Organizational and law aspects of medical information systems

Research article
Issue: № 4 (142), 2024


The article describes the systematization of the approach to the formation of a list of organizational and distribution documents (ODD) on information security (IS) that need to be developed for medical information systems (MIS) with new goals and objectives. It is proposed a unique list of ORD for MIS, which are created to implement new complex functionality. For the writing of this scientific article, the lists of ODD were taken as a research material, which were created for the MIS of the «Netrika Medicine» company. The necessary and sufficient list of ODD for MIS is presented in the format of a table. The practical result shows that in newly developed MIS, the composition of the ODD can be formed based on the results of an analysis of the IS requirements. There were identified, as theoretical results, classification similarities in the composition of ODD for new MIS. It is concluded that the systematization of formation of a list ORD for MIS, developed for the implementation of digital health, is recommended for use.

1. Introduction

Public and private medical organizations process a great deal of confidential information on an ongoing basis. Such confidential processing may include personal data (PDt)

, information from government systems
, as well as information about critical information infrastructure (CII)
. Information, the processing of which in the IMS has a high level of importance, protection class and significance category. It cannot be denied that information transmitted to MIS needs enhanced protection, as it is a tasty morsel for cybercriminals.

In previous publication, which presented for portal of the educational and information-methodological «»

, it is demonstrated a detailed story about the protection of PDt, from the point of view of understanding the specifics of IS for MIS, the list of threats, the probability of which is high during theft, modification and uncontrolled leaks into the hands of attackers of information of medical properties. The article about methodology of forming list of PDt processed in MIS, which are developed to perform new functionality, have been confirmed
. In this scientific article is supplemented that data processed in MIS is also parts of government IS and CII. In order to understand the need to implement measures to carry out technical and, of course, important organizational manipulations to ensure information security, it is necessary to analyze the IS requirements. It is important to underline the types of IS requirements for MIS. During the discussion, the importance of organizational and law aspects of protecting PDt, government information systems and CII will be described.

Analyzing the existing challenges and threats to IS in healthcare, it is important to underline that the proposed list of ODD satisfies the IS requirements for the protection of PDt, government systems and CII. This versatility of the ODD set can significantly reduce the cyber threats described above that are characteristic of MIS.

The purpose of this article is to systematize the approach to creating a list of ODD for the digitalization of healthcare by means of using MIS.

Based on the methods used in the development of MIS, created by «Netrika Medicine» company

, in order to achieve goals, the task was formulated to present a list of ODD for MIS, which are developed to perform new possibilities.

There were used methods of search and cognition, logical inference, methodological design, as well as system analysis at the moment of preparation materials for writing this scientific article.

The novelty of the scientific research is in the fact that a universal list of ODD for MIS with new functionality was developed. The versatility noted above is due to the fact that ODD for MIS have to satisfy the IS requirements for protecting PDt, government information systems and CII. The list of ODD was compiled based on the results of a study of various information systems, however, it was identified unique features of the composition of ODD that are applicable specifically in MIS.

The relevance of the study is in the points that identified the dependence of the types of ODD for MIS on the species, qualitative and quantitative indicators of MIS located in various data processing centers. It is known that most of these data centers have a certificate of compliance

with IS requirements for the protection of PDt, government information systems and CII. The resulting indicators were systematically achieved in the form of a tabular presentation (Table 1), which certainly has practical originality at the moment when developing a list of ODD for MIS with new functionality. The most originality composition of ODD for MIS could be described as a situation that this list is satisfied the IS requirements for protecting PDt, government information systems and CII.

For the creating this scientific article, the composition of ODD for the MIS of the «Netrika Medicine» company was analyzed as a research data. It is becoming possible because limited liability company «Netrika Medicine» specializes in the secure integration and creation MIS for regional services, doctors, patients and healthcare organizers. The IS system is a subsystem and is developed on the functions, goals, threat modeling and objectives for medical organizations.

It is obvious that IS systems have two most important clusters: technical equipment and organizational measures. Many information technology companies often do not pay due attention to ODD concentrating on the technical components of protection. It is understanding, because IS specialists are associated with real hardware and often organizational measures are given to technical documentation department. However, representatives of IS department «Netrika Medicine» company are convinced, that for achieving long-term goals for the digitalization of healthcare it is constantly necessary to renovate ODD for MIS.

The methodological value of the research described in this scientific article lies in the systematization of practices for forming a list of ODD, which are important to consider as potential when it is necessary to develop new MIS.

2. Research methods and principles

Guided by the principle of the inalienability of the organizational component, according to production needs ODD were created for MIS deployed in different data processing centers, certified according to various IS requirements.

There were needed certified data processing centers according to IS requirements of protecting PDt, first of all. That is why using manuals about PDt protecting, in particular government decree about the protection of PDt processed in PDt information systems

, representatives of IS department developed necessary ODD for MIS, which were created in period decade of tenths of years.

