ISO 27799 Medical Information Security Standard
The ISO 27799 standard for health information security management is an international standard that gives healthcare organizations guidance on handling personal health information and on how best to protect the confidentiality, integrity and availability of that information. The standard is based on, and extends, the general guidelines of ISO/IEC 27002, addressing the specific information security management needs of the health sector and its unique operating environments.
Health information is widely considered the most sensitive of all types of personal information. Protecting its confidentiality is essential, and patients' privacy must be maintained. The integrity of health information must be protected to ensure patient safety, and an important component of that protection is a complete audit trail covering the entire life cycle of the information.
Protecting the confidentiality, integrity and availability of health information therefore requires specific expertise in the health field. By implementing ISO 27799, healthcare organizations can expect to reduce both the number and the severity of their security incidents.
The standard provides the rules for managing information security in the organization, with guidelines on the following topics:
Defining the security policy and managing information assets.
Protecting the computing environment and facilities.
Monitoring for hacking incidents and managing an appropriate response.
Security aspects of existing employees and of hiring new employees.
Limiting access rights to networks, systems, applications and data.
Establishing control systems and technical management.
Protective measures, and backup and recovery management in the event of loss of information.
How It Works
The steps of the process
1. Information gathering
Meetings with staff and familiarization with processes and technologies: the organizational structure, the company's business processes, work procedures and the information systems in use.
2. Information analysis
Analysis of the company's current situation against the requirements of each section of the standard. The gaps are presented in a summary report with recommendations and a prioritized treatment plan.
3. Correction and update
Treatment of the gaps by a professional team with specializations in the relevant fields, such as content experts who write the information security procedures and professional testers who perform the penetration tests.
4. External audit
An external audit is performed by one of the authorized institutes. The auditor reviews the SOA (statement of applicability) and its supporting references, and at the end issues a certificate of compliance with the standard.