How to Approach Healthcare IT And Compliance: A Brief Tutorial On ISO 27799

By Roy Peretz, VP of Product Management, Whitebox Security

It’s been said time and again: healthcare regulations are a virtual alphabet/number soup. Entire books can be written about HIPAA regulations alone, so we’ll leave those aside for now.

ISO 27001, ISO 27002, and ISO 27799 are only a few of the regulations required to protect individuals’ healthcare data. Noncompliance doesn’t only risk data loss, it also means you can incur large fines, individual, and class action lawsuits with massive punitive damages – and even be shut down.

According to Verizon’s latest healthcare report, insider and privilege misuse accounted for 15 percent of incidents and 12 percent were under errors – a full 27 percent of breaches came from the inside. Meanwhile, 46 percent came from theft or losses of information assets.

Protecting healthcare records from insider and external threats and maintaining compliance with regulations requires that you take very specific steps:

• Privileges & Permissions: Granting access rights to information systems must be based on a need-to-know basis and must be adapted according to the employee’s individual role within the organization. Meanwhile, permissions need to be easily changed, frozen, or removed, based on the employee’s real-time status – new position within the organization, on vacation, or terminated.
• Segregation of Duties: Organizations processing personal health information need to control access to it. In general, users of health information systems should only access personal health information:
  • When a healthcare relationship exists between the user and the data subject (the subject of care whose personal health information is being accessed);
  • when the user is carrying out an activity on behalf of patient;
  • when an authorized person (such as a physician or billing agent) needs specific data to support patient activity.
• Audit, forensics, and compliance controls: All system user registrations must be reviewed periodically to ensure access permissions are still valid and relevant 360o forensics of all activities must be available, describing the who, what, when, where, and how of file access. Scheduling, review, and mitigation policies also need to be in effect.
• Activity monitoring: Whenever a user logs in, accesses, creates, updates or archives personal health information, those activities need to be automatically logged, noting who, what, when, where and how for each action, 24/7.
• Data classification: Sensitive patient information needs to be separated from other information.

The Fine Print: ISO 27799
The ISO 27000 family of standards includes more than 30 different standards required for everyone engaged in information security. Of course, each and every one of these consist of its own subset of requirements. We’ll give you the basic overview of the two main IT standards in general, and go more into depth on ISO 27799, which directly affects healthcare secure data governance. ISO 27799 is 68 pages, so we recommend you review it much more in-depth if your job is on the line.

ISO 27001 is the general standard covering information security management in an organization. It defines the principles for the construction, management and maintenance of appropriate organizational information security. Written at a very high level, it covers the theoretical perspective. Focusing on senior management, it explains the importance of information security, their responsibilities in the process and provides methods by which they can assess the organizational situation in language they understand. The first version was released in 2005, and it was updated in October 2013.

ISO 27002 specifically covers best practices for secure data governance, covering topics like access control and information classification. Like 27001, it was created in 2005 and revised in 2013.

ISO 27799 is the technical standard for healthcare organizations. It contrasts and compares the requirements within 27001 and 27002 and how they should be applied specifically within the healthcare industry. It was released in2008, so it is based on the first drafts of 27001 and 27002.

One small section covers 11 security control causes and 39 main security categories. Here are a few specifics for your consideration:

• 7.4.2.1: Information must be classified by class and type.
• 7.4.2.2: Information must be labeled and handled so you can easily find “secret” medical documents – but not access them.
• 7.5.3.2: Access must be eliminated immediately us someone leaving the organization.
• 7.7.1.3: Separation/segregation of duties must be enforced.
• 7.7.10: Inspection – Information procedures must be audited.
• 7.7.10.1: Auditing and ongoing documentation of all activities are most important.
• 7.7.10.2: All activities must be logged and recorded for later audit – identifying the user, patient, task, time and date. Updates should supplement, not replace the information.
• 7.7.10.3:
  • Section A: Individual users’ activities must be logged, with a time stamp and recording of the specific activities performed.
  • Section B: Easily identify accessed and changed patient records, also with a time stamp and recording.
•  7.7.10.4: All audit records must be kept and be kept safe from hacking.
• 7.8.1.1: Access Control – Users can only access the system when:
  • recording medical treatment (doctors, nurses, therapists, etc.);
  • performing activities in the name of the patient (e.g. filing insurance claims); and
  • supporting the above activities.
• 7.8.1.2: Audit policy approach: determined on the basis of pre-defined roles that limit access to other aspects of the system.
•  7.8.2: User access management: users must register with full identification information, i.e. name, birth date, address, professional certifications.
• 7.8.2.2: Management rights and permissions: need to provide role-based and work-group access, which is easily approved and audited.
•  7.8.2.4: Implement regular review of user access rights.
• 7.8.3: User responsibilities: Ensure that relevant information is accessible only to relevant personnel.
•  7.8.4 - Control access to the network and operating systems.

Check your systems. If you aren’t in complete compliance with these basics, you’re going to get a very unpleasant surprise on audit day.

About the author
Roy Peretz is responsible for Whitebox Security's product management, product marketing, and overall product strategy. Roy brings over 12 years of experience in technology, marketing, and business strategy to this role and has gained significant experience serving in various information security roles within the Israel Defense Forces. He holds a bachelor’s degree in computer science from Israel’s College of Management.