
Comparative Analysis of ISO 27002 and ISO 27799: A Case Study of Medical Institutions

Comparative Analysis of ISO 27002 and ISO 27799 Medical Institutions-A Case Study

Abstract


With the progress of the times and the development of computer and information technology, the health care industry uses many different information systems in daily practice, and data exchange between medical institutions has become the trend of the age. Health care organizations keep adopting computers and networks to raise work performance and to reduce paperwork and wasted labor cost, but this also creates many information security problems for them, so information security management has become a topic that the responsible units take seriously. The success or failure of information systems often affects an organization's survival and competitiveness, and how to build a sound, suitable Hospital Information System (HIS) that improves service efficiency and quality of care is an issue that medical institutions at every level must face. In response to the e-government initiative, the Bureau of National Health Insurance built technologies such as the NHI IC card and electronic medical record exchange, supplemented by the training of hospital information security seed personnel, and provided ISO 27001:2005 information security management certification services; as of 8 February 2013, 93 institutions nationwide had passed certification. ISO 27001 is a standard for establishing an information security management system (ISMS) that specifies in detail the requirements for establishing, implementing and maintaining an ISMS. The ISO 27000 series broadens the scope of information security beyond privacy, confidentiality and information technology to cover legal, personnel management, asset management and many other aspects, so that it can suit organizations of any size. The ultimate goal is to establish an ISMS that fits the needs of medical institutions. Therefore, taking ISO 27001 and ISO 27002 as its basis, this paper compiles their control items and compares them with ISO 27799:2008, which was developed for the specific attributes of the health care industry, in order to establish information security management measures applicable to medical information; the integration of these standards is expected to have a multiplier effect for medical information security.


Cited by


李維祚 (2017). Exploring the key success factors and complementary assets of organizational ISMS adoption from the perspective of adaptive structuration theory [Master's thesis, Tamkang University]. Airiti Library. https://doi.org/10.6846/TKU.2017.00561
