Efficiency and security of the Norwegian National Health Network Janicke Weum Halvor Bjørnsrud Office of the Auditor General of Norway Beijing, April 2010

Post on 19-Dec-2015


Efficiency and security of the Norwegian National Health Network

Janicke Weum, Halvor Bjørnsrud

Office of the Auditor General of Norway

Beijing, April 2010


Content

• Background information

• Methodological approach

• Adopted process of investigation

• Preliminary findings

• Lessons learned


Background

• The Norwegian National Health Network
  - technical infrastructure for electronic interchange of individual health data
  - a main ICT-policy instrument in achieving superior political objectives on health-IT

[Map labels: Helse Nord, Helse Midt-Norge, Helse Sør-Øst, Helse Vest, Svalbard]


Figure: The National Health Network


Background

• The Network is operated by the publicly owned enterprise Norwegian Health Net (NHN)

• NHN, established in 2004, shall provide for an adequate technical infrastructure which allows for efficient and secure electronic communication among main health partners


Background

• Main health partners are e.g.: hospitals, general practitioners (GPs), medical specialists, municipalities, laboratories, pharmacies and the National Social Security Agency

• National goal: by 2012, all main health partners are to be connected to the National Health Network

• Connected users by the end of 2009: app. 2050

Users            Connected   % of total national population
Hospitals        212         100
GPs              1130        69,5
Municipalities   204         47,5
Others           app. 500    -


Why investigate?

• Health data
  - defined as sensitive information
  - national infrastructure must be in accordance with legislation and expectations concerning information security
  - requires a sufficient Information Security Management System (ISMS) for operating the Network
  - responsibility of NHN

• Risk incidents demonstrate defects in the ISMS, e.g. September 2008.
  - Indicates that privacy and protection measures may not be consistently and effectively built into the ISMS

• Objective of investigation
  - investigate the efficiency and security of the ISMS for operating the National Health Network


How to investigate?

• Methods
  - specific risk-analysis and document analysis
  - interviews
  - on-site inspections

• Measurement tools
  - national legislation and regulation
  - international standards and frameworks such as ISO/IEC 27001, ISO/IEC 27002, COBIT and ITIL


Adopted process

1. Included ICT-audit expertise in the project team

2. Obtained basic documentation on the ISMS

3. Performed analysis on risks to the ISMS in relation to the National Health Network

4. Obtained additional documentation from the NHN


Adopted process

5. Defined 8 topics of focus
  - assessment of risk- and security
  - training of clients on information security
  - monitoring of activity in the Network
  - handling of derogations and security incidents in the Network
  - handling of planned changes in the different services accessible to clients
  - encryption of individual health data
  - handling of breakdowns in the Network
  - administration of access control

6. Performed interviews and on-site inspections


Preliminary findings

• NHN executive handling is potentially less efficient due to the lack of adequate routines for handling of derogations and security incidents

• The National Health Network is exposed to external threats:
  - NHN has not provided for sufficient monitoring and security barriers
  - NHN risk-assessments are not sufficiently adapted to the responsibility of the enterprise, and threats to the Network


Lessons learned

• Scope
  - Investigations concerning information security may also be integrated as part of more comprehensive performance audits

• Include ICT-audit experts


Contact information

• Halvor Bjornsrud, E-mail: [email protected], +47 22 24 14 15

• Janicke Weum, E-mail: [email protected], +47 22 24 12 04