由於資訊科技與網路的普及,造成許多個人隱私資料的外洩情形日益嚴重,對於包含特種個資的醫療業而言,個資外洩之影響更為甚大,若醫療機構未適時的採取保護機制,造成特種個資造成外洩問題,將會面臨民事訴訟最高賠償金2億元之外,更可能產生醫療機構信譽受損的嚴重代價。因此,醫療機構的隱私保護以及資訊安全的措施也越顯重要。 ISO 27001為國際上廣泛使用的資訊安全管理系統標準,而ISO 27799為ISO 27001延伸針對醫療機構制訂的醫療資訊安全管理標準,而在台灣,目前較少醫院採用此標準進行資訊安全管理,且為因應新個資法之施行,醫療機構於資訊安全管理時,也需將個資保護概念融入,減少於醫療資訊系統外洩個資之風險。 本研究透過紮根理論建構出機制雛形,包括4個控制領域、21個控制目標以及70個控制項目,經由12位來自產業界與學術界的相關專家之修正後,以個案實證方式至個案醫院與相關人員進行訪談,了解兩個案醫院目前因應個資法現況與困難,並進行角色責任劃分之認知分析,經由個案實證本研究機制架構在實務上之適用性。本研究所建構之保護機制,期望可用以協助地區中小型綜合醫療機構在因應個資法施行下法令遵循並建立完善醫療資訊安全保護框架。
Since the development of information technology and network increase many personal privacy data divulging and cause legal problems. For special personal medical information industry, the effect of a more even owned Great leak. If the medical institution fails to take timely protection mechanisms, resulting in leakage of privacy issues, will face civil damages up to 200 million NT dollars, more likely to produce serious medical institutions damaged the credibility of the consideration. Therefore, the medical institutions of privacy and information security measures also become more important. ISO 27001 is widely used in international information security management system standards. ISO 27799 is the extension of ISO 27001 for the medical institutions to develop medical information security management standards, while in Taiwan; there is less hospital use this standard for information security management. With response to the implementation of the new Personal Information Protection Act, medical institutions in information security management, they need to incorporate the concept of personal data protection, reducing leakage the privacy of medical information system risks. This research used the groung theory to construct the prototype of the mechanisms, including the four control areas, 21 control objectives and 70 controls, via 12 experts to check and modify it. Then used case study to interview with relevant person to understand two case hospitals how to take responses to the Personal Data Protection Act and what is the current situation and difficulties. After that, this research analyzed the role of division and responsibilities. Through case study can realized for this research institutional architecture of the applicability in practice. The protection mechanism constructed in this research, can be used to assist local SMEs expect comprehensive medical institutions in response to a funded under this Act to establish a sound legal compliance and medical information security protection framework.