Health Information Security Framework (HISF)

The HISF framework sets guidelines that organisations within the health sector should follow to secure their systems and information. The guidance has been tailored to organisations according to their size and structure (referred to as segments). 

In addition to publishing the HISF, we are also developing tools and templates to help meet the requirements and implement controls. We will publish these when they become available.

You can read the full framework here: HISO 10029:2022 Health Information Security Framework (HISF)

Scope

HISF deals with the security of New Zealanders’ health information wherever it is collected, used, and stored within the New Zealand health sector. 

Expectations around the privacy of health information are covered by the Health Information Privacy Code 2020.

Go to the Privacy Commissioner website to find out more. 

Segments

HISO 10029.1:2023 Health Information Security Framework Guidance for Hospitals

HISO 10029.2:2023 Health Information Security Framework Guidance for Micro to Small Organisations

These organisations typically fall into two or more of the following categories:

  • a stand-alone business/organisation,
  • based at a single geographic location with a basic technology setup (e.g., laptops, internet, relevant software),
  • staffing of up to approximately 25 personnel,
  • manages a population of less than 10,000,
  • minimal or no IT support in-house (most IT services and support capability is outsourced to external IT and security vendors),
  • is not involved with integrating or developing software systems or web applications in-house.


HISO 10029.3:2023 Health Information Security Framework Guidance for Medium to Large Organisations

These organisations typically fall into two or more of the following categories:

  • may have a presence at one or more geographic locations, supported by a technology setup,
  • staffing of more than 25 personnel,
  • manages a population of greater than 10,000,
  • may have some staff in-house for managing IT, who may be further supported by external IT and security vendors,
  • may be involved with health data collection from other regional healthcare providers and may have data warehouses or similar setup,
  • may be involved in providing IT support to other healthcare providers,
  • may be involved with integrating or developing software systems or web applications in-house.


HISO 10029.4:2023 Health Information Security Framework Guidance for Suppliers

This includes both health sector suppliers and their sub-contractors.
