CIS8018 Strategic Information Security Assignment Sample
Hospitals are complex institutions in which different departments handle a variety of patients, and the coordination of all these departments is essential (Olmeda, 2000). The information system of the hospital should be comprehensive and integrated so that it can manage the hospital's operations and services. It is also essential to protect information from unauthorized access and unauthorized modification of personal information, and to assess the risk of unauthorized disclosure (Layton, 2007). The three main principles governing the security of information in a hospital are confidentiality, integrity and availability (Dhillon, 2007). Confidentiality requires that the information system be secured against unauthorized access, while integrity requires safeguarding the information against modification by unauthorized parties (Layton, 2007). Availability means the information should be available only to authorized users and to no one else. The Nickol Bay Hospital in Australia requires a robust information security environment with a single homogeneous network that is highly secure and not vulnerable to external threats.
2. Health Information Privacy and Security
The privacy of patient records is the underlying principle of the relationship between a patient and a physician in a healthcare centre (Cate, 2002). Patients need to share the right amount of information for the physician to diagnose them properly, yet in some cases patients do not want to share private information about their health problems; for HIV patients, for example, disclosure may lead to social discrimination (Applebaum 2002). Hence it is necessary for the hospital and the physician who treats the patient to keep the patient's records private. The hospital management may find it difficult to manage the large sets of records that accumulate over time.
Information security and privacy are necessary, and information integrity with reduced transcription errors is required (Cate, 2002). This also covers accurate administrative information for finance and patient diet, and the maintenance of each and every patient record. Information security would form part of the hospital's information security program and also supports the decision support system used to develop healthcare policies, which are important for maintaining patient privacy. The increased use of automated technologies, such as medical claims processing and e-subscribing, has helped to increase healthcare privacy in hospitals (Olmeda, 2000). Moving and sharing patient information in electronic form is a challenge, and the challenge is to maintain the privacy of the data. Better management of the information exchange for patient records depends on how the healthcare organisation safeguards the confidentiality, integrity and availability of the data (Olmeda, 2000). The Nickol Bay Hospital currently needs to assess its security management plan in order to ensure the privacy and security of patient data.
3. The Information Security Program
Designing the information security management program is essential to provide a proactive approach to the protection of patients, health system assets and staff. Identifying the security threats that can affect patient privacy is important, and this understanding helps in designing an effective security management plan. The elements of a security management plan are (Layton, 2007):
- Develop, implement and maintain the information security management program
- Develop and identify written security policies and procedures
- Identify the different roles and responsibilities of the security personnel
- Train and monitor security staff
The information security management program would include three strategies (Peltier, 2002):
- Security and Privacy Program
- Risk Management
A risk management strategy is to be developed with the objective of identifying and assessing the data security risks, which are then used to develop security controls (Alberts et al, 2002). Appropriate security controls are required to treat the risks, for example through risk mitigation or risk avoidance. The primary benefit of a risk management strategy in the security program is that it allows the hospital to make informed decisions about allocating the different security resources required to improve data protection (Alberts et al, 2002). Assessment of the current security controls and current policies, along with the audit logs, is required as part of the risk management plan.
3.1 Identifying Security and Privacy Requirements
The healthcare organisation needs to be proactive in dealing with security and privacy instead of reactive. A technology-centric, bottom-up approach is required so that healthcare organisations can be preventive and proactive at the same time (Payne et al, 2003). The organisation's security and privacy requirements are identified through the method shown in the figure below, which needs to be followed at Nickol Bay.
The identification of security and privacy requirements is driven by standards such as ISO 27001 and ISO 27002 for information security management systems and security techniques. Nickol Bay should adopt the ISO 27001 standard together with the security and privacy regulations of HIPAA, the Health Insurance Portability and Accountability Act. Policy is the foundation of healthcare security and should have the approval of top management along with the engagement of all stakeholders (Intel, 2011). The healthcare needs at Nickol Bay should be based around the data classification of patient records, which helps in determining the security policy and risk management. Risk is a function of the probability of a vulnerability and a threat, and it should therefore be modelled around the severity and business impact of the risks (Alberts et al, 2002).
3.2 Information Security Policy
The information security policy defines the expected behaviours, rules, procedures and responsibilities required to safeguard the information (Dhillon, 2007). It includes policies related to the personal health and personal health information of patients, and information security needs to be aligned with the business strategy of the hospital. The information security policy would set out the importance of information and information security, along with the messages and accountability of information security (Layton, 2007). Compliance with legislation and other regulatory frameworks also needs to be included in the policy so as to maintain information privacy and security.
3.2.1 Stages of Security Policy Development
The stages of security policy development are (Peltier et al, 2002):
- Obtaining Executive Support: This is required to secure support and commitment for drafting the policy and implementing it. The engagement of senior management is essential at every step of policy development.
- Drafting and Engagement: While drafting the security policy, it is to be ensured that all the people who will be affected by it are engaged and review the content of the draft.
- Review: All the concerned stakeholders and the senior management should review the security policy draft and ask for changes in the initial draft depending on their concerns.
- Approval & Implementation: The approval of the security policy is required from the approving body, and it is necessary to be communicated to all the people in the organisation. After the approval, it is to be implemented according to the action plan so as to reach compliance and then monitored.
- Maintenance & Review: After the implementation of the policy, the policy should be maintained and reviewed on a periodic basis according to changing environment, technology or business strategy.
3.3 Layered Approach to Security and Privacy
There are three kinds of control that need to be established at Nickol Bay hospital, namely administrative, physical and technical controls (Intel, 2011). All three are essential together, and none is very effective without the others. A technical control such as encryption of the data would not be very effective without the administrative control that emphasises maintaining data confidentiality and also emphasises training and education related to security awareness in the organisation (Peltier et al, 2002). Physical control is likewise necessary alongside technical and administrative control. The multi-layered approach is quite robust, provides high-performance hardware-assisted security and handles complex vulnerabilities and threats.
Hardware-assisted security helps make the system robust and hardens the security controls; it forms the root element of the approach while improving the performance of the system at the same time. Some of the features that would be included are (Intel, 2011):
- High-performance Advanced Encryption Standard support, used to protect the confidentiality of sensitive private information, whether at rest or in use.
- Anti-Theft Technology, required to mitigate the loss or theft of sensitive information on the different systems in the network.
- Identity Protection Technology, providing the strong authentication required for differentiated access based on the varying responsibilities of different users.
- Virtualization Technology, used for high-speed virtual computing or cloud-based computing, which will also form part of the security system at Nickol Bay.
- Execution technology, required to protect the integrity of sensitive data on the servers and systems.
- Active management technology, for protecting the data while managing remote desktops and maintaining the same compliance and security measures.
Encryption is an effective countermeasure for handling sensitive data and avoiding information theft. Data in the healthcare industry should be maintained and protected end-to-end, whether in use, in transit or at rest (Layton, 2007). The hardware-assisted technologies, which are also robust, should provide an open foundation for third-party software vendors so that they can integrate and make their software compatible. This is helpful for the hospital because it can integrate with third-party software and, as the technology changes, upgrade to newer technologies.
3.4 Systems Engineered in accordance with HIPAA Compliance
The systems that will form part of information security and privacy at Nickol Bay should be in accordance with the privacy and security rules under HIPAA. HIPAA was enacted to reform health insurance practices and the management of health information; as organisations move from paper-based to electronic records, this will be cheaper for them in the long run (Owen, 2000). Nickol Bay should be HIPAA compliant, simplifying administrative processes while protecting patient privacy (Choi et al, 2006).
Patient confidentiality would be maintained while also enabling Nickol Bay to pursue initiatives that involve innovation and enhance patient care. Risk management and risk assessment are also required components of HIPAA, which calls for an accurate assessment of potential risks and for sufficient security measures to maintain security and deal with the varying threats and vulnerabilities (Baumer et al, 2002).
3.5 Risk Management
Risk management in hospitals covers security functions, legal issues and safety concerns (Alberts et al, 2002). The risks are monitored and assessed on a continual basis. The Nickol Bay hospital should follow a risk management process that starts with the identification of threats and then selects the security measures appropriate to deal with the risks.
Information security risk management is a coordinated activity in which security risks are identified, analysed and addressed according to the business goals and strategies (Alberts et al, 2002). Risks that would breach information confidentiality are to be reduced, and information security should reinforce privacy legislation.
A risk tolerance should be defined for information security; this tolerance line provides management guidance on the acceptable limit of risk (Alberts et al, 2002). The next phase is asset identification and valuation. The assets that are important to the healthcare business need to be identified and evaluated accordingly. Valuation is done according to the business value of each asset, for example the consequences under the law of losing personal health information (Symantec Corporation, 2009).
The Nickol Bay hospital should identify the different threats and vulnerabilities that can arise from the physical or electronic environment. The threats and vulnerabilities should be determined together with their likelihood, and the risks analysed according to their impact. They should then be segregated by impact level, from very low impact to very high impact (Symantec Corporation, 2009). This helps the hospital assign severity and priority to the risks. There are four ways in which risks are treated, namely risk mitigation, risk transfer, risk avoidance and risk acceptance. Risk mitigation is the first approach an organisation takes to minimise the adverse impact of risks; measures such as a firewall, which introduces one layer of protection, help achieve it (Alberts et al, 2002). A risk can be transferred to other parties, which reduces its severity and impact. Risk avoidance is achieved by changing the business scope or, for example, the technical characteristics of the information handled by the system. Finally, risk acceptance is the plan of accepting the risk, continuing with operations and planning to take care of the risk in the future.
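The process just described (tolerance line, likelihood and impact on a five-level scale, severity ranking, four treatment options) can be carried through as a small risk register. This is an added worked example, not part of the original assignment; the assets, threats, ratings and the tolerance value are constructed for a hypothetical hospital and are not Nickol Bay data.

```python
"""Qualitative risk register: score, rank and treat risks against a tolerance line.
Added example; the register entries below are constructed, not real hospital data."""
from dataclasses import dataclass

# Five-level scale from "very low" to "very high", as used in the text.
LEVELS = ["very low", "low", "medium", "high", "very high"]
TREATMENTS = ("mitigate", "transfer", "avoid", "accept")


@dataclass
class Risk:
    asset: str
    threat: str
    likelihood: str   # one of LEVELS
    impact: str       # one of LEVELS (business impact on the asset)
    control: str      # proposed treatment, one of TREATMENTS

    def score(self) -> int:
        # Risk as a function of likelihood and impact: product of the 1..5 ranks,
        # giving 1 (very low / very low) up to 25 (very high / very high).
        return (LEVELS.index(self.likelihood) + 1) * (LEVELS.index(self.impact) + 1)


def severity(score: int) -> str:
    """Map a 1..25 score back onto the five-level severity scale."""
    if score >= 16:
        return "very high"
    if score >= 10:
        return "high"
    if score >= 5:
        return "medium"
    if score >= 2:
        return "low"
    return "very low"


def prioritise(register, tolerance: int):
    """Return (risk, score, severity, action) rows, highest score first.
    `tolerance` is the management-defined acceptable limit: a risk above it
    cannot simply be accepted and is flagged for review instead."""
    rows = []
    for r in register:
        s = r.score()
        if s > tolerance and r.control == "accept":
            action = "REVIEW: above tolerance, acceptance not permitted"
        else:
            action = r.control
        rows.append((r, s, severity(s), action))
    return sorted(rows, key=lambda row: row[1], reverse=True)


SAMPLE_REGISTER = [  # constructed sample entries
    Risk("patient health records", "unauthorised disclosure by staff", "medium", "very high", "mitigate"),
    Risk("laptop with clinical data", "loss or theft", "high", "high", "mitigate"),
    Risk("billing system", "outage of third-party hosting", "low", "medium", "transfer"),
    Risk("public website", "defacement", "low", "low", "accept"),
    Risk("archived paper records", "fire", "very low", "very high", "accept"),
]

if __name__ == "__main__":
    for r, s, sev, action in prioritise(SAMPLE_REGISTER, tolerance=4):
        print(f"{s:>2} {sev:<9} {action:<12} {r.asset}: {r.threat}")
```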
3.6 Enhancing Information Security Management Roles & Responsibilities
The hospital needs to manage information security, and this requires different sets of roles and responsibilities to be defined and assigned to different people, who are then held accountable for each security task they handle (eHealth Ontario, 2010). An information security management structure should be put in place by assigning these roles and responsibilities, with a clear understanding of what needs to be performed and how, so that information security activities are carried out effectively.
3.6.1 Information Security Manager
The information security manager role at Nickol Bay should be assigned to one of the senior managers, who is responsible for staff awareness and training in information security. The information security manager is responsible for developing the information security policy and objectives and for aligning them with the business strategy. The scope of the information security management system is identified by the manager, who also carries out the initial risk assessment and risk treatment plan (Peltier et al, 2002). The information security manager works in confidence with senior management and reports the progress of drafting and implementing the information security program, and the various issues, threats and incidents, to senior management as and when required.
3.6.2 Compliance Officer
The compliance officer at Nickol Bay should be independent of the information security management program. The information security policies and procedures are to be monitored and reviewed periodically by the compliance officer in accordance with security best practices (Cate, 2002). Compliance with the legislation and guidelines governing healthcare security regulations is to be assured.
3.6.3 Information Technology Management
The information technology manager is responsible for identifying possible system and network perimeter threats and reporting technical vulnerabilities to senior management as and when they occur (eHealth Ontario, 2010). The implementation of security controls and network controls such as firewalls is also the responsibility of the information technology manager, along with maintenance of the disaster recovery plans (Cate, 2002). The information technology manager is also responsible for regular updates of the systems and applications, along with business continuity planning.
3.6.4 Information Technology Users
The information technology users at Nickol Bay are responsible for following the hospital's security policy and procedures, along with the physical security procedures (Dhillon, 2007). They are also responsible for reporting security incidents to the information technology manager and should understand the organisation's code of conduct, which details the information security standards and policies. Information technology users should make security part of their everyday business and always adhere to the security procedures.
Information security and privacy are important in a healthcare organisation in order to maintain patient confidentiality and privacy. This is the most essential characteristic of the patient and physician relationship, and this study analyses the Nickol Bay Hospital in Australia for its information security. An information security program is developed and recommended for Nickol Bay that covers risk assessment and compliance and proposes a security solution that is in accordance with HIPAA compliance. The study also reflects on the varying roles and responsibilities in the organisation, and the enhancement of the roles and responsibilities of the different security personnel that comes with the development of the security program is also discussed. It is also proposed that Nickol Bay should adopt the ISO 27001 standard together with the security and privacy regulations of HIPAA.
- Owen, R.Z. (2000). History and Overview of HIPAA. Hawaii Medical Service Association.
- Olmeda, C.J. (2000). Information Technology in Systems of Care. Delfin Press. ISBN 978-0-9821442-0-6.
- Payne, P.R., Greaves, A.W. and Kipps, T.J. (2003). CRC Clinical Trials Management System (CTMS): an integrated information management solution for collaborative clinical research. AMIA Annu Symp Proc.
- eHealth Ontario. (2010). Guide to Information Security for the Health Care Sector: Information and Resources for Complex Organizations. eHealth Ontario.
- Symantec Corporation. (2009). Security and Privacy for Healthcare Providers: Whitepaper, Best Practices Series for Healthcare. Symantec Corporation.
- Alberts, C.J. and Dorofee, A. (2002). Managing Information Security Risks: The OCTAVE Approach. Boston: Addison-Wesley.