University of Nebraska medical center

Name:

Number:

Course:

Lecturer:

Table of ContentsTOC z o “1-3” u hTable of Contents PAGEREF _Toc417232926 h 21PURPOSE PAGEREF _Toc417232927 h 42CORPORATE GOVERNANCE PAGEREF _Toc417232928 h 42.1 RISK MANAGEMENT PAGEREF _Toc417232929 h 42.2 CODE OF CONDUCT PAGEREF _Toc417232930 h 43BUSINESS OPERATIONS PAGEREF _Toc417232931 h 53.1 FACILITY MANAGEMENT & PLANNING PAGEREF _Toc417232932 h 53.2 RECORDS MANAGEMENT PAGEREF _Toc417232933 h 54COMMUNICATIONS PAGEREF _Toc417232934 h 64.1 COMMUNICATIONS PAGEREF _Toc417232935 h 64.2 INFORMATION SHARING PAGEREF _Toc417232936 h 65ASSET MANAGEMENT PAGEREF _Toc417232937 h 65.1 COMPUTER/DEVICE TRANSFERRED BETWEEN PRIMARY USERS WITHIN THE SAME DEPARTMENT PAGEREF _Toc417232938 h 65.2 COMPUTER/DEVICES SOLD/TRANSFERRED TO A DIFFERENT DEPARTMENT PAGEREF _Toc417232939 h 76COMPLIANCE PAGEREF _Toc417232940 h 76.1 COMPLIANCE TRAINING PAGEREF _Toc417232941 h 76.2 FINANCIAL COMPLIANCE AND COST ANALYSIS PAGEREF _Toc417232942 h 87CUSTOMERS PAGEREF _Toc417232943 h 87.1 RED FLAG IDENTITY THEFT PREVENTION PAGEREF _Toc417232944 h 87.2 ASSESSMENT AND REPORTING PAGEREF _Toc417232945 h 88INCIDENT MANAGEMENT PAGEREF _Toc417232946 h 98.1 ROLE OF UNIVERSITY CHIEF INFORMATION SECURITY OFFICER PAGEREF _Toc417232947 h 98.2 PROTECTED HEALTH INFORMATION (PHI) PAGEREF _Toc417232948 h 99APPLICATION DEVELOPMENT PAGEREF _Toc417232949 h 109.1 CONFIGURATION GUIDELINES IN COMPLIANCE WITH HIPAA PAGEREF _Toc417232950 h 10In this case, the configuration will be such that the healthcare plus the additional types of patient information and /or data shall be stored either provisionally or permanently in the back end database outside the control of patient. Data confidentiality is one of the main challenges for patients who use the cloud based services such as it will be for this case. PAGEREF _Toc417232951 h 109.2 ASSESSMENT AND CERTIFICATION GUIDELINES IN COMPLIACE WITH HIPAA PAGEREF _Toc417232952 h 1010IT OPERATIONS PAGEREF _Toc417232953 h 1010.1 UNMC NET ID ACCOUNTS PAGEREF _Toc417232954 h 1010.2 UNMC EMAIL ACCOUNTS PAGEREF _Toc417232955 h 1011OUTSOURCING PAGEREF _Toc417232956 h 1011.1 INFRASTRUCTURE OUTSOURCING: NETWORK SERVICES PAGEREF _Toc417232957 h 1011.2 INFRASTRUCTURE OUTSOURCING: SECURITY SERVICES PAGEREF _Toc417232958 h 1112ACCESS CONTROL PAGEREF _Toc417232959 h 1112.1 ACCESS CONTROL SYSTEM COMPONENTS PAGEREF _Toc417232960 h 1112.1.2 WORKSTATION ACCESS CONTROL PAGEREF _Toc417232961 h 1112.2 PHYSICAL / ENVIRONMENTAL PAGEREF _Toc417232962 h 1112.2.1 HIPPA COMPLIANT ACCESS PHYSICAL SAFEGUARD ACCESS CONTROL PAGEREF _Toc417232963 h 1112.2.2 BARRIERS AND PROCEDURES ESTABLISHING CONTROLLED AREAS AROUND THE BUILDING PAGEREF _Toc417232964 h 1213POLICIES & PROCEDURES PAGEREF _Toc417232965 h 1213.1. DEPARTMENT PERSONNEL RESPONSIBILITIES PAGEREF _Toc417232966 h 1213.2 SECURING CAMPUS BUILDINGS AFTER NORMAL BUSINESS HOURS PAGEREF _Toc417232967 h 1214PRIVACY PAGEREF _Toc417232968 h 1214.1HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT PAGEREF _Toc417232969 h 1214.2GRAMM – LEACH – BLILEY ACT (GLBA – 16 CFR PART 314) PAGEREF _Toc417232970 h 1315SECURITY PAGEREF _Toc417232971 h 1315.1PRIVACY/CONFIDENTIALITY PAGEREF _Toc417232972 h 1315.2COMPUTER USE/ELECTRONIC INFORMATION PAGEREF _Toc417232973 h 1316SUMMARY PAGEREF _Toc417232974 h 1317REFERENCES PAGEREF _Toc417232975 h 14

