goals that ISO/IEC 27799:2008 indicates to be achieved are the following:

    • Creating and scheduling a risk treatment plan
    • Allocating resources
    • Selecting and implementing security controls
    • Training and educating
    • Managing operations
    • Managing resources
    • Managing security incidents

    In order to achieve the above mentioned goals the organization must develop a number of policies, procedures, guides and standards, and implement the technical security controls that are defined and prioritized in the risk treatment plan.

    For the proper delivery of the required artifacts, prior to any additional action, the organization should first develop an ISMS implementation program, in which the implementation schedule will be detailed. In this plan, tasks, required resources and estimated durations will be included, to ensure the availability of the human and non-human resources that will be required during the ISMS implementation.

    Often formatted as a Gantt chart, this plan should be made available to clinical and other staff, to minimize interruptions to operations upon integration of information security improvements in everyday operations. An effort to combine this integration with planned changes in IT facilities and health care service provision would increase the effectiveness of the ISMS. Finally, special care should be taken to depict in the implementation schedule known periods of unusual healthcare activity, such as the influx of a new batch of interns and trainees, as such activities may affect the progress of ISMS implementation.

    In the rest of the chapter, a brief guide to developing policies, standards, guides and procedures will be provided and, additionally, specific instructions for the implementation of controls in health care organizations will be mentioned, based on clause 7 of ISO/IEC 27799:2008.

    Policy Development

    The ISMS policy and the organizational security policy establish that security (or information assurance) is a necessary part of organizational existence and operations. These policies are high level and do not identify specific security controls. Therefore, the initial step in the Do phase is to develop policies for each security control or classification of security controls that in turn find justification in the Statement of Applicability.

    The term security policy appears in the literature with several different meanings. There are differences regarding the content of the policy, the language in which it is expressed (e.g. formal notation, structured text, natural language, etc.) and the level of abstraction (Gritzalis D., 2003). Based on the contents and the purpose of a policy document, it can be categorized in one of five categories, Policy, Standard, Baseline, Guideline, or Procedure, as described in the following list (Harris, 2008):

    • A Policy is an overall general statement produced by senior management (or a selected policy board or committee) that dictates what role security plays within the organization. It is usually point specific and covers a single area to specify requirements or rules that must be met. For example, an Acceptable Use policy would cover the rules and regulations for appropriate use of the computing facilities.

    • A Standard is typically a collection of system-specific or procedural-specific requirements that must be met by everyone. Standards refer to mandatory activities, actions or rules that can give a policy its support and reinforcement in direction. For example, a standard may exist that describes how to harden a Windows workstation for placement on an external (DMZ) network. People must follow this standard exactly if they wish to install a Windows workstation on an external network segment. Standards could be internal, or be externally mandated (government laws and regulations).

    • A Baseline can either refer to a point in time that can be used as a comparison for future changes or it can refer to the minimum level of protection required.

    • A Guideline is typically a collection of system specific or procedural specific suggestions for best practice that can be used in cases where a specific standard does not apply. Whereas standards are specific mandatory rules, guidelines are general approaches that provide the necessary flexibility for unforeseen circumstances.

    • Procedures spell out how the policy, standards, and guidelines will actually be implemented in an operating environment. They are detailed step-by-step tasks that should be performed to achieve a certain goal. The steps can apply to users, IT staff, operations staff, security members, and others who may need to carry out specific tasks. For example, if a policy states that all individuals who access confidential information must be properly authenticated, the supporting procedures will explain the steps for this to happen by defining the access criteria for authorization, how access control mechanisms are implemented and configured, and how access activities are audited. Procedures are considered the lowest level in the policy chain because they are closest to the computers and users (compared to policies) and provide detailed steps for configuration and installation issues, thus they should be detailed enough to be both understandable and useful to a diverse group of individuals.

    Security policies, standards, guidelines, and procedures must be developed with a realistic view to be most effective. Highly structured organizations usually follow guidelines in a more uniform way. Less structured organizations may need more explanation and emphasis to promote compliance. The more detailed the rules are, the easier it is to know when one has been violated. However, overly detailed documentation and rules can prove to be more burdensome than helpful. On the other hand, many times, the more formal the rules, the easier they are to enforce. The business type, its culture, and its goals must be evaluated in order to make sure that the proper language is used when writing security documentation (Harris, 2008).

    Implications in Developing Policies in a Health Care Context

    As previously mentioned, the context in which health care organizations and health care information systems operate creates various implications and affects in different ways the requirements that a health ISMS should cover. When defining the security policies in such a system, there are a number of contextual elements which should be taken into consideration.

    These contextual elements can be summarized in two strong points of interest that the policy development team should have in mind when developing policies (Gritzalis D., 2003). The first point is the importance of social and ethical values that affect the operation of the entire health care organization. These values pose ethical considerations and social priorities that should not be overlooked. Especially for policies that are related to confidentiality of medical data, special clauses should be included to create multiple layers of protection for the medical records. These clauses should be carefully selected so as not to affect the timely access of authorized personnel to medical records.

    The second point of interest is the diversity and complexity of a healthcare organization. Different interests and concerns of stakeholders, extended distribution of decision power and special organizational structure form a labyrinth of conflicting interests that raise the difficulty of developing an applicable and robust policy. The policy development team should try to balance the usability of policies and procedures with the decision power of each party related to each procedure and describe, in a formal and structured way, who can do what and why within the boundaries of the ISMS.

    It is obvious that the policy development may prove to be a quite demanding task. Due to the complexity that the completion of this task requires, the policy development should not be expected to be completed immediately. Rather, the policies and procedures that constitute the integral parts of a health ISMS are constantly evolving by remaining in the focus of the PDCA cycle. During the first cycles, the changes will probably be radical and the corrections may be numerous, but as time passes and the system reaches a level of maturity, the changes and improvements of the policies and procedures will be reduced until they reach their stable versions.

    Methodologies and resources exist for the development of security policies. Generic guidelines and specific health care related guides exist and can be used as assisting documents in the development of the security policies of a health ISMS. Methods based on security cookbooks, risk analysis, management and socio-technical methodologies are provided in the bibliography (Gritzalis D., 2003) and are constantly evolving to meet contemporary environments.

    Selection of Security Controls

    Once security requirements and risks have been identified and decisions for the treatment of risks have been made, appropriate controls should be selected and implemented to ensure risks are reduced to an acceptable level. In Annex A of ISO/IEC 27001:2005 and in ISO/IEC 17799:2005 a set of suggested controls that can be used for risk mitigation is provided. Controls can either be selected from the above mentioned standards or from other control sets, or new controls can be designed to meet specific needs as appropriate (ISO/IEC 17799:2005).

    However, in a health care organization, where personal health information has to be protected and the environment is significantly different from any other organization, certain control clauses and control categories should be implemented. In ISO/IEC 27799:2008, minimum requirements and normative guidelines are set out to describe the proper application of certain security controls within the boundaries of health information. These control clauses and control categories constitute additions to the controls set out in ISO/IEC 27002:2005 and have been categorized in the following eleven clauses:

    • Security policy
    • Organization of information security
    • Asset management
    • Human resources security
    • Physical and environmental security
    • Communications and operations management
    • Access control
    • Information systems acquisition, development and maintenance
    • Information security incident management
    • Business continuity management
    • Compliance

    The above clauses that are mentioned in ISO/IEC 27799:2008 consider the entire information system of the organization and all the aspects of such an information system, including policies, people, facilities, applications, hardware and devices. However, several requirements enforced by each clause can be adjusted to dictate specific requirements that a health related web application should cover in order to be part of a certified health ISMS. In the rest of this section, such an adjustment will be attempted, depicting certain requirements that must be covered by health related web applications. These requirements will be presented on a clause-by-clause basis, according to the structure of the ISO 27000 family of standards.

    Security Policy

    The objective of the security policy clause is to provide management direction and support for information security in accordance with business requirements and relevant laws and regulations. Management should set a clear policy direction in line with business objectives and demonstrate support for and commitment to information security through the issue and maintenance of an information security policy across the organization (ISO/IEC 17799:2005).

    The actual requirement that is posed by this clause is the existence of a documentation set that provides management directions, expresses management's understanding of information security and sets the objectives and goals of the ISMS. Such documents should have been developed during the planning phase and the policy development phases.

    In order for the developed policies to maintain their effectiveness and applicability, it is necessary to establish and follow a formal review process. Through this process, the policies of the health ISMS will be adjusted to incorporate changes in the organization, the environment or changes in the requirements that should be met. During the determination of this review process, the context of a health care organization should be taken into account. Health care specific regulation, addition or alteration of health care units of the organization, virus outbreaks and pandemics that may increase risk or create the need for changes in security safeguards, and comments from staff and patients, are only a fraction of the variables that may ultimately affect the security policies or procedures of the organization.

    Without the existence of a formal documented security policy set, a web application should not be accepted for use by a health organization that aims at certification. The functional and non-functional requirements of a custom web application, or even of a properly configured off-the-shelf application, should be defined to ensure that the application complies with the security policy of the organization. Without using policies as points of reference, a decision on whether the application is compliant with them cannot be taken and cannot be justified. Thus, it is important to initially ensure that formal policies do exist prior to initiating any requirement analysis of a web application related to a health information system and, secondly but equally importantly, to take into consideration every policy, procedure, guide and standard set by the security policies when designing and implementing an application.

    Organizing Information Security

    When it comes to organization issues, the most important differentiating factors of a health care organization are the high level of third party participation in numerous activities and the sensitivity of the information that flows within the organization. Pharmaceutical companies, external practitioners and doctors must be able to cooperate without significant disruption, to provide health treatment to patients. Different levels of information access should be provided to each stakeholder and special care should be taken to protect the patient data that should be owned by the patients themselves.

    It is obvious that the development of a management structure is not an easy task to be completed in a health care organization, as the responsibilities and rights of each stakeholder should reflect legal, regulatory, operational and security requirements. These requirements and the way that they will be fulfilled should be a topic of discussion in every meeting of the Information Security Management Forum of the organization, where every party related to the security of the organization should be represented.

    The existence and high level of involvement of external parties should be explicitly stated and identified during the risk assessment, and the information that crosses the jurisdictional boundaries of the organization should also be protected. Formal agreements should be signed with all parties that have access to confidential information, regardless of whether they are employees of the organization or external cooperating organizations. Such agreements should initially include definitions that state the confidential nature and value of personal health information, describe the security precautions and measures that each party should follow, define the level of access to each service and/or information and state the penalties exacted in the event of any failure to comply with the agreement clauses. Additionally, these agreements should contain the obligations of each party related to reporting to the ISMF, the expected service level related to the service that is provided and a description of the required representation of each party in health organization meetings and working groups.

    The nature and capabilities of web applications can be considered to be suitable to environments with multiple stakeholders, who are geographically dispersed and are characterized by a high level of mobility. However, the above mentioned considerations should also be reflected in the application when it resides within the boundaries of a health ISMS. The management structure and the roles that are defined should be depicted within the application, accompanied by a description of the responsibilities and rights of each role. The clauses of agreements that are signed between relying parties should also be mapped in certain areas of each application, either in the form of acceptable use screens or in the form of references to formal documents of the health ISMS that the application belongs to. These clauses should also contain the reporting and auditing requirements that are agreed between parties, in order for the application to be developed with appropriate auditing and reporting functionalities, which allow both parties to comply with the agreement terms and conditions.

    Asset Management

    Asset management in the context of a health care organization is considered to be a sensitive and critical issue. Assets that reside within a health ISMS are immediately related to personal health information. Regardless of whether they are in intangible or tangible form, an attack against the assets of a health care organization can lead to disclosure of personal health information, or to loss of integrity of such information. Such an attack can lead to faults in patient treatment decisions, or to service disruptions, which is considered to be a serious problem in a health environment, where delays can have severe impact on the health of a patient.

    Medical databases, servers that are used to transmit and receive medical information and devices that are used to read digitalized medical records can all be considered as a single category of assets that can be met in a health care organization. These assets should be protected against loss of integrity, confidentiality or availability as they are used supportively in everyday operations in a health organization, so it is important that they are recognized and uniquely identified. Also, a designated custodian should have the responsibility for each one of these assets and rules for acceptable use should be identified, documented and implemented to maintain their currency and availability.

    Labeling and handling guides should also be enforced for health related data. Health data continuously flow within the organization and are exchanged with third party organizations. These data may exist in more than one form, depending on their use. For example, health information for a patient may exist in a digital record, in their health card or in a hard copy of a medical record that is used for treatment. To be able to preserve security of health data, labeling and handling procedures should be established primarily to uniquely identify such data and secondly to define acceptable use rules that should be followed by anyone that handles medical data.

    The second category of assets that should be mentioned contains medical devices that record or report data. Such devices have different requirements in terms of availability and integrity of data as they typically reside in restricted areas. The fact that they reside in protected areas provides an adequate level of protection against confidentiality breach, but as medical data are generated through these devices, accuracy and integrity should also be taken into serious consideration. Additionally, these devices often have special requirements in power and resources that are needed to operate, while they cannot be replicated to ensure their availability. Finally, medical devices may require special security considerations and special handling rules, due to their sensitivity or due to the environment in which they operate and to the electromagnetic emissions that occur during their operation.

    Health related web applications within the boundaries of a health ISMS should take into serious consideration all the above special requirements that exist in a health organization. The most important remarks that should not be omitted while developing applications that utilize, store or process health information can be summarized as follows:

    • Acceptable use of the health information that is utilized within the application should be mentioned within the application.

    • Special countermeasures for ensuring currency and integrity of all information should be taken during development. Integrity checks, continuous update of utilized information and utilization of multiple information sources (for cross checking reasons) can be considered to be only a reference of potential techniques that can be utilized for ensuring integrity and currency of health information.

    • Information classification levels should be implemented and access and authorization rights should be based on these classification levels, in accordance with security policies and the sensitivity of each piece of information, as indicated by the classification process.

    • Confidential information or security sensitive assets should be uniquely identified and labeling should be used for the recognition of different classification levels. Additionally, labels should uniquely identify records of subjects of care that may need special handling. Such cases may be considered to be the following:
        • Subjects of care that are at elevated risk of non authorized access (e.g. employees of the organization, politicians, celebrities, newsmakers, etc.)
        • Subjects of care that are related to employees of the organization or personnel that may be called to treat them (e.g. neighbors, colleagues, relatives, etc.)

    • Availability requirements should be seriously taken into consideration, as the need for current health related information is often critical and availability issues may have severe impact on the health of the subject of care. The development of specific hardware and software standards, and their integration in the policy set of the organization, can assist in ensuring availability of a health related web application.
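As an added illustration (not code from the chapter or from ISO/IEC 27799), the following Python sketch shows how a health related web application could make access decisions from classification levels and from the two special-handling labels listed above, and record every decision for audit. The classification scale, the role-to-clearance mapping, the rule that a labelled record is reachable only through an active treatment relationship, and all record, subject and user identifiers are constructed assumptions.

```python
"""Added example: classification-based access decisions with special-handling
labels and an audit trail for a health related web application.

The classification scale, role clearances, the treatment-relationship rule for
labelled records and every identifier below are constructed assumptions.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from enum import IntEnum
from typing import Dict, List, Optional, Set


class Classification(IntEnum):
    """Ordered classification levels; higher means more sensitive."""
    PUBLIC = 0
    INTERNAL = 1
    CONFIDENTIAL = 2
    RESTRICTED = 3


# Special-handling labels named in the chapter's list of cases
ELEVATED_RISK = "elevated-risk"        # staff, politicians, celebrities, newsmakers
RELATED_TO_STAFF = "related-to-staff"  # neighbours, colleagues, relatives of staff

# Constructed role -> highest classification the role may read
ROLE_CLEARANCE: Dict[str, Classification] = {
    "receptionist": Classification.INTERNAL,
    "nurse": Classification.CONFIDENTIAL,
    "physician": Classification.RESTRICTED,
}


@dataclass(frozen=True)
class Record:
    record_id: str
    subject_id: str
    classification: Classification
    labels: frozenset = frozenset()


@dataclass
class User:
    user_id: str
    role: str
    treating: Set[str] = field(default_factory=set)  # subjects under this user's care


@dataclass
class Decision:
    allowed: bool
    reason: str


AUDIT_LOG: List[dict] = []


def decide_access(user: User, record: Record,
                  now: Optional[datetime] = None) -> Decision:
    """Clearance check, then label rules, then an audit entry for every outcome."""
    now = now or datetime.now(timezone.utc)
    clearance = ROLE_CLEARANCE.get(user.role, Classification.PUBLIC)
    if record.classification > clearance:
        decision = Decision(False, f"role {user.role} is cleared up to "
                                   f"{clearance.name}; record is {record.classification.name}")
    elif record.labels and record.subject_id not in user.treating:
        # Labelled records are not browsable: only staff treating the subject may open them
        decision = Decision(False, "labelled record requires an active treatment relationship")
    else:
        decision = Decision(True, "clearance and handling rules satisfied")
    AUDIT_LOG.append({
        "at": now.isoformat(),
        "user": user.user_id,
        "role": user.role,
        "record": record.record_id,
        "labels": sorted(record.labels),
        "allowed": decision.allowed,
        "reason": decision.reason,
        "review": bool(record.labels),  # every touch of a labelled record is queued for review
    })
    return decision


def entries_for_review(log: List[dict]) -> List[dict]:
    """Audit entries (allowed or denied) that involve a labelled record."""
    return [e for e in log if e["review"]]


# Constructed sample records
SAMPLE_RECORDS = [
    Record("rec-1001", "subj-1", Classification.CONFIDENTIAL),
    Record("rec-1002", "subj-2", Classification.CONFIDENTIAL, frozenset({ELEVATED_RISK})),
    Record("rec-1003", "subj-3", Classification.RESTRICTED, frozenset({RELATED_TO_STAFF})),
]

if __name__ == "__main__":
    nurse = User("u-nurse", "nurse", {"subj-1"})
    for rec in SAMPLE_RECORDS:
        d = decide_access(nurse, rec)
        print(rec.record_id, "ALLOW" if d.allowed else "DENY", d.reason)
    print(len(entries_for_review(AUDIT_LOG)), "entries queued for review")
```

Two design choices carry the clause's intent: the clearance comparison is done on an ordered classification scale rather than on role names, so adding a level or a role does not touch the decision logic, and denied attempts on labelled records are logged and queued for review just like allowed ones, which is what makes the labels useful for detecting unauthorized access to the records of staff, public figures or relatives of staff.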

    Human Resources Security

    One characteristic that the human resources department of a health organization has to deal with is the large number of temporary staff (contractors, volunteers, students, etc.). Such employees should have access to personal health information for a certain period of time and may move from one department to another or move between institutions or organizations. To enable control and management of the required access rights, the management of external or temporary human resources should be governed by rules and policies that will define the entire lifecycle of the employment.

    Prior to employment, specific roles and responsibilities for temporary or short term staff should be defined and laid down in the organization's information security policy and in corresponding job descriptions. Additionally, in order to know how and where to contact health professional staff, screening procedures should be applied and followed to maintain currency of contact information, whilst relationships with academic institutions or professional bodies may assist this task. Finally, prior to employment all employees that process or have access to personal health information should formally agree on clauses that depict their responsibilities related to information security. The formal agreement can have the form of terms and conditions of employment, which should

