University of Nebraska, Essay Example
The University of Nebraska Medical Center (UNMC) is responsible for the protection of students’ and patients’ data, as well as of financial and confidential research details. Therefore, creating a well-outlined information security framework is necessary to ensure that policies are clearly stated and adhered to by all members of the organization.
The organization’s security plan covers two aspects of protecting information: the policy needs to ensure the confidentiality of sensitive data, and at the same time it creates systems to preserve the integrity of that data. (UNMC Information Security Plan, 2007)
Information Security Program Outline
The information security program covers both patient-related and student-related data. The policy dealing with the rules and guidelines regarding student data protection is the Gramm-Leach-Bliley Act (GLBA), while the Health Insurance Portability and Accountability Act (HIPAA) covers the security policy for dealing with patients’ information and the electronic storage and transfer of data. (UNMC HIPAA Compliance Policy, 2007) It also offers security and privacy protection guidelines and codes. Student education records are protected by FERPA (the Family Educational Rights and Privacy Act), while the handling and disclosure procedures for protected student financial information are outlined in the GLBA and PSFI (Protected Student Financial Information) acts. Protected health information is also covered by the HIPAA act. (UNMC Information Security Plan, 2007)
The above acts cover employee data, student confidential data, research information, business plans and financial details. The organization currently deals with several types of sensitive information, including financial, student-related, employee-related, and research-related. The different acts are applied to ensure that all employees are aware of the policies and carry out their daily work in compliance with the regulations.
All members of the organization are personally responsible for the protection and adequate handling of personal and confidential data, as the university is regulated by the state. However, it is necessary that the organizational structure has some appointed security and data protection representatives. The campus security program outlines the responsibilities of system administrators and information custodians. The body overseeing compliance is the Information Security Office, which ensures that all policies are adhered to. An Information Security Plan Coordinator is also appointed, along with a HIPAA Information Security Officer. All members are required to follow the Information Security Incident Reporting guidelines, and training on identifying security risks is also provided for the staff. The training program is developed by the Information Security Officer and the appointed representatives of the Human Resources Department, who, after reviewing the content of the policies, create a statutory training for all colleagues handling data. Students need to complete HIPAA training and sign a confidentiality agreement as well. (UNMC Information Security Plan, 2007)
The reporting procedures and data handling guidelines are published in the HIPAA policy, and there are further guidelines regarding computer security, backup and storage of files, disclosure of data and student/employee personal details, network security, system failures, suspicious activity and risks. The regular backup of network servers and the updating of security systems, as well as the secure filing of files, CDs and printed copies, are also covered by the plan. Password security procedures are clearly communicated and outlined. Student numbers are used instead of social security numbers, to conceal the identity of the person behind the file and make the data less accessible. A “need to know” guideline is applied when providing access to proprietary information (“information regarding business practices, including but not limited to, financial statements, contracts, business plans, research data, patient records, employee records and student records”). (UNMC Information Security Plan, 2007)
Appropriate service providers are identified by strict criteria, outlined in the PHI document. Providers are also required to study and adhere to the relevant policies. A policy is created to support system administrators in dealing with system failures and identifying possible risks. Outside access from the Internet is restricted by the Internal Trusted Area Network platform, and a “Demilitarized Zone” is also created to enhance security.
The UNMC HIPAA Compliance Policy (2003) provides an outline of the purpose of the policies and their effect on the whole organization. Several government policies are quoted, such as the Transaction Standards and Privacy Rule; however, the organization needs to ensure that its own policies protect its interests and reputation as well. Apart from the financial penalties applied to non-compliant universities and health care providers, reputational loss can have serious financial implications for the future of the organization.
The Information Security Plan of the UNMC, examined above, is in line with the government guidelines and clearly outlines the responsibilities of all employees, the HR department, coordinators and security officers. Training is provided accordingly, and compliance is maintained by appointing the Information Security Office to oversee the processes.
References
UNMC HIPAA Compliance Policy (2003). Online: <http://www.unmc.edu/hipaa/10.htm>, <http://www.nebraska.edu/docs/president/27%20HIPAA%20Compliance.pdf>
UNMC Information Security Plan (2007). Online.