PURPOSEThe purpose of this paper is to prepare security plan that offers security awareness policy framework outline according to the critical infrastructure which concentrates on identifying, protecting, detecting, responding and recovering of disasters.

CORPORATE GOVERNANCE2.1 RISK MANAGEMENTRisk management will involve identification of the possible risk factors by the University medical IT team. Risks will also have to be detected once they occur, followed by response against the risk by the relevant team of expert from the It department. However, the issue of risk management will involve corporate participation of all system users together with the executive management team of the medical center. The management will also involve the design of medical devices through consideration of security and privacy from the initial phases of requirements specifications and all through the development lifecycle of the medical software. The whole process of risk management will thus various processes such as constant monitoring of information security which in turn requires maintenance of the continuing awareness for privacy and security controls, threats and vulnerabilities. The main aim is to carry out constant checking of the security for the university medical center’s network together with information, the IT systems in place. This will be followed by timely response, avoidance or risk alleviation strategy as circumstances continues to vary. Risk assessment will also be carried out as part and parcel of risk management process. The extra control of procedures, processes and equipment used will have to be employed for the sake of minimizing risks on medical information.

2.2 CODE OF CONDUCTThe code of conduct will apply to all staff and the users of health records within the university medical center. Some of the codes of conduct will include the following: Limitation of use whereby patient data and other personal and confidential data are not allowed to be disclosed, made accessible or used for different purposes which differs from the ones specified except with the permission from the relevant subject or through the right of law. Security defense must be observed where patient and other sensitive data should be safeguarded by means of sensible security safeguards against risks like loss or illegal access, destruction, data disclosure, alteration or even use of data. Openness: As part of conduct, there should be broad policy concerning medical center operations, policies and practices in relation to personal data. The medical data controller should also be accountable for complying with measures which give effect to the principles such as openness, limitation of use, security safeguard and others. In the case of any disclosure of individual information about patient, a notice or awareness should be given to those concerned in advance.

The concerned medical staff should ensure that there is no leakage or loss of patient data or records. Therefore, the data clerks, database administrator together with the chief information officer should ensure that the stored data records are accurate and secure. In addition, they should ensure high integrity of data. The medical information staff should also ensure that information is made available where necessary to the concerned stakeholder within the shortest time possible. The purpose for which individual data gathered should be specified at a time not later than the time of data gathering and the succeeding use constrained to the achievement of those purposes. The users and data administrators should also follow practice principles that govern electronic medical record and guidelines with respect to patient care according to HIPAA rules. In other words, fair information practices should be followed by the medical staff members. The staff should also report any perceived incident of risk in advance before the actual happening takes place. Disasters should be reported to the disaster recovery manager and to the administration at large within the shortest time possible. In addition, the data controller should be accountable for meeting the key principles.

BUSINESS OPERATIONS3.1 FACILITY MANAGEMENT & PLANNINGThis will involve management of University medical center network which in general will comprise of traffic management, delay and distortion management, security management and the management of network equipment used. The traffic management shall have the role of achieving high quality of service across the medical network during the process of sending and receiving data/information. Traffic management shall include the use of traffic security design for media aware control. The media aware traffic control architecture used shall consists of key management for scalable and non-scalable scheme, batch keying for periodic, leave rekeying and join rekeying, authentication which include group, source and single sender authentication measures and watermarking for single and multiple copies.

