Experiences with a new security standard for healthcare information systems.

This article describes the results of the implementation and demonstration of the Standard CEN ENV 12924 (Security Categorisation and Protection of Health Care Information Systems), that was performed as part of the ISIS/MEDSEC project of the EU. The categorisation scheme given in the standard was followed through for almost all information systems or sub-systems in the Leiden University Medical Centre. The status of the security measures was evaluated for ten systems; further implementation plans were then drawn up for these systems, and partly effectuated. Findings are reported, both on the present security level, and on the applicability of the standard (which in general was found to be very positive). In the course of this work, use was made of a database support tool, developed in an earlier EU project (SEISMED).