Health Information Security Framework (HISF)
The HISF framework sets guidelines that organisations within the health sector should follow to secure their systems and information. The guidance has been tailored to organisations according to their size and structure (referred to as segments).
The HISF guidelines were refreshed in 2023, and we’ve put together a short video explaining what you need to know, and what’s changed.
In addition to HISF, we’ve developed tools and templates to help micro to small organisations (defined by HISF as 25 staff or less) meet the guidance and implement controls.
You will find these on the Cyber security resources for Primary Healthcare providers' page.
You can read the full framework here: HISO 10029:2022 Health Information Security Framework (HISF)
Scope
HISF deals with the security of New Zealanders’ health information wherever it is collected, used, and stored within the New Zealand health sector.
Expectations around the privacy of health information are covered by the Health Information Privacy Code 2020.
Segments
HISO 10029.1:2023 Health Information Security Framework Guidance for Hospitals
This includes both private and public hospitals.
HISO 10029.2:2023 Health Information Security Framework Guidance for Micro to Small Organisations
These organisations typically fall into two or more of the following categories:
- is a stand-alone business or organisation,
- is based at a single geographic location with a basic technology setup (e.g., laptops, internet access, relevant software),
- has staffing of up to approximately 25 personnel,
- manages a population of fewer than 10,000,
- has minimal or no in-house IT support (most IT services and support capability are outsourced to external IT and security vendors),
- is not involved with integrating or developing software systems or web applications in-house.
HISO 10029.3:2023 Health Information Security Framework Guidance for Medium to Large Organisations
These organisations typically fall into two or more of the following categories:
- may have a presence at one or more geographic locations, each supported by a technology setup,
- has staffing of more than 25 personnel,
- manages a population of more than 10,000,
- may have some in-house staff managing IT, further supported by external IT and security vendors,
- may collect health data from other regional healthcare providers and may operate data warehouses or similar systems,
- may provide IT support to other healthcare providers,
- may be involved with integrating or developing software systems or web applications in-house.
HISO 10029.4:2023 Health Information Security Framework Guidance for Suppliers
This includes both health sector suppliers and their sub-contractors.