Whittington & Associates e-Newsletter
QMS, EMS, Information Security, Services Management, and Six Sigma - October 2008
In this Issue
  1. Information Security in the Health Sector
  2. Developing User Software Documents
  3. ISO/TR 90005 for Applying ISO 9001
  4. ISO 50001 Planned for Energy Management
  5. Employees are Biggest Security Threat
  6. Class Schedule

Greetings!

Welcome to the Whittington & Associates e-Newsletter! Visit and bookmark our web site.

Our newsletters provide guidance on ISO 9001, AS9100, ISO 13485, ISO/TS 16949, TL 9000, ISO 14001, ISO 27001, ISO 20000, ISO 22000, and related ISO standards, as well as Six Sigma.

If you have any questions about the articles appearing in this issue, or you want to suggest topics for future issues, please let us know.


Information Security in the Health Sector

The highly sensitive area of personal health information, and how best to protect its confidentiality and integrity, while assuring its availability for healthcare delivery, is the issue addressed by ISO 27799:2008, Health Informatics - Information Security Management in Health using ISO 27002.

ISO 27799 applies to health information in all its aspects - whatever form the information takes, whatever means are used to store it, and whatever means are used to transmit it. The standard specifies a set of detailed controls for managing health information security and provides health information security best practice guidelines. By implementing ISO 27799, healthcare organizations and other custodians of health information will be able to ensure a minimum requisite level of security that is appropriate to their size and circumstances.

Health informatics systems must meet unique demands to remain operational in the face of natural disasters, system failures, and denial-of-service attacks. At the same time, the data they contain is confidential and its integrity must be preserved. Because of these critical requirements, and regardless of their size, location, and model of service delivery, all healthcare organizations need to have stringent controls in place to protect the health information entrusted to them.

Further, the increasing use of wireless and Internet technologies in healthcare delivery, and the consequent growth of electronic exchange of personal health information between health professionals, not only makes the need for effective IT security management in healthcare all the more urgent, but also implies a clear benefit to adopting a common reference for information security management in healthcare.

As indicated by its title, ISO 27799:2008 is a companion to ISO 27002:2005, Information Technology - Security Techniques - Code of Practice for Information Security Management. Professionals from the health sector contributed their expertise to define guidelines to specifically support the interpretation and implementation of ISO 27002 in health informatics. An important consideration was the adaptability of the guidelines, bearing in mind that many health professionals work as solo health providers or in small clinics that lack dedicated IT resources to manage information security.

Although all of the security control objectives described in ISO 27002 are relevant to health informatics, some controls require additional explanations with regard to how they can be used to best protect the confidentiality, integrity, and availability of health information. Also, there are some additional requirements that are specific to the health sector. Therefore, ISO 27799 provides additional guidance in a format that persons responsible for health information security can readily understand and adopt.

ISO 27799 contains a practical action plan for implementing ISO 27002 in a health environment. Taken together, these two standards define what is required in terms of information security in healthcare. Three informative annexes are included in the new standard, covering respectively, the general threats to health information; tasks and related documents of the information security management system; and the advantages of support tools as an aid to implementation.

You can order ISO 27799:2008 in e-Standard format at this ANSI web page.

Developing User Software Documents

Anyone who uses application software needs accurate information about how the software will help the user accomplish a task. The documentation may be the first tangible item that the user sees and therefore influences the user's first impressions of the software product.

ISO 26514:2008 - Systems and Software Engineering - Requirements for Designers and Developers of User Documentation, covers the phases involved in designing, specifying, and producing user documentation. It is divided into two parts:

1. The first part covers the user documentation process for designers and developers of documentation. It describes how to establish what information users need, how to determine the way in which that information should be presented to the users, and how to prepare the information and make it available. It is not limited to the design and development phase of the life cycle, but includes activities throughout the information management and documentation processes.

