ISO 27799 | Medical information security management

To learn more about our services, leave your contact information here, and we will get back to you, or call 03-9450630.

Data protection for IT systems in the Healthcare Sector:

According to a circular letter by the Israeli Ministry of Health director general, all healthcare facilities in Israel must be ISO 27799 certified starting from January 1, 2014.

Institutions that fail to obtain certification cannot renew their licenses.

Starting from January 1, 2016, service providers working with medical institutions must be certified by ISO 27799 or ISO 27001.

Service providers who do not have at least one of those certifications are not permitted to work with healthcare facilities.

The Israeli Ministry of Health conducts compliance audits.


What is ISO 27799?

ISO 27799 came into force in late 2010 as a stricter supplement to ISO 27001, the information security standard for organizations.

ISO 27799 is an international standard for information management in the healthcare sector. Specifically, it outlines requirements for protecting personal health information stored by organizations.

Here at Hermeticon, we rely on our extensive knowledge to provide organizations with the necessary solutions for complying with the standard. Our consultants have vast experience with information security and are CISO-certified.

With our CISO as a service offering, you can get a unique solution tailored to your needs, resources, and field of business.


Who has to comply with the standard?

ISO 27799 applies to every organization that stores medical data of any sort. This includes all private, public, and government companies that provide medical data processing services.


Why choose Hermeticon?

The certification process is complex and requires professional expertise, which is where we come in.

We will be with you every step of the way, providing all the help and support you need to get certified.


What are the requirements for medical data protection?

  • Access to medical databases must require identity authentication.
  • All databases must be secure as outlined in the guidelines.
  • The Chief Information Security Officer at the Ministry of Health regularly updates a list of approved technologies.

All medical data storage media must be encrypted and/or physically protected.


ISO 27799 requires that specific controls be put in place to improve information security:

  • An information security forum must convene periodically to discuss changes to the organization’s information security systems.
  • The organization must conduct a risk assessment for accessing medical data from mobile devices.
  • All employees with access to medical data must be screened for reliability and sign NDAs.
  • Medical data may not be processed for any purpose other than the purposes for which it was collected.
  • Access to data and document management practices must comply with the guidelines and procedures for using medical data.
  • The organization must have clear procedures regarding backups, confidentiality, and the deliberate destruction or shredding of records if needed.


Information security threats unique to the healthcare sector:

  • Hackers accessing systems to steal personal medical data
  • Hackers accessing systems to alter medical test results and patient files
  • Damage to medical information systems preventing patients from accessing medical care


ISO 27799 helps protect organizations from these threats:

ISO 27799 describes ways for organizations to deal with security vulnerabilities, and it lists potential threats that organizations must prepare for:

  • Workforce shortages brought on by budget deficits put pressure on existing employees and cause stress.
  • Care providers, patients, and other service providers moving physically on-site at your organization can increase the risk of medical information being unintentionally disclosed.

Organizations in the healthcare sector usually keep separate databases for administrative purposes. Those often run on older, and therefore more vulnerable, operating systems.


What are the benefits of ISO 27799 certification?

  • Complying with the law will help you maximize your information security capabilities and implement new, more efficient backup, recovery and encryption practices.
  • Certification will give clients the correct impression that your organization views medical data protection as a top priority.
  • Once you are certified, you can enter tenders and foreign markets.
  • Getting certified will help prevent personal and organizational data leaks and minimize the damage in the event of a security breach.

Working with Hermeticon, you will get:

  • A comprehensive medical information security risk survey
  • A business continuity plan
  • A clear and structured mechanism for managing medical information security in your organization

Why choose Hermeticon:

360° Cybersecurity & information security support

We provide technological solutions informed by legal expertise, combined with a deep understanding of organizational change and security awareness training.

Cybersecurity and information security solutions

We can identify and provide the right tech solutions for your organization.

Support from our resilience testing division

Our resilience testing experts have a wealth of experience and are well-versed in the most advanced security systems on the market.

A bespoke service scaled to match your needs

Over the years, we have gained a lot of experience. By taking a bird's-eye view of your business, we can identify your existing security weaknesses and provide your company's management with valuable insights.

Our information security experts are here for you.

Fill in your information or contact us and we'll be happy to be at your service!
  • Phone: 03-9450630
  • Address: Mordehai Rojanski 18, Rishon LeTsiyon
  • Hours: Sun - Thu, 08:00-17:00