
Information security threats in ISO 27799

$349.00
How you learn: Self-paced • Lifetime updates
Your guarantee: 30-day money-back guarantee — no questions asked
When you get access: Course access is prepared after purchase and delivered via email
Who trusts this: Trusted by professionals in 160+ countries
Toolkit included: A practical, ready-to-use toolkit containing implementation templates, worksheets, checklists, and decision-support materials used to accelerate real-world application and reduce setup time.

This curriculum spans the breadth of a multi-workshop governance initiative, addressing the same scope and complexity as an internal healthcare organization’s program to align clinical operations, IT systems, and third-party relationships with ISO 27799’s security requirements.

Module 1: Establishing the Scope and Boundaries of Healthcare Information Security Governance

  • Define which clinical and administrative systems fall under the scope of ISO 27799, including EHRs, PACS, and laboratory information systems.
  • Determine whether third-party hosted applications (e.g., cloud-based telehealth platforms) are included in the governance framework.
  • Map data flows across departments to identify where personal health information (PHI) is created, stored, processed, or transmitted.
  • Decide whether research data containing de-identified patient information requires the same controls as identifiable health records.
  • Establish jurisdictional boundaries for compliance when operating across multiple regulatory regimes (e.g., HIPAA, GDPR, PIPEDA).
  • Document exceptions for legacy systems that cannot meet current encryption or access control standards.
  • Obtain formal sign-off from clinical leadership on the inclusion or exclusion of point-of-care devices (e.g., infusion pumps, monitors).
  • Integrate scope decisions with enterprise risk assessment processes to ensure alignment with organizational risk appetite.

Module 2: Leadership Commitment and Governance Structure Design

  • Assign accountability for information security outcomes to specific executive roles, such as Chief Medical Information Officer or Chief Privacy Officer.
  • Establish a clinical-inclusive security steering committee with representation from nursing, IT, compliance, and risk management.
  • Define escalation paths for security incidents that involve clinical operations disruption.
  • Allocate budget for security controls that require clinical workflow adjustments, such as two-factor authentication at nursing stations.
  • Implement governance mechanisms to resolve conflicts between clinical efficiency and security requirements (e.g., login timeouts in emergency departments).
  • Develop performance indicators for security governance that are reported to the board on a quarterly basis.
  • Define authority levels for overriding access controls during medical emergencies, including audit logging requirements.
  • Ensure that security policies are co-reviewed by legal counsel and clinical leadership before implementation.

Module 3: Risk Assessment Methodology Tailored to Healthcare Environments

  • Select risk assessment methodologies (e.g., OCTAVE, NIST SP 800-30) that account for patient safety implications of system outages or data corruption.
  • Classify health data assets based on sensitivity, criticality, and availability requirements, including life-supporting device data.
  • Assess risks associated with Bring Your Own Device (BYOD) policies in clinical settings, including personal smartphones used for care coordination.
  • Quantify the impact of ransomware on clinical operations using downtime scenarios and patient throughput models.
  • Conduct threat modeling for medical IoT devices that cannot be patched or that ship with default credentials.
  • Document residual risks that cannot be mitigated due to vendor limitations or clinical workflow constraints.
  • Integrate findings from internal audit and incident response into the risk register on a recurring basis.
  • Validate risk treatment plans with department heads to ensure operational feasibility.

Module 4: Access Control Policies for Clinical and Administrative Roles

  • Define role-based access control (RBAC) models that reflect dynamic care teams, including temporary staff and locum physicians.
  • Implement just-in-time access for specialists who require temporary access to patient records during consultations.
  • Configure automatic session termination on clinical workstations based on department-specific usage patterns (e.g., longer timeouts in radiology).
  • Enforce multi-factor authentication for remote access to EHR systems without disrupting telemedicine workflows.
  • Establish procedures for deactivating access upon staff termination, including locum and contractor roles.
  • Monitor and review access logs for anomalous behavior, such as after-hours record access by non-clinical staff.
  • Address the challenge of shared workstations in nursing units while maintaining individual accountability.
  • Design emergency override mechanisms that allow access during crises while triggering real-time alerts and audit trails.