2. The second part provides minimum requirements for the structure, information content, and format of user documentation, including both printed and on-screen documents used in the work environment by users of systems containing software. It applies to printed user manuals, online help, tutorials, and user reference documentation.

The standard recommends that development of the user documentation should be part of the development of the software product and follow the same processes as the software product life cycle.

User documentation remains an essential component of usable software products and ISO 26514 may be helpful for developing the following types of documentation:

  • documentation of products other than software
  • multimedia systems using animation, video, and sound
  • computer-based training packages and specialized course materials intended primarily for use in formal training programs
  • documentation produced for installers, computer operators, or system administrators who are not end users
  • maintenance documentation describing the internal operation of systems software
  • documentation incorporated into the user interface itself

ISO 26514 is the first of a new suite of standards planned to address software user documentation. While ISO 26514 was developed to address the needs of user documentation designers and developers, three further standards are being developed that will address the needs of managers, acquirers and suppliers, and testers and assessors of software user documentation.

You can order ISO 26514:2008 in e-Standard format at this ANSI web site.

ISO/TR 90005 for Applying ISO 9001

The new ISO/TR 90005:2008, Systems Engineering - Guidelines for the Application of ISO 9001 to System Life Cycle Processes, will be a valuable tool for applying the ISO 9001:2000 requirements to the acquisition, supply, development, operation, and maintenance of IT systems and related support services.

ISO/TR 90005 adopts the IT system life cycle processes of ISO 15288 as a starting point for system development, operation, or maintenance, and identifies the equivalent requirements in ISO 9001:2000 that have a bearing on the implementation of ISO 15288.

ISO/TR 90005 identifies the issues that should be addressed independent of technology, life cycle models, development processes, sequence of activities, or organizational structure. It discusses each activity in ISO 15288 in terms of how it relates to sections of ISO 9001:2000.

The tables of ISO/TR 90005 enable a quick comparison of the different treatment of systems in ISO 15288 and ISO 9001, and explanatory texts help the user to understand why a particular relationship is cited. The guidelines do not in any way add or change the requirements of ISO 9001:2000 and are not intended to be used as assessment criteria in quality management system certification.

ISO/TR 90005:2008 is appropriate to systems that are

  • part of a commercial contract with another organization
  • a product available for a market sector
  • used to support the processes of an organization
  • embedded in a hardware product, or
  • related to software services.

The technical report recognizes that while some organizations may be involved in all of the above activities, others may specialize in only one area. Whatever the situation, an organization's quality management system should cover all aspects of the business - both systems related and non-systems related.

For the development, operation, and maintenance of software, guidance is given in the companion document ISO 90003:2004, Software Engineering - Guidelines for the Application of ISO 9001:2000 to Computer Software. Organizations with quality management systems for developing, operating, or maintaining systems based on ISO/TR 90005 may choose to use processes from both ISO 15288 and ISO 12207, Systems and Software Engineering - Software Life Cycle Processes, to support or complement the ISO 9001:2000 process model.

ISO/TR 90005:2008, Systems Engineering - Guidelines for the Application of ISO 9001 to System Life Cycle Processes, is available at this ANSI web page.

NOTE: ISO 15288, Systems and Software Engineering - System Life Cycle Processes, offers a portfolio of generic processes for the optimal management of all stages in the life of any product or service, in any sector. ISO 15288 was revised in 2008. However, the change in content is not related to technical aspects, but rather to harmonization with ISO 12207, Systems and Software Engineering - Software Life Cycle Processes.

ISO 50001 Planned for Energy Management

The first meeting of ISO's new project committee PC 242, which is developing an International Standard on energy management, was held last month in Washington, DC, USA.

The future ISO 50001 will establish a framework for industrial plants, commercial facilities, or entire organizations to manage energy. Targeting broad applicability across national economic sectors, the standard could influence up to 60% of the world's energy use.

