Efficiency and security of the Norwegian National Health Network

1. Efficiency and security of the Norwegian National Health Network Beijing, April 2010 Janicke Weum Halvor Bjørnsrud Office of the Auditor General of Norway

2. Content • Background information • Methodological approach • Adopted process of investigation • Preliminary findings • Lessons learned

3. Helse Nord Svalbard Helse Midt-Norge Helse Vest Helse Sør-Øst Background • The Norwegian National Health Network • technical infrastructure for electronic interchange of individual health data • a main ICT-policy instrument in achieving superior political objectives on health-IT

4. Figure: The National Health Network

5. Background • The Network is operated by the public owned enterprise Norwegian Health Net (NHN) • NHN • established in 2004 • shall provide for an adequate technical infrastructure which allows for efficient and secure electronically communication among main health partners

6. Background • Main health partners are e.g.: hospitals, general practitioners (GP's), medical specialists, municipalities, laboratories, pharmacies and the National Social Security Agency • National goal: by 2012, all main health partners are to be connected to the National Health Network • Connected users by the end of 2009: app. 2050

7. Why investigate? • Health data • defined as sensitive information • national infrastructure must be in accordance with legislation and expectations concerning information security • requires a sufficient Information Security Management System (ISMS) for operating the Network • responsibility of NHN • Risk • incidents demonstrate defects in the ISMS, e.g. September 2008. • Indicates that privacy and protection measures may not be consistently and effectively built into the ISMS • Objective of investigation • investigate the efficiency and security of the ISMS for operating the National Health Network

8. How to investigate? • Methods • specific risk-analysis and document analysis • interviews • on-site inspections • Measurement tools • national legislation and regulation • international standards and frameworks such as ISO / IEC 27001, ISO / IEC 27002, COBIT and ITIL

9. Adoptedprocess • Included ICT-audit expertise in the project team • Obtained basic documentation on the ISMS • Performed analysis on risks to the ISMS in relation to the National Health Network • Obtained additional documentation from the NHN

10. Adopted process • Defined 8 topics of focus • assessment of risk- and security • training of clients on information security • monitoring of activity in the Network • handling of derogations and security incidents in the Network • handling of planned changes in the different services accessible to clients • encryption of individual health data • handling of breakdowns in the Network • administration of access control • Performed interviews and on-site inspections

11. Preliminary findings • NHN executive handling is potentially less efficient due to the lack of adequate routines for handling of derogations and security incidents • The National Heath Network is exposed to external threats: • NHN haven’t provided for sufficient monitoring and security barriers • NHN risk-assessments are not sufficiently adapted to the responsibility of the enterprise, and threats to the Network

12. Lessons learned • Scope • Investigations concerning information security may also be integrated as part of more comprehensive performance audits • Include ICT-audit experts

13. Contact information • Halvor Bjornsrud • E-mail: halvor.bjornsrud@riksrevisjonen.no • Telephone: +47 22 24 14 15 • Janicke Weum • E-mail: janicke.weum@riksrevisjonen.no • Telephone: +47 22 2412 04