Health informatics – Information security management in health using ISO/IEC 27002
Guidelines for organisational information security management practices in the health sector, such as managing, implementing and choosing controls, taking into account the organisation's information security risk environment(s).
BS EN ISO 27799:2016 supports the implementation and interpretation of ISO/IEC 27002 in health informatics systems.
It helps with the selection of the controls described in ISO/IEC 27002, supplementing them where relevant so that they can be used for managing health information security effectively. Healthcare organisations that implement ISO 27799 will be able to offer a minimum level of security that will uphold the confidentiality, integrity and availability of personal health information in their care.
The Standard applies to all aspects of health information in all forms (numbers, sound recordings, words, videos, drawings and medical images), however it is stored (written on paper, stored electronically or printed), and whatever means are used to transmit it (by fax, over computer networks, by post or by hand), so that the information is always suitably protected.
When used together, ISO 27799 and ISO 27002 define the requirements for information security in the healthcare sector. However, it is important to note that these standards do not define how those requirements are to be met.
ISO 27799 is technology-neutral. This matters because security technology develops rapidly, while international standards are generally expected to remain current for several years. Technological neutrality leaves service providers and vendors free to propose new technologies that meet the requirements described by ISO 27799.
Outside the scope of ISO 27799 are: