ISO 27002與ISO 27799之比較分析──以醫療機構為例

Comparative Analysis of ISO 27002 and ISO 27799 Medical Institutions ― A Case Study

隨著時代進步及電腦資訊科技的發達，在日常生活中醫療產業的運用許多不同的資訊系統，醫療院所進行相互間的資料交換已經是時代的趨勢，醫療衛生機構不斷的使用電腦與網路來增加工作的績效，以減少紙上作業與人力成本的浪費，但相對也為醫療院所增加了很多資訊安全的問題，因此資訊安全管理變成相關單位所重視的課題，且資訊系統的成敗往往影響一個組織的生存與競爭能力，如何建立一個優良、適用的醫院資訊系統（Hospital Information System, HIS）以提升醫院的服務效率與醫療品質，是各級醫療機構所必須面對的課題。健保局因應電子化政府的推動，建置健保IC卡及電子病歷交換等技術，並輔以培訓醫院資訊安全種子人員，提供ISO 27001:2005資訊安全管理國際標準驗證服務，截至2013年2月8日全國已有93家通過驗證。建立資訊安全管理系統（簡稱：ISMS）的一套標準規範，其中詳細說明瞭建立、實施和維護資訊安全管理系統的要求，該27K系列擴大了在資訊安全的範圍，不僅僅包含隱私，保密以及資訊科技層面，更包含了包括法律，人員管理，物資管理等諸多方面，從而可以使其可以適合各種大小的組織。其最終目的，在於建立適合醫療院所需要的資訊安全管理系統。因此，本文以ISO27001及ISO 27002為基礎，彙整控制要項並與為醫療照顧產業制定特殊屬性的ISO 27799:2008相互比較，建立資訊安全管理措施要項應用於醫療資訊。

With the advancement and development of computer information technology era , in the use of daily life of Chinese medicine treatment industry in many different information systems , medical institutes to conduct data exchange between them is already a trend of the times , medical and health institutions continuously use the computer and network success to increase the performance of the work , in order to reduce paperwork and human costs of waste , but also relatively to medical institutions increased by a lot of information security issues, so information security management becomes relevant units are an important issue , and information systems are often affected survival and competitiveness of an organization , how to build a good , appropriate hospital information system (Hospital Information System, HIS) to improve service efficiency and quality of care hospitals , medical institutions at all levels must face. NHI response to e-government push to build NHI IC cards and electronic medical records exchange technology , supplemented by information security training hospital personnel seeds provide ISO 27001:2005 international standards for information security management certification services by 2013 February 8 date the country has 93 verified. Establishing information security management system ( referred to as : ISMS) is a set of standards, which details the establishment , implementation and maintenance of information security management system requirements, the 27K series expands the scope of information security , not only contains the privacy , confidentiality and information technology level, but also includes many aspects , including legal , personnel management, materials management , etc., so that it can be suitable for the organization of various sizes . Its ultimate aim is to establish the need for enterprise information security management system. Therefore, this integration of ISO 27001 & 27002,27799 international standards such as ISO , ISMS management security measures be discussed , is expected to provide a multiplier effect for the medical information.