This document summarizes a study on the adoption of IT security standards in a Portuguese hospital, Hospital S. Sebastião (HSS). It discusses how the hospital implemented several controls from the ISO 27002 security standard to improve the security of its datacenter infrastructure. The Chief Information Officer (CIO) led the project to assess security risks and to prioritize the implementation of standards so that high-risk areas were addressed first. An external auditor conducted a gap analysis and vulnerability scanning. Implementing the standards helped structure the hospital's security management practices and increased the confidence of patients and partners.
A to Z of Information Security Management - Mark Conway
The purpose of information security is to protect an organisation’s valuable assets, such as information, intellectual property, hardware, and software.
Through the selection and application of appropriate safeguards or controls, information security helps an organisation to meet its business objectives by protecting its physical and financial resources, reputation, legal position, employees, and other tangible and intangible assets.
In this A to Z I’d like to outline some of the key focus areas for organisations wishing to pursue compliance with the ISO27001 Information Security standard.
ISMS Implementer Course Module 1: Introduction to Information Security - anilchip
This is Module 1 of the ISMS implementation course, a 3-day hands-on course with case studies. This sample module also has audio attached to the presentation, so while running the file please ensure your audio is switched on.
Certified Health Informatics Systems Professional offered by American Societ... - SioConsulting
The Certified Health Informatics Systems Professional (CHISP™) certification indicates that an individual of high professional integrity has passed a HIT certification examination sponsored by the American Society of Health Informatics Managers (ASHIM™).
For more information, you can visit http://www.ashim.org
The security of information systems and business-critical information needs constant managing to ensure your operational continuity and data protection. ISO 27001 Information Security Management Systems certification allows you to stand out from the competition through strong information security measurement.
DIGITAL HEALTH: DATA PRIVACY AND SECURITY WITH CLOUD COMPUTING - Akshay Mittal
Emerging Threats and Countermeasures - Digital health is the convergence of digital technology in healthcare. The emerging technology and the use of innovations are needed in healthcare for advancements and better outcomes. With the use of innovations, new threats and challenges are emerging in the industry which need to be managed for efficient operations.
In this article I will provide an overview of a new Information Security Management System standard, ISO/IEC 27001:2013, the new standard just published a few days earlier.
ISO/IEC 27001:2013 provides requirements for establishing, implementing, maintaining and continually improving an Information Security Management System.
ISO/IEC 27001:2013 gives organizations a perfect information security management framework for implementing and maintaining security.
In this article, I tried to shed some light on the new standard and its mandatory requirements, optional requirements, structure, benefits, certification process and estimated time for implementation and certification.
Survey of open source health information systems - hiij
Due to the Health Information Technology for Economic and Clinical Health Act (HITECH), the US medical industry has been given a directive to transition to electronic health records. Electronic Health Records will enhance efficiency and quality of patient care. In this paper, open-source health information systems are surveyed. These systems include electronic medical records, electronic health records and personal health record systems. Their functionality, implementation technologies used, and security features are discussed.
ISO/IEC 27001 Foundation training course by Interprom - Mart Rovers
What is involved with the ISO/IEC 27001 Foundation certification training course? Learn about the course curriculum, target audience, duration, formats, exam, fees and much more.
ISO 27001:2013 is the international standard that provides a framework for Information Security Management Systems (ISMS) to provide continued confidentiality, integrity and availability of information as well as legal compliance.
ISO 27001 certification is essential for protecting your most vital assets like employee and client information, brand image and other private information. The ISO standard includes a process-based approach to initiating, implementing, operating and maintaining your ISMS.
This implementation guide will help you run through the benefits, PDCA Cycle and Annex SL structure in detail for implementing ISO 27001.
Find out more or get a quote for certification here – https://www.nqa.com/en-gb/certification/standards/iso-27001
Because putting patients’ needs first is essential in the healthcare industries, many healthcare systems face health information technology (HIT) related challenges and a patient service dilemma. We will first present the patient service dilemma and provide a high-level overview of technologies that have increased productivity, efficiency in providing care, and clinical collaboration across their various healthcare campuses. Then, we will suggest changes to current HIT practice that will enable Health Systems to be Health Insurance Portability and Accountability Act (HIPAA) compliant, while meeting the needs of patients, their expectations of care, and the changing healthcare industry.
