
Security Awareness Training in ISO 27799

$299.00
Who trusts this:
Trusted by professionals in 160+ countries
Toolkit Included:
Includes a practical, ready-to-use toolkit containing implementation templates, worksheets, checklists, and decision-support materials used to accelerate real-world application and reduce setup time.
When you get access:
Course access is prepared after purchase and delivered via email
How you learn:
Self-paced • Lifetime updates
Your guarantee:
30-day money-back guarantee — no questions asked

This curriculum spans the design and operationalization of a healthcare-specific security awareness program, comparable in scope to a multi-phase advisory engagement that integrates governance, risk management, and behavioral change across clinical and technical teams.

Module 1: Establishing Governance Frameworks Aligned with ISO 27799

  • Define scope boundaries for healthcare information systems covered under the organization’s ISO 27799 compliance program, including EHR, PACS, and telehealth platforms.
  • Select and document roles and responsibilities for data stewards, system custodians, and privacy officers in accordance with ISO 27799's guidance on information security roles and responsibilities (ISO 27799 follows the clause structure of ISO/IEC 27002, where this is control 6.1.1).
  • Map existing organizational policies to ISO 27799 control objectives, identifying gaps in coverage for health information protection.
  • Integrate ISO 27799 requirements into the enterprise information security governance charter, ensuring executive sponsorship and accountability.
  • Establish a formal process for periodic review and approval of security policies by the healthcare compliance committee.
  • Develop escalation paths for non-compliance incidents involving personal health information (the term ISO 27799 uses; HIPAA's narrower "protected health information", also abbreviated PHI, is a US regulatory category).
  • Implement a documented process for maintaining alignment between ISO 27799 controls and the national health privacy laws that apply to the organization (e.g., HIPAA in the United States, PIPEDA in Canada), since ISO 27799 is a guidance standard and does not replace those legal obligations.
  • Design audit trails for governance decisions related to access authorization and data handling in clinical systems.

Module 2: Risk Assessment and Treatment Specific to Health Data

  • Conduct threat modeling exercises focused on clinical workflows, such as emergency room data entry or remote diagnostics, to identify exposure points.
  • Classify health data assets by sensitivity level (e.g., genetic data, mental health records) to prioritize risk treatment efforts.
  • Perform vulnerability assessments on medical devices connected to hospital networks, accounting for constrained patching and update cycles and for the risk that active scanning itself destabilizes a device (prefer passive discovery or vendor-sanctioned test windows for such devices).
  • Apply the risk treatment options ISO 27799 inherits from ISO/IEC 27005 (avoid, modify, share, retain) to high-risk scenarios such as third-party cloud hosting of patient registries.
  • Document residual risks from legacy systems that cannot meet current encryption standards, together with the compensating controls (network isolation, monitoring, restricted access) that justify accepting them.
  • Establish thresholds for acceptable risk in time-critical care environments where security controls may delay access.
  • Coordinate risk assessment findings with clinical leadership to validate impact assumptions on patient safety and care delivery.
  • Integrate risk treatment plans into change management procedures for new health IT deployments.

Module 3: Designing Role-Based Access Control in Clinical Environments

  • Define role matrices for healthcare personnel (e.g., nurses, residents, billing staff) based on actual job functions and minimum necessary data access.
  • Implement context-aware access controls that adjust permissions based on location, time, and patient assignment (e.g., on-call physician access).
  • Enforce separation of duties between users who can view diagnoses and those who can modify billing codes.
  • Configure emergency override ("break-glass") access with automatic logging, a required justification, and post-event review, following ISO 27799's access control guidance for emergency access to health records.
  • Integrate RBAC with enterprise identity providers using standard identity protocols (SAML or OpenID Connect for authentication, SCIM for provisioning) so roles propagate across departments; where FHIR-based applications are in use, map those roles to SMART on FHIR OAuth 2.0 scopes. HL7 FHIR itself is a clinical data exchange standard, not an identity provisioning standard.
  • Establish procedures for temporary access grants during staff shortages or disaster response, with automatic expiration.
  • Review entitlements, not only access logs, quarterly to detect role creep or privilege accumulation among long-tenured and transferred staff; unused permissions are invisible in access logs but still exploitable.
  • Address conflicts between clinical efficiency demands and least privilege principles in fast-paced settings like ICUs.
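The access-control elements of this module (a minimum-necessary role matrix, patient assignment as access context, separation of duties between diagnosis viewers and billing editors, expiring temporary grants, and a break-glass override that is always logged for review) fit together in a single policy decision point. The Python below is an added illustration written for this page, not course material or ISO 27799 text; the roles, resources, users, grant expiry times, and the rule that break-glass is limited to read access on clinical data by clinical roles are all constructed assumptions.

```python
"""Clinical access-policy evaluator: minimum-necessary role matrix, patient
assignment as context, separation of duties, expiring temporary grants and an
audited break-glass override. Added illustration; all roles, resources, users
and timestamps are constructed examples, not ISO 27799 text."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Role -> permitted (resource, action) pairs. Hypothetical matrix; a real one is
# derived from job-function analysis of what each role actually needs.
ROLE_MATRIX = {
    "nurse":    {("vitals", "read"), ("vitals", "write"), ("diagnosis", "read")},
    "resident": {("vitals", "read"), ("diagnosis", "read"), ("diagnosis", "write")},
    "billing":  {("billing_code", "read"), ("billing_code", "write")},
}
CLINICAL_ROLES = {"nurse", "resident"}
CLINICAL_RESOURCES = {"vitals", "diagnosis"}
# Separation of duties: a diagnosis-viewing role is never combined with billing.
SOD_CONFLICTS = [(CLINICAL_ROLES, {"billing"})]

@dataclass(frozen=True)
class Request:
    user: str
    roles: frozenset              # statically assigned roles
    resource: str
    action: str
    patient_id: str
    assigned_patients: frozenset  # the user's current patient assignment list
    now: datetime
    on_call: bool = False
    break_glass_reason: str = ""  # non-empty means the override was invoked

@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str
    review_required: bool         # True for every break-glass use

def effective_roles(req, temp_grants):
    """Static roles plus temporary grants (role, expiry) not yet expired."""
    extra = {r for r, exp in temp_grants.get(req.user, ()) if req.now < exp}
    return frozenset(req.roles | extra)

def violates_sod(roles):
    return any(roles & a and roles & b for a, b in SOD_CONFLICTS)

def role_permits(roles, resource, action):
    return any((resource, action) in ROLE_MATRIX.get(r, ()) for r in roles)

def evaluate(req, temp_grants, audit_log):
    """Decide one request; append an audit record whatever the outcome."""
    roles = effective_roles(req, temp_grants)
    if violates_sod(roles):
        d = Decision(False, "separation-of-duties conflict", False)
    elif not role_permits(roles, req.resource, req.action):
        d = Decision(False, "action not in role matrix", False)
    elif req.patient_id in req.assigned_patients or req.on_call:
        d = Decision(True, "within assignment or on-call context", False)
    elif (req.break_glass_reason and roles & CLINICAL_ROLES
          and req.resource in CLINICAL_RESOURCES and req.action == "read"):
        # Emergency override: clinical roles may read clinical data for an
        # unassigned patient only with a stated reason; never writes, never
        # non-clinical roles, and every use is queued for post-event review.
        d = Decision(True, "break-glass override", True)
    else:
        d = Decision(False, "patient outside assignment context", False)
    audit_log.append({"ts": req.now.isoformat(), "user": req.user,
                      "roles": sorted(roles), "resource": req.resource,
                      "action": req.action, "patient": req.patient_id,
                      "allowed": d.allowed, "reason": d.reason,
                      "break_glass_reason": req.break_glass_reason,
                      "review_required": d.review_required})
    return d

def pending_reviews(audit_log):
    """Break-glass events still awaiting post-event review."""
    return [e for e in audit_log if e["review_required"]]

def demo():
    """Constructed scenarios; returns {name: (allowed, reason, review_required)}."""
    now = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)
    grants = {"r.lee": [("resident", now + timedelta(hours=8))],  # cover shift
              "m.ali": [("resident", now - timedelta(hours=1))]}  # already expired
    def R(user, roles, res, act, pat, mine, **kw):
        return Request(user, frozenset(roles), res, act, pat, frozenset(mine), now, **kw)
    cases = {
        "nurse_assigned":      R("a.ng", {"nurse"}, "vitals", "read", "P1", {"P1"}),
        "nurse_unassigned":    R("a.ng", {"nurse"}, "diagnosis", "read", "P2", {"P1"}),
        "nurse_break_glass":   R("a.ng", {"nurse"}, "diagnosis", "read", "P2", {"P1"},
                                 break_glass_reason="ED arrival, patient unresponsive"),
        "billing_break_glass": R("j.ko", {"billing"}, "diagnosis", "read", "P2", set(),
                                 break_glass_reason="curious"),
        "sod_conflict":        R("x.yu", {"nurse", "billing"}, "vitals", "read", "P1", {"P1"}),
        "temp_grant_valid":    R("r.lee", set(), "diagnosis", "write", "P1", {"P1"}),
        "temp_grant_expired":  R("m.ali", set(), "diagnosis", "write", "P1", {"P1"}),
    }
    log, out = [], {}
    for name, req in cases.items():
        d = evaluate(req, grants, log)
        out[name] = (d.allowed, d.reason, d.review_required)
    out["pending_reviews"] = len(pending_reviews(log))
    return out

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:22} {result}")
```

Running the file prints one decision per scenario. Two design points matter in practice: the break-glass branch is the only path that sets review_required, so the post-event review queue is built directly from the audit log rather than from a separate notification; and a temporary grant needs no revocation step, because its expiry is checked at every decision, which is what makes "automatic expiration" during staff shortages or disaster response trustworthy.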

Module 4: Secure Handling of Health Information Across Care Settings

  • Define data handling procedures for removable media used in transporting imaging studies between facilities.
  • Enforce device encryption, remote wipe, and limits on offline caching for mobile devices used by home health nurses who access patient records offline.
  • Establish secure print release mechanisms for sensitive documents in shared clinical workstations.
  • Design workflows for secure disposal of paper records containing PHI in decentralized clinics.
  • Enforce screen privacy settings on devices located in patient-facing areas to prevent unauthorized viewing.
  • Specify protocols for verbal communication of health data in shared spaces to minimize eavesdropping risks.
  • Implement audit controls on USB port usage in radiology and lab departments where data export is common.
  • Develop procedures for secure handover of patient data during inter-facility transfers using encrypted channels.

Module 5: Third-Party and Vendor Risk Management

  • Conduct security assessments of SaaS providers hosting electronic health record modules before contract finalization.
  • Negotiate business associate agreements (BAAs, or the equivalent data processing agreement outside the US) that explicitly reference ISO 27799 control adherence.
  • Validate encryption practices of cloud backup vendors storing archived patient data.
  • Monitor third-party access to production environments through privileged access management tools.
  • Require vendors providing remote maintenance for medical devices to comply with organization-specific access protocols.
  • Perform annual reassessments of vendor security posture, including penetration test results and incident response history.
  • Establish data residency requirements for health information processed by offshore support teams.
  • Define exit strategies for terminating vendor relationships, including data extraction and destruction verification.

Module 6: Incident Response and Breach Notification in Healthcare

  • Classify security incidents by impact level (e.g., single record vs. systemic breach) using ISO 27799 guidance for escalation.
  • Activate incident response teams with defined roles for IT, legal, communications, and clinical operations.
  • Preserve logs and forensic images from clinical systems involved in a suspected breach, recording integrity hashes and chain of custody, while minimizing disruption to patient care.
  • Conduct root cause analysis for insider threats involving authorized users exfiltrating patient data.
  • Coordinate with legal counsel to determine mandatory reporting timelines under applicable health privacy laws.
  • Document breach details in accordance with regulatory requirements, including number of records affected and data types exposed.
  • Implement containment measures such as network segmentation without disrupting critical care delivery systems.
  • Conduct post-incident reviews to update training content and controls based on lessons learned.

Module 7: Security Awareness Content Development for Healthcare Roles

  • Develop role-specific training modules for clinical, administrative, and IT staff based on actual data interaction patterns.
  • Create simulations of phishing attacks using healthcare-themed lures (e.g., fake lab results, vaccine updates).
  • Produce short video demonstrations showing secure vs. insecure handling of patient records on mobile devices.
  • Incorporate real breach case studies from healthcare organizations into training scenarios.
  • Design interactive content for staff with limited technical background using clinical workflow contexts.
  • Translate training materials into languages spoken by frontline healthcare workers in multilingual facilities.
  • Update content at least annually, and sooner when a new threat emerges, such as ransomware targeting hospital systems.
  • Integrate compliance tracking with HR systems to enforce completion deadlines for mandatory training.

Module 8: Measuring Effectiveness of Security Awareness Programs

  • Track click-through and report rates on simulated phishing emails by department to identify high-risk units; the report rate is the better indicator of a healthy security culture, since a department that reports quickly limits damage even when someone clicks.
  • Conduct unannounced audits of workstation locking behavior in nursing stations and outpatient clinics.
  • Measure reduction in repeat policy violations after targeted refresher training.
  • Compare incident reporting rates before and after launching anonymous reporting channels.
  • Administer knowledge assessments with scenario-based questions tied to actual hospital workflows.
  • Analyze help desk tickets related to password resets and malware reporting for behavioral trends.
  • Use control effectiveness metrics to justify increased training frequency for high-turnover roles.
  • Correlate training completion data with department-level security incident frequency over time.

Module 9: Continuous Improvement and Audit Readiness

  • Schedule internal audits of ISO 27799 controls with clinical and IT leadership participation.
  • Maintain evidence files for access reviews, training completion, and risk treatment plans for external auditors.
  • Update security policies in response to audit findings, regulatory changes, or technological shifts.
  • Conduct management review meetings quarterly to evaluate performance of the security awareness program.
  • Revise control objectives when new healthcare delivery models (e.g., virtual care) introduce novel risks.
  • Align internal audit checklists with ISO 27799 control statements for consistency and traceability.
  • Implement corrective action tracking for deficiencies identified during accreditation assessments.
  • Document continuous improvement initiatives, such as automated policy acknowledgment systems, in governance reports.