Compliance with Information security rules
The MRI is a medical device that handles PHI (Protected Health Information), which requires special handling under local and international laws.
The MRI results, which contain private health information, need to be transmitted to and interpreted by a radiologist. Once this is done, the results are sent to the attending physician and possibly displayed online in the patient's medical case file.
Each of these steps carries risks to the PHI (such as unauthorized disclosure or loss of information integrity or availability), which can have devastating consequences for the individual and for the organization (financial loss from substantial legal fines, and loss of reputation).
Handling PHI means that the organization needs to establish compliance with information security and privacy laws.
When the organization operates in the U.S., it shall be obliged to comply with HIPAA, the Health Insurance Portability and Accountability Act of 1996.
When the organization operates in Europe (EU), it shall be obliged to comply with the GDPR (General Data Protection Regulation) and/or any other laws applicable in the organization's environment.
For the specific case of individual medical information, ISO 27001 and the complementary ISO 27799 provide a framework and guidelines for information security standards and information security management, including the implementation and organization of security controls appropriate to the organization's information security risks.
By implementing ISO 27001:2013 and the complementary ISO 27799:2016, healthcare organizations, medical device companies and other facilities that use protected health information shall be able to ensure a level of security that is suited to their organizational environments and that maintains the Confidentiality, Integrity, and Availability (CIA) requirements of the personal health information within their scope.
PHI covers all aspects of health information in any form (numbers, words, drawings, audio recordings, video, medical images such as MRI), whatever means are used to store it (hard and/or soft copies) and whatever means are used to transmit it (by mail, by facsimile, over computer networks, etc.); the information shall always be suitably protected.