The use of information systems in Health Care Establishments is essential in providing proper treatment and care for patients, and in managing the people and the organisation. However, as improper functioning of those systems can influence the well being of the patient, people and the organisation, it is important to have the best systems one can acquire. The decision what system to acquire is taken, given the budget and the required level of quality and security to be built into the system.
Apart from the pure functionality of these systems, there is the security of those systems at issue. Security aspects range from confidentiality of information, correctness of information and the availability of information at the right time for the right person.
These Guidelines provide a means of helping the supplier of information systems, be they an in-house developer or an outside contractor, to cover all these security aspects which the organisation needs within the purpose of the information system to be built.
However, top management must be aware that there can be no secure information systems without the proper attitude of all people involved. To have this attitude throughout the organisation, it is strongly suggested to have a High Level Security Policy adopted within the organisation [SEIS_4]. Only with proper awareness, and people, well educated on security, it is possible to have secure information systems.
We take it that a certain minimum level of security must be present in order to term the information system ‘basically secure’, it is called the Baseline security. Applying the indicated, basic, measures mentioned in these Guidelines, will produce software that is secure in a basic sense. It must be stressed however, that research indicates that Baseline security is not sufficient for systems involving patient data. These measures imply a strict, regulated and well-documented control over the whole process of procuring secure software. Installing the new software in the secure environment using the Guidelines on Secure Implementation [SEIS_I] will result in a secure system with new or changed functionality.