The management of delay and distortions shall use algorithms for traffic management to control and minimize the effect of both transmission delay and signal distortion. The facility management and planning shall make use of firewall for packet filtration to ensure that invalid packets do not pass through the nodes of the network. There shall also be management of potential malicious attack by viruses and cyber criminals for the purpose of keeping transmission of patient related information safe and secure. The management of leaked and modified information shall also be carried out to maintain the integrity of patient medical records.

3.2 RECORDS MANAGEMENTThe medical electronic records shall be concealed from the management staff, insurance providers, researchers and other individual personnel who do not have any suitable privilege for the access of such records. Several electronic health records shall not be linked to the same owner to stop patient profiling. The access of medical records shall also be restricted by means of password, access controls and other possible authentication measures. The management and access of patient’s health records shall be done in accordance with the HIPAA rules, regulations and guidelines that guides that defines patient care and treatment procedures.

COMMUNICATIONS4.1 COMMUNICATIONS Communication process within the university medical center shall be made possible through the use of both software and appropriate hardware. Web browsers will serve as clients with any suitable server software. The hardware to be used will include personal computers for both clients and servers. Firewalls in addition to virtual private network will also be used to enhance secure communication between communicating nodes. The medical center network will thus use the services of the internet such as transfer control protocol/internet protocols and the World Wide Web to get the services of the internet within its internal network. The communication infrastructure as whole will employ the use of both guided and unguided transmission mediums. The guided mediums shall include optic fiber cable for quick transmission at several terabytes of data second. The CAT5 network cables shall also be used within the network layout to get data signals from the source. The network Switches will data signal sources where the batch codes will link the switch to the batch panel. The batch panel is a network hardware device where all other CAT 5 network cables from the access points shall be terminated. Microwave transmission will be used as non-guided medium based on the line of sight of points of communication.

4.2 INFORMATION SHARINGThe hybrid share generation and distribution system shall be used to attain dependable and fault tolerant original data storage through offering redundancy for the innovative components of data depending on the principle of secret sharing and erasure coding. Information sharing shall also take place through the use of server computers to provide internet services to various client computers within the university medical center. The information sharing shall also be regulated to ensure that users can only access particular parts or section of health information at a given time. The efficient data integrity verification system which exploits the methods of algebraic signatures shall be employed in order to guarantee the dynamic integrity of the distributed data sharing for the health medical records information.

ASSET MANAGEMENT5.1 COMPUTER/DEVICE TRANSFERRED BETWEEN PRIMARY USERS WITHIN THE SAME DEPARTMENTAny transfer of computing device between primary users within the same department shall be done with the approval from the IT manager. The process of transfer shall also ensure that the reasons behind such transfer are well documented. If the transfer involves the change in the use of the computer, then the existing files shall be backed up in other removal storage devices and/or other computers to avoid free access of the same information by different users of the same department. The transfer of the computer or device will also be transferred with the condition that the transfer process does not compromise both the logical and physical security of the entire network system within the university medical center.

5.2 COMPUTER/DEVICES SOLD/TRANSFERRED TO A DIFFERENT DEPARTMENTThe transfer of computers and/or other communication or internetworking devices to a different department will also be done through the approval of both It manager and network administrators. This kind of device transfer shall also be done according to rules and regulations that governs the use of IT equipment within the medical center. The transfer process of computers and related devices shall be carried out if at all there is need to transfer the entire system files from one department to another for use in that new department. In case one department has computers and other devices in excess supply of what it needs, then the IT manager shall also have the responsibility of recommending the transfer of the excess devices or hardware resources to the another department which lacks sufficient resources.

The sale of computer or devices to another department shall take place in case the two departments are completely separate and do not operate or function for a common goal. On department may also decide to sell devices and other IT equipment to a different department if the buying department has few resources. The selling of devices and computers will also be subject to the fact that every department is responsible for buying its own IT equipment. In this case, the department which has managed to buy sufficient number of computers and devices shall be permitted to sell extra resources to the medical center department that is willing to buy. The sale will also be permitted only with the condition that the equipment to be sold are still fresh are thus are not subject to breakdown in the near future. The specifications of the devices and computers being sold will have to meet those of the ones used as nodes within the existing computer network to allow the buying department to get an easy way of connecting to the network. The issue of similarity in specification will be considered very crucial to ease the IT maintenance process of the network and the connected devices. Last but not least, the sale of computers and devices shall be permitted under conditions that devices needed by the other department are not easily available in the market or at the vendor shops.

