766 R. Gomes and L.V. Lapão / The Adoption of IT Security Standards in a Healthcare Environmentframework for assessing, managing and reducing IT risks. We aim at applying theISO27002 standards to HSS taking advantage of its comprehensiveness inimplementation details. One must recognise that each framework has their ownweaknesses and strengthens; e.g. ISO27002 has a complete level of security, but doesnot contain product-oriented measures, such as those used on COBIT .1. The IT Security Standards in the Healthcare EnvironmentThe use of standards can be viewed from legal and IT architecture perspectives .From the legal perspective, there are ranges of standards that either recommendsgeneral or specific scenarios in healthcare. In the USA, HIPAA is a legal requisite andcomprehensive health information protection policy, which promotes the developmentof electronic healthcare transactions and specifically addresses the issues of privacy andsecurity for health related information . The security element specifically distinguishthe innate problems in using electronic forms of records keeping and the changingnature of the technology upon which such records are recorded, used and stored.HIPAA has suffered many delays but it had a clear impact on services feasibility .From IT standards perspective, we refer to ISO27002 (former British Standard Institute(BSI) 7799-1:1999) to assist in the development of security plans. It is a “Code ofPractice” purposeful on high-level security management, revised in 2005 to covercurrent technology and business practices. ISO 27002 is intended as a common basisand practical guideline for developing organizational security standards and effectivesecurity management practices based on 11 main sections. As a code of practice itcannot be used for certification, so another standard has been developed ISO 27001(information security management system requirements) which is certifiable . Thisstandard specifies the requirements for security implementation that is customizable forindividual organizations. ISO standards are only a starting point, as they do not containwidespread information on how security measures should be implemented ormaintained. Other standards exist for specific proposes of health information,particularly for use in e-health information exchange, like HL7  developed as astandard for clinical information exchange and based predominantly on the HIPAAguiding principles. In addition, the CEN (European Committee for Standardization) isputting significant effort into development of healthcare information systems securityin Europe. However, this has resulted in an assorted range of standards being developedfor specific instances of technology use. Many standards do not include sufficientsecurity-related provision and given the complex nature of standards, it has resulted ina large number of providers selling security management solutions for interpretation ofthe standards and also to explore its implementation.2. The Process of Adoption of IT Security Standards: The role of the CIOIt is now accepted that healthcare is one of the most complex businesses with a largediversity of types of interactions [11, 12]. The possibility of using IS to support theservices delivery also opens new opportunities. Smith  and others  haveproposed that only Information Systems (IS) could bridge the information “chasm”.Interoperability of healthcare systems can play a critical role in this process. TheInstitute Of Medicine reports [14, 15] identified weaknesses in the design and safety of
R. Gomes and L.V. Lapão / The Adoption of IT Security Standards in a Healthcare Environment 767healthcare IS whereas interoperability rules’ utilization can provide additional pressureto help the proper use of technology in that regard . Both technical and semanticinteroperability require a wide organizational agreement on standards. Both representhuge tasks to be accomplished and require people in the organization to deal with it.Specialized groups such as IHE are pushing the debate and developing interoperabilityprofiles to tighten areas of ambiguity en route to stronger interoperability. The HL7’sElectronic Health Record (EHR) group has produced many reports and other materialsto guide technology managers towards interoperability. But before going into thissophisticated processes there are many other basic areas that need to be properlycovered, being security issues one of them. The human and organizational side of theinteroperability has been mostly forgotten [17, 18]. For a long time healthcare processengineering was also not taken very seriously . In order to take advantage of an ISit is necessary a leadership to promote the alignment of business with IS. In thiscomplex environment the role of the Chief Information Officer (CIO) is critical toensure good focus on organizational specificities. It was recognized that bestperforming HIS departments were related with department heads that matched CIOattributes , like openness to suggestions and excellent relationship with otherhealthcare professionals; leadership skills, which help them to address challenges;meaningful negotiation skills which are used in their relationships with the vendors,openness to bolder projects with new technologies; etc. Healthcare CIOs are a kind of“special people” that push the organization further through an innovative use oftechnology [18, 20]. They know that pushing for interoperability will allow theorganization to be more productive and less inefficient. Interoperability in anorganization can also mean data access safety and security.3. The Hospital S. Sebastião Information Security CaseHSS is integrated in the National Health Service providing tertiary health care servicesfor all citizens of its geographical area. Built in 1999, it covers an area with 367 000inhabitants. HSS was chosen to become involved in an innovative managementframework, supported by the Ministry of Health, to show the evidence of the improvingefficiency of the new framework.3.1 HSS Information System ArchitectureHospital owns today a unified IS platform that aims to serve not only administrativeand management purposes but mainly patients needs, helping professionals doing theirjob correctly. This middle management application provides approximately 320physicians and 510 nurses with an integrated view of all clinical information relatedwith the patients, from exams to surgery reports. Since 1999, those physicians createand stores medical records through the hospital’s datacenter storage bank. The ISarchitecture is showed below (Figure 1.), where all the exclusively solutions contributeto grow the datacenter databases on consolidate and concentred ness philosophy.
