ISO-27799 What is it?
Fourth Dimension Electronic Medical & Pharmaceutical Services Inc.
Dynamic innovations in health care Informatics
ISO 27799:2008 Health informatics — Information security management in health using ISO/IEC 27002
This standard was published in June 2008 by ISO technical committee TC215, responsible for health informatics.
"ISO 27799:2008 defines guidelines to support the interpretation and implementation in health informatics of ISO/IEC 27002 and is a companion to that standard.
ISO 27799:2008 specifies a set of detailed controls for managing health information security and provides health information security best practice guidelines. By implementing this International Standard, healthcare organizations and other custodians of health information can ensure a minimum required level of protection appropriate to their organization's circumstances, maintaining the confidentiality, integrity and availability of personal health information.
ISO 27799:2008 applies to health information in all its aspects. Whatever form the information takes (words and numbers, sound recordings, drawings, video and medical images), whatever means are used to store it (printing or writing on paper or electronic storage), and whatever means are used to transmit it (by hand, via fax, over computer networks or by post), the information must always be protected."
The purpose:
"This International Standard guides healthcare organizations and other custodians of personal health information on how best to protect the confidentiality, integrity and availability of such information by implementing ISO/IEC 27002. Specifically, this International Standard addresses the health sector's special information security management needs and its unique operating environments. While the protection and security of personal information are important to all individuals, corporations, institutions and governments, there are special requirements in the health sector that need to be met to ensure the confidentiality, integrity, auditability and availability of personal health information. This type of information is regarded by many as being among the most confidential of all types of personal information. Protecting this confidentiality is essential if the privacy of care subjects is to be maintained. The integrity of health information must be protected to ensure patient safety, and an important component of that protection is ensuring that the information's entire life cycle is fully auditable. The availability of health information is also critical to effective healthcare delivery. Health informatics systems must meet unique demands to remain operational in the face of natural disasters, system failures and denial-of-service attacks. Protecting the confidentiality, integrity and availability of health information, therefore, requires health-sector-specific expertise ... It is not intended to supplant ISO/IEC 27002 or ISO/IEC 27001. Rather, it complements these more generic standards ... Annex A describes the general threats to health information. Annex B briefly describes other standards that apply to specific aspects of health information security. Annex C discusses the advantages of support tools to aid implementation."