Development of Information Security Baselines for Healthcare Information Systems in New Zealand

Lech Janczewski and Frank Xinli Shi
Department of Management Science and Information Systems, Business School, University of Auckland, Auckland, New Zealand
[email protected]
[email protected]

Computers & Security, Vol. 21, No. 2, 2002, pp. 172-192. Copyright ©2002 Elsevier Science Ltd. Printed in Great Britain. All rights reserved. 0167-4048/02US$22.00

Abstract

In 1996 New Zealand introduced the security standard AS/NZS 4444, based on the British Standard BS 7799, which has recently been accepted as the international standard ISO 17799. This standard is very often referred to as the 'baseline approach' to managing information security. At the same time, health information systems (HIS) are undergoing rapid development, both in the number of installed systems and in the laws and regulations governing HIS development and deployment. The project was aimed at reviewing the AS/NZS 4444 standard from the point of view of HIS requirements. In this paper we begin with an overview of healthcare information systems (HIS) infrastructure in New Zealand and the associated security issues around privacy and confidentiality, followed by a general review of the security baseline approach. We analyzed each clause of AS/NZS 4444 against the information collected about technical and non-technical approaches to protecting HIS, gathered in a series of multi-case studies of healthcare organizations that collect, process, store and transmit electronic medical records. Finally, we propose a new set of information security baselines based on this research, to build an information security model for healthcare organizations.

Keywords: healthcare information systems, electronic medical records, information privacy, information security baselines, security model.

Background

Modern developments in medicine, information technology and telecommunications are transforming healthcare, and support the objectives of timely access to quality, cost-effective healthcare for all people. The healthcare industry has begun to implement electronic patient records, has upgraded clinical information systems for managing and sharing information among related healthcare providers, and also makes use of intranets to distribute health-related information [Smith and Eloff 1999]. Healthcare information systems (HIS) are thus becoming an integral part of all aspects of healthcare. However, the computerization of health information, while offering new opportunities to improve and streamline the healthcare delivery system, also presents new security challenges and new risks to individual privacy interests in personal healthcare data [OTA 1997]. Technical capabilities to secure and maintain the confidentiality of data must work along with legislation to preserve those privacy interests, while making appropriate information available for approved uses.

In the past there were numerous research projects aimed at solving the issue of HIS security. One of the first attempts to set up a security framework was the European project Secure Environment for Information Systems in Medicine [SEISMED 2001]. The project was the forerunner of Implementing Secure Health Telematics Applications in Europe (ISHTAR 2001) and was conducted as part of the Commission of European Communities Advanced Informatics in Medicine (AIM) programme. Work commenced at the beginning of 1992 and lasted around four years. The SEISMED Project was set up to conduct detailed risk analyses within Europe and to develop security guidelines for healthcare establishments. It was the first effective identification, at a European level, of the issues arising from the increasing clinical use of Health Telematics in direct patient care. It was not directly related to the British Standard
7799, as that standard was developed later (in the mid 90s). An example of a similar project from the Southern Hemisphere is the project described in [Janczewski 2000].

Overview of Healthcare Information Systems in New Zealand

The current healthcare industry in New Zealand is characterized by a large number of separate service organizations (e.g. public, private and voluntary healthcare providers), which are commercially separate but functionally dependent on one another in providing an integrated service to all New Zealanders. In the past three decades there has been a continuing drive for improvements in the quality and cost-effectiveness of the healthcare industry, to which the information infrastructure is poised to make a major contribution. By nature, the healthcare organizational structure in New Zealand is distributed (a geographical spread of centres at different levels of complexity), from the general hospitals down to individual general practitioners (GPs). Therefore, from a national perspective, healthcare information systems for patient information have traditionally been associated with medical centres, hospitals or government agencies [NZHIS 1997]. Currently, however, the healthcare sector is moving toward linking these institutions through a proposed information network and communications networks. Architecturally, this national information network resembles the World Wide Web, where a set of discrete and autonomous HIS interact to provide access to patient information. Its objective is to make all information (which in many cases already exists in today's HIS) readily available, in order to provide coordinated and integrated care and treatment for New Zealanders.

Results from the 1998 IMS/New Zealand Doctor poll show that 84% of surveyed GPs believe that the latest developments, like hospital and sector-wide intranets, centralized databases and government data collection, could threaten patient privacy [Hill 1998]. Privacy and security assurances from hospitals and government health agencies are not enough to satisfy 61% of surveyed doctors. Because of the special features of health information (e.g. confidentiality of collection, sensitivity of information, multiple users, duration of retention), New Zealanders accord a high priority to the confidentiality and privacy of their personal health information [Tan and Gunasekara 2000]. New Zealand has issued a code of practice, the Health Information Privacy Code 1994, specifically to protect the privacy of personal health information. The essential elements for protecting the privacy of personal health information are contained in the Code's 12 health information privacy rules, outlined in Appendix A.

There are many offshoots of the worldwide acceptance of the BS 7799 standard. One of the best-known projects is the development of an Information Security Toolbox at PE Technikon, Port Elizabeth, South Africa [von Solms 1999 and 2001]. The Toolbox is a system tool that helps IS managers assess their installation from the viewpoint of adherence to the BS 7799 standard.

Information Security Baseline Approach

The accepted solution for introducing security into an IT environment is to identify, introduce and maintain an effective set of security controls in the organization [Barnard and Solms, 2000]. Identifying the most effective controls has always been a problem, and many approaches and techniques have been developed over time to work on it in as objective a way as possible. Risk analysis is probably the best-known approach in this regard, even though it is usually a very complex and resource-intensive process. The baseline approach has gained a lot of support in New Zealand, and some of the baseline manuals, for example the Code of
Practice for Information Security Management (AS/NZS 4444), have appeared as standards in many sectors lately.

Information security baselines are defined as the minimal set of laws, rules and practices that are essential to protect the vital information assets of an organization [Moule 1995]. Similarly, a set of security controls can be described (generally accepted by experienced large organizations) as good security practice for all situations except where environmental or technological constraints exist. These are the baseline security controls [Fitzgerald 1995], as distinct from risk assessment, which has always been recognized as the most effective approach. The baseline approach offers a set of effective controls that provide an acceptable level of protection; it can be seen as a bottom-up approach and is a well-established concept. It has gained a lot of support in many countries, and some baseline manuals have appeared as standards in various industries lately. Various information security baselines have been developed, e.g. the Code of Practice for Information Security Management (British Standard 7799) from the UK, and the IT Baseline Protection Manual from Germany. In New Zealand, the Code of Practice for Information Security Management (AS/NZS 4444) is probably the best known and most widespread.

The Australian/New Zealand Standard for Information Security Management (AS/NZS 4444) was prepared by the Joint Standards Australia/Standards New Zealand Committee IT/12, first published in 1996 and revised in 1999. This Joint Standard is based on and identical to BS 7799, and aims to provide "a comprehensive reference document for information security management identifying the range of controls needed in industrial and commercial applications" [AS/NZS 4444:1999].

Like other security baselines, AS/NZS 4444 has many advantages in the implementation of information security management in an organization: it is simple to deploy using baseline controls, policies are easy to establish, security consistency is maintained, etc. However, such a set of baseline controls addresses the full information systems environment, from physical security to personnel and network security, and not all controls listed in AS/NZS 4444 will be applicable to every IT environment, because an organization may not operate in certain areas. As a set of universal security baselines, one of the limitations of AS/NZS 4444 is that it cannot take account of local technological constraints, or be presented in a form that suits every potential user in an organization. It also lacks guidance on how to choose, from the listed controls, those that will provide an acceptable level of security for the specific organization. This can create insecurity, as an organization might decide to ignore some controls that were actually required. Finally, it is hard for the standard to keep up with recent developments and issues in IT and security technologies. Another criticism often levelled at AS/NZS 4444 is that it cannot take account of environmental constraints and select, apart from the obligatory key controls, the security controls most likely to be relevant to a particular industry, e.g. the healthcare sector and its IT environment.

Obviously, the healthcare sector has some unique characteristics with respect to information security, which include the sensitivity of the electronic medical record (EMR), a large number of small organizations, multiple providers and multiple locations, relaying of health information, data-dependent access, the status of privacy legislation, etc. For example, unlike many other sectors where availability and integrity seem to dominate, in healthcare confidentiality, integrity, availability, privacy and accountability all occupy major positions of concern, but not necessarily in the same
environment. Consequently, both the inherent deficiencies of the existing standards and the unique features of the healthcare environment necessitate an amendment of the standards when applied to healthcare organizations. These were the foundation of the research presented in this paper.

The value of BS 7799 has been confirmed by the fact that the standard has recently been recognized as the international standard ISO 17799 by the International Standards Organization. As a result, during 2000 AS/NZS 4444 was upgraded and re-branded as the AS/NZS ISO/IEC 17799 Information Security Management Standard [Mason 2001]. However, to maintain consistency with the original research, the old name of the standard (AS/NZS 4444) is retained in this text.

Research methodology

To conduct the research, a search of academic and practical periodicals and Internet materials was carried out in an attempt to locate any research into healthcare information systems security, health privacy legislation and AS/NZS 4444. The implementation side of this study was done through a comprehensive questionnaire that addresses issues in 10 security areas based on the clauses of the Standard. The primary mechanism for gathering information about technical and organizational approaches to protecting electronic healthcare information consisted of a series of site visits to five healthcare organizations in Auckland, New Zealand, which run extensive HIS. The sites were selected on the basis of their reputed leadership in the development of electronic medical records, networked clinical systems, and privacy and security policies. The selected sites include three general public hospitals and two diagnostic laboratories, which, on the whole, are fairly representative of the large and medium-sized care providers in New Zealand. To encourage personnel at the various sites to share their experiences candidly, the study decided to keep the identities of the sites confidential by naming them Hospitals A, B, C and Labs D and E in the paper.

During the site visits all types of employees were interviewed, including HIS staff and others such as workers in healthcare information management (i.e., medical records), human resources, public relations and, where possible, doctors and other system users. Additionally, contacts were also made with officials from the New Zealand Health Information Service (a department of the Ministry of Health responsible for the development and maintenance of the nation-wide health information network and standards) and the Health Funding Authority (a New Zealand Government unit responsible for the distribution of funds for research and development projects in the healthcare domain). The study was conducted through relatively formal interviews, informal correspondence, telephone interviews and email exchanges, in order to collect comprehensive information. Then the collected original data were processed and used in reviewing and amending the criteria of AS/NZS 4444, on the basis of which the information security baselines applicable to the healthcare sector were developed.

We need to explain why our study was limited to visiting only three hospitals and two diagnostic labs. Despite its size (New Zealand: 270 000 km² v UK: 244 000 km²), the population of New Zealand is small (3.9 million) and concentrated in major towns. Well over 1 million people live in Auckland and its surrounding regions. By visiting three of the biggest public hospitals in the region, we practically covered almost a third of the population of the country. Private hospitals do exist in Auckland, but their size is (with only one exception) small in comparison with the public hospitals. On the other hand, all the
diagnostic labs form a huge government-owned organization, centrally founded and directed. Hence most of the labs are equipped similarly (within their specialisation), and visiting a couple of them gives a good knowledge of the problems they are facing.

Implementation of information technology at doctors' clinics is in most cases limited to administrative matters. Some GPs and specialists run LANs within their premises but do not have access to the hospitals' networks. Only overall patient statistics can be forwarded electronically to the centrally located databases. However, there are a number of doctors' clinics which cooperate closely with major hospitals of the region and which have facilities to send and receive patients' and other data electronically.

The health providers evaluated during the study (public hospitals and diagnostic labs) will be the foundation stones of the future nation-wide health information network, which was recently launched. All the rest of the healthcare industry could be connected to the network, subject to stringent verification of their quality criteria. Hence, we believe that their opinions would have only a marginal influence on this research.

Establishing the Information Security Baselines for HIS

The information security baselines being developed must reflect the unique aspects of the New Zealand healthcare IT environment and be a response to the needs of healthcare organizations and their patients. The following part overviews the major criteria of AS/NZS 4444, examines the current security practices of the five HCOs (healthcare organizations), summarizes the research findings, identifies the vulnerabilities in the existing criteria of AS/NZS 4444, and finally makes recommendations for the modification and establishment of new baseline standards.

Security policy

The foundation of a successful information security programme is a comprehensive set of information security policies. These policies should define the organization's philosophy and direction for the protection of information. As the site visits attest, each of the interviewed HCOs has developed a number of formal policies regarding the confidentiality of patient information, and most of the policies typically cover classified data in any form, be it paper-based or electronic. It was found that the organization's structure, unique mission, culture and management style significantly influence the policies adopted by a specific HCO to protect the security of both patient and administrative information. Therefore, the content of the security policies will vary, but in general a HCO will consider the following areas as a minimum in its policy: a statement of organizational philosophy and goals regarding privacy and security; a classification of information assets by type; standards for administering, controlling and monitoring information use by type; standards for information system design, implementation and operation; a definition of procedures for detecting and handling abuses, etc. Nevertheless, a couple of current problems were also found in this area during the investigation, which include: a lack of a minimum policy standard that every HCO should comply with; minimal or no linkage between security policies; the need for more detailed security policies for specified information systems and security procedures; the need for a clear scope of security policy in the HCO; lack of regular review and promulgation of security policy; loosely enforced and communicated sanction policies, etc. Therefore, some recommendations for modifying the existing criteria of AS/NZS 4444 are presented as follows:

• More detailed security policies to meet basic requirements. Every HCO should develop a range of formal policies to meet the
minimum requirements with regard to information security and patient privacy set by public policy, accreditation and privacy law. These policies should be an open statement covering the major points of information security in a brief and readable form, should be updated as needs arise, and should be displayed in a prominent position.

• More comprehensive policy scope. While the majority of the information maintained by a HCO consists of patient records, the organization also maintains sensitive and valuable business records. The confidentiality, integrity and availability of these business records must be protected to enable the continued successful functioning of the organization.

• Distribution and promulgation of security policies. Security policy must be documented and promulgated throughout the entire HCO. All persons being granted access to the HCO's patient and business information should formally acknowledge an understanding of the policies and make a formal written commitment to comply with those policies prior to being entrusted with access to the information. Once formulated, security policies should receive broad review and endorsement by governing bodies.

Security Organization

The organization of information security management in healthcare facilities should be clarified by the creation, in each healthcare facility, of information security groups and users who are given specific responsibilities for the security and privacy of health information. For example, a formal management information security forum, which is needed to review, approve and enforce policies regarding privacy and security, takes on a variety of forms, depending largely on the nature and culture of the HCO in which it operates, and serves as a focal point for both management and technical issues related to the safeguarding of privacy and security in paper and electronic health records.

It is the opinion of one interviewee from hospital C that the role of the IT department is to coordinate the implementation of security controls in the HCO. It should support the organization-wide information security initiatives, e.g. the security awareness programme, and coordinate the methodologies and processes for information security, e.g. risk assessment. Meanwhile, the respective departments, such as the laboratory, radiology, patient administration and finance, are responsible for authorizing their users and enforcing the information security policies at their own level.

In the site visits, most HCOs (hospitals A, B, C and lab E) had a security policy in place to provide general guidance on the allocation of security roles and responsibilities within the organization. Authorization always comes along with the allocation of responsibility. The authorization of IT facilities in many of the HCOs interviewed (hospitals A and B, lab D) consists of two steps: business approval and technical approval. Many HCOs (hospitals A, C and lab D) do employ external security specialists to offer advice and to conduct independent reviews of organizational information security. Generally, there is a need for third parties to access a HCO's IT facilities for different purposes. One of them (hospital A) has linked up with more than 400 GPs throughout Auckland to provide electronic discharge and referral information using Health Level 7 (HL7) standards. The HL7 standard is a telecommunication protocol developed specially for the health sector, based on the 7-layer Open System Interconnection Reference Model. While HIS and EMR are being developed and implemented quickly nowadays, more access from the outside is to be expected. All this access, however, should be controlled. The controls are usually agreed and defined in a contract with the third party.

Nevertheless, some current problems found in the area of security organization during the site visits include: lack of support from top
management to commit to the information security forum; need for coordination of information security efforts across all divisions of the HCO; need for clearly defined responsibility for security and information ownership; lack of external security advice, cooperation and review for the HCO; and weaknesses in the security of third party access and outsourcing. In response to all these problems found in the research, some recommendations for modifying the criteria in the Security Organization section of the Standard are made as follows:

• Getting support from senior executives for the information security forum. One of the most critical components of an effective management information security forum is ongoing support from senior executives in the HCO. This support translates into organizational commitment for almost everything, from effective security policy and budget development to personnel training time.

• Clearly define responsibility for security and information ownership. The security of the HIS and EMR should be the responsibility of the owner of that system and information. It is essential to clearly define the ownership of health information and the local responsibilities for both physical and information assets. Owners of HIS and EMR, e.g. HCOs and patients, may delegate security authority to individual users, e.g. doctors and nurses, managers and IT experts. Nevertheless, they remain ultimately accountable for protecting the security of systems and the privacy of health information.

• More external security advice, cooperation and review. Contacts with external security specialists should be developed in the HCO to work along with in-house IT personnel in order to keep up with industrial trends, monitor standards and assessment methods, and provide suitable liaison points when dealing with security incidents. Meanwhile, cooperation on security issues between different HCOs should be encouraged and strengthened.

• Establish chain of trust partner agreements. If data are processed through a third party, the parties are required to enter into a chain of trust partner agreement. To ensure that the same level of security will be maintained across the continuum of EMR transmission, chain of trust partner agreements should be instituted between HCOs and those third parties with whom electronic health information is exchanged. Such contracts will provide the legal basis for maintaining consistent levels of data integrity and confidentiality.

• Careful identification of risks from third party access and outsourcing. While there are many reasons (administrative, research and business ones) for granting a third party the right to access IT facilities and patient records in a HCO, a risk analysis should be carried out to identify any requirements for specific security measures. The analysis should take into account the types and reasons of the access, the classification of accessible information, the controls employed by the third party, and the implications of this access for the information security of the HCO.

Figure 1: classification of health information into four categories (figure not reproduced in this copy).

Asset classification and control

Accountability for assets helps to ensure that appropriate protection is maintained. It is essential for a HCO to identify the owners of major IT facilities and health information, as
there are increasing uses of HIS and EMR both within and outside the organization in recent years. All the interviewed HCOs did a pretty good job in the inventory of physical and software assets. Each department in the public hospitals is responsible for the usage and maintenance of its own hardware and software, while the relatively small diagnostic labs usually have centralized inventory management of their assets. Health information, like other information assets in a HCO, has varying degrees of sensitivity and criticality. There are certainly many classification schemes for health information, one of which, suggested by the authors, divides the information into four categories (see Figure 1).

Obviously, specific security controls and guidance should be set for each of these categories respectively. For instance, the first category of health information covers the most sensitive information at the HCO and requires the greatest security safeguards at the user level. For the second and third categories, a record of electronic access to patient-specific information should be logged, and the information should be protected against acts that are considered to be malicious and destructive. Finally, in the last category, the information could be used by researchers and other authorized personnel with the minimum of protection.

To summarize the findings, in practice the vulnerabilities in the area of asset classification and control may include: lack of centralized control of asset management across the organization; a need to clearly define the ownership of health information assets and the custodian responsibilities for these assets; lack of unique standards for health information classification; and the need for procedures for information labelling and handling in accordance with the classification scheme. To overcome these problems found in the research, some recommendations specific to HCOs in the criteria of asset classification and control are presented as follows:

• Establish centralized inventory management of assets. The HCO should establish centralized inventory management of all categorized assets by enhancing the cooperation and coordination of asset management across the organization. Adequate precaution against damage or unauthorized entry to places where health information is centrally stored is essential.

• Develop a scheme and policies for health information classification. The policies of the HCO with regard to the classification of health information on the basis of its sensitivity and patient-identifiability should be defined. The classification categories should also be consistent with legal requirements and sector standards. In addition, care must be taken to protect the anonymity of patients during software demonstrations to colleagues: use fictitious names or non-identifiable data for presentations. Patient records used for education and training should be de-identified.

Personnel security

The major security weakness of most HISs is not the technology but the people involved. Many reports indicate that the danger of an internal security attack (i.e. an attack initiated by the organization's own employee from within) is very high, at present around 50% [CSI/FBI 2001]. All healthcare professionals and other employees in a HCO should be adequately screened at the recruitment stage, and their responsibilities for information security and patient privacy should be included in their job contracts and monitored during their employment. They should also be trained, through the HCO, in the principles and practices of healthcare information security, given the rapid development of EMR and HIS. During the site visits, all the HCOs interviewed claimed to have strict verification checks on potential recruits. The procedures are usually tougher than in many other recruitments, because a HCO employee may get access to
confidential health information and systems, and therefore have more responsibilities on information security and patient privacy. In addition to informing employees of the organization's expectations with regard to keeping health information confidential, organizations need to hold them responsible for their behaviour. As to personnel security policy, however, only one of the five HCOs interviewed (hospital B) has developed formal documents in this area, and there was little implementation or use of termination security found in the HCOs in practice.

Information and system security can only be maintained if all personnel involved in their use know, understand and accept the necessary precautions. Most large HCOs (hospitals A, C, and lab D) claimed to have formal seminars or programmes to educate employees about patient privacy and system security. Many provide such training in an orientation session before employees are given access to patient information. Similarly, refresher courses serve to remind long-time users about existing policies, update them on changes, and discuss strategies for real-life situations that they may encounter on the job. Mistakes and incidents in HCOs are killing 1500 people a year, according to a New Zealand Herald report dated 4 October 2000 by health reporter Martin Johnston [Johnston 2000]. Many of the incidents are IT-related, including errors in EMR, negligence by individuals or HIS failures. Four of the five HCOs interviewed (hospitals A, B, C, and lab E) stated that they had implemented a formal process to deal with identification, reporting, and the ensuing response to real or potential violations of established security policy, including security incidents, weaknesses and malfunctions of IT facilities, even though the reporting and response procedures for security incidents in some organizations were still conducted on an ad hoc basis, with no formally documented and communicated steps to be followed.

According to the above problems found in the research, some recommendations for improving the area of personnel security in the HCO are presented as follows:

• Establish a comprehensive personnel security policy. According to the experience of other industries, e.g. banking, a formal personnel security policy that supports privacy and confidentiality is also a critical component of the HCO's information security infrastructure. The major contents may include: a statement of purpose; references to relevant institutional policies concerning access to personal health information and general information security; a definition of confidential information, including patient, business, and employee data; responsibilities of employees; responsibility and procedures for reporting security incidents and violations; investigation and appeal processes; and consequences and penalties for inappropriate access, release, modification, or removal of patient health information.
• Develop appropriate termination procedures. Each HCO is required to implement termination procedures, which are formal, documented instructions (including appropriate security measures) for the ending of an employee's employment or an internal/external user's access. Included in the termination procedures should be provisions for: changing locks or combinations to protect IT facilities or HIS; removal from access lists; removal of user accounts granting access privileges to patient information, services and sensitive systems for which they currently have clearance; and turning in of keys, tokens or cards that allow access to buildings or equipment, preferably prior to termination. In practice the account and access-list removals should be reconciled against the HR record of leavers, since an account that survives its owner's departure is a standing path back into patient data.
• Develop the organization-wide security training programme. A security training programme should be established in the HCO for all employees and third parties


with access to health information. Such training should include: awareness education covering the organizational security policy, password maintenance, incident reporting, and viruses; periodic security reminders conducted as updates to the basic security education; and user education concerning virus protection, including identification, reporting and prevention measures.
• Make use of multiple training tools. Innovative training methods have been evaluated in studies dealing with changing clinical practice behaviours and may be of use for training in confidentiality and security as well. A variety of tools may be developed to support or enhance formal training programmes. These include attractive pamphlets, enhancements to computer systems, self-study modules available for use in the computer training centre which staff can take home, and posted reminders in elevators and cafeterias.
• Develop patient education based on legal requirements. Based on the requirements of the Privacy Code, the patient must be at the centre of the decision-making process regarding access to, storage and disclosure of his or her own identifiable healthcare information. The HCO should provide a full explanation to the patient of both the health information or medical record and his/her privileges in dealing with the information.

Physical and environmental security
The generally open nature of HCOs and their high degree of public access dictate that physical security measures are the very first stage of protection to prevent unauthorized access to computing equipment and facilities. The information systems must also be safeguarded against a variety of environmental hazards that may adversely affect the operation and management of these systems. All of the HCOs visited were found to have moderate physical security in place for their information systems; two of them had somewhat stronger security practices. The machines that provide centrally controlled services (mainframes and other production servers) were identified, located in very secure settings, and well controlled at the sites visited. Most of the organizations put much effort into the protection of their IT facilities in order to reduce the risk of unauthorized access to sensitive health data and to safeguard against loss or damage. Servers, routers, network cable and some support equipment are usually the key targets of security protection. Many protective measures, such as fire and smoke detectors, gutters and down pipes, UPS and multiple electrical power supplies, have become standard associated facilities for the computing sites of more and more HCOs. Compared to large organizations, the smaller ones may face even more challenges in physical security. Police statistics show that more than 10% of GPs in New Zealand have had their computers stolen, and other hazards include excessive heat, dust, fire and lightning [Hill 1998].

To summarize the findings in the practices, the vulnerabilities in the area of physical and environmental security could include lack of a formal physical security policy, the need for a systematic decision-making procedure for physical security, inadequate coordination in the implementation of physical controls, and weaknesses in logical access controls and equipment disposal. Some recommendations for optimizing the physical security in a health IT environment are made as follows:

• Establish appropriate physical security policies. Management should establish rules and procedures to ensure that all staff maintain a secure work area, i.e. one in which physical security helps to protect the confidentiality and privacy of health information. For instance, computer screens on the consultation desk should not display patient information from a previous consultation. The use of screen savers and


automatic time logout can assist with protection of privacy.
• Optimize the decision and implementation of physical security. Good physical security management also needs a systematic decision-making mechanism. The level of physical access control for any area containing confidential or restricted health data and facilities must be consistent with the level of risk and exposure. Meanwhile, the implementation of physical security controls should depend on the coordination of all divisions of the HCO, including the security, IT and clinical departments.
• Strengthen the security of computing equipment. Servers, routers, and other equipment which contain or communicate patient information must be protected from damage, theft, and misuse, and not only because of their monetary worth. There are many ways to provide equipment control. These may include assignment of liability, property passes, desktop locks, and property alarm devices. Facility security may include access cards, cipher locks or just a lock on the door.
• Carefully deal with information and equipment disposal. Physical security also requires that outdated IT facilities which contain sensitive personal health information be disposed of properly. Paper records are best disposed of by shredding. This applies to copies of test results and brief notes. Electronic records disposal may be done either through physical methods, e.g. CD-ROM destruction, or electronically through magnetic erasure (floppy and hard disks). Deleting files or reformatting a disk is not erasure: the data remains recoverable until it is overwritten or the medium is degaussed or destroyed.

Computer and network management
The computers and networks implemented in the surveyed HCOs are of different models from different companies, but their architecture and management in the same types of care-provider are quite similar. For example, the three public hospitals interviewed all make use of the client/server architecture with a variety of systems applications. All have local area networks as well as wide area networks that span different buildings at the same location as well as different geographic locations. These hospitals operate a wide variety of hardware, running multiple operating systems such as Unix and Windows NT on servers. Servers form the backbone of the network system, providing file and database access. Each server may provide one or more services, such as patient information, payroll, billing, test results, and administration. Meanwhile, a variety of communication technologies like X.25, ISDN, microwave and optical fibre have been deployed. These technologies enable internal network connection within the organization as well as allowing other organizations, e.g. diagnostic laboratories, GPs, and government agencies, to exchange information.

Concerns about computer and network security have been voiced for decades in the healthcare sector, as in most other sectors, and procedural and technological solutions have been worked out for all but the most assiduous kinds of attack. More recently, with the growth of the Internet and distributed computing, these issues have been felt more widely, and a whole new class of problems centred on powerful new means of remote access to HIS, and to their networks of all kinds, has raised additional security challenges. Again, procedural and technological solutions have been devised that offer prudent protection but recognize that concerted, directed, professional attacks on almost any computer and network facility are likely to succeed, despite the most rigorous protection. However, these 'prudent practice' solutions have not been adopted uniformly, partly because the number of affected computers and networks in HCOs has grown exponentially and partly because the people responsible for these systems are not trained to select and apply these solutions, or are unable to enforce workable solutions within the organization. To summarize the findings in the


practices, the current problems in the area of computer and network management found during the research include unclear segregation of duties in IT professions, lack of integrated system planning management, the need for comprehensive software disciplines, the issue of software availability, neglect of data backup in a network environment, lack of formal policies for the health data handling process, and the security weaknesses of the applications of email, HL7 and value added networks, the Internet, etc. in a health environment. In fact, many of the above problems have not been described clearly in the criteria of the Standard. Therefore, some suggestions for modifying the criteria in the section of Computer and Network Management in AS/NZS 4444 are made as follows:

• Establish integrated system planning management. Planning policies and procedures for system development should be established in HCOs to reduce the risk of system failures due to problems of system capacity, integration, interconnection, feasibility and growth.
• Comprehensive software disciplines for security. HCOs should exercise and enforce comprehensive disciplines over user software. At a minimum, they should immediately install virus-checking programs on all servers and limit the ability of users to download or install their own software. Software inventory (census) tools or regular audits can be used to ensure compliance with such policies.
• Availability of software services. The availability of the software services in the HIS ensures that accurate and up-to-date health information services are available to end users (e.g. doctors and nurses), when needed, at appropriate places. There are four main components which support software availability, namely application software, network systems, client computers and server computers. [Sakamoto 1998] suggested a prototype to structure these four components so as to provide the minimum requested software services in a healthcare environment.
• Data backup in a network environment. Some of the issues for making data backup work well in a HCO network environment should be considered. Backup data should be stored in a secure location other than the HCO. Paper records should not be kept in a public area but in a lockable area when the staff are away.
• Establish the mechanism of network management. Network management in the HCO should be an integrated process including at least the following steps: risk analysis, identification of security requirements, establishing security mechanisms and regulations, selecting network security controls, and installation and maintenance.
• Develop a formal health data handling process. HCOs should maintain a formal mechanism for processing records, that is, documented policies for the routine and non-routine receipt, manipulation, storage, dissemination, transmission, and/or disposal of health information, according to the rules of the Privacy Code.
• Develop a security policy on email. HCOs should draw up a clear policy regarding the use of electronic mail, which may cover guidelines on sensitive contents (e.g. personal health information) in messages, the protection and checking of email attachments, knowledge of attacks on email, the use, storage and disposal of email, etc.
• Health Level 7 (HL7) and value added network (VAN). The issues of Health Level 7 and value added networks should be studied and implemented by each HCO which has health data exchange with outside parties. All sensitive healthcare messages sent should be encrypted at one end, decrypted at the other and receipt acknowledged; this is typically achieved by using a VAN. Note that the VAN supplies the transport and acknowledgement service, while the strength of the protection depends on the encryption actually applied to the messages, which the HCO should verify rather than assume.
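As an added example, not code from the paper or from any HL7 toolkit, the following Python sketches the receiving side of the exchange just described: an HL7 v2 message is checked for integrity before its contents are trusted, parsed into segments, and answered with an HL7 ACK whose MSA-1 is AA (accepted) or AE (application error) carrying the original message control id (MSH-10). The integrity tag travels in a locally defined ZMAC trailer segment and is computed with a pre-shared HMAC-SHA256 key; both are constructed conventions for this example. The encrypted transport the text expects from the VAN is assumed to be in place and is not implemented here, and the sample message, patient, NHI number and facility names are constructed.

```python
"""Receive side of an HL7 v2 exchange over a value added network (added example)."""
import hashlib
import hmac
from datetime import datetime

SEG_SEP = "\r"            # HL7 v2 segment terminator
FIELD_SEP = "|"           # MSH-1, the field separator
ENCODING_CHARS = "^~\\&"  # MSH-2

# Constructed key for this example only; a real key is exchanged out of band.
SHARED_KEY = b"constructed-demo-key"


def parse_hl7(body: str) -> dict:
    """Map segment id -> field list (first occurrence of each segment).
    In MSH the separator itself is MSH-1, so MSH-n is at index n-1;
    in every other segment field n is at index n."""
    segments = {}
    for seg in body.split(SEG_SEP):
        if seg:
            fields = seg.split(FIELD_SEP)
            segments.setdefault(fields[0], fields)
    if "MSH" not in segments:
        raise ValueError("message has no MSH segment")
    return segments


def mac_tag(body: str, key: bytes = SHARED_KEY) -> str:
    """HMAC-SHA256 over the exact segment bytes, hex encoded."""
    return hmac.new(key, body.encode("utf-8"), hashlib.sha256).hexdigest()


def seal(body: str, key: bytes = SHARED_KEY) -> str:
    """Sender side: append a locally defined ZMAC segment carrying the tag (constructed convention)."""
    body = body.rstrip(SEG_SEP)
    return body + SEG_SEP + "ZMAC" + FIELD_SEP + mac_tag(body, key) + SEG_SEP


def build_ack(msh: list, code: str, text: str = "", now: str = "") -> str:
    """HL7 ACK: MSH with sender/receiver swapped, MSA echoing the control id (MSH-10)."""
    now = now or datetime.now().strftime("%Y%m%d%H%M%S")
    ack_msh = FIELD_SEP.join(["MSH", ENCODING_CHARS, msh[4], msh[5], msh[2], msh[3],
                              now, "", "ACK", "ACK" + msh[9], msh[10], msh[11]])
    msa = FIELD_SEP.join(["MSA", code, msh[9], text]).rstrip(FIELD_SEP)
    return ack_msh + SEG_SEP + msa + SEG_SEP


def receive(wire: str, key: bytes = SHARED_KEY, now: str = "") -> tuple:
    """Verify the tag, then parse and acknowledge. Returns (ack, audit_line).
    The audit line never carries the patient name; PID-3 is replaced by a keyed pseudonym."""
    segs = [s for s in wire.split(SEG_SEP) if s]
    if not segs or not segs[-1].startswith("ZMAC" + FIELD_SEP):
        raise ValueError("no ZMAC trailer: message rejected")
    body = SEG_SEP.join(segs[:-1])
    presented = segs[-1].split(FIELD_SEP)[1]
    intact = hmac.compare_digest(presented, mac_tag(body, key))
    segments = parse_hl7(body)
    msh = segments["MSH"]
    sender = msh[2] + "/" + msh[3]
    if not intact:
        # Application error: tell the sender and record the rejection without trusting the payload.
        return (build_ack(msh, "AE", "integrity check failed", now),
                "ctrl=%s from=%s result=REJECTED_BAD_MAC" % (msh[9], sender))
    pid = segments.get("PID", [])
    patient_id = pid[3].split("^")[0] if len(pid) > 3 else ""
    pseudonym = (hmac.new(key, patient_id.encode("utf-8"), hashlib.sha256).hexdigest()[:12]
                 if patient_id else "-")
    return (build_ack(msh, "AA", "", now),
            "ctrl=%s type=%s from=%s patient=%s result=ACCEPTED"
            % (msh[9], msh[8], sender, pseudonym))


# Constructed sample ADT^A01 (admission) message; patient, NHI number and facilities are fictitious.
SAMPLE_ADT = SEG_SEP.join([
    "MSH|^~\\&|LABSYS|LAB_E|PAS|HOSP_A|20020314101500||ADT^A01|MSG00001|P|2.3",
    "PID|1||ABC1234^^^NHI||DOE^JANE||19700101|F",
    "PV1|1|I|WARD7^^^HOSP_A",
])

if __name__ == "__main__":
    ack, audit = receive(seal(SAMPLE_ADT))
    print(ack.replace(SEG_SEP, "\n"))
    print(audit)
    tampered = seal(SAMPLE_ADT).replace("DOE^JANE", "DOE^JOHN")  # altered in transit
    print(receive(tampered)[1])
```

The receiver verifies before it parses anything beyond MSH, so a message whose body was altered in transit is answered with an AE rather than silently applied, and the audit line written for either outcome identifies the message and sender without repeating the patient's name or identifier.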


• Build Internet and E-commerce security solutions. Internet services, as well as E-commerce, in health provision are vulnerable to a number of network threats which may result in fraudulent activity, contract disputes and disclosure or modification of sensitive personal health information. Appropriate security solutions should be applied to protect Internet services from such threats.

System access control
It is essential that IT systems and health information be protected by comprehensive logical access controls implemented by the HCO. Access should be guaranteed for legitimate users (e.g. doctors and nurses) and denied to all others. All classes of users must be identified and authenticated before any access is granted, and further mechanisms must control subsequent reading, writing, modification and deletion of applications and data. There should be no method for bypassing any authentication or access controls. HCO users are unlikely to be satisfied with controls that intrude upon working practices, and the chosen schemes should be transparent and convenient in order to gain acceptance. However, we found in the site visits that a serious threat to the security and privacy of personal health information in HCOs is the poor design and lax administration of access control mechanisms. In many HCOs, all users may access all medical records; it is also common to find poor password management, or terminals permanently logged on for the use of everyone in a ward. This causes a breakdown of clinical and medico-legal accountability, and may lead to direct harm to patients' privacy. Vulnerabilities found in this area include ad hoc practices and/or incomplete policies and procedures for authorizing and establishing access to organizational systems; broken processes to address modification and revocation of user access following job changes or termination; failure to include smaller, departmental applications in access control policies and practices; and lack of access controls for mobile computing and telemedicine. According to these problems found in the research, some recommendations for improving the area of system access controls in health computing environments are presented as follows:

• Establish appropriate rules for access controls. The rules provide the basis for the access control policy in an organization. Generally, the access rules in a HCO should be based on the principles of the Privacy Code and the need-to-know principle, and access is restricted to healthcare professionals working within the HCO. EMR permit differential access to health information, which can be used as a tool to protect privacy.
• Consistency between access control and information classification policies. All HCOs are advised to develop an appropriate classification scheme for health information (see the section on Asset Classification and Control) consistent with legal requirements and sector standards. For example, access control lists should separate clinical users from administrative users.
• Specify patient access in the access control policy. Patients' rights of access to their electronic and paper health records are protected by the Privacy Code. HCOs should include patient access in their access control policy and specify its process and procedure. Sharing information is integral to good communication in the doctor-patient relationship and to high quality care.
• Optimize the user authentication mechanism. HCOs should optimize their user authentication mechanism by combining login-password authentication with advanced authentication technologies. Some potential candidates may include biometric identifiers (e.g. fingerprint, hand geometry pattern, retinal scan,


voiceprint, etc.) and smart card tokens. Specific policies within the organization should specify the disciplinary actions and penalties for sharing any unique identifier with other individuals.
• Implement comprehensive network access controls. Effective access controls should be a prerequisite for the HCO's networking. Network and system administrators should pay attention to combining technical controls, e.g. firewalls, limited links, strong authentication technologies and audit trails, with non-technical approaches, e.g. security training and ethical considerations.
• Establish network connection management in the HCO. The HCO should establish appropriate connection controls to manage not only the links to external networks but also the contents of the information exchanged. For example, the network should limit the transfer of sensitive patient health information without the protection of encryption.

System development and maintenance
The use of information systems and applications in HCOs is essential in providing proper treatment and care services to patients, and in managing the staff and the organizations. For example, hospital A is investing more than $20 million in new information systems as part of its overall $90 million redevelopment package. According to its management, the current paper-based patient information system is inadequate and it wants to give specialists instant access to complete information about a patient's treatment. The new electronic patient records replace paper systems and clinicians will be able to view x-rays, scans and blood tests on terminals in the wards and clinics. System development and maintenance activities merit special consideration, given the opportunities that exist to affect the operation of the systems in the HCO. Apart from the pure functionality of these systems, the security of the systems is an issue to be considered. Security aspects range from confidentiality, correctness and availability of information at the right time to the right person. Unauthorized or uncontrolled changes to any aspect of an operational system could potentially compromise security and, in some cases, endanger life. System development and maintenance must, therefore, be carried out in accordance with well-defined procedures. The major problems found in the area of systems development and maintenance during the site visits include lack of a documented process and policy for security requirement specification during system development; the need for integration concerns in health system development; lack of system quality assurance and data integrity mechanisms; security weaknesses in system maintenance; and immaturity in the use of cryptographic technologies. We made some recommendations here for improving the current situation in the HCO and modifying the criteria in this area:

• Formalize the security requirements analysis and specification. The HCO should establish a standard minimum level of security for the development of information systems and applications. All security and privacy requirements should be identified at the requirements stage of development and justified, agreed and documented as part of the overall business case for the systems.
• Enhance the integration of system development. An enterprise-wide healthcare information system will require the integration of all these applications within a HCO and the systems of all the different HCOs that share patient health information securely with one another. Common security standards and controls for HIS should be agreed upon and documented across the health sector.
• Establish a system quality assurance mechanism. There should be a documented


system for the quality assurance of system development in the HCO. Strong controls must be placed upon the developers of HIS to ensure high quality development, and compliance with the security and privacy requirements should be expected as a minimum. Effective software development tools must be used to design application systems. Maintaining separate hardware domains for the operating system and application programs is essential for protecting critical code and data structures from external interference.
• Develop comprehensive data integrity measures for health application systems. The HCO should develop a data integrity control policy, which has at least the process and procedures of four essential components: security measures, procedural controls, assigned responsibility, and audit trails [Anderson 1996]. For example, to ensure the integrity of information, unauthorized, deliberate or accidental modification or entry of data must be prevented. Moreover, the source, date, time and content of any alterations must be known.
• Create security and privacy protection in system outsourcing. Outsourcing may lead to a reduction in security and privacy protection. The HCO should carry out rigorous contract management through a formal outsourcing security policy and contractual terms which aim at extending privacy protection to patient information handled by contractors. The organizations should also pay attention to any proposal involving off-shore processing as this may carry additional privacy risks.

Business continuity planning
The continuous availability of information systems is essential to the operation of a modern HCO. Many health IT departments never experience a disaster. But should a disaster occur, a well-designed action plan would protect health information from damage, minimize disruption, ensure stability, and provide for orderly recovery. It is essential that a business continuity plan (BCP) be made to ensure the level of availability needed by the HCO is maintained in the event of any system outage or disaster. There should be a reporting structure and a team in place to ensure that any system outage is kept to a minimum. In the site visits, the majority of large HCOs (hospitals A and C) already had documented plans and procedures of disaster recovery and data backup for physical disasters and systems failure. Compared with the large HCOs, the smaller ones (e.g. diagnostic labs and GP offices) were found to be generally more lax in business continuity management. For example, only 5% of GPs have contingency plans to deal with any problems, according to a survey carried out by the Ministry of Health [NZHIS 1997].

Some other vulnerabilities in this area might include the need for risk analysis and business continuity and impact analysis during the development of the BCP; lack of a BCP in effect in the small organizations, or a disaster plan in effect covering only major enterprise systems; contingency plans left to the discretion of department managers to cover their departments, with no comprehensive plan in effect for the entire organization; contingency plans in place that have not been updated recently and therefore fail to cover all parts of the organization, including remote sites; and the need for built-in BCP-compliant measures. According to these problems found in the research, some recommendations for improving the area of business continuity management in health computing environments are presented as follows:

• Carry out business continuity and risk analysis. The HCO should begin business continuity management by assessing the sensitivity, vulnerability and security of the key business operations and health information assets in the


Figure 2

organization. Security measures should be designed for each HCO based on the actual result of the risk analysis. One method that has been applied successfully in several areas of healthcare in Europe is the CCTA Risk Analysis and Management Method (CRAMM).
• Develop a comprehensive BCP for the HCO. Every HCO should develop a comprehensive BCP for responding to a system emergency that will facilitate the assurance of continuity of key health information systems and operations. The BCP should include a set procedure for identifying problems, listing emergency contacts, and accessing backup medical data.
• Awareness and training of BCP. The HCO should place great emphasis on ensuring its employees are made fully aware of and are trained in the BCP that has been developed. The training should cover the responsibilities for developing, maintaining, and testing the BCP, as well as actual recovery operations.
• Build BCP-compliant systems. Health information systems include all the elements that facilitate the capture, storage, processing, communication, security, and presentation of computer-based patient record information. To ensure the safety and prevention of the potential loss of data, these systems and applications in a HCO need to support the organization's detailed disaster recovery plan.

Compliance
All relevant statutory, regulatory and contractual requirements should be explicitly defined and documented for each information system in a HCO. Principal among the legal requirements presented by the computerization of health data is how to protect individual privacy interests in personal health information. Modern computer applications in the healthcare system threaten individual privacy although they offer significant benefits to patients and practitioners. With little more than basic information about a person, private or commercial actors can, through online networks, the Internet, and retrieval services, quickly assemble detailed medical profiles of the same individual. Strong legal protection for personally identifiable health data is necessary to facilitate the processing of electronic data through health applications and networks. New Zealand is fortunate in having a developed and implemented Privacy Act and Health


Figure 3

Information Privacy Code, which provide adequate guidance on such issues in the health sector. One of the most important pieces of legislation regarding health information privacy and security is the Health Information Privacy Code 1994 (see Figure 2).

In summary, compliance with the Privacy Code and other relevant data protection legislation requires an appropriate management structure and controls. Often this is best achieved by the development and implementation of a privacy plan and codes of practice, based on the privacy principles and legislative rules, in the HCO. Privacy officers should be appointed to provide guidance and to spread awareness of privacy issues and, with the support of management and IT staff, facilitate the privacy plan and codes throughout the organization.

One of the important tools to ensure compliance with legislative and operational requirements in an organization is the system audit trail. In a health IT environment, audit trail records contain identification of the user, data source (for automated devices), person about whom the health information is recorded, provider facility, and other participant users if applicable. Audit trail records also contain the date/time and location of the activity, and the nature of the activity


(i.e. function performed and information accessed). Some vulnerabilities in system audit found in the site visits could include lack of internal audit capability in the organization (no internal audit department), constrained audit resources, or lack of skills to review audit logs generated from organizational systems; lack of follow-up once irregular activities are recognized; lack of participation by the internal audit staff in the design and planning of systems that will comply with the security policy; and inadequate or non-existent audit logs from one or more applications that process health information. Some recommendations for improving the area of compliance in health computing environments are presented as follows:

• Develop a constructive privacy plan. Because there are so many dimensions of the patient privacy interest and so many competing interests in health information at so many levels of society, it is essential for a HCO to develop a constructive privacy plan based on the legislative requirements of the Health Information Privacy Code 1994.
• Establish the general principles of health information privacy. Based on the 12 rules of the Health Information Privacy Code 1994, the health sector in New Zealand should establish a set of general principles that provide the guideline of protections which should be considered when implementing comprehensive patient policies and codes of practice. These principles should cover issues such as recognizing the unique status of personal health information, providing privacy safeguards based on fair information practices, empowering patients with information and rights to consent, limiting the disclosure of health data, incorporating industry-wide protections, establishing a data privacy and security board, and providing a minimum level of national privacy protection.
• Develop the Code of Practice for the management of health information. The HCO should develop a Code of Practice for the management of health information, which aims to provide clear advice to all internal users and other interested parties about the way in which health information, particularly personal health information, should be managed on an ethical and legal basis. While privacy concerns have been particularly highlighted by the advent of information technology and its capacity to facilitate information transfer, this Code should establish minimum safeguards and processes that must be followed by users if their use of manual and computerized records is to meet appropriate legal and ethical standards.

Developing a proposed Healthcare Information Security Framework based on the baseline approach
Although most key controls in the 10 aspects of the information security baselines described in the last section were observed in at least one site visited, no single HCO had implemented all of them, and some had paid only minimal attention to a few security measures. From our point of view, they could have made significantly more effective use of current technologies in practice. The HCOs that we interviewed often demonstrated a lack of clear leadership on the part of security management, thus employees were uncertain of what to do or where responsibility lay. Instances were observed in which managers had made isolated efforts to improve information security within their departments, but without sufficient authority and management support these efforts remained limited in scope and had little impact on the overall organization. Therefore, as HCOs are becoming increasingly dependent on IT and expanding their boundaries, they need to develop a comprehensive framework to

189
L. Janczewski & F.X. Shi
Development of Information Security Baselines

ensure that the message of commitment to patient privacy and information security is pervasive and implemented in policies, procedures, and everyday behaviour, both within their organizations and across the health sector.

Such a framework should include an overall baseline assessment and risk analysis, specific policy development, measure implementation, and monitoring and reporting action. It enables the personnel involved in developing policies and procedures to understand the ultimate goal of their efforts, as well as how those efforts complement parallel efforts elsewhere within the organization. Through early, careful, and precise planning, information security management, serving as a coordinator, can help ensure that policies are not in conflict, lines of authority are clear, and gaps in security are avoided. If implemented appropriately, the framework can serve as an integrated management model for protecting patient privacy and health information security in the HCOs. Figure 3 shows the major modules, as well as the associated key steps, of the proposed health information security framework.

Generally speaking, the effectiveness of the development and implementation of the proposed health information security framework within an HCO is limited by the ineffectiveness of the security management and monitoring of the use of health information systems in the organization as a whole. All HCOs should step up to the challenges of health information security through the establishment of their security management framework. With the exception of some GP offices and group practices, which do not have many IT applications, most HCOs should start with the baseline assessment and planning. Nevertheless, the information security framework of each HCO may vary greatly according to its own organizational structure, culture, and technical and staff resources. And the management, regarding the implementation of security requirements, should treat it as a business decision and involve a balance between securing health data against risks and the cost of doing so in a specified HCO's environment. The lack of direction in the proposed recommendations is consistent with the (AS/NZS 4444) Standard's intent that the rules be technology neutral and flexible, and to recognize the inherent risk/benefit trade-off in every decision. It is clear that each HCO must decide the methods it will use and the extent to which the requirements and development features are implemented.

The proposed Healthcare Information Security Framework depicted in Figure 3 is not significantly different from a security framework for any organization relying heavily on its information resources. The framework was developed using the baseline approach and one may expect that general conclusions should be the same. The objective of the research was therefore not to suggest a drastically new Healthcare Information Security Framework but rather to formulate possible adjustments of the baseline standards (particularly AS/NZS 4444) to make the standard more applicable to HIS.

Summary

Security baseline is an effective approach to introduce information security management to organizations that have not addressed security at all, or more likely have not addressed it in a structured manner. AS/NZS 4444, as a security standard, is a comprehensive Code of Practice for IT security and has been implemented, supported and promoted in many organizations. This Standard will be very useful to healthcare organizations to place foundations under the surface security which has already been put in place. However, obviously its current contents, format and level of detail are not sufficient and suitable to a healthcare
IT environment because of the inherent technological and environment constraints. Therefore, this research aims to develop a new set of security baselines specified for the protection of healthcare information in HCOs. The health information security baselines presented in the paper provide a minimal set of rules or codes of practice that have been indicated to be essential so that the vital health information assets of a HCO are protected. In order to implement these rules and codes of practice and deploy the appropriate security measures in the HCO, it has to develop a security framework and take a series of critical steps based on the baseline approach. These baselines are not presented as a standard in this framework, but as guidelines for the individual HCO to utilize when designing and/or building upon their organization's existing security environment.

Appendix A
Summary of the basic privacy rules from the Privacy Act and Health Information Privacy Code:

1. Personal information is only to be collected for a lawful purpose connected with a function or activity of the agency.
2. Information should be collected directly from the individual concerned.
3. The individual concerned should be aware that information is being collected and should know:
• the purpose for which the information is being collected;
• who are the intended recipients of the information;
• the consequences for the individual if the information is not provided;
• the rights of access to and correction of personal information provided.
4. Personal information shall not be collected by unlawful or unfair or intrusive means.
5. Information is protected by security safeguards against loss, unauthorized access, use, disclosure or modification.
6. The individual concerned shall be entitled to obtain confirmation that information is held, and access to that information.
7. The individual concerned shall be entitled to request that correction be made to information held, or a statement that such a request for change has been made.
8. The holder of personal information must check its accuracy before use.
9. The holder of personal information may not keep that information for longer than necessary.
10. Information may only be used for the purpose for which it was originally intended.
11. The holder of personal information may not disclose that information to any other person or agency.
12. The holder of personal information may not assign a unique identity (key) unless it is necessary to carry out its function, nor may another holder use that identifier.

References
Anderson, R., 1996. Security in Clinical Information Systems, working paper, Computer Laboratory, University of Cambridge, UK, 12 January 1996.
AS/NZS 4444:1999, Australian/New Zealand Standard: Information Security Management, Standards Australia & Standards New Zealand, 1999.
Barnard, L. and von Solms, R., 2000. A Formalized Approach to the Effective Selection and Evaluation of Information Security Controls, Computers & Security, Vol. 19, 2000, pp. 185-194.
CSI/FBI, 2001. CSI/FBI Computer Crime and Security Survey 2001, Computer Security Institute, 2001.
Fitzgerald, K.J., 1995. Information Security Baselines, Information Management & Computer Security, Vol. 3, No. 2, 1995, pp. 8-12.
Hill, S., 1998. GPs Say Data Transfer a Threat to Patient Privacy, New Zealand Doctor, 19 August 1998.
ISHTAR, 2001. Barber, B., Louwerse, K. and Davey, J., White Paper on Health Care Information Security, http://ted.see.plym.ac.uk/ishtar/
Janczewski, L., 2000. Information Security Framework For Health Information Systems, in A. Armoni (ed.) Health-care Information Systems: Challenges of the New Millennium, Harrisburg, PA, USA, Idea Group Publishing.
Johnston, M., 2000. Blunders kill hundreds in hospitals, The New Zealand Herald, 4 October 2000.
Mason, A. and Tipping, L., 2001. Understanding & Implementing Security Standards into Your Business, Proceedings of the SECURE.NZ conference, Auckland, New Zealand, 2001.
Moule, B. and Giavara, L., 1995. Policies, Procedures and Standards: an Approach for Implementation, Information Management & Computer Security, Vol. 3, No. 3, 1995, pp. 7-16.
NZHIS, 1997. Issues in Developing and Implementing a Health Information System, New Zealand Health Information Services, Ministry of Health, New Zealand, 1997.
OTA, 1997. Office of Technology Assessment, Protecting Privacy in Computerized Medical Information, report for US Congress, OTA-TCT-576, September 1997.
Sakamoto, N., 1998. Availability of Software Services for a Hospital Information System, International Journal of Medical Informatics, Vol. 49, 1998, pp. 89-96.
Smith, E. and Eloff, J.P.H., 1999. Security in Health-care Information Systems, Current Trends, International Journal of Medical Informatics, Volume 54, Issue 1, April 1999, pp. 39-54.
SEISMED, 2001. Secure Environment for Information Systems in Medicine Project, http://www.semper.org/sirene/projects/seismed/
Tan, F.B. and Gunasekara, G., 2000. Health Information Management and Individual Privacy: Application of New Zealand's Privacy Legislation, Chapter IV of Health Information Systems: Challenges of the New Millennium, edited by Adi Armoni, Idea Group Publishing, 2000.
Von Solms, R., 1999. The Information Security Toolbox, in Managing Information Technology Resources in Organizations in the Next Millennium, ed. M. Khosrowpour, Idea Group Publishing, 1999.
Von Solms, R. et al., 1999. The Information Security Management Toolbox, Proceedings of the 1st Annual Information Security for South Africa Conference, Rand Afrikaans University, August 2001.
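The compliance findings earlier in the paper describe audit weaknesses a reviewer can act on directly: audit logs that record the function performed and the information accessed, a lack of skills to review those logs, no follow-up once irregular activities are recognized, and applications that process health information but produce no audit records. As an added illustration, not code from the paper or from any HCO, the following Python script reviews a constructed HIS audit log for three such irregularities: functions performed outside a user's role, users touching an unusually large number of distinct patient records, and expected applications that emitted no records at all. The record layout, the role-to-function policy, the application list, the threshold and the sample records are all assumptions made for the example.

```python
"""Review of healthcare information system (HIS) audit records.

Added illustration for the audit findings in the paper. The record layout,
role policy, application list and sample records below are assumptions,
not data from the paper or from any real HIS.
"""
from collections import defaultdict
from datetime import datetime

# Assumed record layout: timestamp|application|user|role|function|patient id
FIELDS = ("timestamp", "application", "user", "role", "function", "patient")

# Assumed role-to-function policy of a hypothetical HCO.
ROLE_PERMITS = {
    "clerk": {"view_demographics", "update_demographics"},
    "clinician": {"view_record", "update_record", "view_medication"},
    "pharmacist": {"view_medication"},
}

# Applications that process health information and must therefore emit audit records.
EXPECTED_APPLICATIONS = {"PAS", "LabResults", "Pharmacy"}

# Constructed sample records for one day (not real data). One line is corrupt
# on purpose, standing in for an application whose audit output is inadequate.
SAMPLE_LOG = """\
2001-03-12T09:14:05|PAS|clerk1|clerk|view_demographics|NHI0001
2001-03-12T09:20:11|PAS|clerk1|clerk|view_record|NHI0001
2001-03-12T10:02:30|LabResults|drsmith|clinician|view_record|NHI0002
2001-03-12T10:05:00|LabResults|drsmith|clinician|update_record|NHI0002
2001-03-12T11:00:00|PAS|drsmith|clinician|view_record|NHI0008
2001-03-12T22:01:10|PAS|clerk2|clerk|view_demographics|NHI0003
2001-03-12T22:01:40|PAS|clerk2|clerk|view_demographics|NHI0004
2001-03-12T22:02:05|PAS|clerk2|clerk|view_demographics|NHI0005
2001-03-12T22:02:33|PAS|clerk2|clerk|view_demographics|NHI0006
2001-03-12T22:03:01|PAS|clerk2|clerk|view_demographics|NHI0007
this line is corrupt and has no delimiters
"""


def parse_record(line):
    """Return a dict for a well-formed record, or None if it cannot be parsed."""
    parts = line.rstrip("\n").split("|")
    if len(parts) != len(FIELDS):
        return None
    record = dict(zip(FIELDS, parts))
    try:
        record["timestamp"] = datetime.fromisoformat(record["timestamp"])
    except ValueError:
        return None
    return record


def role_violations(records, policy=ROLE_PERMITS):
    """Records where the function performed is outside the user's role."""
    return [r for r in records if r["function"] not in policy.get(r["role"], set())]


def silent_applications(records, expected=EXPECTED_APPLICATIONS):
    """Applications that should have produced audit records but did not."""
    seen = {r["application"] for r in records}
    return sorted(expected - seen)


def bulk_access(records, threshold=4):
    """Users who accessed more distinct patients than the threshold allows."""
    patients = defaultdict(set)
    for r in records:
        patients[r["user"]].add(r["patient"])
    return {user: len(p) for user, p in patients.items() if len(p) > threshold}


def review_audit_log(text, threshold=4):
    """Run all checks over a block of audit-log text and return the findings."""
    lines = [line for line in text.splitlines() if line.strip()]
    parsed = [parse_record(line) for line in lines]
    records = [r for r in parsed if r is not None]
    return {
        "unparsable": parsed.count(None),
        "role_violations": [(r["user"], r["function"], r["patient"])
                            for r in role_violations(records)],
        "silent_applications": silent_applications(records),
        "bulk_access": bulk_access(records, threshold),
    }


if __name__ == "__main__":
    for name, finding in review_audit_log(SAMPLE_LOG).items():
        print(f"{name}: {finding}")
```

Run against the constructed log, the script reports one role violation (a clerk viewing a clinical record), one user whose distinct-patient count exceeds the threshold, the Pharmacy application as silent, and one unparsable line. The policy, application list and threshold are the parts an HCO would take from its own security policy; the review itself needs only the fields the paper says the audit function should already record, and each finding is a concrete item for the follow-up the site visits found lacking.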