Module 5: Asset Management in a Heterogeneous Healthcare IT Environment

  • Maintain an inventory of all devices that process or store PHI, including mobile carts, wearable monitors, and diagnostic equipment.
  • Classify medical devices based on security criticality and patchability, prioritizing those connected to hospital networks.
  • Implement asset tagging and tracking for portable devices used across multiple departments (e.g., ultrasound machines).
  • Establish ownership accountability for each system, assigning responsibility to clinical or administrative leads.
  • Integrate asset data with vulnerability management tools to prioritize patching efforts.
  • Manage end-of-life systems that no longer receive security updates but remain in clinical use due to procurement cycles.
  • Enforce encryption on all portable media, including USB drives used for transferring imaging studies.
  • Develop procedures for securely decommissioning devices that contain residual PHI in onboard storage.

Module 6: Secure System Acquisition, Development, and Maintenance

  • Include ISO 27799 compliance requirements in RFPs for new clinical information systems and medical devices.
  • Conduct security reviews of software updates from vendors before deployment in production environments.
  • Define change control procedures that require joint approval from IT security and clinical operations.
  • Implement secure coding standards for in-house applications that interface with EHRs or medical devices.
  • Verify that third-party APIs used for health data exchange comply with authentication and encryption standards.
  • Test disaster recovery procedures for clinical systems with actual clinical staff participation.
  • Ensure that software development lifecycles for health apps include privacy-by-design and security-by-default principles.
  • Address the risks of shadow IT by providing approved alternatives for clinical workflow automation tools.

Module 7: Incident Management and Response in Clinical Contexts

  • Develop incident response playbooks specific to healthcare threats, such as ransomware targeting imaging systems.
  • Define thresholds for declaring a security incident that also triggers clinical continuity protocols.
  • Integrate the incident response team with hospital command centers during major disruptions.
  • Preserve forensic evidence from medical devices while minimizing patient care impact.
  • Coordinate breach notification timelines with legal, PR, and clinical leadership to meet regulatory deadlines.
  • Conduct tabletop exercises involving clinical staff to test response effectiveness under stress.
  • Implement real-time monitoring for indicators of compromise on critical care systems (e.g., ventilators, dialysis machines).
  • Establish post-incident review processes that result in updated controls and policy changes.

Module 8: Business Continuity and Availability of Clinical Systems

  • Define recovery time objectives (RTOs) for critical systems based on clinical impact, such as pharmacy or lab systems.
  • Test failover procedures for EHR systems during off-peak hours to minimize patient care disruption.
  • Maintain paper-based fallback procedures for medication ordering and patient identification during outages.
  • Store backup data in geographically separate locations to protect against regional disasters.
  • Validate that backup restoration processes preserve data integrity for longitudinal patient records.
  • Coordinate with external partners (e.g., reference labs, radiology groups) on mutual continuity expectations.
  • Ensure that emergency generators and UPS systems support critical IT infrastructure during power failures.
  • Review and update business continuity plans annually with input from clinical department heads.

Module 9: Compliance Monitoring, Audit, and Continuous Improvement

  • Conduct internal audits of access control logs in high-risk departments such as oncology and psychiatry.
  • Align ISO 27799 controls with HIPAA Security Rule requirements for joint compliance reporting.
  • Use automated compliance tools to continuously monitor configuration settings on clinical workstations.
  • Respond to audit findings with remediation plans that include timelines and responsible parties.
  • Perform periodic reviews of third-party vendor compliance with contractual security obligations.
  • Track key security metrics such as patch latency, incident response times, and access review completion rates.
  • Integrate audit outcomes into staff performance evaluations for IT and clinical leadership roles.
  • Update policies and controls based on emerging threats, regulatory changes, and post-incident reviews.

Module 10: Third-Party and Supply Chain Risk Management

  • Assess security practices of medical device vendors during procurement, including patch management and incident response support.
  • Negotiate contractual terms that require vendors to report security vulnerabilities within defined timeframes.
  • Monitor third-party access to hospital networks, especially for remote maintenance of imaging equipment.
  • Validate that cloud service providers hosting health data comply with ISO 27799 and regional privacy laws.
  • Conduct on-site security assessments of business associates that process large volumes of PHI.
  • Implement network segmentation to isolate third-party systems from core clinical networks.
  • Require evidence of penetration testing and vulnerability management from software vendors.
  • Establish exit strategies for terminating relationships with non-compliant or high-risk vendors.