Standards and Guides for Implementing Security and Privacy for Health Information Technology

Introduction

National Institute of Standards and Technology (NIST) defines Health Information System (HIS) as a discrete set of information resources organized expressly for the collection, processing, maintenance, use, sharing, dissemination, or disposition of health information (NIST, 2009). Usually, HIS is made up of one central main hospital information system, which covers basic Enterprise Resource Planning (ERP)-like functionality, such as patient registration, billing, documentation, inventory, and other functions required at the corporate level. Also, ancillary systems such as laboratory, pharmacy and x-ray components may be included or connected. Administrative personnel and clinicians (physicians and nurses) use or access HIS by workstations and mobile devices running several applications to view or collect medical and/or administrative information (Luethi & Knolmayer, 2009).

Health information systems improve the quality of healthcare delivery by increasing the timeliness and accuracy of records and administrative information. The information maintained by these systems is often faced with security threats from a wide range of sources including computer-assisted fraud, espionage, sabotage, vandalism, fire or flood. Security incidents such as computer hacking, malicious code and denial of service attacks have not only become common but also increasingly sophisticated. Organizations, especially healthcare organizations, should devote adequate resources to ensure the protection of their information assets. Many governments demand certain security requirements from healthcare organizations and custodians of personal health information by enacting laws and other regulations (Akowuah, Yuan, Xu, & Wang, 2012). These security requirements levied on healthcare organizations can be achieved by implementing one or more information security standards.

Standards help to ensure an adequate level of security is attained, resources are used efficiently and the best security practices are adopted (HKSAR, 2008). Standard is defined as a document that provides requirements, specifications, guidelines or characteristics that can be used consistently to ensure that materials, products, processes and services are fit for their purpose (ISO, 2013). Information security standards specify security controls that help organizations to attain acceptable level of security. “Security controls are the management, operational, and technical safeguards or countermeasures employed within an organizational information system to protect the confidentiality, integrity, and availability of the system and its information” (NIST, 2009). In this paper, we survey current security standards applicable to the healthcare industry. For each standard, a brief description of the standard, the background and challenges in applying the standard are discussed. This survey informs the audience currently available standards that can guide the implementation of information security programs in healthcare organizations, and provides a starting point for IT management in healthcare organizations to select a standard suitable for their organizations.

We describe the standards that are generic in nature first and move on to standards that are geared toward the healthcare industry. The standards and guides are summarized in Table 1 including COBIT, ISO/IEC 27001:2005, ISO/IEC 27002:2005, ISO 27799:2008, ISO 17090:2008, ISO/TS 25237:2008, HITRUST Common Security Framework (CSF), NIST Special Publication 800-53, NIST SP 1800, NIST SP 1800-8, and Building Code for Medical Device Software Security. The applicability of these standards, and issues related to the implementation of a security standard are also discussed.