To the second type of certified data processing centers it possible to describe according to IS requirements of protecting government information systems. Due to these needs using manuals about protecting state networks, namely order of the FSTEC of Russia № 17 about IS in government information systems

, representatives of IS department developed necessary ODD for MIS, which were created in period of the late tenth years.

During the current period of difficult situation, when most CII facilities are constantly being attacked by intruders, medical information and analytical centers in various regions of our country are gradually acquiring the category of CII. Representatives of IS department «Netrika Medicine» directly take part in format of consultation in this labour-intensive process. The main management document in this movement is methodology about categorization of CII subjects


The hardest moment to date, part of the MIS software has been implemented for the Microsoft SQL server database management system. In view of the fact that in the near future many customers will be subjects of CII or already are, and also plan to carry out certification work, the software for MIS have to be implemented under the special-purpose operating system «Astra Linux Special Edition» (Voronezh release)

. Also, CII subjects are starting to use the secure database management system «PostgreSQL», which is also certified as part of the above operating system in the certification systems of the Russian Ministry of Defense, FSTEC of Russia and the FSB of Russia for compliance with IS requirements. The task of switching to Linux-like OS is also complicated by the need to develop a database converter from «SQL Server» to «PostgreSQL». As part of import substitution, developers are working on the transition to a Linux-like operating system and database management systems. At the same time, the development of new software components for MIS have to be carried out for Linux-like systems. The pilot region where the software for the MIS of limited liability company «Netrika Medicine» has been deployed is the Rostov region. Certification work is tentatively scheduled for November 2024.

Studying scientific articles of the IS specifics for healthcare, the advantages of the ODD set described in this article were confirmed in review materials MIS as objects of evaluation

. It is identified a constant development of the IS subsystem for MIS, including the renovating of the list of ODD. At different periods of time, MIS first became the PDt information system, the government system and CII. Considering that at these stages of development, financial for the modernization of ODD, and a single study was carried out for each MIS, systematization for the development of ODD set described in this article looks like a clear advantage. Possible disadvantages of the systematization compared to other methods include the fact that the list of ODD described in this article is not relevant for the Ministry of Defense.

An innovation in the field of IS for MIS could be artificial intelligence, which would generate a list of ODD. Thus, as in the MIS itself, where artificial intelligence is currently not applicable, so in the IS subsystem this is still unlikely.

A real-life example of the use of ODD list is MIS developed Netrika Medicine company, which deployed in more than 10 regions of our country. In particular, these are such software products

as «Telemedicine», «Patient Flow Management», «Patient Portal», «Access Management System» and «Integrated Electronic Medical Record».

It is generally analyzed the different requirements of regulators for ensuring IS in various information systems

. It would seem that each of these guidance documents includes its own set of specific requirements. One gets the feeling that ensuring IS for different MIS will be carried out in parallel, and not together. In fact, any IS specialist will say that most of the requirements are partially repeated. In this case, it is clearly that 85-95% of requirements are repeated at least once. In this regard, there are only 5-15% of the requirements are unique. In conclusion analysis of regulatory documents, it is clear that the MIS consist of requirements for CII, government systems and information systems of PDt.

At the same time, the contract for the development of MIS in the Rostov region was successfully completed and agreed upon by the receiving authorities, including acceptance tests of the IS subsystem. To complete the stages of work, it was necessary to develop ODD for the protection of PDt, state information systems, as well as CII subjects. In this regard, it was decided to develop complex operational ODD that satisfy the above properties. That is why, when it is necessary to form technical specifications and projects for newly developed MIS, it is recommended taking as a basis the list of ODD for IS given in Table 1.

Table 1 - Composition of ODD for MIS




IS policy


Order, instruction about localization of information


Order, instruction, magazine of computer storage media


Order, regulation about control


Order about the list of protected information


Order approving the assessment of harm


Order and instructions on access procedures


Order and magazine about storage locations of protected information


Order on the procedure for considering appeals


Order and instructions about storage periods


Order about instructions for users and personnel in case of emergency situations, organization of password protection, anti-virus control, backup

3. Main results

Using the example of the MIS of the «Netrika Medicine» company, the results of implementation of the developed ORD for MIS in the following regions were identified: St. Petersburg, Leningrad Region, Rostov Region, Stavropol Territory. Other regions of coverage have not yet completed the stage of categorizing CII, but there is one certainty that for their needs the also developed ORD will be in demand and relevant.

The practical recommendations for using the ODD list include work on designing a secure MIS. That is why, at the stage of forming IS threat model for the above-mentioned MIS, developed by the «Netrika Medicine» company, attention is focused on the procedure for forming configuration of ODD. Additionally, the types of ODDs being created were identified and the need for additional information security measures when processing sensitive data was processed.

4. Conclusion

Summing up the results of the research, it is important to underline that the relevance, scientific nature, methodological and practical value of the materials describing a systematic approach to the formation of a list of ODD for information security for new MIS have been confirmed. Thus, when developing the ODD composition for MIS, it is necessary to use the method of their formation described in this scientific article.

Article metrics