A Comparative Study of Three Standards of Data Security in Health Systems

The increasing influence of ICT on health and changing information systems to electrical form makes using the information, data transmission, and also preparation printouts of information so easy that the importance of internal and external disclosure policy, data security, and confidentiality standards in these systems have been doubled. At the beginning of research, all the combinations of key words were searched, then the history and importance of the health data security standards were studied. So the most prevalent and reliable standards were selected to perform the full text. For the next step the researchers extracted the properties which were used to be compared with the selected standards and finally the comparison was discussed. PCI-DSS, HIPAA, and ISO-27799:2008 properties were classified in 8 groups and 25 subgroups. ISO-27799:2008 was attended to all properties in Encryption group, but HIPAA was just attended to Encryption in storage, and asymmetric key, and PCI-DSS was considered on Encryption in storage, using Hash algorithm and use of asymmetric key. Operation system security was considered only in HIPAA. Only PCI-DSS standard considered RFID and DNS security and cell phone security, and PCI-DSS as well as ISO-27799:2008 considered wireless networks security. One can use the standard that is stronger in context. So, it is recommended to use PCI-DSS for cell phone or PDA systems, and ISO-27799:2008 or PCI-DSS for wireless networks. It is better for security in operation systems to use HIPAA. Combined standard with all these three standards aspects can be used as the safest approach.