How ISO 27001 and ISO 27799 complement each other in health organizations

More and more hospitals are interested in protecting their patient information, but they see ISO 27001 as not being specific enough. Although it covers many general aspects about information security, you can integrate it with other standards to cover specific aspects – for example, ISO 27799 for the protection of personal health information. This integration is similar to ISO 27001 and ISO 27002.

The basics of ISO 27799

The main objective of ISO 27799 is to provide security controls to protect personal health information. It’s actually using the ISO 27002 controls, adapted to a health environment. But, you will also need ISO 27001. Let me explain that in the next point. (See also: ISO 27001 vs ISO 27002.)

One more thing should be clarified – the latest version of the ISO 27799 standard is not aligned with the current versions of ISO 27001:2013 and ISO 27002:2013, because ISO 27799 (last version is from 2008) explicitly refers to ISO 27002:2005, but mapping can be made, because there are few changes between ISO 27002:2005 and ISO 27002:2013. This article can help you: Main changes in the new ISO 27002.

By the way, in the USA there is HIPAA (Health Insurance Portability and Accountability Act), which regulates the use and disclosure of protected health information. This regulation has many common points with ISO 27799, so you can use this standard to be compliant with HIPAA, but you need to fulfill more specific requirements to be HIPAA compliant (for example, rules specifically related to privacy). And, vice versa: if you have implement HIPAA you need to fulfill a few more requirements to be ISO 27799 compliant (for example, information security incident management).


Main similarities and differences

The main similarity between both standards is that they talk about an ISMS and security controls, but the main difference is that ISO 27799 does not define ISMS requirements (it’s ISO 27001 that defines requirements for the risk assessment & treatment, SoA, etc.). ISO 27799 is only a code of best practices – like ISO 27002 – and is mainly focused on the security controls. By the way, in ISO 27001 the security controls are included in an Annex, while in ISO 27799 the security controls are a fundamental part of the standard.

Therefore, in a health environment you can implement an Information Security Management System (based on ISO 27001), and implement the ISO 27799 security controls (which, as you just learned, really are the ISO 27002 controls but adapted to a health environment).

Why implement ISO 27001 together with ISO 27799?

Hospitals, as well as any other type of organization, also have a technological infrastructure, information systems and applications that may be vulnerable, and they manage personal health information, so there are also risks that must be managed.

ISO 27001 is a standard that establishes requirements for an Information Security Management System, and can be integrated with other standards like ISO 27002 to implement security controls, but in a health environment ISO 27799 provides specific security controls, so in this case the integration of ISO 27001 and ISO 27799 makes sense.

Threats

ISO 27001 and ISO 27002 are not specifically developed for a health environment (or any other environment), but in ISO 27799 we have a list of specific threats for this sector, which can be found in Annex A. They are listed below:

  1. Masquerade by insiders
  2. Masquerade by service providers
  3. Masquerade by outsiders
  4. Unauthorized use of a health information application
  5. Introduction of damaging or disruptive software
  6. Misuse of system resources
  7. Communications infiltration
  8. Communications interception
  9. Repudiation
  10. Connection failure
  11. Embedding of malicious code
  12. Accidental misrouting
  13. Technical failure of the host, storage facility or network infrastructure
  14. Environmental support failure
  15. System or network software failure
  16. Application software failure
  17. Operator error
  18. Maintenance error
  19. User error
  20. Staff shortage
  21. Theft by insiders
  22. Theft by outsiders
  23. Willful damage by insiders
  24. Willful damage by outsiders
  25. Terrorism

The consequences of the materialization of these threats can be disastrous, not only for the image of the hospital, but also for the health of the patient. We can imagine what would happen in a hospital where everything depends on information systems (generation and storage of radiographs, health systems connected to the network, etc.), and if they stop working due to technical failures, or do not work properly. Imagine a patient who has suffered a serious accident and urgently needs an x-ray, but the system does not work due to a failure related to malicious software.

Protecting the people and their personal health information is compatible

Hospitals worry about the health of the patients because its main mission is to cure diseases or medical conditions, but should also be concerned about personal health information, since as we have seen in this article, there are many of threats, which if realized could damage the image of the hospital, or in the worst cases, even irreparable damage to the health of their patients.

So, the health sector should be happy, because it can use an international standard with the prestige of ISO 27001 to implement the ISO 27799 security controls, in order to protect the personal health information. Obviously, the health of the people and the information related to their health are very important.

If you would like to learn more about ISO 27001 and its requirements, use our free online courses  ISO 27001 Online Courses.

Advisera Antonio Jose Segovia
Author
Antonio Jose Segovia
Antonio Jose Segovia is an IT Engineer, and he has many professional certifications in the IT sector. He is also ISO 27001 IRCA and Lead Auditor qualified by BUREAU VERITAS in ISO 27001, ISO 20000, ISO 22301, ISO 27018, GDPR, and TISAX, as well as being an expert in information security, an ethical hacker, and a university professor in an online Master of Information Security program. With more than 10 years of experience in the IT sector, he has visited companies of all kinds in Spain, Portugal, Italy, France, United Kingdom, USA, Chile, Peru, and Costa Rica.