← Frameworks / Health Informatics

ISO 27799:2016 Health Informatics — Information Security Management in Health

International standard providing implementation guidance for ISO 27002 controls in the health informatics context. 48 control areas addressing health-specific requirements including patient data confidentiality, clinical system availability, health information exchange security, consent management, audit trail requirements for clinical systems, mobile health device security, telemedicine security, medical device integration, health cloud security, and cross-border health data transfer. Applies to all organisations holding or processing health information regardless of size.

Clauses: 48

Avg Coverage: 81.4%

Publisher: ISO/IEC Version: 2016

ISO 27799 → SP 800-53 SP 800-53 → ISO 27799 Coverage Analysis

Clause	Title	SP 800-53 Controls
5.1	Health organisation information security policy	PL-01 PM-01 AC-01 AT-01 AU-01 CA-01 CM-01 CP-01 IA-01 IR-01 MA-01 MP-01 PE-01 PS-01 RA-01 SA-01 SC-01 SI-01 PT-01 SR-01
5.2	Review of health information security policies	PL-01 PM-01 PM-06 CA-07
5.3	Health data classification policy	RA-02 AC-16 MP-03 PT-02 PT-03
6.1	Internal organisation for health information security	PM-01 PM-02 PM-10 PM-29 PS-01 PS-09
6.2	Health information security roles and responsibilities	PM-02 PS-01 PS-02 PS-09 PL-01
6.3	Mobile devices and teleworking in clinical contexts	AC-17 AC-19 AC-20 PE-17 SC-28 CM-07
7.1	Before employment in health settings	PS-01 PS-02 PS-03 PS-06
7.2	During employment in health settings	AT-01 AT-02 AT-03 AT-04 AT-06 PS-06 PS-07 PL-04 PM-13
7.3	Termination and change of employment in health settings	PS-04 PS-05 AC-02 IA-04
8.1	Health information asset inventory and ownership	CM-08 PM-05 CM-12 CM-13 RA-02
8.2	Classification of health data	RA-02 AC-16 MP-03 PT-02 PT-03 PT-06 PT-07
8.3	Acceptable use and return of health assets	PL-04 AC-20 MP-07 PS-04 PS-05
9.1	Business requirements for health data access control	AC-01 AC-02 AC-03 AC-06 AC-24 AC-25
9.2	Break-glass and emergency access procedures	AC-02 AC-14 CP-02 CP-10 AU-02 AU-06 AU-12
9.3	User access management for clinical systems	AC-02 AC-05 AC-06 IA-04 IA-05 IA-02 IA-12 PS-03
9.4	Clinical user responsibilities and shared workstations	AC-11 AC-12 IA-02 IA-05 IA-11 PL-04 PE-05
9.5	System and application access for EHR and clinical systems	AC-03 AC-04 AC-06 AC-07 AC-08 AC-10 AC-17 SC-10 SC-23
10.1	Cryptographic controls for PHI	SC-12 SC-13 SC-28 SC-08
10.2	Key management for health data encryption	SC-12 SC-17
11.1	Secure areas in clinical environments	PE-01 PE-02 PE-03 PE-04 PE-05 PE-06 PE-07 PE-08 PE-18
11.2	Equipment security for medical devices and mobile clinical devices	PE-01 PE-14 PE-18 PE-23 AC-19 CM-08 MA-01 MA-02 MA-05
12.1	Operational procedures for health IT systems	PL-02 SA-05 CM-01 CM-02 CM-06
12.2	Protection from malware in clinical systems	SI-03 SI-04 SI-08 SC-44
12.3	Backup and clinical data continuity	CP-09 CP-06 MP-04 MP-05 SC-28
12.4	Clinical audit trails and logging	AU-01 AU-02 AU-03 AU-04 AU-05 AU-06 AU-07 AU-08 AU-09 AU-11 AU-12 AU-14
12.5	Vulnerability management for clinical systems	RA-05 SI-02 SI-05 CM-03 CM-04
13.1	Network security for health information exchange	SC-07 SC-08 SC-32 AC-04 CA-03 CA-09 SC-46
13.2	Information transfer for health data sharing and referrals	SC-08 AC-04 AC-20 CA-03 MP-05 SC-12 SC-13
14.1	Security requirements for health IT procurement	SA-04 SA-08 SA-09 SA-03 SR-01 SR-02 SR-03
14.2	Security in EHR development and customisation	SA-03 SA-08 SA-10 SA-11 SA-15 SA-17 CM-04
14.3	Test data and use of clinical data in testing	SA-11 SA-15 SI-19 PT-06 PT-07
15.1	Health IT supplier management	SA-04 SA-09 SR-01 SR-02 SR-03 SR-05 SR-06
15.2	Medical device supply chain and cloud services for health data	SA-09 SR-01 SR-03 SR-05 SR-06 SR-11 AC-20
16.1	Health data breach response planning	IR-01 IR-02 IR-03 IR-04 IR-07 IR-08 PM-15
16.2	Clinical safety incidents and information security	IR-04 IR-05 IR-06 IR-09 SI-04 SI-05
16.3	Reporting to health regulators and data subjects	IR-06 PM-15 PM-26 PT-04 PT-05
17.1	Clinical service continuity planning	CP-01 CP-02 CP-03 CP-04 CP-05 PM-08 PM-11
17.2	Information security continuity for patient care	CP-02 CP-06 CP-07 CP-08 CP-09 CP-10 CP-11 CP-12 CP-13
17.3	Redundancy for critical clinical systems	CP-06 CP-07 CP-08 SC-36 PE-09 PE-11
18.1	Legal and regulatory requirements for health data	PL-04 PM-01 SA-04 PT-01 PT-02 PT-04 PT-05
18.2	Patient consent and health data sharing controls	PT-04 PT-05 PT-02 PT-03 PT-06 PT-07 PM-25 PM-26 PM-27
18.3	Health information security reviews and audits	CA-01 CA-02 CA-05 CA-07 CA-08 PM-06 PM-14
18.4	Technical compliance for health systems	CA-02 CA-08 RA-05 SI-02 CM-06
H.1	Patient safety integration with information security	PM-01 PM-09 PM-11 RA-03 PL-02
H.2	Health information exchange security	CA-03 SC-07 SC-08 SC-12 SC-13 AC-04 AC-20 SC-46
H.3	Medical device security management	CM-08 RA-05 SI-02 SC-07 MA-01 MA-02 MA-06 SR-11
H.4	Research data and biobank security	AC-03 AC-04 AC-06 SI-19 PT-04 PT-06 PT-07 SC-28 AU-02 AU-03
H.5	Telehealth and remote clinical services security	AC-17 SC-08 SC-13 SC-23 IA-02 IA-08 AU-02