2019 14th Iberian Conference on Information Systems and Tech.docx - jesusamckone
2019 14th Iberian Conference on Information Systems and Technologies (CISTI)
19 – 22 June 2019, Coimbra, Portugal
ISBN: 978-989-98434-9-3
How ISO 27001 can help achieve GDPR compliance
Isabel Maria Lopes
Polytechnic Institute of Bragança, Bragança, Portugal
UNIAG, Polytechnic Institute of Bragança, Portugal
ALGORITMI Centre, Minho University, Guimarães,
Portugal
[email protected]
Pedro Oliveira
Polytechnic Institute of Bragança, Bragança, Portugal
[email protected]
Teresa Guarda
Universidad Estatal Península de Santa Elena – UPSE, La
Libertad, Ecuador
Universidad de las Fuerzas Armadas – ESPE, Sangolqui,
Quito, Ecuador
ALGORITMI Centre, Minho University, Guimarães,
Portugal
[email protected]
Abstract — Personal Data Protection has been among the most discussed topics lately and a reason for great concern among organizations. The EU General Data Protection Regulation (GDPR) is the most important change in data privacy regulation in 20 years. The regulation will fundamentally reshape the way in which data is handled across every sector. Organizations had two years to implement it. As referred to by many authors, the implementation of the regulation has not been an easy task for companies. The question we aim to answer in this study is how far the implementation of ISO 27001 standards might represent a facilitating factor for organizations towards easier compliance with the regulation. In order to answer this question, several websites (mostly of consulting companies) were analyzed, and the aspects considered as facilitating are listed in this paper.
Keywords - regulation (EU) 2016/679; general data protection regulation; ISO/IEC 27001.
I. INTRODUCTION
In recent years, data protection has become a forefront issue in cyber security. The issues introduced by recurring organizational data breaches, social media and the Internet of Things (IoT) have raised the stakes even further [1, 2]. The EU GDPR, enforced from May 25 2018, is an attempt to address such data protection. The GDPR makes for stronger, unified data protection throughout the EU.
The EU GDPR states that organizations must adopt appropriate policies, procedures and processes to protect the personal data they hold.
The International Organization for Standardization (ISO)/International Electrotechnical Commission (IEC) 27000 series is a set of information security standards that provide best-practice recommendations for information security management [3].
This international standard for information security, ISO 27001, provides an excellent starting point for achieving the technical and operational requirements necessary to reduce the risk of a breach.
Not all data is protected by the GDPR, since it is only applicable to personal data. This is defined in Article 4 as follows [4]:
“personal data” means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable.
Electronic Healthcare Record Security and Management in Healthcare Organizations - ijtsrd
This study aims at identifying the current countermeasures used in protecting the Electronic Healthcare Record and how employees share their knowledge about the existence of Electronic Healthcare Record security as well as countermeasures used in mitigating the threats and data breaches in healthcare organizations. A case study of Aminu Kano Teaching Hospital, Nigeria was used and a qualitative research method was adopted where purposive and stratified random sampling was used. This led to the construction of eleven relevant questions to four categories of staff. A conceptual framework was proposed to guide the study and the findings were evaluated using the proposed framework. The results revealed that there is a lack of knowledge sharing among employees and some factors were found to be the resistance factors; these include educational background, behavior, low security awareness, personality differences and lack of management commitment. On the other hand, deterrent, preventive and organizational actions were partially practiced as countermeasures used to mitigate the threats and vulnerability of data breaches of Electronic Healthcare Records in Aminu Kano Teaching Hospital in Nigeria.
