Health Information Security Framework (HISF)

HISF sets guidelines that organisations within the health sector should follow to secure their systems and information. The guidance has been tailored to organisations according to their size and structure (referred to as segments).

The HISF guidelines were refreshed in 2023, and we’ve put together a short video explaining what you need to know, and what’s changed.

Video transcript

Person 1:
Another busy day.

Appointments are backing up.

Doctor Lee is out, and we need a laptop and system access for our locum quickly.

Can you help? By the way, the medical practice down the road just had a cyber attack.

They haven’t been able to open their practice since it happened.

I hear patient data was stolen too.

Person 2:
Yeah, I heard.

We’ve started working with practices and pharmacies to become HISF compliant.

Person 1:
We definitely want to make sure that this doesn’t happen to us.

Are you HISF compliant?

Person 2:
Actually, yeah, we are.

Person 1:
So how does HISF apply to our organisation?

Person 2:
HISF, the Health Information Security Framework, helps make sure your security doesn’t become a talking point for the wrong reasons.

Person 1:
I’m pleased that’s your problem! We don’t have to worry about that then… Or do we?

Person 2:
Well, whether you’re a health care provider, or a supplier to a health care provider, HISF applies to you.

Actually, there’s HISF guidance tailored to small organisations, just like yours.

It covers the things you should be doing to keep information safe.

We’ll do our part but you need to do your part too.

Person 1:
It sounds difficult and time consuming.

What do we have to do?

Person 2:
Well, security guidance has been tailored to your organisation size and structure.

The Health New Zealand Cyber Hub has all the details, but in a nutshell HISF involves making sure everyone understands their responsibility towards keeping information private and secure, like ensuring it is only accessed by people who are authorised to use that information, and using MFA.

Also ensuring information is available if needed by having regular encrypted data backups, and making sure information and systems are kept up to date.

Person 1:
I’m glad we’re doing this together, but what about the practices who don’t have an IT supplier?

Person 2:
The HISF document provides information for health care providers on how to secure their information whether they do it themselves, or through an external provider.

You should also ask all your health systems providers if they’re HISF compliant.

In addition to HISF, we’ve developed tools and templates to help micro to small organisations (defined by HISF as 25 staff or fewer) meet the guidance and implement controls.

You will find these on the Cyber security resources for Primary Healthcare providers page.

You can read the full framework here: HISO 10029:2022 Health Information Security Framework (HISF)

Scope

HISF deals with the security of New Zealanders’ health information wherever it is collected, used, and stored within the New Zealand health sector.

Expectations around the privacy of health information are covered by the Health Information Privacy Code 2020.

Health Information Privacy Code 2020 - Privacy Commissioner

Segments

HISO 10029.1:2023 Health Information Security Framework Guidance for Hospitals

HISO 10029.2:2023 Health Information Security Framework Guidance for Micro to Small Organisations

These organisations typically fall into two or more of the following categories:

  • a stand-alone business/organisation,
  • based at a single geographic location with a basic technology setup (e.g., laptops, internet, relevant software),
  • staffing of up to approximately 25 personnel,
  • manages a population of less than 10,000,
  • minimal or no IT support in-house (most IT services and support capability is outsourced to external IT and security vendors),
  • is not involved with integrating or developing software systems or web applications in-house.

HISO 10029.3:2023 Health Information Security Framework Guidance for Medium to Large Organisations

These organisations typically fall into two or more of the following categories:

  • may have a presence at one or more geographic locations, each supported by a technology setup,
  • staff of more than 25 personnel,
  • manages a population of more than 10,000,
  • may have some in-house staff managing IT, who may be further supported by external IT and security vendors,
  • may be involved with health data collection from other regional healthcare providers and may have data warehouses or similar setup,
  • may be involved in providing IT support to other healthcare providers,
  • may be involved with integrating or developing software systems or web applications in-house.

HISO 10029.4:2023 Health Information Security Framework Guidance for Suppliers

This includes both health sector suppliers and their sub-contractors.