ImageVerifierCode 换一换
格式:PDF , 页数:70 ,大小:1.12MB ,
资源ID:726946      下载积分:10000 积分
快捷下载
登录下载
邮箱/手机:
温馨提示:
如需开发票,请勿充值!快捷下载时,用户名和密码都是您填写的邮箱或者手机号,方便查询和重复下载(系统自动生成)。
如填写123,账号就是123,密码也是123。
特别说明:
请自助下载,系统不会自动发送文件的哦; 如果您已付费,想二次下载,请登录后访问:我的下载记录
支付方式: 支付宝扫码支付 微信扫码支付   
注意:如需开发票,请勿充值!
验证码:   换一换

加入VIP,免费下载
 

温馨提示:由于个人手机设置不同,如果发现不能下载,请复制以下地址【http://www.mydoc123.com/d-726946.html】到电脑端继续下载(重复下载不扣费)。

已注册用户请登录:
账号:
密码:
验证码:   换一换
  忘记密码?
三方登录: 微信登录  

下载须知

1: 本站所有资源如无特殊说明,都需要本地电脑安装OFFICE2007和PDF阅读器。
2: 试题试卷类文档,如果标题没有明确说明有答案则都视为没有答案,请知晓。
3: 文件的所有权益归上传用户所有。
4. 未经权益所有人同意不得将文件中的内容挪作商业或盈利用途。
5. 本站仅提供交流平台,并不能对任何下载内容负责。
6. 下载文件中如有侵权或不适当内容,请与我们联系,我们立即纠正。
7. 本站不保证下载资源的准确性、安全性和完整性, 同时也不承担用户因使用这些下载资源对自己和他人造成任何形式的伤害或损失。

版权提示 | 免责声明

本文(EN ISO 27799-2008 Health informatics - Information security management in health using ISO IEC 27002《健康信息学 ISO IEC 27002用健康的信息安全管理》.pdf)为本站会员(terrorscript155)主动上传,麦多课文库仅提供信息存储空间,仅对用户上传内容的表现方式做保护处理,对上载内容本身不做任何修改或编辑。 若此文所含内容侵犯了您的版权或隐私,请立即通知麦多课文库(发送邮件至master@mydoc123.com或直接QQ联系客服),我们立即给予删除!

EN ISO 27799-2008 Health informatics - Information security management in health using ISO IEC 27002《健康信息学 ISO IEC 27002用健康的信息安全管理》.pdf

1、BS EN ISO27799:2008ICS 35.240.80NO COPYING WITHOUT BSI PERMISSION EXCEPT AS PERMITTED BY COPYRIGHT LAWBRITISH STANDARDHealth informatics Information securitymanagement in healthusing ISO/IEC 27002(ISO 27799:2008)Copyright European Committee for Standardization Provided by IHS under license with CENN

2、ot for ResaleNo reproduction or networking permitted without license from IHS-,-,-This British Standardwas published under theauthority of the StandardsPolicy and StrategyCommittee on 31 July 2008 BSI 2008ISBN 978 0 580 56326 3Amendments/corrigenda issued since publicationDate CommentsBS EN ISO 2779

3、9:2008National forewordThis British Standard is the UK implementation of EN ISO 27799:2008.The UK participation in its preparation was entrusted to TechnicalCommittee IST/35, Health informatics.A list of organizations represented on this committee can be obtained onrequest to its secretary.This publ

4、ication does not purport to include all the necessary provisionsof a contract. Users are responsible for its correct application.Compliance with a British Standard cannot confer immunityfrom legal obligations.Copyright European Committee for Standardization Provided by IHS under license with CENNot

5、for ResaleNo reproduction or networking permitted without license from IHS-,-,-EUROPEAN STANDARDNORME EUROPENNEEUROPISCHE NORMEN ISO 27799July 2008ICS 35.240.80English VersionHealth informatics - Information security management in healthusing ISO/IEC 27002 (ISO 27799:2008)Informatique de sant - Gest

6、ion de la scurit delinformation relative la sant en utilisant lISO/CEI 27002(ISO 27799:2008)Medizinische Informatik - Sicherheitsmanagement imGesundheitswesen bei Verwendung der ISO/IEC 27002(ISO 27799:2008)This European Standard was approved by CEN on 15 June 2008.CEN members are bound to comply wi

7、th the CEN/CENELEC Internal Regulations which stipulate the conditions for giving this EuropeanStandard the status of a national standard without any alteration. Up-to-date lists and bibliographical references concerning such nationalstandards may be obtained on application to the CEN Management Cen

8、tre or to any CEN member.This European Standard exists in three official versions (English, French, German). A version in any other language made by translationunder the responsibility of a CEN member into its own language and notified to the CEN Management Centre has the same status as theofficial

9、versions.CEN members are the national standards bodies of Austria, Belgium, Bulgaria, Cyprus, Czech Republic, Denmark, Estonia, Finland,France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal,Romania, Slovakia, Slovenia,

