efficiency and security of the norwegian national health network janicke weum halvor bjørnsrud...
Post on 19-Dec-2015
212 views
TRANSCRIPT
Efficiency and security of the Norwegian National Health Network
Janicke WeumHalvor Bjørnsrud
Office of the Auditor General of Norway
Beijing, April 2010
2
Content
• Background information
• Methodological approach
• Adopted process of investigation
• Preliminary findings
• Lessons learned
3
Background
• The Norwegian National Health Network
technical infrastructure for electronic interchange of individual health data
a main ICT-policy instrument in achieving superior political objectives on health-IT
Helse Nord
Helse Midt-Norge
Helse Sør-Øst
Helse Vest
Svalbard
4
Figure: The National Health Network
5
Background• The Network is operated by the public owned
enterprise Norwegian Health Net (NHN)
• NHN established in 2004 shall provide for an adequate technical infrastructure which
allows for efficient and secure electronically communication among main health partners
6
Background• Main health partners are e.g.: hospitals, general practitioners (GP's), medical
specialists, municipalities, laboratories, pharmacies and the National Social Security Agency
• National goal: by 2012, all main health partners are to be connected to the National Health Network
• Connected users by the end of 2009: app. 2050
Users Connected % of total national population
Hospitals 212 100
GP’s 1130 69,5
Municipalities 204 47,5
Others app. 500 -
7
Why investigate?• Health data
defined as sensitive information national infrastructure must be in accordance with legislation and
expectations concerning information security requires a sufficient Information Security Management System (ISMS)
for operating the Network responsibility of NHN
• Risk incidents demonstrate defects in the ISMS, e.g. September 2008. Indicates that privacy and protection measures may not be
consistently and effectively built into the ISMS
• Objective of investigation investigate the efficiency and security of the ISMS for operating the
National Health Network
8
How to investigate?• Methods
specific risk-analysis and document analysis interviews on-site inspections
• Measurement tools national legislation and regulation international standards and frameworks such as
ISO / IEC 27001, ISO / IEC 27002, COBIT and ITIL
9
Adopted process
1. Included ICT-audit expertise in the project team
2. Obtained basic documentation on the ISMS
3. Performed analysis on risks to the ISMS in relation to the National Health Network
4. Obtained additional documentation from the NHN
10
5. Defined 8 topics of focus assessment of risk- and security training of clients on information security monitoring of activity in the Network handling of derogations and security incidents in the Network handling of planned changes in the different services accessible
to clients encryption of individual health data handling of breakdowns in the Network administration of access control
6. Performed interviews and on-site inspections
Adopted process
11
Preliminary findings
• NHN executive handling is potentially less efficient due to the lack of adequate routines for handling of derogations and security incidents
• The National Heath Network is exposed to external threats: NHN haven’t provided for sufficient monitoring and security
barriers NHN risk-assessments are not sufficiently adapted to the
responsibility of the enterprise, and threats to the Network
12
Lessons learned
• Scope Investigations concerning information security may also be
integrated as part of more comprehensive performance audits
• Include ICT-audit experts
13
Contact information
• Halvor BjornsrudE-mail: [email protected]: +47 22 24 14 15
• Janicke WeumE-mail: [email protected]: +47 22 2412 04