ISO 27799 is an international standard for information security management in the healthcare industry. It provides guidelines for establishing, implementing, maintaining, and continually improving an information security management system (ISMS) specifically for healthcare organizations. The standard is based on the ISO 27001 standard, but includes additional requirements and controls that are specific to the healthcare industry.
ISO 27799 covers the protection of sensitive healthcare information, including personal health information (PHI), electronic health records (EHRs), and medical images. It includes requirements for risk assessment, incident management, business continuity management, and compliance with legal and regulatory requirements.
The standard includes controls for:
- Access control
- Network security
- Mobile device security
- Incident management
- Business continuity management
- Compliance with legal and regulatory requirements
ISO 27799 is intended to help healthcare organizations protect sensitive patient information and comply with relevant regulations and laws, such as the Health Insurance Portability and Accountability Act (HIPAA) and the General Data Protection Regulation (GDPR). Compliance with the standard can also help organizations to protect their reputation, demonstrate their commitment to information security and provide assurance to their patients, customers, and other stakeholders.
Like ISO 27001, the certification process for ISO 27799 includes an initial assessment and a surveillance audit to ensure that the organization continues to meet the requirements of the standard. Organizations can achieve certification to ISO 27799 by demonstrating that their ISMS meets the requirements of the standard and passing an assessment by an accredited certification body.