Efficiency and security of the Norwegian National Health Network
Upcoming SlideShare
Loading in...5

Like this? Share it with your network


Efficiency and security of the Norwegian National Health Network

Uploaded on


  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Be the first to comment
    Be the first to like this
No Downloads


Total Views
On Slideshare
From Embeds
Number of Embeds



Embeds 0

No embeds

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

    No notes for slide


  • 1. Efficiency and security of the Norwegian National Health Network Janicke Weum Halvor Bjørnsrud Office of the Auditor General of Norway Beijing, April 2010
  • 2. Content
    • Background information
    • Methodological approach
    • Adopted process of investigation
    • Preliminary findings
    • Lessons learned
  • 3. Background
    • The Norwegian National Health Network
      • technical infrastructure for electronic interchange of individual health data
      • a main ICT-policy instrument in achieving superior political objectives on health-IT
    Helse Nord Helse Midt-Norge Helse Sør-Øst Helse Vest Svalbard
  • 4. Figure: The National Health Network
  • 5. Background
    • The Network is operated by the public owned enterprise Norwegian Health Net (NHN)
    • NHN
      • established in 200 4
      • shall provide for an adequate technical infrastructure which allows for efficient and secure electronically communication among main health partners
  • 6. Background
    • Main health partners are e.g.: hospitals, general practitioners (GP's), medical specialists, municipalities, laboratories, pharmacies and the National Social Security Agency
    • National goal: by 2012, all main health partners are to be connected to the National Health Network
    • Connected users by the end of 2009: app. 2050
    - app. 500 Others 47,5 204 Municipalities 69,5 1130 GP’s 100 212 Hospitals % of total national population Connected Users
  • 7. Why investigate?
    • Health data
      • defined as sensitive information
      • national infrastructure must be in accordance with legislation and expectations concerning information security
      • requires a sufficient Information Security Management System (ISMS) for operating the Network
      • responsibility of NHN
    • Risk
      • incidents demonstrate defects in the ISMS, e.g. September 2008.
      • Indicates that privacy and protection measures may not be consistently and effectively built into the ISMS
    • Objective of investigation
      • investigate the efficiency and security of the ISMS for operating the National Health Network
  • 8. How to investigate?
    • Methods
      • specific risk-analysis and document analysis
      • interviews
      • on-site inspections
    • Measurement tools
      • national legislation and regulation
      • international standards and frameworks such as
      • ISO / IEC 27001, ISO / IEC 27002, COBIT and ITIL
  • 9. Adopted process
    • Included ICT-audit expertise in the project team
    • Obtained basic documentation on the ISMS
    • Performed analysis on risks to the ISMS in relation to the National Health Network
    • Obtained additional documentation from the NHN
  • 10.
    • Defined 8 topics of focus
      • assessment of risk- and security
      • training of clients on information security
      • monitoring of activity in the Network
      • handling of derogations and security incidents in the Network
      • handling of planned changes in the different services accessible to clients
      • encryption of individual health data
      • handling of breakdowns in the Network
      • administration of access control
    • Performed interviews and on-site inspections
    Adopted process
  • 11. Preliminary findings
    • NHN executive handling is potentially less efficient due to the lack of adequate routines for handling of derogations and security incidents
    • The National Heath Network is exposed to external threats:
      • NHN haven’t provided for sufficient monitoring and security barriers
      • NHN risk-assessments are not sufficiently adapted to the responsibility of the enterprise, and threats to the Network
  • 12. Lessons learned
    • Scope
      • Investigations concerning information security may also be integrated as part of more comprehensive performance audits
    • Include ICT-audit experts
  • 13. Contact information
    • Halvor Bjornsrud
      • E-mail: halvor.bjornsrud@riksrevisjonen.no
      • Telephone: +47 22 24 14 15
    • Janicke Weum
      • E-mail: janicke.weum@riksrevisjonen.no
      • Telephone: +47 22 2412 04