Haris Hamidovic, CIA, ISMS IA, ITIL-F, IT Project+ and Jasmina Kabil
While the protection and security of personal information is important to all individuals, corporations, institutions and governments, there are special requirements in the health sector that need to be met to ensure the confidentiality, integrity, auditability and availability of personal health information. This type of information is regarded by many as being among the most confidential of all types of personal information.
ISO/IEC 27002 is already being used extensively for health informatics IT security management through the agency of national or regional guidelines in Australia, Canada, France, The Netherlands, New Zealand, South Africa and the United Kingdom. Interest is growing in other countries as well.1 ISO/IEC 27002 provides a list of commonly accepted control objectives and best practice controls to be used as implementation guidance when selecting and implementing controls for achieving information security.
The International Organization for Standardization (ISO) released ISO 27799:2008 to define guidelines to support the interpretation and implementation in health informatics of ISO/IEC 27002, and it is a companion to that standard (see figure 1). ISO 27799:2008 specifies a set of detailed controls for managing health information security and provides health information security best practice guidelines. The main objective of this article is to provide an introduction to the key elements of information security management in health care using ISO 27799:2008.
ISO/IEC 27002 is a broad and complex standard, and its advice is not tailored specifically to health care. ISO 27799 allows for the implementation of ISO/IEC 27002 within health environments, in a consistent fashion and with particular attention to the unique challenges that the health sector poses.
Take, for example, the information classification issue. Determining levels of protection for information assets in health care is complex, and comparisons with government or military data classifications can be misleading. The following are important characteristics of information assets within health care:2
Because one cannot predict the sensitivity of a given element of personal health information through all its uses and all the phases of its life cycle, all personal health information should be subject to suitably careful protection at all times. While all personal health information should be uniformly classified as confidential, practical considerations may necessitate identifying the records of subjects of care, who may be at elevated risk of access by those who do not have a need to know. Such individuals include employees of the organization itself (especially if their condition is one eliciting emotional behaviors), heads of government, celebrities, politicians, newsmakers and members of groups facing especially high risks (e.g., those with sexually transmitted diseases, those whose personal health information contains information about genetic predispositions to serious illnesses). The records of such individuals may need to be specially tagged so that access can be closely monitored. However, great care must be exercised in implementing such schemes, as this tagging can exacerbate the very problem it is designed to avoid. That is, it can draw attention to the particular data items tagged. It is also important to emphasize that while certain subjects of care may be at elevated risk, their personal health information is not innately more confidential than that of other subjects of care. All personal health information is confidential and should be treated accordingly.3
It is also important to note the special emphasis that needs to be placed in cases in which subjects of care do not wish their personal health information to be accessed by health workers who are neighbors, colleagues or relatives. Such concerns often make up a large percentage of complaints from those with fears about the confidentiality of their personal health information. Likewise, staff members often do not wish to be placed unnecessarily in the position of reviewing information about friends, relatives or neighbors. Effective management of health information systems needs to address these concerns.4
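The two preceding paragraphs describe a control (tagging the records of subjects of care at elevated risk so that access can be closely monitored) together with its caveat (a visible tag draws attention to exactly the records it is meant to protect) and the related concern about staff reviewing records of people they know. The following Python is an added illustration written for this article; it is not code from the article, from ISO 27799 or from any product. It assumes a constructed audit trail in a simple key=value line format, a keyed-hash (HMAC) list of flagged record identifiers that lives only in the audit-review tool so the clinical record itself carries no marker, a constructed staff directory mapping staff to their own patient record, and a constructed list of conflicts that staff have declared themselves. The declared-conflict list is an assumed control, not one the article names.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed demo key for the flag list. In practice it belongs to the
# audit-review tool's key store, never to the clinical record system.
FLAG_KEY = b"constructed-demo-key-not-for-production"


def flag_token(record_id: str, key: bytes = FLAG_KEY) -> str:
    """Keyed hash of a record id. Only these tokens are stored, so nobody
    browsing the record store can see which records are under close watch."""
    return hmac.new(key, record_id.encode(), hashlib.sha256).hexdigest()


# Records under close monitoring (constructed ids), held as tokens only.
FLAGGED_TOKENS = {flag_token(r) for r in ("P-1002", "P-1077")}

# Assumption: staff who are also subjects of care at this organisation,
# staff id -> their own record id (constructed).
STAFF_OWN_RECORD = {"dr.novak": "P-1077", "nurse.h": "P-2301"}

# Assumed control: conflicts staff declared themselves (relatives, neighbours),
# staff id -> record ids they asked not to be shown (constructed).
DECLARED_CONFLICTS = {"nurse.h": {"P-1002"}}

# Constructed audit-trail lines; not real data.
SAMPLE_AUDIT_LOG = [
    "2011-03-02T08:15:11 user=dr.novak record=P-0450 action=read reason=treatment",
    "2011-03-02T08:16:40 user=nurse.h record=P-1002 action=read reason=treatment",
    "2011-03-02T08:20:05 user=dr.novak record=P-1077 action=read reason=review",
    "2011-03-02T08:22:59 user=admin.k record=P-2301 action=read reason=billing",
]


@dataclass(frozen=True)
class Alert:
    ts: str
    user: str
    record: str
    rule: str


def parse_event(line: str) -> tuple[str, dict[str, str]]:
    """Split 'TIMESTAMP k=v k=v ...' into the timestamp and a field dict."""
    ts, rest = line.split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    return ts, fields


def review_access(lines, flagged_tokens=FLAGGED_TOKENS, staff_own=STAFF_OWN_RECORD,
                  conflicts=DECLARED_CONFLICTS, key=FLAG_KEY) -> list[Alert]:
    """Return one Alert per rule that an access event matches.

    Every access to a flagged record is reported, including legitimate
    treatment access: the control is close monitoring for human review, not
    blocking, which is why the list of matches is returned rather than acted on.
    """
    alerts: list[Alert] = []
    for line in lines:
        ts, f = parse_event(line)
        user, record = f["user"], f["record"]
        # Compare the keyed hash of the accessed id against the token list.
        if flag_token(record, key) in flagged_tokens:
            alerts.append(Alert(ts, user, record, "flagged-record-access"))
        # Staff opening their own record (employees are named as an elevated-risk group).
        if staff_own.get(user) == record:
            alerts.append(Alert(ts, user, record, "self-record-access"))
        # Staff opening a record they themselves asked not to be shown.
        if record in conflicts.get(user, set()):
            alerts.append(Alert(ts, user, record, "declared-conflict-access"))
    return alerts


if __name__ == "__main__":
    for a in review_access(SAMPLE_AUDIT_LOG):
        print(f"{a.ts} {a.rule:<26} user={a.user} record={a.record}")
```

Running the block over the four constructed lines yields four alerts: two for the nurse.h access to P-1002 (flagged and a declared conflict) and two for the dr.novak access to P-1077 (flagged and the user's own record); the routine treatment and billing accesses produce none. The point of the HMAC token list is the caveat from the text: the record store holds no flag, so the monitoring does not itself advertise which subjects of care are being watched.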
Until recently, the focus of protection has been on the IT systems that process and store the vast majority of information rather than the information itself. But, this approach is too narrow to accomplish the level of integration, process assurance and overall security that is now required. Information security takes a larger view that the content, information and knowledge based on it must be adequately protected, regardless of how it is handled, processed, transported or stored.
Information security governance is the responsibility of the board of directors and executive management. It must be an integral and transparent part of enterprise governance.5
As health organizations become more critically dependent on information systems to support care delivery, it becomes increasingly evident that events in which losses of integrity, availability and confidentiality occur may have a significant clinical impact, and that problems arising from such impacts will be seen to represent failures in the ethical and legal obligations inherent in a duty of care.
All countries and jurisdictions will undoubtedly have case studies in which such breaches have led to misdiagnoses, deaths or protracted recoveries. Clinical governance frameworks, therefore, need to treat effective information security risk management as equal in importance to care treatment plans, infection management strategies and other core clinical management matters.6
There are several types of health information whose confidentiality, integrity and availability need to be protected7:
The extent to which confidentiality, integrity and availability need to be protected depends upon the nature of the information, the uses to which it is put and the risks to which it is exposed. For example, statistical data (number 3 in the previous list) may not be confidential, but protecting its integrity may be important. Likewise, audit trail data (number 7 in the previous list) may not require high availability (frequent archiving with a retrieval time measured in hours rather than seconds may suffice in a given application), but its content may be highly confidential.
Risk assessment can properly determine the level of effort needed to protect confidentiality, integrity and availability. The results of regular risk assessment must be fitted to the priorities and resources of the implementing organization.
The types of information security threats and vulnerabilities vary widely, as do their descriptions. While none is truly unique to health care, what is unique in health care is the array of factors to be considered when assessing threats and vulnerabilities.8
By their nature, health organizations operate in an environment in which visitors and the public at large can never be totally excluded. In large health organizations, the sheer volume of people moving through operational areas is significant. These factors increase the vulnerability of systems to physical threats. The likelihood that such threats will occur may increase when emotionally or mentally ill subjects of care or relatives are present.
Many health organizations are chronically underfunded and their staff members are sometimes obliged to work under significant stress. This can often result in heightened error rates, including the performance of incorrect procedures. Other consequences of such resource constraints include systems designed, implemented and operated in an overly casual manner or systems kept in service long after they ought to have been retired. These factors can increase the potential for certain types of threats and can exacerbate vulnerabilities. On the other hand, clinical care is still a process that involves a range of professional, technical, administrative, ancillary and voluntary staff, many of whom see their work as a vocation. Their dedication and diversity of experience can often reduce exposure to vulnerabilities. The high level of professional training received by many health professionals also sets health care apart from many other industrial sectors in reducing the incidence of insider threats.
The critical importance of correctly identifying subjects of care and correctly matching them to their health records leads health organizations to collect detailed, identifying information. Regional or jurisdictional patient registries (i.e., registries of subjects of care) are sometimes the most comprehensive and up-to-date repositories of identifying information available in a jurisdiction. This identifying information is of great potential value to those who would use it to commit identity theft and, therefore, must be rigorously protected.
The health environment, with its unique threats and vulnerabilities, should be considered with special care.
Data protection legislation in Bosnia and Herzegovina, for example,9 as well as in many other countries, governs the treatment of certain types of information, broadly defined as information about individuals, described as “personal data” in the legislation. This article will reflect on the relevant legislation of Bosnia and Herzegovina as an example, but most countries have similar legislation in place.
These laws aim to impose minimum standards on those handling such information, with a view toward protecting the privacy of the individuals involved. Bosnia and Herzegovina’s data protection law is based on the European Union (EU) Data Protection Directive.10
Many data protection laws as well as the EU Directive require that the data controller implement appropriate technical and organizational measures to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing. Such measures need to ensure a level of security appropriate to the risks represented by the processing and the nature of the data to be protected.11
Special categories of personal data include all personal data that, among other things, reveal state of health and genetic code.12 The data controller must take additional technical and organizational measures in processing the special categories of personal data.13
International health-related applications may require personal health data to be transmitted from one nation to another across national borders. This is evident in telemedicine or when data are electronically dispatched, for example, in an e-mail or as a data file to be added to an international database. It also occurs, but less obviously, when a database in one country is viewed from another, for example, over the Internet. Such an application may appear passive, but the act of viewing involves disclosure of data and, thus, is processing. Moreover, such viewing of data requires a download that may be automatically placed in a cache and held there until emptied; this is also processing and involves a particular security hazard.14
Under the Directive, personal data may not be transferred outside the European Economic Area (EEA)15 unless the data controller assures an “adequate level of privacy protection.”16 The data protection law in Bosnia and Herzegovina (Article 18) sets the same requirement for transfer of personal data outside the country.17
A data controller transferring personal health data to another country will need to be assured that the data importer has in place the necessary organizational and technical security measures to protect the transferred data.
Compliance with industry standards is no guarantee of compliance with legal obligations. Yet, for companies seeking a shortcut to global compliance with security obligations, the ISO 27001 international standard is worth considering. Although compliance with ISO 27001 does not guarantee legal compliance (i.e., it is not a safe harbor),18 it may offer companies a good starting point on the road to addressing international legal requirements for security.19
ISO/IEC 27001 provides normative requirements for the development and operation of an information security management system (ISMS), including a set of controls for managing and mitigating the risks associated with the information assets that the organization seeks to protect by operating its ISMS. Organizations operating an ISMS may have their conformity audited and certified.20 This is, in essence, similar to the concept of a comprehensive information security program as defined in many security statutes and regulations. The ISO 27001 process approach includes all of the elements that appear in the various legal requirements, although it organizes them somewhat differently.21
An organization needs to undertake the following steps in establishing, monitoring, maintaining and improving its ISMS:22
To ensure that the ISMS is effectively protecting the organization’s information assets on an ongoing basis, it is necessary for these steps to be continuously repeated to identify changes in risks or in the organization’s strategies or business objectives.
Health-informatics systems must meet unique demands to remain operational in the face of natural disasters, system failures and denial-of-service attacks. At the same time, the data they contain are confidential and their integrity must be preserved. Because of these critical requirements, and regardless of their size, location and model of service delivery, all health care organizations need to have stringent controls in place to protect the health information entrusted to them.
ISO 27799:2008 and ISO/IEC 27002 taken together define what is required in terms of information security in health care; they do not define how these requirements are to be met. That is, to the fullest extent possible, ISO 27799:2008 is technology-neutral. Neutrality with respect to implementing technologies is an important feature. Security technology is still undergoing rapid development, and the pace of that change is now measured in months rather than years.
In the health context, information about individuals needs to be collected, stored and processed for many purposes, the main ones being:
Data protection laws in many countries require that the data controller implement appropriate technical and organizational measures to ensure a level of security appropriate to the risks represented by the processing of the personal data. Health information is considered a special category of personal data, for which an extra level of protection is required under data protection rules.
Application of best practices proposed by the international industry standard ISO 27799:2008 is no guarantee of compliance with legal obligations, but it may offer health care organizations a good starting point on the road to addressing international legal requirements for security in health.
1 International Organization for Standardization, ISO 27799:2008, Information security management in health using ISO/IEC 27002, 2008
2 Ibid.
3 Ibid.
4 Ibid.
5 ISACA, CISM Review Manual 2011, USA, 2010
6 Op cit, ISO 2008
7 Ibid.
8 Ibid.
9 Bosnia and Herzegovina, “The Law on Personal Data Protection,” Official Gazette of Bosnia and Herzegovina, no. 49/06
10 European Union, The Data Protection Directive, Directive 95/46/EC
11 Ibid.
12 Ibid.
13 Council of Ministers of Bosnia and Herzegovina, Regulation on storage and specific technical measures of personal data protection, 2009
14 International Organization for Standardization, ISO 22857:2004, Health informatics—Guidelines on data protection to facilitate trans-border flows of personal health information, 2004
15 The EEA is the European Union together with Iceland, Liechtenstein and Norway.
16 Op cit, European Union
17 Op cit, Bosnia and Herzegovina
18 ISO 27001 specifically states that “compliance with an international standard does not in itself confer immunity from legal obligations.”
19 Smedinghoff, Thomas J.; Information Security: The Emerging Standard for Corporate Compliance, IT Governance Ltd., 2008
20 International Organization for Standardization and International Electrotechnical Commission, ISO/IEC 27001:2005, Information security management system—Requirements, 2005
21 Op cit, Smedinghoff
22 International Organization for Standardization and International Electrotechnical Commission, ISO/IEC 27000:2009, Information security management systems—Overview and vocabulary, 2009
Haris Hamidovic, CIA, ISMS IA, ITIL-F, IT Project+, is chief information security officer (CISO) at Microcredit Foundation EKI Sarajevo, Bosnia and Herzegovina. Prior to his current assignment, Hamidovic served as IT specialist in the North Atlantic Treaty Organization (NATO)-led Stabilization Force (SFOR) in Bosnia and Herzegovina. He is the author of five books and more than 70 articles for business and IT-related publications.
Jasmina Kabil is a teaching and research assistant for the Faculty of Education and Rehabilitation Sciences, University in Tuzla, Bosnia and Herzegovina. Prior to her current assignment, Kabil worked as database manager and interpreter for the United Nations’ International Police Task Force (IPTF) in Bosnia and Herzegovina.
The ISACA Journal is published by ISACA. Membership in the association, a voluntary organization serving IT governance professionals, entitles one to receive an annual subscription to the ISACA Journal.
© 2011 ISACA. All rights reserved.