Personal Information
nvgordeev, 2017-11-08 13:29:14

Do I need to license an information system to work with personal data?

Hello. An information system for a medical organization has been developed. This system stores patient data, diagnoses, examination results, etc.
The system can be accessed via the Internet by both doctors and patients. Patients have limited access only to their visit history and to the electronic appointment booking. To access the system, a patient can register on their own.
At the moment, each patient signs a consent to the processing of personal data at their first visit.
It is planned to sell this system in the future, with modifications for each specific medical organization.
As I understand it, the data processed in the system belongs to the first category, and the system, accordingly, to class K1.
Question: is it necessary to somehow have this system examined for compliance with the requirements of the law on the protection of personal data, obtain a license, or undergo certification? If so, where should I go, and where can I find, preferably, a step-by-step description of the procedure? Thank you.


2 answers
SergeyNN, 2017-11-10
@nvgordeev

You have everything mixed up. In fact, it is all very simple.
You need an information security system. To get one, invited specialists holding an FSTEC license for TZKI will conduct a survey and design a protection system using protection tools. It is precisely those protection tools that can be chosen as certified ones. If the designed information security system involves data encryption (for example, of traffic from one IS segment to another), then the invited specialists must also hold an FSB license for implementing encryption tools.
As for your information system itself, it is in the clear. It does not need licenses (a license is a right to use; why does this concept even come up here?), and it does not need certificates (a certificate is confirmation of compliance with some requirements), since its task is to provide business tools; it is the information security tools that get certified. To be more precise, you will not certify anything yourself; you will purchase already certified information security tools.
It should also be noted that the mandatory use of certified information security tools is currently defined only for state information systems.
In short, you can divide the task into 2 parts: the IS (information system) on its own, and the information security system on its own.
You can read about the protection requirements in:
- article 19 of Federal Law 152,
- RF Government Decree 1119,
- FSTEC orders 17 and 21,
- FSB order 378.
They are simpler than they seem at first glance.

other_letter, 2017-11-08
@other_letter

You do.
Look into it yourself, as it will require a deep study of your IS, and that is beyond the scope of free help here.
And it is better to hire a specialist right away, because you will still need one in order to qualify.