COMPLIANCE6.1 COMPLIANCE TRAININGAll the staff, both IT and the medical staff members in the university medical center shall be subject to training by the medical center concerning the various codes of conduct for the use of electronic health records. The in-house training approach will be employed. The main aim of this training is to ensure that every staff follows rules and regulations that govern the use of medical health records in the university medical center. This also means that those employed as the users or administrators of the electronic health system will have to meet certain qualifications before they can use the IT medical records. Failure by any member of staff to comply with the stipulated rules and regulations, then the concerned member faces discipline committee or consequences of the law. The compliance training shall be carried out by the top management of the IT department with the help of executive management team.

6.2 FINANCIAL COMPLIANCE AND COST ANALYSISThe implementation of this policy is subject to financial compliance by the medical center to budget and invest in the security system for the management of parent’s records. Nevertheless, the cost of implementing this policy may not be that expensive given that it is to complement the existing cybersecurity framework of the program. The university medical center management system is therefore to use its existing processes and procedures for leveraging the framework in order to identify the opportunities to be strengthened. Therefore, the cost of compliance in this case will be considerably low since the policy plan is to be subjected to the already existing network infrastructure framework.

CUSTOMERS7.1 RED FLAG IDENTITY THEFT PREVENTIONThe maintenance of data using portable computers , removable media and embedded devices are prone to more risk of theft and loss of data and / information as compared to when the same data are upheld and processed within public cloud which on the other hand is characterized by less risk. As a result, this policy plan considers the use of cloud service providers for identification of theft and prevention. The use of cloud service providers thus is more convenient because it will also help in the cost minimization of the operational expense than when the university medical center installs and operate the entire IT infrastructure on their own (Jansen & Grance, 2011).

The customer’s data or information will thus be prevented from theft by cyber criminals or man in the middle. This prevention shall be carried out by identifying the possible existence of theft and raising the red flag concerning the situation. The cloud service providers shall help in the theft identification as well as prevention processes. However, any staff has the responsibility of identifying the existence of possible theft of customer’s sensitive data from the medical center. An example of information theft is the risk of images being run by consumers (Jansen & Grance, 2011).

7.2 ASSESSMENT AND REPORTINGThe assessment of risk shall take place after the identification. The assessment shall be carried out for the purpose of knowing the magnitude of the risk in terms of its possible effect or havoc in the case where it is not alleviated. The risk assessment shall be conducted primarily to find out if there is considerable risk of harm to the customer (patient’s data) due to the breach of information according to HITEC act. The HITEC act sets forth fresh standards for notification of information breach within the health care industry and which requires covered entities to give notifications to the individuals affected (Hirsch & DEIXLER, 2013). The risk assessment shall also be used to examine the effectiveness or inefficiencies of the infrastructure security system installed by the university medical center in order to remain safeguarded from the cyber threats that are emerging. As a result, these permits shall permit the medical center to install patches and accept the needed measures of security for the purpose of protecting the medical center from the probable cyber attacks (Shah & Mehtre, 2013).

The two risk assessment approaches shall be employed, that is exploratory testing and systematic testing. The exploratory testing makes the use of Vulnerability Assessment and Penetration testing (VAPT) as an evaluation tool that guarantees cyber security. The VAPT tool is significant in scanning of every system component for the existing risk without any particular test plan and previous experience. The systematic testing shall involve the use of testers which follows the predefined plan of test instead of exploring (Shah & Mehtre, 2013).

INCIDENT MANAGEMENT8.1 ROLE OF UNIVERSITY CHIEF INFORMATION SECURITY OFFICERThe University Chief information security officer shall be responsible for handling all the information security incidents that are under the security rule. Any breach of vulnerable health information shall be reported to him/her as required through the breach notice rule. The chief information security officer shall use the organized available approach in order to tackle the results of the attack against safety of the computer network system in the university medical center. His/her responsibility shall involve making sure that the risk incidence case is reported to the cloud service provider who are in turn expected to take action within the shortest time possible. Once the incident is reported, the cloud provider shall be responsible for carrying out incident response activities which also includes verification of incidents analysis of attack, data gathering, containment, problem solution, and finally restoration of service. The Chief information security officer will thus ensure that the service operations in the medical center are appropriately restored within the acceptable time limit according to the service level agreement between the university medical center and the cloud service providers. The Chief information security officer shall handle a variety of risks ranging from data transmission errors, information theft, loss of data and/or information, hacking and all other kinds of cyber security attacks, whether internal or external the medical center.

