Protección de datos personales en la historia clínica: El documento de seguridad en la norma ISO/IEC 27002 (Personal data protection in the clinical record: the security document under the ISO/IEC 27002 standard)

  1. Tamayo Vivanco, Miren
Supervised by:
  1. Juan Peire Arroba Director
  2. Elena García-Cuevas Roque Co-director

Defence university: UNED. Universidad Nacional de Educación a Distancia

Defence date: 11 January 2016

Committee:
  1. Pablo Orduña Fernández Chair
  2. Elio San Cristóbal Ruiz Secretary
  3. Mohamed Tawfik Committee member

Type: Thesis


The audit of personal data processing, whether driven by the National Cryptologic Centre (CCN) or by the data protection authorities of the respective Autonomous Communities under their own regulations, rests in the first case on an extensive set of published guides and in the second on a pair of documents that steer the possible implementations of the Security Document (SD). The SD is recognised here as the legal instrument that specifies and organises the technical safeguard measures applied to the data held by the information system (IS). In the field of the clinical record, and because of two specific premises (the high-level classification of clinical data and the complexity of the professional codes of the practitioners involved), the approximation analysis of the information security management system (ISMS) is tied to the elaboration of taxonomies for the resulting groups, the identification of scenarios together with their actors, and the integration of the data dictionary. The application that Spanish legislation builds around the Security Document is supported, in line with the recommendation of the National Security Scheme (ENS), by an international information security standard, ISO/IEC 27001, and by its controls as extended in ISO/IEC 27002. These standards propose a Plan-Do-Check-Act (PDCA) cycle whose execution makes it possible to define a new control or safeguard measure, expressed over the ISO/IEC 27002 controls, with the twofold goal of keeping the published taxonomies in balance and of turning the new control into a component of the ISMS.

The introduction and supervision of this new component highlights the support provided by the risk management perspective, through the MAGERIT methodology, in the Spanish electronic administration (e-Administration). Seen this way, the Excellence Framework is not a requirement but a necessary recommendation from the standpoint of project management, with the objective of carrying out a feasibility study of the system that depends on the change management applied to the Security Document.

With regard to international data transfers within the scope of the clinical record, the European Data Protection Supervisor (EDPS) is identified as the sole body responsible for monitoring data across the different European electronic administrations, and it also advises on security policies. To respond to this legitimate supervision, the working documents of the Article 29 Data Protection Working Party (WP29, "Gt29" in the Spanish original) have been taken into account, and, in order to make the specification of the new component possible, its document WP195 has been applied.