The importance of ISO/IEC 27001 certification in the healthcare sector


ISO/IEC 27001 is the international standard for information security management. It sets out the requirements for establishing, implementing, maintaining and continually improving an information security management system (ISMS), helping organisations to protect their information assets. An effective ISMS brings together information security controls and formalises processes, covering not only IT systems but also paperwork, connectivity, the supply chain and many other associated elements, including, critically, people's behaviour.

Few organisations – whatever their size or the sector in which they operate – can afford to be lax when it comes to information and cyber security. Those in the healthcare sector certainly cannot.

The effects of a security incident on any organisation can range from inconvenience to business interruption, revenue/value loss, reputational damage, regulatory non-compliance and litigation. In the most extreme circumstances, it can lead to organisational failure.

In the healthcare sector, however, there is an additional dimension: people's health and even their lives are at stake.

What can result from an information or cybersecurity incident?

As mentioned above, the results of a security incident can be very serious for any organisation. But what about the healthcare sector, in particular?

Much is at stake.

Patient data is among the most sought-after information for criminals, unscrupulous competitors and even hostile nation states. If compromised, it can have a massive negative impact on both the organisation and its patients.

Espionage is another major motive, with perpetrators constantly seeking a way into, for example, the hugely valuable R&D and product data of pharmaceutical and medical device companies.

Depending on the target, sabotage can also be a major motive. With many clinical, analytical and treatment systems now network-connected, the prospect of an attacker gaining access to alter their settings or behaviour is particularly sinister.

The most infamous security incident of recent years was WannaCry, the global ransomware attack of May 2017, which brought the NHS – along with many other organisations – to a standstill for several days. In the UK it affected at least 80 of the 236 NHS trusts as well as 603 primary care and other organisations, including nearly 600 GP practices. The disruption is estimated to have cost the already cash-strapped NHS £92 million, plus untold further clean-up costs and the replacement of unsupported Windows systems. WannaCry spread through an SMBv1 vulnerability for which Microsoft had released a patch two months earlier, so unpatched and obsolete systems were one of the main reasons the attack succeeded.

However, the consequences went far beyond financial losses. Thousands of appointments and operations were cancelled or delayed, and patient care suffered as a result. In a separate ransomware attack on Düsseldorf University Hospital, Germany, in September 2020, a patient died after the ambulance carrying her had to be diverted to a more distant hospital because the hospital's systems had been paralysed.

In the first quarter of 2021, healthcare organisations accounted for 17% of all publicly disclosed security breaches, with 65 incidents reported.

Financially, any information security incident can ruin reputations and put revenues at risk, not only through lost business but potentially also through regulatory fines (sector-specific as well as under the GDPR) and private lawsuits.

Why ISO/IEC 27001?

Put simply, this internationally recognised standard helps to protect your organisation by improving the defences needed to reduce the risk of security breaches such as those described above. Certification itself is an independent audit confirming that the ISMS is in place and operating as intended; it does not guarantee that no incident will ever occur, but it does require that information security risks are identified, treated and reviewed on an ongoing basis rather than left to chance.

The ensuing processes and culture bring a number of key improvements, including error reduction (minimising the chance of accidental data leakage), damage limitation (financial and reputational), a faster return to business as usual, and compliance with laws, regulations and contractual obligations.

In business terms, certified organisations gain competitive advantage in tendering and in business development and retention, as they can:

• Produce, make available and regularly update effective security policies
• Reduce the volume of data held and maintained, including redundant data
• Achieve and demonstrate secure exchange of data
• Clearly communicate security requirements to employees, contractors, supply chain partners and other relevant stakeholders, holding regular compliance reviews against these requirements
• Create and improve a security culture throughout the organisation
• Ensure business, legal, contractual and regulatory compliance
• Ensure consistently high quality in the delivery of products and/or services
• Maintain customer/patient confidence

ISO/IEC 27001 may well be a requirement that you are increasingly encountering in order to win new business, or even remain in your current business. However, as we have hopefully demonstrated above, there are many reasons for organisations in the healthcare sector to proactively seek certification and a conversation with an audit partner such as SGS United Kingdom Ltd is the first step.

Ray Woodford
UK Product Manager – ISO 27001, ISO 22301, & ISO 20000
ISO 27001, ISO 22301, C&CCC Standard 55, Adisa & ISO 9001 Lead Auditor
ISO 20000 Auditor

For further information please contact:

Yemisi Olutogun
Business Support
t: +44 (0)1276 697715