8.2 PROTECTED HEALTH INFORMATION (PHI) The illegal acquisition, access, use or exposure of protected health information (PHI) compromises the safety and privacy of protected health information. Therefore, any attempt to disclose the PHI is considered as information breach. In the case of suspected breach of PHI, the nature and the scope of HPI shall be evaluated. This implies that entities that are covered will have to take in to an account the kind of HPI concerned. Secondly is to consider the person to whom the impermissible exposure of HPI was made. Third, is the investigation of whether the protected health information was actually gotten, viewed or whether it was just an opportunity that was available for acquiring or viewing information. The forth step of assessment is to consider the scope to which the vulnerability to the HPI has been alleviated. The associated risks, for example, shall be alleviated by means of getting the satisfactory assurance of the recipient that the information will not be used again in future or will not be exposed or destroyed. This can also involve the considering the scope and effectiveness of the of the risk alleviation when finding out the probability that the protected health information has been compromised (Hirsch & DEIXLER, 2013).

APPLICATION DEVELOPMENT9.1 CONFIGURATION GUIDELINES IN COMPLIANCE WITH HIPAAIn this case, the configuration will be such that the healthcare plus the additional types of patient information and /or data shall be stored either provisionally or permanently in the back end database outside the control of patient. Data confidentiality is one of the main challenges for patients who use the cloud based services such as it will be for this case.9.2 ASSESSMENT AND CERTIFICATION GUIDELINES IN COMPLIACE WITH HIPAAThe assessment and certification here will include some of the best practices and agreement frameworks. The practices include the general criteria for security evaluation for IT according to ISO 15408 certification which is a technical standard that certifies the degree of security presented by the safety measures in the implementation of information systems. The second practice is the control objective for IT which is an international standard for administration of IT that looks for to bringing together the models of business controls together with the models of IT controls. Other practices shall include guidelines for the IT security administration under ISO 13335, Information technology library infrastructure and critically operational threat, asset and susceptibility assessment and others (Saint-Germain, 2005).

IT OPERATIONS10.1 UNMC NET ID ACCOUNTSThe NET Id accounts will be assigned only to the medical and technical staff of the university medical center. This will be used as a way of restricting access to the university medical site freely by unauthorized persons. Nevertheless, every staff shall have different and unique ID accounts that will be relevant only to that particular staff as a user.

10.2 UNMC EMAIL ACCOUNTSEvery staff will also have unique e-mail accounts that will be relevant to that particular staff. However, that shall be one general email account that will belong to the medical center management through the office of human resource. The general email account will used by clients to communicate with the management of the medical center. His general email will be valid for use all the time. However, the individual staff emails will only be valid for use at restricted times of the day.

OUTSOURCING11.1 INFRASTRUCTURE OUTSOURCING: NETWORK SERVICESThere shall be outsourcing of network services from the cloud computing service providers such as Amazon. The cloud service providers shall be responsible for the management of the medical center network infrastructure. The roles of outsourced cloud service provider shall include risk identification and, assessment and solution through provision of business continuity and disaster recovery. This is basically information security services to the medical center. They will also be responsible for the management of software such as installation and maintenance of operating systems and other hardware equipments used for computer network infrastructure. The roles offered shall be based on the service level agreement to be signed between the university medical center and the service provider. The three main types of services to be provided via outsourcing comprise of information as a service, platform as a service and software as a service. The three services offered are considered relatively cheap as compared to the infrastructure installed and managed by the medical center itself.

11.2 INFRASTRUCTURE OUTSOURCING: SECURITY SERVICESThe security services to be outsourced from the cloud service provider include information security, hardware security and software security. The security of information shall be implemented by assigning the users of medical center different levels of log in privileges such that there will be high level users, low level users and middle level users.

