Tuesday, September 23, 2008

Health information security standard issued

In an effort to help protect personal health care information, the International Organization for Standardization (ISO) has published a new standard that specifies controls for managing health information security and utilizing best practices.

According to an ISO statement, the new standard - ISO 27799:2008 - applies to all health information in “whatever form the information takes, whatever means are used to store it and whatever means are used to transmit it.”

This new standard, announced in late August, addresses the use of internet and wireless technologies to share personal medical information, and the need to better protect confidentiality and keep data private.

 “An important consideration was the adaptability of the guidelines, bearing in mind that many health professionals work as solo health providers or in small clinics that lack dedicated IT resources to manage information security,” the statement said.

Richard Rushing, CSO at wireless security firm AirDefense, told SCMagazineUS.com on Wednesday that the standard shows that many organizations have the same issues and that similar guidelines should be followed.

“If followed, it would make information more secure,” Rushing said, “but there is usually nothing that specifically states that it is to be followed, except for maybe an audit that may have occurred sometime in the past.”

The ISO standard will do things that Health Insurance Portability and Accountability Act (HIPAA)-related laws cannot do, said Rani Osnat, vice president for marketing with Sentrigo, a database security company.

“HIPAA protects privacy, but it is not an IT standard,” Osnat told SCMagazineUS.com. “It doesn't do anything to protect data from an IT standpoint. This ISO [standard] will provide a much-needed benchmark for health organizations to follow to encourage better IT security.”

Source: http://www.scmagazineus.com

No comments: