The Role of Standards in Medical Information Security: An Opportunity for Improvement

Abstract – Standards are an essential feature in an unregulated field such as computing. Thus, when computing and the healthcare environment are combined, the requirement for standards is imperative. For instance, the combination of sensitive information and mobile technology presents increased complexity in information security. Whilst we have many worldwide standards for information security, including ISO 17799, little has been done to interpret these so as to ensure quality. Standards are written for specialists in the field, and in the case of information security, for security specialists, yet we expect them to be read and implemented by non-technical healthcare staff. This limits how easily the standards can be applied. This paper suggests that a more holistic approach be taken to the development of standards, in which standards and associated context-specific guidelines are developed together.

Keywords: medical data; standards; security; information security.

1 Introduction
