Development of information security baselines for healthcare information systems in New Zealand

In 1996 New Zealand had introduced security standard AS/NZCS 4444 based on the British Standard BS 7799, which has recently been accepted as an international standard ISO 17799. This standard is very often referred to as the 'baseline lane approach' to the issue of managing information security. On the other hand the health information systems (HIS) are undergoing rapid development both in the number of installed systems as in the law and regulations governing HIS developments and deployment. The project was aimed at reviewing the AS/NZCS 4444 standard from the HIS requirements point of view. In this paper, we began with an overview of healthcare information systems (HIS) infrastructure in New Zealand and associated security issues around privacy and confidentiality, followed by a general review of the security baseline approach. We analyzed each clause of the AS/NZS 4444 with the information collected about technical and none technical approaches to protecting HIS, consisting of a series of multi case studies of healthcare organizations that collect, process, store and transmit electronic medical records. Finally, we proposed a new set of information security baselines based on the research to build an information security model for healthcare organizations.