Published in late 2010, the ISO 27799 is an international standard for securing information systems in the health sector. The ISO 27799 is based on the general information security standard ISO 27001 and its expansion to the field of securing medical information.
The standard scope includes the relevant information security officials at the health sectors, in addition to other entities holding medical information that seek to act according to international rules, including Information security consultants, audit personal and suppliers. It provides means to deal with inherent weaknesses of health organizations. The standard lists variety of security threats which organizations need to consider when assessing risks, such as:
- Large volumes of individuals (personal and visitors) passing through the operational areas expose the IT system to physical threats
- Constant budget gaps lead health teams to work on unsecure environment, for example- operational systems that are not updated or replaced on time
- Administrative needs require health organizations to manage databases (such as the prescription database). These databases are a tempting target for criminals and fraudsters who wish to steal identities
According to Health Ministry director general circular from September 2012:
- The standard will become mandatory regulation for health organizations from the end of year 2013
- Suppliers with this certification should be prioritized
In addition, this certification has number of important added values:
- Detailed mapping of organizational critical information assets and characterizing their importance level based on the CIA (Confidentiality , Integrity , Availability) model
- Creating an inherent, built-in and organized mechanism for information security management, and especially for the routine and daily conduct of the organization while maintaining the confidentiality of critical information, availability of information and computer systems and ensuring the integrity and correctness of information
- Reducing exposure to risks, that reproduce at exponential rate- reputation damage, legal exposures and financial implications
- Creating a practical mechanism for proper planning of information security budgets and prioritization of resources allocation for information security
IPV Security has a team of experts with extensive and vast experience in ISO 27799 certification, which is in continuous contact with representatives of the regulatory organizations and the leading global information security firms. The result - Adaptation of the information security risk management system to the organization's needs (standards, regulatory) in an efficient, yet focused process on the one hand, transparent and applicable at all levels of the organization, from management to the level of the employee, on the other hand.
This unique experience allows, within a few weeks, to build a management system that includes information security policy and procedures in order to deal with the threat origins (internal, external, partners, etc.) which vary and increase frequently.
