Authors: Carlos Eduardo Ribas (1); Marcelo Nascimento Burattini (2); Eduardo Massad (2) and Jorge Futoshi Yamamoto (1)
Affiliations: (1) Academic Network at Sao Paulo, Brazil; (2) School of Medicine and University of Sao Paulo, Brazil
Keyword(s):
Information security, ISO standards, ISMS, Assessment, Success factors.
Subjects/Areas/Topics: Biomedical Engineering; Confidentiality and Data Security; Health Information Systems; Healthcare Management Systems
Abstract:
ISO 27001 is the international standard for an Information Security Management System (ISMS) that helps to address the triad of information security: Confidentiality, Integrity, and Availability (CIA). An ISMS is a systematic approach focused on managing information security within an organization. It encompasses all the information assets, such as people, processes and IT systems. This paper describes the implementation process of an ISMS in a Brazilian healthcare organization. We use an information system based on ISO standards as an indicator to assess information security. Using the Chi-square test with Yates' correction or Fisher's exact test to compare the proportion of adequacy to the requirements of the reference standard used, our case study showed positive results in the first ten months of implementation, with significant results on multiple items analysed. However, in an environment of limited budgets, better results were not achieved in the following months because of the financial difficulty of implementing specific controls in the organization. The aim of this paper is to present the experience obtained during the implementation of an ISMS in a healthcare organization and to discuss some critical success factors.