ISO/IEC 27001 is the international standard on managing information security. It sets out the requirements for establishing, implementing, maintaining and continually improving an information security management system (ISMS), helping organizations to make their information assets more secure.
An effective ISMS brings together information security controls and formalizes processes, not only around IT systems but for paperwork, connectivity, supply chain and many other associated elements including, critically, behaviours.
Few organizations – whatever their size or the sector in which they operate – can afford to be lax when it comes to information and cyber security. Those in the healthcare sector certainly cannot.
The effects of a security incident on any organization can range from inconvenience to business interruption, revenue/value loss, reputational damage, regulatory non-compliance and litigation. In the most extreme circumstances, it can lead to organizational failure.
In the healthcare sector, however, there are additional dimensions including people’s health and even their lives.
What can result from an information or cybersecurity incident?
As mentioned above, the results of a security incident can be very serious for any organization. But what about the healthcare sector, in particular?
Much is at stake.
Patient data is amongst the most sought-after information amongst criminals, unscrupulous competitors and even hostile nation states. If compromized, it can have a massive negative impact on both the organization and its patients.
Espionage is also up there, with perpetrators constantly seeking a way into, for example, the hugely precious R&D and product data of pharmaceutical and medical device companies.
Depending on the target, sabotage can also be a major motive for unwelcome activity. With many clinical, analytical and treatment systems being online, the desire to access them to change settings and functionality is particularly sinister.
The most infamous of all security incidents in recent years was WannaCry, the global ransomware attack launched in May 2017 which brought our NHS – amongst many other organizations – to a standstill for several days. In the UK, this affected at least 80 of the 236 trusts as well as 603 primary care and other organizations including nearly 600 GP practices. The disruption is understood to have cost the already cash-stricken NHS £92 million, plus untold further mopping up costs and replacing the obsolete tech that was actually one of the main vulnerabilities enabling the attack’s success.
However, the consequences went far beyond financial losses. Operations were delayed, patient health suffered further and in Düsseldorf, Germany, a woman tragically passed away because an ambulance had to be re-routed away from a hospital whose systems had been paralyzed.
In the first quarter of 2021, healthcare organizations accounted for 17% of all security breaches with 65 publicly disclosed security incidents being reported.
Financially, reputations can be ruined and revenues put on the line from any information security incident, not only from lost business but potentially, from regulatory fines (such as sector-specific and GDPR), and private law suits.
Why ISO/IEC 27001?
Put simply, this internationally recognized standard helps to protect your organization by improving the defences required to reduce the risk of security breaches such as those mentioned above.
The ensuring processes and culture introduce a number of key improvements including error reduction (by minimising the chance of accidental data leakage), damage limitation (financial and reputational), return to business as usual and compliance with laws, regulations and contractual obligations.
In business terms, certified organizations gain competitive advantage in the areas of tendering and business development /retention as they can:
-
Produce, make available and regularly update effective security policies
-
Reduce data maintenance volumes, including redundant data
-
Achieve and demonstrate secure exchange of data
-
Clearly communicate security requirements to employees, contractors, supply chain partners and other relevant stakeholders, holding regular compliance reviews against these requirements
-
Create and improve a security culture throughout the organization
-
Ensure business, legal, contractual and regulatory compliance
-
Ensure consistently high quality in the delivery of products and/or services
-
Maintain customer/patient confidence
ISO/IEC 27001 may well be a requirement that you are increasingly encountering in order to win new business, or even remain in your current business. However, as we have hopefully demonstrated above, there are many reasons for organizations in the healthcare sector to proactively seek certification and a conversation with an audit partner such as SGS United Kingdom Ltd is the first step.
Ray Woodford
UK Product Manager - ISO 27001, ISO 22301, & ISO 20000
ISO 27001, ISO 22301, C&CCC Standard 55, Adisa & ISO 9001 Lead Auditor
ISO 20000 Auditor
Inward Way,
Rossmore Business Park, CH65 3EN,
Ellesmere Port, Cheshire, United Kingdom