A Study of the Integrated Application of ISO 27001, ISO 27799 and Personal Information Protection Act in Medical Institutions—Hospital M as an Example


Bibliographic Details
Main Author: Ying-Ling Lo (羅尹伶)
Other Authors: I-Long Lin
Format: Others
Language: zh-TW
Published: 2013
Online Access: http://ndltd.ncl.edu.tw/handle/80203706728399254824
Chinese title: 整合ISO 27001 & 27799與個人資料保護法應用於醫療機構之研究--以M醫院為例
Degree: Master's thesis (學位論文), National Ilan University (國立宜蘭大學), Master's In-Service Program in Multimedia, Network Communication and Digital Learning (多媒體網路通訊數位學習碩士在職專班), academic year 101 (2012 in the ROC calendar); 165 pages; language zh-TW
Other authors: I-Long Lin (林宜隆), Chin-Feng Lai (賴槿峰)

Abstract

The Personal Information Protection Act went into law on Oct 1, 2012. However, a survey on “Hospital Response to the Personal Information Protection Act” conducted by the Taiwan Hospital Association shows that only 4.73% of the surveyed hospitals had implemented measures to comply with the Act. Those that had not complied with the Act were mainly constrained by unfamiliarity with the law (72.78%) and a lack of awareness of personal information protection among employees (70.41%). In line with the government’s promotion of e-government services, the Bureau of National Health Insurance has implemented numerous measures, including use of the Health Insurance IC Card, electronic medical history exchange, training of seed hospital specialists in charge of information security, and certification to ISO 27001:2005. As of Feb 8, 2013, 93 hospitals islandwide had passed the certification.

Based on ISMS (ISO 27001:2005) and Gowin’s Vee Model, this study first used grounded theory to extract the key criteria from ISO 27001 (133 items in total) and from ISO 27799:2008, the standard established specifically for health informatics, and then combined them with the 11 “adequate security protection measures” prescribed in Article 12 of the Enforcement Rules of the Personal Information Protection Act. It then applied the P-D-C-A cycle and the PLSE Model introduced by Dr. I-Long Lin to build the key tasks of personal information protection for medical institutions.

Following the methodological side of Gowin’s Vee Model, the study used a modified Delphi method to find the items on which experts commonly agreed and constructed “The Personal Information Protection Guideline and Evaluation Scale for Medical Institutions”. Finally, the study evaluated the feasibility and effectiveness of the guideline and evaluation scale through a case study. The result is a Plan-Do-Check-Act procedure of personal information protection for hospitals based on the 11 measures prescribed in Article 12 of the Enforcement Rules of the Personal Information Protection Act. For medical institutions that have already implemented an ISMS, the results can also serve as a basis for adjusting and evaluating that ISMS, and the proposed guideline and evaluation scale can help them identify security gaps earlier.