Applying data protection part of ISO 27001 to patient and user data produced by medical devices – Case: disease specific quality registers

dc.contributor.author: Torkkeli, Aapo
dc.contributor.department: Department of Future Technologies
dc.contributor.faculty: Faculty of Science and Engineering
dc.contributor.studysubject: Information and Communication Technology
dc.date.accessioned: 2020-05-14T21:01:21Z
dc.date.available: 2020-05-14T21:01:21Z
dc.date.issued: 2020-05-07
dc.description.abstract: Data protection may be considered a subset of information security, consisting of the rules that define who may have access to what data and under what conditions. Rules concerning the handling of personally identifiable information have also become a major topic of discussion with regulation such as the European Union's GDPR. To improve the data protection of personally identifiable information, initiatives such as MyData and IHAN have been developed. In the field of information security, standards such as ISO 27001 exist to improve and unify information security in organizations. This thesis studies the requirements that the data protection initiatives MyData and IHAN impose on organizations processing personally identifiable information, as well as the requirements imposed by the ISO 27001 standard. The requirements of MyData and IHAN are compared to the ISO 27001 standard, along with a case study that examines the requirements of both in the context of patient data stored and processed in disease-specific quality registers. A gap analysis of the ISO 27001 security controls is performed to evaluate the current situation against the standard's requirements. Suggestions for measures to meet the different potential requirements of MyData and IHAN are also given, along with discussion of their relevance to disease-specific quality registers. Considerations of the legal aspects of protecting patient data related to these are, however, omitted.
dc.format.extent: 98
dc.identifier.olddbid: 166435
dc.identifier.oldhandle: 10024/149569
dc.identifier.uri: https://www.utupub.fi/handle/11111/11618
dc.identifier.urn: URN:NBN:fi-fe2020051435521
dc.language.iso: eng
dc.rights: This publication is copyrighted. You may download, display and print it for your own personal use. Commercial use is prohibited.
dc.rights.accessrights: open
dc.source.identifier: https://www.utupub.fi/handle/10024/149569
dc.subject: data protection, information security, ISO 27001, MyData, IHAN, medical information systems
dc.title: Applying data protection part of ISO 27001 to patient and user data produced by medical devices – Case: disease specific quality registers
dc.type.ontasot: Master's thesis

Files

Name: Torkkeli_Aapo_opinnayte.pdf
Size: 426.24 KB
Format: Adobe Portable Document Format