
Information Security Part 2 – The Organization

Read this blog post to find out how you can best organize the topic of information security in your company.

16. September 2024


Rolf Grube

In this article, we look at the organization in the context of information security management. As with every management system built on the PDCA (Plan-Do-Control-Act) cycle, it takes people to set the process in motion and keep it running.

The possibilities for organization are manifold

If you look at the various standards, there is a great deal of latitude in how the topic is mapped onto the organization:

  • ISO 27001:2024 requires a clearly defined organization, but leaves its design to the company
  • ISO 27779:2016, which was adapted specifically for the healthcare sector, requires at least one person who is professionally qualified or has been given appropriate training by company management
  • In IT basic protection (2023, module ISMS.1.A4) and the B3S standard (ANF-MN 8), appointing an information security officer is a MANDATORY requirement
  • The American NIST SP 800 series likewise specifies the appointment of an information security officer (NIST SP 800-53r5, control PM-2)
  • The various standards also call for additional staff and responsible persons, albeit mainly as target (should) requirements rather than hard obligations

Different focuses of the various standards

While COBIT places particular emphasis on anchoring information security in the organization and aligning it with corporate strategy, basic protection concentrates strongly and in detail on the technical infrastructure.

These degrees of freedom are understandable: a laboratory with 50 employees does not have the financial and organizational resources of a university hospital with 18,000 employees or of a multinational company subject to a range of laws. The organization of information security management must therefore be able to adapt to the company and its objectives.

So, what do you need?

  • A hospital needs an information security officer (ISB, from the German Informationssicherheitsbeauftragter) in any case; this follows from the B3S standard or, more precisely, from § 391 para. 4 SGB V. The ISB can be an internal employee or an external contractor, but must be professionally qualified and must be given the time and resources for the role by the company. For other healthcare companies, it depends on whether an industry-specific standard exists and whether the company lies above or below the KRITIS threshold. In principle, it is always advisable to consider appointing an ISB.
  • As an interface to the rest of the organization, it is a good idea to form a team that deals with information security, made up of members of the relevant professional groups. The data protection officer should also be involved.
  • In small organizations in particular, you can consider assigning the task to existing staff or teams, or combining tasks, for example a crisis team and an information security team.

As you can see, there is a lot of room for manoeuvre in how information security is organized, as long as you are not a KRITIS company. But it does have to be done, so give those responsible the space to do it.

The next posts will focus on the substantive work, and we are going all in on risk!
The article "Information inventory and risk management" is part 3 of our blog series.


Rolf Grube

Digitalization Manager and Certified Information Security Manager

rolf.grube@oberender.com
+49 89 8207516-0