768 R. Gomes and L.V. Lapão / The Adoption of IT Security Standards in a Healthcare Environment Figure 1. HSS information System Architecture Overview. The architecture definition was a long working process. The hospital board haverecognized that a huge effort was carried out to minimise risks concerning theinformation management, data privacy and protection. This level of maturity wasachieved in 2003, though these good principles are still not enough. These firstsuccesses encouraged the CIO, the IT personnel and top managers to be more focusedon the improvement of the information security management.3.2 CIO Role in the HSS IT Security ApproachThe CIO created a team to address the IT security at the HSS. After relevant literatureand practices review, it was selected the ISO27002 rather then COBIT. COBIT’sentirety would make implementation onerous and if one compared it with ISO27002, itis easy to see that it focuses more on efficiency and effectiveness of IT environmentrather than information security linked to business issues. It was recognized thatISO27002 represents a good mix of international acceptance level and fullcomprehensiveness, as well as it is dedicated most exclusively for information securitypractices built around policy and process management. However, in the future it couldbe necessary to implement some COBIT measures to accomplish ISO27002 goodpractices. The applications servers and databases are all concentrated and beneath acontrolled physical habitat, and what concerns securing and managing information, theprerequisites surround ISO27002 were recognized as an excellent point of reference tostarting managing the information security. Some of controls of this standard have beenimplemented over a hospital datacenter infrastructure area and the focus has been ITand security policies as a best practice for information security management in the dailybasis procedures operation. ISO27002 provides best practice recommendations oninformation security management for use by those who are responsible for initiating,implementing or maintaining information security management systems. 11 mainsections border physical and logical preservation of confidentiality, integrity andavailability properties. Making analogy with ISO quality standards and their way ofmanaging and improving hospital made process of ISO27002 implementation as easyas possible. Analogically to quality manager, information security manager observessituation, gives regular assessments, and then recommendations for improvement,afterwards business managers determine to what issues investments should be put in aswell as their priority. All 11 ISO27002’s control chapters have subset elements. To
R. Gomes and L.V. Lapão / The Adoption of IT Security Standards in a Healthcare Environment 769provide performance measurement HSS rated the 39 main security categories, based onISO27002 structures and according to a simple level of risk scale H-M-L (High-Medium/Moderate-Low/Tolerable). The following table 1., concisely shows the risklevels for each control area helping the CIO to rapidly overview the whole picture ofinformation security and to identify priority actions. Table 1. Risk Levels in the ISO 27002 Risk Level # ISO 27002 Section (control objective) H M L 1 Security Policy 0 1 0 2 Organizing Information Security 0 1 1 3 Asset Management 2 0 0 4 Human Resources Security 0 1 2 5 Physical and Environmental Security 1 1 0 6 Communications & Operations Management 8 2 0 7 Access Control 5 2 0 8 Information Systems Acquisition, Development and Maintenance 0 4 2 9 Information Security Incident Management 0 2 0 10 Business Continuity Management 0 0 1 11 Compliance 0 1 2 The application of this framework has been quite successful at HSS. For instance,section 3, 5, 6 and 7 were well accomplished in the datacenter infrastructure whereasthe security assessment sections were based on the most relevant high-risk level controlobjective.3.3 IT Security Project IssuesCEO and CIO have assumed the project and the relevance of a security auditing and it’simplications: for instance, the obligation to up-grade, both physically and logically, thedatacenter, and to change the daily modus operandi. The hospital board decided to hirean auditor (named by SINFIC, a BSI certificated partner). The auditor applied a GapAnalysis with five major steps: 1. Project planning, to ensure that expectations,timelines and deliverables are appropriately managed. 2. During the Information-gathering phase many players were interviewed to determine the business environmentand current security management and system administration processes through in-depthdiscussions with key players in the organization. 3. At the Review and Analysis stageSecurity Policies, Procedures and Practices were addressed to evaluate the existingsecurity policies, procedures and practices, and compare it with the ISO27002international security standard and industry best practices. 4. The Review and Analysisstage results help to write down a concise, detailed technical and ISO27002 SecurityAssessment Executive Summary Report. 5. External and Internal vulnerabilityscanning to discover all devices and applications across the datacenter, and to identifyand eliminate the security threats that make datacenter infrastructure attacks possible.
