This is an important milestone which promotes greater security in the hospital’s work on behalf of patients, their relatives and employees”, says Magnús Pétursson, CEO of Landspítali-University Hospital.

Three departments in the IT Division of the Hospital have received security certification in accordance with the BS 7799 security standard from the British Standards Institution (BSI).

DEMANDS

• Of internal customers
• External customers (patients)
• Continuous access to service
• Up to 100% system uptime
• Net available all the time – “Medical grade network”
• Uptime 99.997% or 99.9999%
• Servers and data storage – double
• Working stations active and access to systems
• Backup, virus protection, preventive maintenance
• Data security and access issues

A milestone of great importance for international co-operation.
Landspítali-University Hospital is the largest health institution in Iceland and among the country’s largest workplaces, employing 5000 employees. The Hospital provides medical services in many different fields and is engaged in research in clinical and nursing specialities. Three departments in the IT division of Landspítali-University Hospital received certification in accordance with BS 7799 in February 2006. This is the first time that an IT Division in a university hospital in the Nordic countries has received such certification. This milestone is of great importance for the Hospital’s international co-operation and increases its credibility and competitive position.

IT is a key component in the operation of the Hospital
The IT Division of LSH (UTS) is a part of the Office of Technology and Assets (STE). IT is seen as one of the Hospital’s most decisive factors for achieving results in its operation, second only to human resources. Electronic clinical records, integration of systems and information security are among the IT Division’s most important projects. In addition, there are numerous information systems for accounting and the operation of the Hospital. IT is involved in almost all fields within the Hospital. There are over 20 information systems used in the clinical operations in the Hospital, and the goal is to merge the majority of these systems into one electronic clinical records system.

Why security certification?
The clients of the Hospital, i.e. the patients, their relatives and employees, require continuous access to services, up to 100% system uptime, security of personal information and access controls on information. In order to ensure that these issues are managed effectively, the decision was made to seek certification from professionals in this field.

The professional and specialised consultancy of Stiki ehf. made all the difference
In the autumn of 2002, the Icelandic Ministry of Health established a large pilot project for the implementation of information security in Icelandic health institutions. The project participants were LSH, the State Social Security Institute, the East Iceland Health Care Institute and the health care service centres in the Reykjavík metropolitan area. Stiki ehf. was asked to be the Ministry’s consultant on the project. Stiki specialises in consultancy services in the field of information security. Soon thereafter, the decision was made at LSH to apply for certification in accordance with the BS 7799 security standard under the guidance of Stiki. In September 2005, an application was submitted to the BSI, which was confirmed for the aforementioned departments in March 2006. The professional and specialised consultancy services provided by Stiki were crucial to the success of the project. Another decisive factor was the determination evidenced by the hospital's management and the support provided by the Government.

Active participation of employees is a key issue
Information security depends on the active participation of all employees, and this was the key to success. The employees of the IT Division of the Hospital fully understood the importance of the project. The employees played their part in ensuring that the project advanced quickly and surely, and their commitment and passion was evident in the successful implementation. Moreover, the benefits of the implementation for the Hospital are already in evidence: services are now more uniform, and more efficient, than before.

A milestone of importance to all Icelanders
The benefits that the hospital has gained from the certification include a more secure operating environment, confirmation that approved security rules are used, improved awareness of security, more effective management and rules of procedure, less likelihood of damaging incidents and, last but not least, more effective utilisation of funds.

An independent audit has also confirmed to third parties that the appropriate methods are being used to protect information, attesting that the operation of the Division is trustworthy with regard to information security.

Data protection laws taken seriously
Certification pursuant to BS 7799 is also a general confirmation that the protection of information is taken seriously by the institution. In business relations, the BS 7799 certification can ensure an advantage over competitors and increase the confidence of customers. Although the Act on the Protection of Privacy contains no requirement for certification, certification in accordance with BS 7799 confirms that the institution endeavours to protect sensitive information. The Act also specifies that “security assessment and security measures taken in the processing of personal data shall be in accordance with standards that the Data Protection Authority decides shall be followed”.

This milestone and the Hospital's decision are, of course, of great importance to all Icelanders, as it promotes increased security and improved health care services as economically as possible.