The meeting was attended by delegates from the ISO national member bodies of 25 countries from all regions of the world, as well as representation from the United Nations Industrial Development Organization (UNIDO), which has liaison status with PC 242. All the participating countries have existing activities on energy management and have a strong interest in developing a harmonized solution at the international level.

As part of the proceedings, delegates described their various initiatives in detail. For example, a presentation was given by UNIDO on the preparatory work the organization has carried out to support the ISO process by researching energy management needs in developing countries.

This gave PC 242 an insight into the different policies and situations around the world which need to be taken into account in the development of a globally relevant International Standard for energy management.

Excellent progress was reported in the technical discussions and a first working draft was created. A major point of discussion was the need to ensure compatibility with the existing suite of ISO management system standards. The committee therefore made the key decision to base the draft on the common elements found in all of ISO's management system standards.

This will ensure maximum compatibility with key standards such as ISO 9001 for quality management and ISO 14001 for environmental management. The project committee is committed to an ambitious schedule and aims to have ISO 50001 ready for publication by the end of 2010.

Employees are Biggest Security Threat

According to research by Secure Computing, 80% of IT directors said in a recent survey that insider threats were their biggest security danger.

Security problems created by employees are far more serious than the threats posed by external hackers and criminals, the new research reports.

Less than one in five respondents said external threats from hackers are more dangerous. This could be due in part to 37% of respondents saying they have experienced a leak of sensitive information in the past year.

Email was identified by 34% of respondents as the biggest current security risk to organizations, followed by VoIP (25%), and browser-related threats (21%). Despite this apparent confidence, however, four in five respondents feel they could be better prepared for web-borne threats.

Viruses topped the list of external threats for 31% of respondents, followed by spam (18%), and data leaks (14%).

When asked to rank their biggest external security concerns, hackers are surprisingly the area of least concern. Less than a quarter of respondents feel that hacking is the biggest threat. Malware appears to be the major headache, with 56% identifying it as their biggest worry.

For more information, see the article written by Robert Jaques at VNUNET.com, titled, "Staff More Dangerous than Hackers".

For more information about our ISO 27001 Information Security courses, see their descriptions at our web site:

ISO 27001 - Understanding an ISMS

ISO 27001 - ISMS Implementation

ISO 27001 - ISMS Internal Auditor

ISO 27001 - ISMS Lead Auditor

Class Schedule

ISO 9001:2000
Understanding ISO 9001:2000
Implementing ISO 9001:2000
Quality System Documentation
ISO 9001:2000 Internal Auditor
ISO 9001:2000 Lead Auditor

ISO 14001:2004
Implementing an EMS
ISO 14001:2004 Internal Auditor
ISO 14001:2004 Lead Auditor

ISO/TS 16949:2002
ISO/TS 16949:2002 Internal Auditor
ISO/TS 16949:2002 Lead Auditor
Understanding and Implementing ISO/TS 16949:2002

AS9100B:2004
AS9100 Internal Auditor
Implementing AS9100
AS9100 Lead Auditor

ISO 27001 / ISO 17799
ISO 27001 - Understanding an ISMS
ISO 27001 - ISMS Implementation
ISO 27001 - ISMS Internal Auditor
ISO 27001 - ISMS Lead Auditor

ISO 20000
Understanding ISO 20000
Implementing ISO 20000
ISO 20000 Internal Auditor

ISO 22000
Understanding ISO 22000
ISO 22000 Internal Auditor
Understanding HACCP
Implementing SQF Systems
Advanced HACCP

ISO 13485:2003
Understanding ISO 13485:2003
ISO 13485:2003 Internal Auditor
Implementing ISO 13485:2003
ISO 9001 Lead Auditor - ISO 13485 Emphasis

Capability Maturity Model Integration
Introduction to CMMI v1.2

Six Sigma
Introduction to Statistics
Green Belt Certification
Black Belt Certification

Books
See our list of ISO 9001, Auditing, and Six Sigma books. Includes book descriptions and links to Amazon.

© 2000-2008 Whittington & Associates, LLC
