My question was regarding this: what is the difference between ISO 27001 and our "Security and Privacy" protection for patients' data? I am trying to understand whether, if we get the ISO 27001 certificate, we still need to obtain separate privacy and security protection or not.
ISO 27001 is a management framework for the protection of information in general, and does not cover specifics related to privacy and medical data, depending upon the defined requirement (e.g., GDPR, HIPAA, etc.).
Considering that, ISO 27001 may not be enough to ensure fulfillment of privacy requirements. In this case, you should consider using additional ISO 27001 supporting standards, like ISO 27701 (for privacy protection) and ISO 27799 (for health organizations).