ABSTRACT

In this chapter we examine the International Organization for Standardization (ISO)/International Electrotechnical Commission (IEC) 17799:2000 security standard and compare it with the categories established in the HIPAA security rule. Whereas the HIPAA security rule establishes requirements across five categories (domains), the ISO/IEC 17799 standard defines ten domains that organizations must address to build a secure infrastructure. The two specifications overlap significantly, although they are organized very differently. The major differences are that the HIPAA security rule is closely tied to the HIPAA privacy rule and that its scope is limited to electronic Protected Health Information (ePHI) only.