HomeResourcesCase StudiesBangladesh Healthcare ISO 27001
ISO 27001HealthcareHealthcare · Bangladesh

Bangladesh Private Hospital Achieves ISO 27001 for Patient Data Protection

A leading Dhaka private hospital group implemented ISO 27001:2022 to protect over 400,000 patient records — certifying in 9 months and qualifying for international health insurance network membership.

ISO 27001:2022 · DGHS Compliant
9mo
Patient Data Certified
400K+
Records
280
Staff Trained
2
Campuses
1
Network App
Industry
Healthcare
Service
ISO 27001:2022 Certification
Timeline
9 months
Technology
Complio Platform
The Challenge

Electronic Health Records, No Information Security Framework

A leading Dhaka private hospital group — operating two campuses and a telemedicine platform — had completed a major electronic health record (EHR) system migration. The EHR now contained over 400,000 patient records accessible to 280 medical and administrative staff across both campuses.

The Directorate General of Health Services (DGHS) had issued guidance recommending ISO 27001 for healthcare institutions managing electronic patient data. While not yet a mandatory requirement, the guidance signalled the direction of regulatory expectations — and early adopters would be better positioned when mandatory requirements arrived.

More immediately, the hospital was in discussions with an international health insurance network that required ISO 27001 certification as a prerequisite for network membership. This network membership would allow the hospital to directly bill international health insurers — a revenue opportunity estimated at 15–20% increase in international patient admissions.

The hospital's IT team managed the EHR system and network infrastructure competently, but had no experience with formal information security management systems. The gap was not in technical capability but in governance: there were no documented information security policies, no formal risk assessment process, and no structured approach to managing the security of patient data across the organisation's 280 staff members — many of whom were clinical staff with limited IT security awareness.

  • 400,000+ patient records in newly migrated EHR system
  • 280 staff across 2 campuses and telemedicine platform
  • DGHS guidance recommending ISO 27001 for healthcare institutions
  • International health insurance network requiring certification for membership
  • No existing information security policies or formal risk assessment process
EIC's Approach

Healthcare-Specific ISMS with Patient Data Focus

EIC deployed a healthcare-adapted ISMS implementation focusing on patient data protection, clinical workflow integration, and staff awareness across both medical and administrative teams.

Phase 01 · Months 1–2

Scope & Gap Analysis

ISMS scope: both campuses + telemedicine platform. Patient data classified. 28 control gaps identified. Physical security at nursing stations and pharmacy flagged as critical gaps.

Phase 02 · Months 2–5

Control Implementation

28 gaps addressed. EHR access controls (role-based, MFA for admin), medical device network segmentation, physical access. 280 staff trained — DGHS-specific module.

Phase 03 · Months 5–8

Evidence & Audit Prep

Complio evidence packs maintained. Internal audit conducted. 4 observations cleared. Particular focus: audit trail for all EHR access.

Phase 04 · Months 8–9

Certification Audit

Stage 1: zero major NCs. Stage 2 (2-day on-site): 1 minor observation (incomplete training record for 3 contract staff — closed in 7 days). Certificate issued.

Healthcare-Specific Detail

Protecting Patient Data Across Clinical and Administrative Workflows

Healthcare ISO 27001 implementations require attention to the intersection of information security and clinical workflows. The hospital's 280 staff included doctors, nurses, pharmacists, lab technicians, billing staff, and administrative personnel — each with different levels of EHR access and different operational contexts for handling patient data.

EIC's gap analysis identified physical security at nursing stations as a critical gap. Nursing stations on patient wards had EHR terminals that were frequently left unlocked during shift changes and ward rounds. A clear desk policy adapted for clinical settings was implemented: automatic screen lock after 2 minutes of inactivity, badge-tap authentication for quick re-access, and physical positioning of monitors away from patient and visitor sight lines.

The pharmacy was another critical area. The pharmacy information system connected to the EHR for prescription verification and drug interaction checking. This system contained patient medication histories — particularly sensitive data that required both access control and audit trail capabilities. Role-based access was implemented to ensure pharmacists could view medication-relevant patient data without accessing full medical records.

The staff awareness training programme was delivered to all 280 staff members across both campuses, with a healthcare-specific module covering patient data confidentiality, social engineering scenarios relevant to healthcare settings (e.g., callers claiming to be family members requesting patient information), and the specific requirements of the DGHS guidance. Clinical staff received shorter, workflow-integrated training sessions rather than traditional classroom-style IT security training.

Results

Measurable Outcomes

400K+
Patient records protected under certified ISMS
280
Staff trained on information security (including healthcare-specific module)
9
Months to ISO 27001:2022 certificate from engagement start
1
International health insurance network membership application progressed
"
Patient data protection is not just compliance — it's a clinical trust issue. ISO 27001 gave us a framework that our board, our patients, and our insurance partners could all understand and rely on.
Chief Medical Officer, Private Hospital Group, Dhaka
Services & Technology in This Engagement

Protecting Patient Data Under DGHS or Healthcare Regulations?

Schedule a 30-minute scoping call and we'll assess your healthcare data protection requirements and recommend an ISO 27001 pathway.