New Zealand HISF 2022 — Health Information Security Framework

SmartSuite provides the system for managing controls, evidence, mappings, assessments, and reporting. Framework text may require a separate license unless explicitly provided.
Overview
The New Zealand Health Information Security Framework (HISF) 2022 is a national security framework that establishes requirements for protecting health information within the New Zealand health and disability sector.
Why it Matters
HISF 2022 establishes a consistent security baseline for protecting health information across the NZ health sector. Key benefits include:
- Strengthen health information security governance
Establish consistent security policies and oversight structures across health sector organizations and their systems.
- Enhance regulatory compliance
Support alignment with New Zealand health sector security and privacy requirements, including the Health Information Privacy Code.
- Improve data protection practices
Implement controls that protect sensitive patient and health information from unauthorized access or disclosure.
- Increase audit readiness
Maintain documentation and evidence of security control implementation to support assessments and reviews.
How it Works
HISF 2022 is organized around security control domains covering governance, risk management, access control, data protection, incident management, and business continuity, all tailored to the health sector context.
Key Elements
- Health Sector Security Controls
Organizes security requirements into domains addressing risks specific to health information environments.
- Risk Management Framework
Provides guidance for identifying and managing security risks in health information systems and processes.
- Privacy and Data Protection Requirements
Specifies controls for protecting personal health information in alignment with New Zealand privacy legislation.
- Incident Response and Continuity
Defines requirements for responding to security incidents and maintaining continuity of health services.
Framework Scope
HISF 2022 is implemented by health sector organizations in New Zealand handling health information, including hospitals, health providers, and their technology systems.
Framework Objectives
HISF 2022 establishes security requirements to protect health information and support safe digital health services in New Zealand.
- Protect sensitive health information through appropriate security controls and governance
- Support compliance with NZ health sector privacy and security requirements
- Strengthen risk management practices across health information environments
- Enable audit readiness through structured control implementation and documentation
- Classification
Category: Data Protection & Privacy
Domain:
Framework Family: Other
- Regulatory Context
Type: Framework
Legal Instrument: Framework
Sector: Healthcare Sector
Industry: Healthcare & Life Sciences
- Region / Publisher
Region: Asia-Pacific
Region Detail: New Zealand
Publisher: Health New Zealand | Te Whatu Ora
- Versioning
Version: 2022
Effective Date: 23 December 2022
Issue Date: 23 December 2022
- Adoption
Adoption Model: Regulatory Compliance
Implementation Complexity: High
License included / downloadable: Yes
The Health Information Security Framework (HISF 2022) is published by HISO under Te Whatu Ora and is freely available on the Te Whatu Ora website.
License included with platform.
How SmartSuite Supports NZ HISF 2022
Manage New Zealand Health Information Security Framework (HISF 2022) requirements by organizing healthcare security controls, tracking risk management activities, and maintaining evidence supporting protection of sensitive health information.
Health Information Security Control Framework
Structure HISF control domains with ownership, scope, and implementation tracking.
Clinical Data Protection and Privacy Controls
Manage safeguards for patient data confidentiality, integrity, and secure access.
Risk Assessment and Security Governance
Track healthcare-specific risks, mitigation actions, and governance processes.
Access Control and Identity Management
Manage user access, authentication, and role-based permissions across clinical systems.
Health Data Breach Monitoring and Response
Monitor security incidents and manage response workflows for health data breaches.
HISF Compliance Monitoring and Healthcare Reporting
Provide dashboards showing control coverage, risk posture, and HISF compliance readiness.
Related frameworks

COBIT 2019 is a governance framework that helps organizations govern and manage IT to meet business goals, risks, and compliance.

CIS Controls v8.1 provides prioritized, practical security actions to help organizations mitigate common cyber threats and strengthen defenses.

ISO/IEC 27001:2022 is an international ISMS standard that helps organizations manage information security risks and protect data.

ISO/IEC 27002:2022 provides best-practice information security controls to help organizations select, implement, and manage protections for information assets.

NIST Cybersecurity Framework (CSF) v2.0 is a risk-based framework that helps organizations manage and reduce cybersecurity risks.
Frequently Asked Questions For New Zealand HISF 2022 (Health Information Security Framework)
The HISF 2022 is designed to help healthcare organizations identify, address, and manage cybersecurity risks to health information systems. Its controls safeguard sensitive patient data and support compliance with New Zealand health sector privacy and security regulations.
While HISF 2022 is not a formal certification, adherence is expected for organizations delivering healthcare services in New Zealand, especially those subject to regulatory oversight by Te Whatu Ora – Health New Zealand. Compliance is often mandated by government contracts, sector guidelines, or required for integration with other health providers.
The HISF 2022 applies to healthcare providers, government health agencies, and third-party IT service partners managing health data or supporting health information systems in New Zealand. The framework is relevant to any entity that stores, processes, or transmits sensitive patient information in the health sector.
Key requirements include documented risk assessments, comprehensive cybersecurity policies, incident response plans, and regular reviews of security controls. Organizations must establish privacy governance measures and maintain evidence demonstrating adherence to security practices.
Implementation involves integrating HISF requirements into organizational risk management processes, conducting regular threat and vulnerability assessments, and operationalizing technical and administrative controls. Ongoing education, incident response readiness, and continual improvement are also important.
The HISF 2022 aligns with international best practices, such as ISO 27001 and NIST guidelines, but is tailored to the specific regulatory and operational context of the New Zealand healthcare sector. Organizations may map HISF controls to other frameworks to ensure comprehensive security coverage and compliance with multiple standards.
Healthcare organizations must conduct periodic risk assessments, monitor the effectiveness of implemented controls, update security policies, and maintain detailed compliance documentation. Incident response plans and continuous staff training are also required to address emerging threats and maintain resilience.
SmartSuite supports HISF 2022 compliance by enabling organizations to track cybersecurity risks, manage and document required security controls, collect evidence for audits, and generate compliance reports. Its platform helps maintain audit readiness, monitor security program maturity, and centralize policy and incident documentation to support ongoing regulatory adherence.

