Security is an ongoing concern for most health care providers — witness the recent fight over electronic health care records (EHRs) in the debate over the stimulus bill as it wended its way through Congress. Those in favor of EHRs talked up the cost savings and improvements in health care that better recordkeeping would offer. Those opposed voiced significant (and well-founded) concerns over health care information privacy.
Now that the stimulus package has passed, health care information security moves from an objection to a requirement. There is growing acceptance that, like it or not, electronic medical records will play a more important role in health care service delivery. With billions of dollars approved, you can be sure that EHRs will be implemented in some fashion. It is now up to the health care IT professional to balance access with security in new ways. A formal information security management system becomes necessary.
IT investments in security have often been implemented on an ad hoc basis, without the benefit of a formal process or security management system. There is, however, a set of standards available to IT professionals looking to formalize their information security process: ISO 27001. These standards provide the framework for an organization to systematically protect itself by managing risk, complying with relevant legislation, and validating that its supply chain and business partners have secure systems.
Information security management system
Generally speaking, an information security management system (ISMS) is a top-down, risk-based framework whose goal is to preserve the confidentiality, integrity, and availability of physical and electronic assets. An ISMS provides the processes and controls for establishing, implementing, operating, monitoring, reviewing, maintaining and improving the system, as well as for managing its documents and records. ISO 27001 is among the most precisely specified standards defining an ISMS.
Yet ISO 27001 has not found its way into routine use in the United States. Just 85 U.S.-based firms have implemented an ISMS based on the ISO 27001 standard — compared with nearly 3,000 Japanese firms. ISO 27001 provides some context on what constitutes an ISMS, and could give health care providers the formal approach needed for security management.
As with any set of standards, the ISO 27000 standards have evolved over time. The original concept was initiated in the United Kingdom in 1995, as the Information Security Code of Practice. That document specified best practices for common security controls, and eventually became ISO 27002. Another document that focused on the processes required for implementing an ISMS was first published as “BS7799 part 2” and it later evolved into ISO 27001. Together, these documents provide a roadmap for development of an information security system for business enterprises of all types.
Implementation of ISO 27001 requires leadership from the top. Ideally the CEO should be a driving force behind the program and its achievement must be a stated goal for the organization. Without that kind of leadership, the ISMS cannot be used to properly recognize and address the risks to the organization.
Change management is critical. Implementing an ISMS requires a lot of change and complete clarity among senior managers and the team driving the project forward. Those whose work practices will be affected will always be wondering why the change is necessary, what the end result will be and why that result is required.
The threats that are encountered by organizations are getting more sophisticated while regulatory requirements are increasing in number as well as complexity. As these trends continue, for many organizations, it will become necessary to have an information security management system with solid processes in place to assess and manage risk, as well as to implement and monitor the necessary security controls. ISO 27001 provides the necessary framework for organizations to systematically protect themselves.
Brian Wolfe is a partner with Laurus Technologies, an Itasca, Ill. consulting firm. He heads their Security and Compliance practice, and can be reached at firstname.lastname@example.org.