Attahiru Saminu, CLN, "Electronic Healthcare Record Security and Management in Healthcare Organizations", Published in International Journal of Trend in Scientific Research and Development (ijtsrd), ISSN: 2456-6470, Special Issue | International Conference on Advanced Engineering and Information Technology, November 2018, URL: https://www.ijtsrd.com/papers/ijtsrd19124.pdf
Paper URL: https://www.ijtsrd.com/other-scientific-research-area/other/19124/electronic-healthcare-record-security-and-management-in-healthcare-organizations/attahiru-saminu-cln
HEALTHCARE IT: IS YOUR INFORMATION AT RISK? - IJNSA Journal
Healthcare Information Technology (IT) has made great advances over the past few years, and while these advances have enabled healthcare professionals to provide higher quality healthcare to a larger number of individuals, they also provide the criminal element more opportunities to access sensitive information, such as patient protected health information (PHI) and Personal Identification Information (PII). Having an Information Assurance (IA) program that allows for the protection of information and information systems and ensures the organization is in compliance with all required regulations, laws and directives is essential. While most organizations have such a policy in place, often it is inadequate to ensure the proper protection to prevent security breaches. The increase of data breaches in the last few years demonstrates the importance of an effective IA program. To ensure an effective IA policy, the policy must manage the operational risk, including identifying risks, assessment and mitigation of identified risks and ongoing monitoring to ensure compliance.
Him500 Milestone 3 (Precious Teasley, Southern New Hampshire University) - SusanaFurman449
Him500 Milestone 3
Precious Teasley
Southern New Hampshire University
Him500
Professor Jon McKeeby
February 20, 2022
Him500 Milestone 3
Organization Needs
Government laws and regulations have been broken because of Featherfall Medical Center's outdated technology. Staff are not only out of date in terms of skills, but the technology itself is also outdated. Discrepancies in government regulations, operational problems, and ethical dilemmas stemming from poor technology implementation have all cost the organization money. Featherfall's technological needs have been whittled down to two eligible vendors: Alert (Admission, Discharge, and Transfer, ADT) and Intel (SOA Expressway for Healthcare). These systems need to satisfy three key goals: to meet personnel demands, protect the integrity of healthcare, and meet government standards. Concerns about the expense of implementing and maintaining a new system are high because Featherfall faces consequences for earlier infractions. Choosing a new computer system for Featherfall Medical Center is the right decision. Due to legislative rules, the medical center's obsolete system has severely impacted the organization's finances. In addition, they have problems maintaining the accuracy of their medical records. Some sectors suffer from a lack of training and clear communication channels. The medical center's new system must meet HIPAA compliance rules, communicate effectively amongst itself, be user-friendly for the personnel, and be under governmental regulations to be accepted.
Technology System Recommendations
In my opinion, Intel is the best new technology for Featherfall Medical Center (SOA Expressway for Healthcare). For Featherfall Medical Center, I feel Intel is an attractive choice because the system is simple to use and can be rapidly adopted into regular tasks. The technology will also allow for more outstanding communication between the staff. It will be easier to manage patient care with Intel since the system will produce discharge and transfer lists. In addition, the system can produce records of patients by their doctors and patients by their departments. The system is password-protected and features multiple levels of security. HIPAA compliance has not yet been achieved, but UHDDS is in place and working as intended. The next release will meet HIPAA regulations (Durcevic, 2019). Because of Intel's size and wealth of knowledge, you can be assured that your health information is in good hands.
Financial Resources
Intel is more expensive than the Alert (ADT) system, but it has greater experience. As a company that has been around for 30 years, Intel has 364 medical systems in use. There was a total cost of $2,028,000 for Intel and $1,587,000 for Alert. Compared to Alert, Intel was $441,000 more expensive (SNHU, 2019). Featherfall Medical Center will benefit from Intel's knowledge and resources as a larger firm. The system costs more, but it will help with compliance, ethics, and govern ...
Top 5 Challenges of Health Informatics Implementation | The Lifesciences Maga... - The Lifesciences Magazine
Here are the Top 5 Challenges of Health Informatics Implementation; 1. Interoperability 2. Data Quality 3. Confidentiality and safety 4. Change Management 5. Cost
766 R. Gomes and L.V. Lapão / The Adoption of IT Security Standards in a Healthcare Environment
framework for assessing, managing and reducing IT risks. We aim to apply the ISO27002 standard to HSS, taking advantage of its comprehensive implementation detail. One must recognise that each framework has its own weaknesses and strengths; e.g. ISO27002 covers security comprehensively, but does not contain product-oriented measures such as those found in COBIT [4].
