Information systems security survey
The University of Nebraska Medical Center (UNMC) is a public university in the state of Nebraska that offers training and research in health care programs. It is the only public academic institution that deals with health sciences in Nebraska. The motivation of the institution is to offer training for healthcare staff so that they are able to handle the challenges posed by today’s healthcare staff. The hospital also has the mission to provide solutions for diseases that are devastating to the public. It strives to offer services to the state and to the general public through outreach programs that are considered to be award-winning. The university has six colleges and two institutes. The chancellor is Harold Maurer, who leads an institution that has more than 3600 students enrolled in more than 25 programs. The primary care programs offered by the institution are ranked at position six in the United States. The institution has also developed an assistant physician program that was ranked at position 16 in the News and World Report. It has competitive programs such as physical therapy, pharmacy, and a master's program in nursing; these have been ranked among the top programs in the United States.
The information security program of the University of Nebraska Medical Center has been developed in the form of an information security policy for the university. The information security plan is based on the HIPAA plan. Training is carried out in all departments of the university so that they comply with the information security plan. The plan has been developed to ensure the confidentiality and integrity of all patient data. It defines the types of information stored in the organization: patient data, employee data, research information, business plans, financial data, student education records, protected health information, and protected student financial information. This data needs to be protected through access control. Only the interested parties are meant to access the information, so that its confidentiality is preserved. The health information that needs to be protected has been defined, and it must be protected so that it retains its integrity. The business data should remain confidential and maintain its integrity. The plan addresses the availability, integrity, and confidentiality of the data, and has risk management plans for the data in case there is a breach of these plans. Student data is protected under FERPA and GLBA. Patient and other health care information is protected under the HIPAA plan.
The information security plan of UNMC also has a risk management plan. The university has put in place risk management plans for internal and external risks. The plan is guided by close monitoring of security groups that operate worldwide. These groups include the Internet2 Security Working Group and the Federal Computer Incident Response Center, which is under the Department of Homeland Security. There are also associations and partnerships with vendor sites such as those of Microsoft and Symantec. The university has developed an Information Security Incident Reporting and Response Plan. This is used to manage any risk that has been reported by the company. There is also an external audit, performed by an external entity, so that vulnerabilities exposed to the internet are identified and pinpointed.
Different staff members have been employed to ensure that the information security program of the campus is fully implemented. The HIPAA Information Security Officer also doubles up as the Information Security Plan coordinator for the University of Nebraska Medical Center campus. The campus has developed policies and procedures that should be understood by all the security officers and custodians of data within the campus.
The information security plan ensures that there is training for all personnel who handle the data at any point. This is important so that the confidentiality of the data is assured at every stage of information processing. There is workforce training and management in the campus to ensure that this is undertaken and achieved.
Information systems have access controls so that only those who have the access rights can access the information. These have been designed so that a user is given access to information only on a need-to-know basis.
The plan defines the procedures that are meant to ensure availability of information in the campus. Computer failures have been factored into the security plan so that, should one occur, it will be addressed. This is done to ensure continued service delivery in the campus. The objective of this procedure is to ensure reliability of access to information, eradication of redundancy, availability of information throughout the processing of information, and high performance of the information systems within the campus.
The information security plan has been developed so that it also involves the service providers. The service providers are required to comply with the Protected Health Information requirements and UNMC Policy 8009, which is the contract policy. This ensures that all the procedures of information handling are protected.
The information security program fits the strategic plan of the institution. One of the objectives of UNMC is to have state-of-the-art health care. This is achieved through continuous research and innovation, which is only possible if the research can be relied upon. The data should be protected and available to the researchers and should comply with international standards of health information. Security is an important part of this objective; without security of information in an organization, it will be hard to achieve. The research data should be available, safe, confidential, and have integrity. This security plan fits the strategic plan of the campus in that it has plans to ensure that the data in the campus is safe.
The scope of the information security plan covers student data, patient data, financial information, international security requirements, and access procedures of the information systems in the campus. All of these have been addressed so that it is also defined how the business data will be defined and accessed. There are technical controls on the users who have permission to access the data. Access controls have been set up so that people with the right access control information can access the data.
There are gaps in the information security of UNMC. One notable gap is the lack of a security definition for data while it is being exchanged. There are no clear standards to be followed while transmitting data between the providers of health information within the campus. The campus has other colleges that will need data about some patient or a similar disease. The transmission process has not been defined well in the information security program. Another gap is that there is no clear definition of authorization procedures for cases in which users want to use information. This should be defined in the security plan. There are instances in which information is needed urgently. The plan needs a way of addressing these without compromising the security and privacy of information.
There are many benefits that come with the program. One of the benefits is that there is a clear definition of the procedures for handling data to ensure data confidentiality. All stages of information processing have been included in the information security plan so that information security is covered in all these areas. Another benefit is that the plan will help the organization achieve the goals of its strategic plan.
The cost of implementing the information security plan in the campus is approximately US$230,000. This cost covers training, hardware, contractor services, software that needs to be purchased, security that will be implemented, and other miscellaneous costs. Hardware will cost approximately US$5,000, which will cover server and host computers. The software will also cost approximately US$5,000. The contractor services are the most expensive, at approximately US$100,000. Training and security will cost approximately US$15,000. Compared to the benefits, it is better to pay for these services and have security compliance of the data.