Posted: 11 July 2008
Released 9 July
Feedback due by 8 September 2008.
Health Sector Authentication and Security Framework standards
HISO PROJECT 10029
The draft Authentication and Security standards have now been released for public comment and we request you and/or your organisation to peruse the standards and provide comment.
AUTHENTICATION AND SECURITY FRAMEWORK SCOPE
An all-of-sector security and authentication standard is required to ensure that health information is produced, stored, disposed of and shared in a way that ensures the information’s confidentiality, integrity and availability.
There is no one answer to keeping information secure and no set of controls that can achieve complete security. This standard aims to put in place a broad range of measures to safeguard information based on the international methodology ISO 17799.
Health information can exist in many forms. This standard is wholly concerned with the way information is held, transferred and retrieved using electronic healthcare systems; however, many of the same practices are also applicable to paper records and oral communication.
We want to design a standard which is practical and understandable especially by the small healthcare businesses which make up the bulk of health sector organisations. This means pruning the available controls and options down to those which are absolutely essential and which every organisation from the sole practitioner to the large healthcare provider must follow. We have also identified a number of recommended controls for those who wish to follow best practice or for organisations of greater size or for those with a greater need to reduce their risk.
ISSUES OF SPECIAL NOTE
The standard has tried to find the right balance of policies, procedures and technical controls to ensure an across-the-board improvement in health sector security. It recognises that a sector-wide security standard is only as good as its weakest link, especially when health information is shared. It also recognises the threat posed by new technologies and the disasters waiting to happen, as seen in other countries where removable mass storage media holding personal information (e.g. DVDs and USB sticks) have gone missing or been misplaced.
The committee is especially interested in public feedback on the following topics.
1. The standard claims to be easily understood and applicable to small organisations with little background in security. Does it meet this requirement, or is further simplification necessary?
2. Where is the standard not explicit or prescriptive enough? Are there any significant omissions?
3. The standard is a set of policies and procedures leading to best security practice. Should it then be labelled as a code of practice or a guide rather than a standard? On the whole the committee’s view was that it would have more teeth if labelled as a standard.
4. There were differing views on password standards: how long passwords should be, and how often they should be changed. One member was of the view that once you had a strong password you should not give it up unless it was compromised, and that weak passwords should be weeded out using a password cracker. Other members took a more conventional approach of specifying a minimum password length of 6 (8 for administrators), and a maximum of 12 months before being forced to change password. Despite what some best practice guides state, all members rejected the view that passwords should be changed frequently (more than 2-4 times per annum), because this would lead to worsening security with users writing down their passwords and thus openly compromising them.
5. In some instances, for example connection to external networks and use of health applications, the committee has chosen to transfer the security risk by asking that these products and services be certified as meeting the security standards, thus removing the burden of proof from the health organisation.
6. Not all samples in the appendix have been completed, and neither have they been refined much by the committee. The committee welcomes comments on these samples and invites readers to provide other samples if they know of more appropriate ones.
These standards are made up of four components, as follows:
(a) Essential requirements and recommendations (normative);
(b) Templates and samples (informative);
(c) Essential requirements: a condensed version of (a) above (normative), to be released upon finalisation of (a);
(d) A security standards register, detailing technical requirements (normative), currently in development.
HEALTH INFORMATION STRATEGY ACTION COMMITTEE (HISAC)
HISO, a sub-committee of the Health Information Strategy Action Committee (HISAC), champions and facilitates the development of New Zealand Health Information Standards including, most recently, the New Zealand Pathology Observation Code Sets (Orders and Results) Information Business Process and the Health Practitioner Index (HPI) Code Set and Data Set. A copy of this and the other standards that HISO has helped develop can be found at www.hisac.govt.nz.
PUBLIC COMMENT
The following documents are now available for public comment.
1. 10029.1 Authentication and Security Framework - Essentials and recommendations
2. 10023.2 Authentication and Security Framework - Templates and samples
These documents are available from the HISAC website: http://www.hisac.govt.nz/moh.nsf/pagescm/7442
Comments on this project are due by 8 September 2008. Comments should be provided in electronic form using the comment form provided and sent to standards@hisac.govt.nz
I would be grateful if you could circulate this notice to anyone who you think may be interested in commenting on the draft.
Tony Cooke
Chair of HISO Expert Advisory Committee 10029