Within the working programme of CEN/TC251 (Health Informatics), a standard for Security Categorisation and Protection for Healthcare Information Systems has been developed. This document was formally adopted in 1997 by CEN as pre-standard CEN ENV 12924 [1]. A demonstration and implementation effort, which was to be effected in principle at one location, was planned and executed as part of the MEDSEC project.
The standard CEN ENV 12924 contains a security categorisation model for information systems in Healthcare, distinguishing six categories, plus some refinements. For each category it specifies the required protection measures. The project task consisted of demonstrating and implementing the standard (as far as possible within a limited period) in a real life situation, and providing feedback on these results to the CEN organisation.
To this end, the categorisation scheme specified in the standard was applied to a large part of the information (sub)-systems in the Leiden University Medical Centre. A set of ten sub-systems was then selected for a more detailed investigation. The actual protection status of each sub-system was evaluated against the recommended protection profiles specified in the standard. For each relevant recommendation in the standard, its status was recorded and remarks were added on its relevance, feasibility, etc. These detailed data have been gathered in separate reports for each sub-system. These reports are necessarily confidential, in order to protect the hospital's information security.
A similar, though more limited, exercise was carried out at Magdeburg University Hospital (UHM), in order to allow for possible differences in local situations. A thorough comparison of results between hospitals was, however, beyond the scope of the project.
From the overall picture we have tried to draw conclusions on the quality, completeness and applicability of the standard, as well as on the actual level of protection of the systems. As a by-product of the investigation, implementation plans have been specified for every system in the small group, to raise the protection of the various (sub)-systems to a higher level where necessary. Subsequently, these plans have been realised to a large extent.
To facilitate the bookkeeping of the results, we have used the SIDERO model [2], which resulted from the SEISMED project [3]. For this purpose, the model has been extended with the recommendations from this standard. A brief description of this database model is included in Appendix B.
As an overall conclusion, we may state that the standard has proven to be a very useful instrument, providing a good basis for a security review of the types of Healthcare information systems encountered in a hospital environment. Some suggestions have been presented for amending recommendations that were found too impractical or too heavy in the circumstances considered. We also suggest adding one category to the set of six currently in use. Furthermore, the use of a 'bookkeeping tool' (such as SIDERO) is strongly recommended.