Updating the Health Information Security Framework

Te Whatu Ora/Health New Zealand is now in a process of re-writing and replacing the existing HISO 10029 to better suit the new operating environment of health organisations in New Zealand and making it easier to understand and adopt across the broad spectrum of health organisations.

More than 40 stakeholders from a range of health sector organisations including Districts, PHOs, suppliers, primary care, private/NGOs have so far participated in the consultation process and prototype development.

A sector engagement kick-off workshop was held on 22 July 2021 in Wellington, followed by numerous one-on-one discussions and survey feedback sessions on the prototype. The overall perception of the prototype was positive, and suggestions have been made for further design development and refinement. 

Following some updates to the HISF and an initial focus on three cyber security domains, a second round of District consultations was kicked off online on the 7 September 2022, followed by multi-participant workshops across the Northern, Waikato, Southern and Central regions. Overall feedback on the draft HISF was positive and suggestions were made to further develop the Framework.    

The new HISF will adopt a co-design approach with Māori in reviewing the strategy and developing the supporting tools for implementation. Embedding Te Tiriti principles into the HISF guiding principles, as well as developing Māori Health segment-specific guide will be two key outcomes of the co-design leading to subsequent co-governance.

After the launch of Te Whatu Ora and the Te Aka Whai Ora / Maori Health Authority, the sector segmentation definition will be finalised. Segment-specific consultations will then be held with end-user representative groups, including front-line clinical personnel. Several iterations of this process will result in the development of implementation guides tailored to each segment (e.g., primary care).

Once the implementation guide for each segment is agreed and published, change management activities will commence.

For the purpose of understanding and implementation of this framework, the relevant implementation guidance is divided into multiple segments. These segments i.e., government agencies, districts (previously known as DHBs), primary & community care, NGO's and private practices and suppliers, are based on various information security risk profiles. These segments have specific assertions that they must comply with, along with requirements and detailed guidance.

The current version of the updated framework contains details on assertions, requirements, and guidance for the 'Districts' segment in the areas of Human Resource Security, Asset Lifecycle Security and Health Information Security Incident Management only. Assertions, requirements and guidance for the other cyber security areas are to follow. 

Due to the complexity and size of the document, it is proposed to separate the document as below and present this in an online searchable format: 

• 10029:2022 - HISF
• 1:202x - HISF for Districts
• 2:202x - HISF for Primary care
• 4:202x - HISF for Suppliers
• 5:202x - HISF for NGO's and private practices

To support the health care providers with a lower cyber security maturity rating, toolkits and templates will be provided by Te Whatu Ora to support the providers to uplift their cyber security to minimise the people, process and technology risks across the sector within New Zealand.