ACCESS CONTROL12.1 ACCESS CONTROL SYSTEM COMPONENTSAccess control is a kind of safety characteristic used to control the right of entry into systems and network resources. The main aim is to safeguard information from loss, damage, deletion, theft or alteration either accidentally or intentionally by illegal access users. The components include network access components, system access components and data access components. The network access component will allow network users to access every resource on the network, thus needs to be protected, checked and restricted. System access component allows users to access the system within the network. This may include servers printers and others devices which can be shared on the network. This call for the restriction, protection and monitoring on the access of the devices. Data access components will permit users to access data o the resource of the network continuously. Users can access, modify files, database and other documents which all require protection, monitoring and restriction (Rao & Nayak, 2014).

12.1.2 WORKSTATION ACCESS CONTROLThe workstation access control components provide an area of computing where access control measures are configured through the central server system. It can be used to solve de-authentication problems in hospital or medical center by deployment of a group of workstations with unique sensors designed for the detection of human closeness. The close sensors can thus detect the human’s departure as the person walks away and signs the person out where possible. Nevertheless, this kind of system is not completely efficient since it has no minimum distance for detection, implying that it is prone for manipulation (Sinclair, 2014).

12.2 PHYSICAL / ENVIRONMENTALThe physical /environment include the hardware equipment such as computers, cables and even the building room where the medical computer network is set up or where the entire network is controlled. The physical/ environment shall be safeguarded by use of method such as computer locks and room locks to keep the physical devices from an attack or from theft.

12.2.1 HIPPA COMPLIANT ACCESS PHYSICAL SAFEGUARD ACCESS CONTROLThe medical center shall employ the use of HIPAA compliance rules that governs all medical transactions and sets of code to be maintained by Medicare and Medicaid center services. The HIPAA rules are mainly concerned with software vendors, health plans, and data clearing houses which are used irrespective of the environment where computation is carried out. The access to personal medical data and related information shall be monitored, protected and restricted from unauthorized access according to HIPAA rules (Regola & Chawla, 2013).

12.2.2 BARRIERS AND PROCEDURES ESTABLISHING CONTROLLED AREAS AROUND THE BUILDINGThe medical center perimeter shall be secured, the unsuitable and improper access restricted to the resources of the medical center, the controls shall include the use of microwave barriers, CCTV cameras, electrical fences in addition to the system of intrusion detection that is sensor based. This shall also include the use of security guards to offer guarantee for the physical control access by making sure that the entry as well as exit controls are suitably offered and checked. Other will include the use of badge systems and biometric control access (Rao & Nayak, 2014).

POLICIES & PROCEDURES13.1. DEPARTMENT PERSONNEL RESPONSIBILITIESThe IT department personnel shall include Chief information officer, data manager, system analyst, It technicians and data clerks. The Chief information officer shall be responsible for overseeing the overall management of IT infrastructure ranging from the information security, network security, infrastructure security and many others. The data manager will ensure that the medical data meets the standards in terms of integrity, completeness, redundancy, error free and that all the reports are from data are available within the acceptable limits of time. The system analyst shall be responsible for assessing or evaluation the electronic medical center system for weakness, error or for any malfunction from time to time. The IT technician will be responsible for repair and maintenance of all computing devices, maintenance of computer network, repair and problem troubleshooting. The data clerks will be responsible for entering data into the computer systems of the university medical center by typing.

13.2 SECURING CAMPUS BUILDINGS AFTER NORMAL BUSINESS HOURSAfter normal business hours, the campus building shall be manned by security guards. In addition, there shall be CCTV installed at various positions from outside the building to keep track of any persons who may be responsible for physical attacks to external communication equipment like microwaves.

PRIVACYHEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACTThe medical center policy shall conform to the HIPAA privacy rule which may subject business associates to HIPAA penalties in case they happen to go against the needed terms of agreements for business associates. The ultimate rule under this act states that the associates may be directly accountable under privacy rule for disclosures and use of protected health information in violation of agreement for the business associates or rule of privacy; failing to disclose protected health information to the secretary of HHS to evaluate the compliance of business associates with the rule of privacy; failure to make sensible effort to constrain the use and disclosure of protected health information, and the protected health information requested from a covered entity, to the suitable minimum for the accomplishment of the planned purpose; failure to disclose protected health information to confor