1. The IT Security Standards in the Healthcare Environment
The use of standards can be viewed from legal and IT architecture perspectives [7]. From the legal perspective, there is a range of standards that address either general or specific scenarios in healthcare. In the USA, HIPAA is a legal requirement and a comprehensive health information protection policy, which promotes the development of electronic healthcare transactions and specifically addresses the privacy and security of health-related information [5]. The security element specifically recognises the inherent problems of keeping records in electronic form and the changing nature of the technology on which such records are created, used and stored. HIPAA has suffered many delays, but it has had a clear impact on the feasibility of services [8].
From the IT standards perspective, we refer to ISO27002 (formerly British Standards Institution (BSI) 7799-1:1999) to assist in the development of security plans. It is a "Code of Practice" aimed at high-level security management, revised in 2005 to cover current technology and business practices. ISO 27002 is intended as a common basis and practical guideline for developing organizational security standards and effective security management practices, organized into 11 main sections. As a code of practice it cannot be used for certification, so a companion standard, ISO 27001 (information security management system requirements), was developed and is certifiable [9]. That standard specifies the requirements for an information security management system and can be tailored to each organization. ISO standards are only a starting point, as they do not contain detailed information on how security measures should be implemented or maintained. Other standards exist for specific purposes in health information, particularly for use in e-health information exchange, such as HL7 [10], developed as a standard for clinical information exchange. In addition, the CEN (European Committee for Standardization) is putting significant effort into the development of healthcare information systems security in Europe. However, this has resulted in an assorted range of standards being developed for specific instances of technology use. Many standards do not include sufficient security-related provisions, and given the complexity of the standards, a large number of vendors now sell security management solutions that interpret the standards and support their implementation.
2. The Process of Adoption of IT Security Standards: The role of the CIO
It is now accepted that healthcare is one of the most complex businesses, with a large diversity of types of interaction [11, 12]. The possibility of using Information Systems (IS) to support service delivery also opens new opportunities. Smith [13] and others [14] have proposed that only IS could bridge the information "chasm". Interoperability of healthcare systems can play a critical role in this process. The Institute of Medicine reports [14, 15] identified weaknesses in the design and safety of healthcare IS, whereas the use of interoperability rules can provide additional pressure to help the proper use of technology in that regard [16]. Both technical and semantic interoperability require wide organizational agreement on standards. Both represent huge tasks to be accomplished and require people in the organization to deal with them. Specialized groups such as IHE are pushing the debate and developing interoperability profiles to tighten areas of ambiguity en route to stronger interoperability. The HL7 Electronic Health Record (EHR) group has produced many reports and other materials to guide technology managers towards interoperability. But before going into these sophisticated processes there are many other basic areas that need to be properly covered, security being one of them. The human and organizational side of interoperability has been mostly forgotten [17, 18]. For a long time healthcare process engineering was also not taken very seriously [19]. To take advantage of an IS, leadership is needed to promote the alignment of the business with IS. In this complex environment the role of the Chief Information Officer (CIO) is critical to ensure good focus on organizational specificities. It was recognized that the best performing HIS departments were those whose heads matched CIO attributes [12]: openness to suggestions and excellent relationships with other healthcare professionals; leadership skills, which help them to address challenges; meaningful negotiation skills, used in their relationships with vendors; openness to bolder projects with new technologies; etc. Healthcare CIOs are a kind of "special people" who push the organization further through innovative use of technology [18, 20]. They know that pushing for interoperability will allow the organization to be more productive and less inefficient. Interoperability in an organization can also mean safe and secure data access.
3. The Hospital S. Sebastião Information Security Case
HSS is integrated in the National Health Service, providing tertiary healthcare services to all citizens of its geographical area. Built in 1999, it covers an area with 367 000 inhabitants. HSS was chosen to take part in an innovative management framework, supported by the Ministry of Health, to provide evidence of the efficiency improvements brought by the new framework.
