标准摘要
[中文适用范围]: 本文件为卫生组织提供信息安全控制措施及实施指南。该文件基于ISO/IEC 27002:2022。除了广泛应用于多种环境的通用信息通信技术(ICT)设备和软件外,本文件的范围还包括专为医疗保健设计的软件和系统,例如电子健康记录系统和集成健康软件的医疗设备。此类医疗设备可以是可编程或可编程的,并包含软件、固件或两者。其他数字设备(如用于环境和感染控制、建筑管理和物理安全的设备),只要可用于提供医疗服务的场所,也在本文件范围内。本文件适用于以各种形式存在的的所有信息,无论其形式如何(包括文本和数字、录音、绘图、图像和视频),无论其通过何种手段获取或捕获,无论其通过何种手段存储(如打印、书面记录或电子存储),也无论其通过何种手段传输或交换(口头、手写、邮寄、存储介质移动、直接链接或联网)。本文件适用于提供医疗服务或因其他原因保管个人健康信息的所有类型和大小的组织。这些组织负责的信息可以以多种方式和地点存储和处理,包括在本机构内部或云端,但仍属于本文件范围。本文件适用于所有打算提供医疗服务的物理场所,如医院、诊所和其他指定用于医疗目的的场所(如救护车和移动影像或诊断单元)。它还适用于在其他地方提供的护理,如住宅场所。除上述场所外,本文件还适用于所有服务提供方式,包括远程或虚拟医疗保健。 [外文原描述]: This document provides information security controls, including implementation guidance, for health organizations. It is based on ISO/IEC 27002:2022 In addition to generic ICT equipment and software used in many other environments, the scope of this document includes software and systems specifically for healthcare, such as electronic health record systems and medical devices incorporating health software. Such medical devices can be programmed or programmable and can contain software, firmware or both. Other digital equipment (such as that for environmental and infection control, building management, and physical security), which can be used in premises where healthcare is provided, is also in scope. This document applies to information in all its aspects, whatever form the information takes (including text and numbers, sound recordings, drawings, images and video), by whatever means it has been acquired or captured, whatever means are used to store it (such as printing or writing on paper or storage electronically), and whatever means are used to transfer or exchange it (orally, by hand, by post, movement of storage media, direct links or networking). This document is for organizations of all types and sizes that provide healthcare or are custodians of personal health information for other reasons. The information that they are responsible for can be stored and processed in many possible ways and locations, including on premises or in the cloud, but remains in scope. This document applies to all physical settings where healthcare is intended to be delivered, such as hospitals, clinics and other locations or facilities designated for healthcare purposes such as ambulances and mobile imaging or diagnostic units. It also applies to care provided elsewhere, such as in residential premises. In addition to the range of settings, this document applies to all methods of service provision including remote or virtual healthcare.
英文名称Health informatics — Information security controls in health based on ISO/IEC 27002