10、Spain, Sweden, Switzerland and United Kingdom.EUROPEAN COMMITTEE FOR STANDARDIZATIONCOMIT EUROPEN DE NORMALISATIONEUROPISCHES KOMITEE FR NORMUNGManagement Centre: rue de Stassart, 36 B-1050 Brussels 2008 CEN All rights of exploitation in any form and by any means reservedworldwide for CEN national M

11、embers.Ref. No. EN ISO 27799:2008: ECopyright European Committee for Standardization Provided by IHS under license with CENNot for ResaleNo reproduction or networking permitted without license from IHS-,-,-BS EN ISO 27799:2008EN ISO 27799:2008 (E) 3 Foreword This document (EN ISO 27799:2008) has bee

12、n prepared by Technical Committee ISO/TC 215 “Health informatics“ in collaboration with Technical Committee CEN/TC 251 “Health informatics” the secretariat of which is held by NEN. This European Standard shall be given the status of a national standard, either by publication of an identical text or

13、by endorsement, at the latest by January 2009, and conflicting national standards shall be withdrawn at the latest by January 2009. Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. CEN and/or CENELEC shall not be held responsible f

14、or identifying any or all such patent rights. According to the CEN/CENELEC Internal Regulations, the national standards organizations of the following countries are bound to implement this European Standard: Austria, Belgium, Bulgaria, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germa

15、ny, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, Switzerland and the United Kingdom. Endorsement notice The text of ISO 27799:2008 has been approved by CEN as a EN ISO 27799:2008 wit

16、hout any modification. Copyright European Committee for Standardization Provided by IHS under license with CENNot for ResaleNo reproduction or networking permitted without license from IHS-,-,-BS EN ISO 27799:2008ISO 27799:2008(E) ISO 2008 All rights reserved iiiContents Page Foreword iv Introductio

17、n v 1 Scope . 1 1.1 General. 1 1.2 Scope exclusions 1 2 Normative references . 2 3 Terms and definitions. 2 3.1 Health terms 2 3.2 Information security terms 3 4 Abbreviated terms 5 5 Health information security . 5 5.1 Health information security goals. 5 5.2 Information security within information

18、 governance 6 5.3 Information governance within corporate and clinical governance 7 5.4 Health information to be protected. 7 5.5 Threats and vulnerabilities in health information security 8 6 Practical action plan for implementing ISO/IEC 27002 . 8 6.1 Taxonomy of the ISO/IEC 27002 and ISO/IEC 2700

19、1 standards. 8 6.2 Management commitment to implementing ISO/IEC 27002 . 9 6.3 Establishing, operating, maintaining and improving the ISMS . 10 6.4 Planning: establishing the ISMS . 10 6.5 Doing: implementing and operating the ISMS. 18 6.6 Checking: monitoring and reviewing the ISMS . 19 6.7 Acting:

20、 maintaining and improving the ISMS 20 7 Healthcare implications of ISO/IEC 2700220 7.1 General. 20 7.2 Information security policy 21 7.3 Organizing information security . 22 7.4 Asset management. 25 7.5 Human resources security. 26 7.6 Physical and environmental security . 29 7.7 Communications an

21、d operations management 30 7.8 Access control 36 7.9 Information systems acquisition, development and maintenance 39 7.10 Information security incident management . 41 7.11 Information security aspects of business continuity management 42 7.12 Compliance 42 Annex A (informative) Threats to health in

22、formation security 45 Annex B (informative) Tasks and related documents of the Information Security Management System . 50 Annex C (informative) Potential benefits and required attributes of support tools 54 Bibliography . 57 Copyright European Committee for Standardization Provided by IHS under lic

23、ense with CENNot for ResaleNo reproduction or networking permitted without license from IHS-,-,-BS EN ISO 27799:2008ISO 27799:2008(E) iv ISO 2008 All rights reservedForeword ISO (the International Organization for Standardization) is a worldwide federation of national standards bodies (ISO member bo

24、dies). The work of preparing International Standards is normally carried out through ISO technical committees. Each member body interested in a subject for which a technical committee has been established has the right to be represented on that committee. International organizations, governmental an

25、d non-governmental, in liaison with ISO, also take part in the work. ISO collaborates closely with the International Electrotechnical Commission (IEC) on all matters of electrotechnical standardization. International Standards are drafted in accordance with the rules given in the ISO/IEC Directives,

26、 Part 2. The main task of technical committees is to prepare International Standards. Draft International Standards adopted by the technical committees are circulated to the member bodies for voting. Publication as an International Standard requires approval by at least 75 % of the member bodies cas

27、ting a vote. Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. ISO shall not be held responsible for identifying any or all such patent rights. ISO 27799 was prepared by Technical Committee ISO/TC 215, Health informatics. Copyright