3.1 HSS Information System Architecture
The hospital today owns a unified IS platform that aims to serve not only administrative and management purposes but mainly patients' needs, helping professionals do their job correctly. This middle-management application provides approximately 320 physicians and 510 nurses with an integrated view of all clinical information related to the patients, from exams to surgery reports. Since 1999, those physicians have created and stored medical records in the hospital's datacenter storage. The IS architecture is shown below (Figure 1), where all the dedicated solutions feed the datacenter databases under a consolidated and centralized philosophy.
Figure 1. HSS information System Architecture Overview.
The architecture definition was a long working process. The hospital board recognized that a huge effort had been made to minimise the risks concerning information management, data privacy and protection. This level of maturity was achieved in 2003, though these good principles are still not enough. These first successes encouraged the CIO, the IT personnel and top managers to focus more on improving information security management.
3.2 CIO Role in the HSS IT Security Approach
The CIO created a team to address IT security at HSS. After a review of the relevant literature and practices, ISO27002 was selected rather than COBIT. COBIT in its entirety would make implementation onerous and, compared with ISO27002, it focuses more on the efficiency and effectiveness of the IT environment than on information security linked to business issues. It was recognized that ISO27002 offers a good mix of international acceptance and comprehensiveness, and that it is dedicated almost exclusively to information security practices built around policy and process management. However, in the future it may be necessary to implement some COBIT measures to accomplish ISO27002 good practices. The application servers and databases are all concentrated within a physically controlled environment, and as regards securing and managing information, the prerequisites set out in ISO27002 were recognized as an excellent reference point for starting to manage information security. Some controls of this standard have been implemented over the hospital datacenter infrastructure, with the focus on IT and security policies as best practice for day-to-day information security management. ISO27002 provides best-practice recommendations on information security management for those responsible for initiating, implementing or maintaining information security management systems. Its 11 main sections cover the physical and logical preservation of the confidentiality, integrity and availability properties. Drawing an analogy with the ISO quality standards, and with the way the hospital already manages and improves under them, made the ISO27002 implementation process as easy as possible. Like a quality manager, the information security manager observes the situation, gives regular assessments and then recommendations for improvement; business managers then decide which issues should receive investment and with what priority. All 11 ISO27002 control chapters have subsets of elements. To provide performance measurement, HSS rated the 39 main security categories, following the ISO27002 structure, on a simple H-M-L risk scale (High; Medium/Moderate; Low/Tolerable). Table 1 concisely shows the risk levels for each control area, helping the CIO to rapidly overview the whole picture of information security and to identify priority actions.
Table 1. Risk levels in the ISO 27002 sections at HSS (number of the 39 main security categories rated at each level; H = High, M = Medium/Moderate, L = Low/Tolerable; the Total row is the sum of the rows above and adds up to the 39 categories)

 #  ISO 27002 section (control objective)                          H   M   L
 1  Security Policy                                                0   1   0
 2  Organizing Information Security                                0   1   1
 3  Asset Management                                               2   0   0
 4  Human Resources Security                                       0   1   2
 5  Physical and Environmental Security                            1   1   0
 6  Communications & Operations Management                         8   2   0
 7  Access Control                                                 5   2   0
 8  Information Systems Acquisition, Development and Maintenance   0   4   2
 9  Information Security Incident Management                       0   2   0
10  Business Continuity Management                                 0   0   1
11  Compliance                                                     0   1   2
    Total                                                         16  15   8
The application of this framework has been quite successful at HSS. For instance, sections 3, 5, 6 and 7 were well addressed in the datacenter infrastructure, whereas the security assessment concentrated on the control objectives rated at the highest risk level.
3.3 IT Security Project Issues
The CEO and CIO took ownership of the project and accepted the relevance of a security audit and its implications: for instance, the obligation to upgrade the datacenter both physically and logically, and to change the daily modus operandi. The hospital board decided to hire an auditor (appointed by SINFIC, a BSI-certified partner). The auditor applied a gap analysis with five major steps:
1. Project planning, to ensure that expectations, timelines and deliverables were appropriately managed.
2. Information gathering, in which many players were interviewed to determine the business environment and the current security management and system administration processes, through in-depth discussions with key people in the organization.
3. Review and analysis, in which the existing security policies, procedures and practices were evaluated and compared with the ISO27002 international security standard and industry best practices.
