Carestream recently received ISO 27001 Certification in Europe. We are happy to share that this is an important accomplishment for our Healthcare Information Solutions team, as it is a vital benefit to the customers we serve.
Even if ISO Certification is something you may not hear about often in the IT space, it plays a crucial role in assuring cloud customers that their data are safe, secure, and accessible. In the following paragraphs, I will explain what ISO 27001 certification is, why it is important for cloud vendors to obtain it, and most importantly, what it means for customers to work with ISO certified vendors:
What are the benefits of ISO 27001 certification?
- Security risks are appropriately prioritized and cost effectively managed
- It increases confidence in our organization, as it shows we care about our customers' business and are committed to protecting the patient data they entrust to us
- It demonstrates commitment to Information Security Management to third parties and stakeholders and will give them greater confidence to interact with us
- It provides a framework to ensure fulfillment of our commercial, contractual and legal responsibilities
What are the important business value considerations facilities should be aware of?
- This is our commitment to information security management for interested parties verified by BSI, a founding member of the International Organization for Standardization (ISO).
- It protects our business against information security threats and vulnerabilities
- ISO 27001 is becoming a customer requirement in many European countries
- It therefore provides added value to the enterprise and its interested parties
What actions were needed for Carestream to obtain ISO certification?
We had to enhance our ISMS (Information Security Management System), which is a set of procedures, working instructions, dashboard files, reports, and documents that together define how we manage information security for the Vue Cloud business in Europe. The ISMS preserves the confidentiality, integrity and availability of information by applying a risk management process and gives confidence to interested parties that risks are adequately managed.
Why is Carestream given a certificate?
This is the assurance/confidence that the ISMS (Information Security Management System) is:
- Compliant with ISO 27001 requirements
- Capable of achieving the security policy and objectives declared by the enterprise, according to its Information Security Policy and the associated Statement of Applicability.
- Efficient, and designed for continuous improvement
- Delivered by BSI, an independent body, based on its audit of the ISMS
Who was involved in these actions?
All HCIS functions were involved in the Vue Cloud business for the selected countries, and more specifically European HCIS managers, cloud operation managers, local HCIS service teams and the EAMER Vue Cloud Security Officer.
What exactly does certification cover?
It covers our ability to manage information security in our Vue Cloud business, according to our Vue Cloud Information Security Policy document.
This document states the commitment of the top management to the strategic importance of the information security management system (ISMS) and lists the main security objectives for HCIS.
What areas does it cover?
It covers the management of information security for the countries in which Carestream has Vue Cloud business.
Note that it is much more than just technical activities; it also concerns all service activities (implementation and support) as well as support functions, like HR, regulatory, purchasing, and IT infrastructure. It also identifies the internal and external interested parties.
How will it improve Vue Cloud?
It improves our information technology and security techniques by implementing the recommendations of ISO 27002, Code of Practice for Information Security Controls.
What are the benefits to Carestream?
Implementing the security controls defined as good practice in the ISO 27001 and ISO 27002 standards allows us to better detect weaknesses or vulnerabilities and fix them. It also helps us answer many of the security questions asked by customers.
What are the benefits to customers?
It proves to our customers that our ISMS has been audited by an external auditor (here BSI), making them confident in our ability to manage the service and to handle patient data in a secure way. We are then already prepared when this certification becomes a prerequisite for some tenders.