Information Security Management and Regulatory Compliance in the South African Health Sector

Information security is becoming a part of core business processes in every organization. Companies are faced with contradictory requirements to ensure open systems and accessible information while maintaining high protection standards. In addition, contemporary management of organizations’ information security requires various approaches in different areas, ranging from technology to organizational issues and legislation. These approaches are often isolated while security management requires an integrated approach. Information Technology promises many benefits to healthcare organizations. By helping to make accurate information more readily available to health care providers and workers, researchers and patients, advanced computing and communication technology can improve the quality and lower the cost of health care. However, the prospect of storing health information in an electronic form raises concerns about patient privacy and security. To ensure an appropriate and consistent level of information security for computer-based patient records, both within individual healthcare organizations and throughout the entire healthcare delivery system, healthcare organizations are required to establish formal information security programs, for example through the adoption of the ISO 17799 standard. However, proper information security management practices alone, do not necessarily ensure regulatory compliance. South African health care organizations have to comply with the South African National Health Act (SANHA) and the Electronic Communication Transaction Act (ECTA). It is arguably necessary to consider compliance with the Health Insurance Portability and Accountability Act (HIPAA) in order to meet international industry standards. The main purpose of this paper is to propose a compliance strategy, which ensures full compliance with regulatory requirements while at the same time guarantees customers that international industry standards are being used. This is preceded by a comparative analysis of the requirements posed by the ISO 17799 standard and the HIPAA, SANHA and ECTA regulations.