4. Reporting, in which the results of the review and analysis stage were used to write a concise but detailed technical and ISO27002 Security Assessment Executive Summary Report.
5. External and internal vulnerability scanning, to discover all devices and applications across the datacenter and to identify and eliminate the security weaknesses that make attacks on the datacenter infrastructure possible.
4. Conclusions
From the case presented one should conclude that codes of practice or standards are essential to ensure the delivery of benefits to patients and healthcare providers through information interoperability. This is only part of a bigger effort to implement a comprehensive strategy that allows consistency of information collection and sharing within the healthcare sector. This effort will establish a secure infrastructure between organizations over which patient information can be shared securely. A comprehensive set of standards that define practical guidelines for the healthcare community is required, and ISO27002 is a good benchmark for it. Its area of application is a set of diverse and heterogeneous organizations such as public and private hospitals, specialists and general practitioners. This means that specific targeted standards should be developed or established for the protection of sensitive information, and not left to individual interested parties to build up. It also means that we are facing a rather new field yet to be proven, implying that the CIO responsible for implementing an IS security framework will have to deal with its many variables and barriers. The CIO's role and understanding of the organization's environment is key to delivering the organization's real interoperability potential for the benefit of patients.
References
[1] Thompson T. (US former Secretary of Health and Human Services). Keynote speech at the 2007 CDHC Expo. Business Wire, Nov. 13, 2006.
[2] Bell K. (Acting Deputy, US Office of the National Coordinator for Health Information Technology). "HIT and Pay for Performance". Keynote speech at the HIT Symposium at MIT, July 17, 2006.
[3] COSO. Committee of Sponsoring Organizations of the Treadway Commission; internal control framework for financial processes.
[4] COBIT. Control Objectives for Information and related Technology; control framework focused on IT.
[5] HIPAA. Health Insurance Portability and Accountability Act; insurance protection and promotion of communication standards in healthcare. HHS Report, 1997.
[6] ISO/IEC 27002:2005. Information technology - Security techniques - Code of practice for information security management. International Organization for Standardization, 2005.
[7] Williams PAH. The Role of Standards in Medical Information Security: An Opportunity for Improvement. School of Computer and Information Science, Edith Cowan University, Joondalup, Western Australia.
[8] HHS (2007). Health Insurance Portability and Accountability Act (HIPAA). http://www.hhs.gov/ocr/ (accessed 21 October 2007).
[9] ISO/IEC 27001:2005. Information technology - Security techniques - Information security management systems - Requirements. International Organization for Standardization, 2005.
[10] Health Level 7 (HL7). ANSI-accredited standards for electronically defining clinical and administrative data in the healthcare industry (the "7" refers to application layer 7 of the OSI model). www.hl7.org (accessed 3 November 2007).
[11] Plsek P, Wilson T. Complexity Sciences: Complexity, leadership, and management in healthcare organisations. BMJ 2001; 323: 746-9.
[12] Lapão LV. Survey on the Status of the Hospital Information Systems in Portugal. Methods of Information in Medicine 2007; 46(4): 493-499.
[13] Smith R. The future of health care systems. BMJ 1997; 314: 1495 (24 May).
[14] Institute of Medicine. Crossing the Quality Chasm: A New Health System for the 21st Century. IOM Report, 2001.
[15] Institute of Medicine. To Err is Human. IOM Report, 1999.
[16] Lenz R, Kuhn KA. Integration of Heterogeneous and Autonomous Systems in Hospitals. Data Management & Storage Technology, 2002.
[17] Lorenzi N, Riley R. Organizational Aspects of Health Informatics. Springer-Verlag, 1995.
[18] Ash JS, Stavri PZ, Kuperman GJ. A Consensus Statement on Considerations for a Successful CPOE Implementation. J Am Med Inform Assoc 2003 May-Jun; 10(3): 229-34.
[19] Mango PD, Shapiro LA. Hospitals get serious about operations. The McKinsey Quarterly 2001, No. 2.
[20] Broadbent M, Kitzis E. The New CIO Leader: Setting the Agenda and Delivering Results. Harvard Business School Press, December 2004.