28、European Committee for Standardization Provided by IHS under license with CENNot for ResaleNo reproduction or networking permitted without license from IHS-,-,-BS EN ISO 27799:2008ISO 27799:2008(E) ISO 2008 All rights reserved vIntroduction This International Standard provides guidance to healthcare

29、 organizations and other custodians of personal health information on how best to protect the confidentiality, integrity and availability of such information by implementing ISO/IEC 270021). Specifically, this International Standard addresses the special information security management needs of the

30、health sector and its unique operating environments. While the protection and security of personal information is important to all individuals, corporations, institutions and governments, there are special requirements in the health sector that need to be met to ensure the confidentiality, integrity

31、, auditability and availability of personal health information. This type of information is regarded by many as being among the most confidential of all types of personal information. Protecting this confidentiality is essential if the privacy of subjects of care is to be maintained. The integrity o

32、f health information must be protected to ensure patient safety, and an important component of that protection is ensuring that the informations entire life cycle be fully auditable. The availability of health information is also critical to effective healthcare delivery. Health informatics systems

33、must meet unique demands to remain operational in the face of natural disasters, system failures and denial-of-service attacks. Protecting the confidentiality, integrity and availability of health information therefore requires health-sector-specific expertise. The need for effective IT security man

34、agement in healthcare is made all the more urgent by the increasing use of wireless and Internet technologies in healthcare delivery. If not implemented properly, these complex technologies will increase the risks to the confidentiality, integrity and availability of health information. Regardless o

35、f size, location and model of service delivery, all healthcare organizations need to have stringent controls in place to protect the health information entrusted to them. Yet many health professionals work as solo health providers or in small clinics that lack the dedicated IT resources to manage in

36、formation security. Healthcare organizations must therefore have clear, concise and healthcare-specific guidance on the selection and implementation of such controls. This guidance must be adaptable to the wide range of sizes, locations, and models of service delivery found in healthcare. Finally, w

37、ith increasing electronic exchange of personal health information between health professionals, there is a clear benefit in adopting a common reference for information security management in healthcare. ISO/IEC 27002 is already being used extensively for health informatics IT security management thr

38、ough the agency of national or regional guidelines in Australia, Canada, France, the Netherlands, New Zealand, South Africa and the United Kingdom. Interest is growing in other countries as well. This International Standard (ISO 27799) draws upon the experience gained in these national endeavours in

39、 dealing with the security of personal health information and is intended as a companion document to ISO/IEC 27002. It is not intended to supplant ISO/IEC 27002 or ISO/IEC 27001. Rather, it is a complement to these more generic standards. This International Standard applies ISO/IEC 27002 to the heal

40、thcare domain in a way that carefully considers the appropriate application of security controls for the purposes of protecting personal health information. These considerations have, in some cases, led the authors to conclude that application of certain ISO/IEC 27002 control objectives is essential

41、 if personal health information is to be adequately protected. This International Standard therefore places constraints upon the application of certain security controls specified in ISO/IEC 27002. This in turn has led to the inclusion in Clause 7 of several normative statements stating that the app

42、lication of a given security control is mandatory. For example, 7.2.1 states that Organizations processing health information, including personal health information, shall have a written information security policy that is approved by management, published, and then communicated to all employees and

43、 relevant external parties. 1) This guideline is consistent with the revised version of ISO/IEC 27002:2005. Copyright European Committee for Standardization Provided by IHS under license with CENNot for ResaleNo reproduction or networking permitted without license from IHS-,-,-BS EN ISO 27799:2008IS

44、O 27799:2008(E) vi ISO 2008 All rights reservedIn the health domain, it is possible for an organization (a hospital, say) to be certified using ISO/IEC 27001 without requiring certification against, or even acknowledgement of, this International Standard. It is to be hoped, however, that as healthca

45、re organizations strive to improve the security of personal health information, conformance with this International Standard, as a stricter standard for healthcare, will also become widespread. All of the security control objectives described in ISO/IEC 27002 are relevant to health informatics but s

46、ome controls require additional explanations with regard to how they can be used best to protect the confidentiality, integrity and availability of health information. There are also additional health-sector-specific requirements. This International Standard provides additional guidance in a format

47、that persons responsible for health information security can readily understand and adopt. This International Standards authors do not intend to write a primer on computer security, nor to restate what has already been written in ISO/IEC 27002 or in ISO/IEC 27001. There are many security requirement

48、s that are common to all computer-related systems, whether used in financial services, manufacturing, industrial control, or indeed in any other organized endeavour. A concerted effort has been made to focus on security requirements necessitated by the unique challenges of delivering electronic heal

49、th information that supports the provision of care. Who should read this International Standard? This International Standard is intended for those responsible for overseeing health information security and for healthcare organizations and other custodians of health information seeking guidance on this topic, together with their security advisors, consultant

copyright@ 2008-2019 麦多课文库(www.mydoc123.com)网站版权所有
备案/许可证编号:苏ICP备17064731号-1