The overall objective of the SEISMED (a Secure Environment for Information Systems in MEDicine) project was to develop a consistent, harmonised framework for the protection of medical data throughout Europe. This document presents guidelines for the security of existing European health care systems based upon work conducted by SEISMED workpackage SP07 (Security in Existing Systems).

Information technology has had a significant impact upon Health care Establishments (HCEs) in Europe, with information systems now affecting most aspects of their operation. As a result, health care professionals are becoming increasingly dependent upon the availability and the correctness of systems and data. Unfortunately, many existing systems current operate without security having been properly addressed, making them vulnerable to a variety of accidental and deliberate threats. As a result there is a requirement to add or enhance protection in many cases.

In many ways the security requirements in health care environments are fundamentally different from other domains and hence many aspects of existing standards were considered inappropriate. The problem has been addressed by the development of information security guidelines specifically targeting the health care community.

A comprehensive set of baseline security recommendations have been developed for use by all HCEs within Europe, representing a minimal acceptable standard for the security of operational health information systems and their associated environments. The guidelines are intended to provide a straightforward means of identifying security weaknesses and validating existing systems to ensure compliance. The guidelines were developed in close consultation with the medical community, with input from both the SEISMED Reference Centres and other independent health care professionals.

The guidelines are grouped under ten key principles of protection, which are considered to represent the main areas that must be considered in securing existing systems. Coverage includes policy and administration issues, physical and environmental protection, personnel security procedures and logical / system security controls.

The guidelines are relevant to and will affect all categories of HCE personnel. However, certain issues are not appropriate to all staff and, therefore, three separate sets of guidelines are available, each focusing on different classes of HCE personnel.

• General guidelines are available for day-to-day reference by the majority ofHCE staff (including clinicians, administrators and general system users).

• Management guidelines target those responsible for determining HCE security policy and also serve to explain the need for a number of more technically based measures.

• IT & Security Personnel guidelines present the most detailed information relating to the implementation and validation of security and address personnel such as IT staff and system administrators.

These documents provide extensive information on what aspects of security should be considered, with appropriate guidelines in each case, as well as general suggestions on implementation. It is envisaged that the guidelines may be used as either a detailed source of reference during the introduction of security or, alternatively, as a simple means of validating existing arrangements.