Case study: information security

IT Governance helps Healthcode pass its information security 'medical'

In a nutshell
Organisation: Healthcode
Problem: Supplying customers in the healthcare sector required internationally recognised certification demonstrating good information security practices.
Solution: Enlist the help of risk management and compliance specialists IT Governance to help the company through the process of certification.
Supplier: IT Governance.
Benefits: Achieved the information security standard ISO 27001, which provides documentary evidence that the company has world-class information security practices.

Protecting patient confidentiality is a priority for health services. Driven by increasingly strict requirements to protect the confidentiality of patient information while still enabling appropriate information sharing, a general cultural commitment to data protection is growing.

In this context, any supplier trying to work with a health service needs to have a clearly demonstrable and transparent commitment to best practice and have the most effective industry standards in place.

This is especially true for the UK’s largest electronic health billing specialists in private medical insurance, Healthcode, which enables individual hospitals and specialists to securely bill insurers for medical services.

Among other services, Healthcode helps practitioners handle electronic transactions involving sensitive and confidential information such as patient name, treatments received and when and where they were treated. The company also routinely processes other sensitive information within various applications such as its secure email service or its practice software for specialists and clinics, EPracticeManager.

Access to good information management and controls to ensure compliance with information security standards, such as BS7799 (the forerunner of ISO 27001), had always been a priority at Healthcode, but the organisation had not been through a formal audit process.

“Security is at the heart of what we do,” said Steve Carroll, the firm's managing director, “and we’ve always taken security seriously. But we had previously stopped short of being audited because of the overhead involved.”

That was starting to become an issue as ISO 27001 had increasingly become accepted as the 'gold standard' for larger organisations and governments around the world. “We’ve grown and want to demonstrate to one and all that we deliver world class security and the best way to do that was to get the formal ISO 27001 endorsement and let the world see we’ve got it,” said Carroll.

“For example, in our core billing business it's a way to underline our commitment to customer care; for the new services we plan to introduce in future, it is about giving Healthcode a competitive advantage to win further business. It’s a signal that a small private company like ours can truly compete on equal terms with larger operators.”

Implementing ISO 27001

To get the process of building an ISO 27001-compliant Information Security Management System (ISMS) under way, Healthcode turned to risk management and compliance specialists IT Governance.

The remit was to raise information security awareness among staff even further; to provide a framework enabling the business to review, and where necessary improve, its internal processes and the documentation relating to them; and, more generally, to help the business prepare for audit.

To meet these client goals, IT Governance's team of experts set out a step-by-step plan that made clear to the company what and who was involved at each stage, so that the client could make appropriate commitments in a timely manner. Healthcode gave the project the senior management backing required for success by appointing a dedicated project manager to oversee the process.

The manager assigned to lead the project had no previous experience of information security, so a combination of training and a fixed number of on-site consultancy days was seen as the best way to overcome the limited resources typically available in a small company.

This bespoke combination of services enabled the company to formulate policies and procedures appropriate to the firm's specific requirements and character. A further resource was vsRisk, IT Governance’s preferred ISO 27001 risk-assessment tool, which simplifies the process by which risks are identified and appropriate control measures prescribed.

The implementation team drew on input from across the business. To ensure its members were equipped with the necessary knowledge and skills, they attended a special accelerated information security management system (ISMS) internal auditor course covering all they needed to know. IT Governance then conducted a pre-certification audit — essentially a dress rehearsal — in March 2009 that gave the team an idea of what to expect during the actual audit.

The company says this was particularly useful as a way to focus effort on the best outcome. “I’ve been through ISO 9001, but this was much more thorough,” says Carroll. “The rehearsal basically put you on notice that you were going to be asked some fairly searching questions.”

The hard work paid off: the two-day second stage of the audit in April this year passed off remarkably smoothly, without any non-conformance being reported by the external auditors. Furthermore, Healthcode’s risk assessment was singled out as 'noteworthy' by the independent assessors.

Thus, thanks to an extremely positive joint effort between the two companies, Healthcode has won the right to call itself truly world-class when it comes to information and data security management. It believes that, overall, ISO 27001 is not so much a means of deriving competitive advantage as, increasingly, part of the cost of doing business: in more and more tenders, potential clients want to see what information security controls are in place.

Healthcode finds it invaluable that these can be easily referenced and appropriate supporting documentary evidence can be supplied.
“I think there will be selection procedures in future where it will be a filter. Definitely, the client won’t talk to anyone who doesn’t have the appropriate certification,” predicts Carroll.

The verdict's clear for Carroll about what all this process has meant for his company. “IT Governance has helped us create an information security management system that’s compliant with ISO 27001 and yet totally appropriate for us as a small business. In terms of value for money, expertise and a non-bureaucratic approach, IT Governance definitely came up with what we wanted.”
