A Free Service of IGI Global Publishing House

What is Statement of Applicability

Encyclopedia of Multimedia Technology and Networking, Second Edition
Statement of applicability describes the control objectives and controls that are relevant and applicable to the organization’s ISMS scope based on the results and conclusions of the risk assessment and treatment process.
Published in Chapter:
Information Security Management in Picture Archiving and Communication Systems for the Healthcare Industry
Carrison K.S. Tong (Pamela Youde Nethersole Eastern Hospital, Hong Kong) and Eric T.T. Wong (The Hong Kong Polytechnic University, Hong Kong)
DOI: 10.4018/978-1-60566-014-1.ch092
Abstract
As in banking and commercial information systems, information security is an important issue in the health care industry. Security incidents in information systems are common; they include physical attacks, viruses, intrusions, and hacking. For instance, in the USA, more than 10 million security incidents occurred in the year 2003, with a total loss of over $2 billion. In the health care industry, the damage caused by security incidents cannot be measured by monetary cost alone. The danger of inaccurate information in a health care system is that someone might believe it and act on it in a way that harms the patient. In one security event, an unauthorized modification to the drug regime system at Arrowe Park Hospital proved to be deliberate, and the perpetrator received a jail sentence under the Computer Misuse Act of 1990. In another security event (The Institute of Physics and Engineering in Medicine, 2003), six patients received severe overdoses of radiation while being treated for cancer on a computerized medical linear accelerator between June 1985 and January 1987. Because untested software was used in the control system, the patients received radiation doses of about 25,000 rads, whereas the normal therapeutic dose is 200 rads. Some of the patients reported immediate symptoms of burning and electric shock; two died shortly afterward, and others suffered scarring and permanent disability.
BS7799 is an information security management standard developed by the British Standards Institution (BSI) for an information security management system (ISMS). The first part of BS7799, the code of practice for information security, was later adopted by the International Organization for Standardization (ISO) as ISO17799; ISO 27002 is the renamed ISO 17799 standard. It outlines hundreds of potential controls and control mechanisms that may be implemented. The second part of BS7799 states the specification for an ISMS and was replaced by the ISO 27001 standard published in October 2005. The Picture Archiving and Communication System (PACS; Huang, 2004) is a clinical information system tailored to the management of radiological and other medical images for patient care in hospitals and clinics. This was the first time in the world that both standards were implemented in a clinical information system to improve data security.
More Results
Intentional Food Contamination in the Food Supply Chain: Proposal of a Management System for its Prevention
Documented statement describing the control objectives and controls that are relevant and applicable to the organization’s MSPIC.