770 R. Gomes and L.V. Lapão / The Adoption of IT Security Standards in a Healthcare Environment4. ConclusionsFrom the case presented one should conclude that rules code of practice or standardsare essential to ensure the delivery of benefits to the patient and healthcare providers ininformation interoperability. This is only part of a bigger effort to implement acomprehensive strategy that allows consistency of information collection and sharingwithin the healthcare sector. This effort will establish a secure infrastructure betweenorganizations over which to share patient secure information. It is required acomprehensive set of standards that define practical guidelines for the healthcarecommunity, for which ISO27002 is a good benchmarking. Its area of application is aset of diverse and heterogeneous organizations like public hospitals, private, specialistsand general practitioners. It means that specific targeted standards should be developedor established for the protection of sensitive information, and not left to individualinterested parties to build up. It also means that we are facing a rather new field yet tobe proven, implying that the CIO responsible for the implementation of an IS securityframework will have to deal with its many variables and barriers. The CIO role andunderstanding of the organization’s environment is key to deliver real interoperabilitypotential to the organization to patients’ benefit.References Thompson T. US Former secretary of Health and Human Services Keynote Speech at the 2007 CDHC Expo, Business Wire, Nov. 13, 2006. Bell K. “HIT and Pay for Performance”. Acting Deputy, US Office of the National Coordinator for Health Information Technology Keynote Speech at the HIT Symposium at MIT, July 17, 2006. COSO. "Committee Of Sponsoring Organizations of the Treadway Commission" controls financial processes. COBIT. Control Objectives for Information and related Technology”, control focuses on IT. HIPAA. “Health Insurance Portability and Accountability Act”, to insurance protection and promoting communications standards in healthcare, HHS Report 1997. ISO/IEC 27002:2005 Information technology -Security techniques - Code of practice for information security management, International Standards Organization, 2005. The Role of Standards in Medical Information Security: An Opportunity for Improvement. P. A. H. Williams , School of Computer and Information Science Edith Cowan University Joondalup, Western Australia HHS (2007), Health Information Privacy Act (HIPAA). http://www.hhs.gov/ocr/ (accessed on the 21st October 2007). ISO/IEC 27001:2005 Information technology Security techniques - Information security management systems - Requirements, International Standards Organization, ISO/IEC 2005. Health Level 7 - ANSI - application layer 7 in the OSI model accredited standards for electronically defining clinical and administrative data in the healthcare industry: www.hl7.org, accessed on the 3rd November 2007. Plsek P and Wilson T. Complexity Sciences: Complexity, leadership, and management in healthcare organisations. BMJ 2001; 323: 746-9. Lapão LV. Survey on the Status of the Hospital Information Systems in Portugal, Methods of Information in Medicine, 2007 46 4: 493-499. Smith R. The future of health care systems. BMJ, 314:1495 (24 May) 1997. IOM Report, Crossing the Quality Chasm: A New Health System for the 21st Century, Institute of Medicine, 2001. IOM Report, To Err is Human. Institute of Medicine, 1999. Lenz, R and Kuhn, KA. Integration of Heterogeneous and Autonomous Systems in Hospitals, Data Management & Storage Technology 2002. Lorenzi N and Riley R. Organizational Aspects of Health Informatics, Springer-Verlag, 1995. Ash JS, Stavri PZ, Kuperman GJ. A Consensus Statement on Considerations for a Successful CPOE Implementation. J Am Med Inform Assoc. 2003 May-Jun;10(3):229-34. Mango PD, Shapiro LA. Hospitals get serious about operations, The McKinsey Quarterly 2001 No.2. Broadbent M, Kitzis E. The New CIO Leader: Setting the Agenda and Delivering Results. Harvard Business School Press (December 2004).