How to become a HIPAA compliant digital health solution

ISO 27001 provides a best-practice framework for how an organisation should manage the security of their information and data. This includes all processes and policies relevant to the control and use of data. Certification to ISO 27001 affirms that your Information Security Management System (ISMS) follows all internationally acknowledged best practices to manage risks and preserve the Confidentiality, Integrity and Availability (CIA) of information.

A systematic and holistic approach to risk management

ISO (the International Organization for Standardization) and IEC (the International Electrotechnical Commission) form the recognised system for worldwide standardisation.

'ISO/IEC 27001:2013 certified for managing information security risks' is the central standard in the ISMS family (ISO/IEC 27000), and a standard to which organisations can be audited and certified.

ISO 27001 is technology-neutral, so does not mandate specific tools or solutions. Instead it acts as a checklist for a systematic and holistic approach to risk management, addressing the three key areas for information security: people, processes, and technology.

Managing information security risks

For certification, all areas of security management are audited to ensure the organisation's processes are in line with best practice. This includes:

Information security organisation, policies, and responsibilities – Covering the management framework to ensure information security within the organisation; how policies should be written in the ISMS; and guidance on ensuring all employees and contractors are aware of and fulfil their responsibilities regarding information security

Asset management - covering the processes for managing, protecting and securing data assets, as well as methods to ensure data integrity

Access control - so that authorised persons can get access to information whenever it is needed, whilst ensuring that information cannot be accessed by unauthorised persons

Encryption – methods and levels of encryption to ensure the data is unusable even if security is breached

Physical and environmental security - to prevent unauthorised access and loss, damage or theft of information

Operations and communications security - to ensure secure collection and storage of data, and the protection of information in networks and the supporting information processing facilities

Information systems security - to ensure security of information systems across their entire lifecycle

Supplier relationships - to ensure security is part of all supplier service agreements so that any data accessible to or affected by suppliers is protected

Incident management and business continuity management - ensuring appropriate measures are in place to respond to security issues and deal with business disruptions or major changes

Compliance - to ensure the organisation is in compliance with all applicable legal, statutory, regulatory, and contractual obligations related to information security

ISO 27701: Integrating privacy with security controls

ISO 27701 is the most recent addition to the ISO 27000 series, and covers requirements for implementation of a Privacy Implementation Management System (PIMS).

The standard sets out guidance on the appropriate technical and organisational measures to meet the requirements of the General Data Protection Regulation (GDPR) for protection of personal data.

In the context of digital healthcare, ISO 27701 has particular relevance regarding medical device quality management systems.

Extra Horizon: the foundation for your regulatory compliance

Extra Horizon is certified to ISO 27001 and ISO 27701, as well as many further relevant international standards. In this capacity, the Extra Horizon platform provides the ideal regulatory foundation for faster development and reliable deployment of digital health applications.

Extra Horizon cloud infrastructure uses medical software and services to capture, transmit and analyse data from connected medical devices and apps, all in compliance with security, privacy and regulatory requirements.

Furthermore, to help our customers with compliance and reporting, we share information, best practices, and provide easy access to documentation. This takes most of the burden of MDR/IVDR, GDPR and HIPAA compliance off your shoulders.

To discuss your project, or for further details about the Extra Horizon platform, contact us today.