What is ISO/IEC 27001 in Healthcare?
ISO/IEC 27001 in healthcare is a standard for managing the security of confidential data that sets out a framework for establishing, implementing, maintaining, and continually improving an information security management system. Healthcare organizations that achieve ISO/IEC 27001 certification can use the certification to demonstrate a good faith attempt to comply with the HIPAA Security Rule.
Most organizations in the healthcare sector are required to comply with the HIPAA Security Rule – a set of standards and implementation specifications designed to ensure the confidentiality, integrity, and availability of electronic Protected Health Information (ePHI). To fulfill this requirement, most organizations implement the necessary security controls and develop emergency preparedness plans.
However, this approach to protecting the confidentiality, integrity, and availability of ePHI is not always effective. In its most recent report to Congress on reported breaches of unsecured PHI, HHS’ Office for Civil Rights stated that it had received 64,180 data breach notifications affecting more than 37,500,000 individuals. The 64,180 notifications represented a 4% decrease in the number of notifications compared with the previous year.
The reason this approach to HIPAA compliance is not always effective is that implementing security controls and developing emergency plans is often disorganized and disjointed, with each control implemented in isolation to satisfy one specific standard. By comparison, an information security management system is a systematic approach to protecting PHI with people, processes, technology, and a risk management process.
How to Develop an Information Security Management System
To develop an information security management system, it is best to use a framework that provides best practice guidelines for understanding the organization’s security requirements (which may not be limited to HIPAA compliance), developing a holistic information security policy, and conducting an internal security audit. The framework can then be built out to cover components of Security Rule compliance such as data access, device security, and workforce training.
The most recognized framework for developing an information security management system is the ISO/IEC 27001 standard. Depending on the nature of an organization’s activities, ISO/IEC 27001 in healthcare can be built out using other standards in the 27000 family. For example, the ISO/IEC 27701 extension to ISO/IEC 27001 in healthcare provides guidance on establishing, implementing, maintaining, and continually improving a privacy information management system.
Once the information security management system is up and running efficiently, it is possible to apply for an ISO/IEC 27001 in healthcare certification. The process for achieving certification most often consists of complying with the standard’s mandatory requirements, conducting a final internal audit to evaluate the effectiveness of the system, and then engaging an accredited ISO/IEC 27001 certification body to conduct an external audit.
The Benefits of ISO/IEC 27001 in Healthcare
The benefits of ISO/IEC 27001 in healthcare can vary depending on the nature of an organization’s activities, but for most organizations an ISO/IEC 27001 in healthcare certification demonstrates a good faith effort to comply with the HIPAA Security Rule. This can be a mitigating factor in the event that HHS’ Office for Civil Rights, a State Attorney General, or another regulatory authority investigates a breach of unsecured PHI.
For healthcare providers, an ISO/IEC 27001 in healthcare certification can also demonstrate to patients that the confidentiality of their sensitive information is taken seriously. Patients may then be more forthcoming about their symptoms, which helps healthcare providers make better informed diagnoses and prescribe more effective courses of treatment, leading to better patient outcomes.
For business associates, an ISO/IEC 27001 in healthcare certification demonstrates to prospective clients that they have implemented an effective information security management system and can be trusted with any ePHI disclosed to them during the provision of a service for or on behalf of a HIPAA covered entity. In some circumstances, an ISO/IEC 27001 in healthcare certification can improve a business associate’s reputation and competitive advantage.
Seek Advice Before Pursuing ISO/IEC 27001 Certification
It is important to be aware that an ISO/IEC 27001 in healthcare certification does not guarantee HIPAA compliance, and there may be factors within an organization that make other frameworks more appropriate or realistic (e.g., NIST SP 800-66r2). Organizations unsure whether an ISO/IEC 27001 certification would be appropriate for their needs should seek advice from a compliance professional.