The European Union's “Information Society Initiative in Standardisation” [ISIS] programme addressed the standardisation issues associated with the developing Information Society in various sectors. There were two projects dealing with various aspects of information security in Healthcare. They were
• MEDSEC Healthcare Security and Privacy in the Information Society
• SEMRIC Secure Medical Record Information Communication
The outlines of both projects are available on the ISIS web site at the URL http://europa.eu.int/ISPO/isis/isishome.htm. As can be seen, SEMRIC was concerned with the standards being developed for Healthcare communications, while the MEDSEC project was concerned mainly, but not exclusively, with the more general issues of existing standards in Healthcare security and their validation. The MEDSEC project explored the security standards available for Medical Information Systems and was funded for the two years 1997-98. The EU Project Officers were, successively, Simon Smith and Erkki Laakso. In addition, Dr Petra Wilson, project officer for the Health Telematics ISHTAR project, kept in close contact as the MEDSEC project developed.
Many of the participants in the project had been involved in the earlier AIM project SEISMED [Secure Environment for Information Systems in MEDicine], which published Healthcare Security Guidelines in the IOS “Studies in Health Technology and Informatics” series (volumes 27 and 31 - 33), and in the Health Telematics project ISHTAR [Implementing Secure Health Telematics Applications in Europe], published in volume 66 of the same series and outlined on the web at http://www.ishtar.org.uk. The object in participating in the MEDSEC project was to move on from the general investigation and development of security activities to the elucidation of the support which these activities could get from the standards community. The detailed list of the actual participants is given at the back of the book, but the participant organisations were:
• Expertnet, the project co-ordinator from Greece,
• the Universities of the Aegean and of Thessaloniki from Greece
• the University of Magdeburg from Germany
• the University Hospital of Leiden [now the Leiden University Medical Centre] from The Netherlands
• HISCOM from The Netherlands
• Research in Advanced Medical Informatics and Telematics vzw [RAMIT] from Belgium
• IGNIS Technologies Ltd from Ireland
• CENBIOTECH, Dijon from France [taking over the contract of the NHS Executive in England and sub-contracting Health Data Protection Ltd to carry out the work]
The work of the project focused on important aspects related to standards for security and privacy in the Information Society and was deployed along five main axes:
• Taxonomy of relevant standards
• Identification of gaps in standards
• Proposal of requirements and specifications for emerging standards
• Application, demonstration and validation of selected standards
• Awareness and promotion of the existence and usefulness of standards for privacy and security in Healthcare.
Most user organisations are unaware of on-going or existing standardisation work, a fact that justifies the need for both the first and the last of these directions. On the other hand, existing standards specific to Healthcare security and privacy are still quite young (hence untried) and require validation through actual trials in user organisations. Moreover, even though some technical standards exist, there is a definite need for developing standards for the management of security (i.e. standard security policies) within user organisations. It is believed that the results of the project will be very useful to user organisations, Healthcare Information System (HIS) developers and standardisation bodies such as CEN TC 251 WG III and ISO TC 215 WG 4, as well as to “de facto” standardisation bodies such as HL7.
The work started with an examination of the available standards in Healthcare Security, from which a Handbook of Standards for Security and Privacy in Healthcare was developed. It is intended to make this document available on either the IOS or the ASSIS web site. ASSIS, Association pour la Sécurité des Systèmes d'Information de Santé, is the association that has been founded to provide continuing support for this work following the end of the SEISMED, ISHTAR and MEDSEC projects. It is hoped that the ASSIS web site, which will take over from the ISHTAR web site noted above, will continue to provide a valuable resource for Healthcare Security matters and activities.
The project itself continued with a review of the SEISMED High Level Security Policy, an extensive piece of work on Secure Medical Databases with a draft standard, and some validation of the CEN TC 251 WG III pre-standard ENV 12924. A considerable amount of work was done on communications security, which was absorbed into international thinking and into the HL7 standards in particular. Finally, a training package was developed on the basis of the standards listed in the Handbook. Many other issues were addressed by the project and can be found in the project deliverables, but the key matters have been included in the following chapters. Throughout, the emphasis has been on the draft standards that were developed rather than on the processes of developing them. It is hoped that the text will be of value to all those involved in developing security standards in Health Informatics, whether in the formal standards bodies or in the other networks of informal standards development.