Health information is an important asset for health providers. This asset needs to be adequately protected. The primary focus of health information security is the protection and safeguarding of patient information and the requirements to protect the privacy of patients. In addition to this need for protection, health providers must ensure that information is accurate and available when required. 

The protection of information involves the preservation of the following:

• Confidentiality – information should only be accessible and available to those authorized to have access.
• Integrity – Information should be stored, used, transferred and retrieved in manners such that there is confidence that the information has not been tampered with or modified other than as authorized.
• Availability – Ensures that information is accessible to authorized individuals when and where required.

Information security is achieved by implementing a suitable set of controls. A control may constitute a policy, a practice, a set of procedures, or perhaps a software function. These controls need to be established in order to ensure that the specific security objectives of the organization are met.

The IT-014-04 Information Security subcommittee develops standards to implement and manage information security in the health sector. Its members are drawn from a wide range of stakeholder groups and offer a wealth of technical expertise. Its role is to monitor the health information security environment and advise IT-014 of any standardization developments in ISO, CEN, HL7 and other international forums.