SRI Security Research Institute, Edith Cowan University, Perth, Western Australia
General practices are increasingly cognizant of their responsibilities with regard to information security, as is evidenced by professional bodies such as the Royal Australian College of General Practitioners (RACGP), who publish the Computer and Information Security Standards (CISS) for General Practices. Information security governance in general medical practice is an emerging area of importance. As such, the CISS (2013) standard incorporates elements of information security governance. The International Organization for Standardization (ISO) released a new global standard in May 2013 entitled ISO/IEC 27014:2013 Information technology -- Security techniques -- Governance of information security. The release of this revised ISO standard, which is applicable to organisations of all sizes, offers a framework against which to assess and implement this governance component of information security within general medical practice. This paper reports on an analysis of this standard to determine how it could be applied to Australian general practice. The paper further reports on two qualitative interviews with information security experts relating to the suitability of utilising this standard within general practice. The results confirm that the governance component of information security, which is currently insufficiently addressed within general practice, requires support in the form of standards, but also that developing a security culture is crucial to good governance in medical information security.