Information Security Team Description
Discussion of the optimal information security investment in healthcare.
Beyond Health is an Australian company that operates private hospitals, medical centres and internal pathology services, so it is very important that security management services be put in place. The IT Security and Information Assurance Department (ISIA) that the company has appointed is a large organisation whose primary responsibilities are designing, planning and creating a secure infrastructure. Since the organisation recently suffered a ransomware attack and a data breach incident, this Australian health organisation has appointed me as its Chief Information Security Officer (CISO). Having suffered the data breach and ransomware attacks, Beyond Health wanted to implement a new information security system, replacing the old traditional system, to secure the organisation's data and information. For this purpose it appointed the IT Security and Information Assurance Department, charged with the design, planning and creation of a secured infrastructure so that the incident is not repeated. Beyond Health provides healthcare throughout Australia through 45 hospitals and 50 medical centres (Wager, Lee and Glaser, 2017). It also has 17000 employees working in different roles across multiple locations. Because of the ransomware attacks and the data breach, the entire organisation, with all of its vital information, was on the verge of being jeopardised (Huang, Behara and Goo, 2014). Therefore the older security system must be replaced with a new and improved version that would prevent further data breaches and ransomware attacks in the organisation and in the hospitals and medical centres it governs.
Since the previous security system did little or nothing for the organisation, it was a faulty system that caused the business to lose its patients' medical health information. It is thus proposed that the previous security system be replaced with a new and improved one, after thorough research into the vulnerabilities of the previous system (Liebler and McConnell, 2016). The new security system would be implemented only after the vulnerabilities of the previous system are identified and it is confirmed that the new system can address all the risks associated with them.
Since there has been a data breach in the organisation before, affecting all the hospitals and medical centres under it, the new process should incorporate security systems that defend against all the vulnerabilities that were present in the previous system (Abdelhak, Grostick and Hanken, 2014). The proposal would be approved by the higher authorities once the workforce and the implementation authorities are clearly divided.
Team Division and Description
The team implementing the system would have people in various roles, accountable to security system management in the organisation (Pathan, 2016). The team division would include a chief finance officer, a chief Information System manager, the CEO, the senior software architect, the Director of software development, a software developer or a team of software engineers, a Chief Information Security Officer or CISO, an application programming manager, a risk mitigation manager, a software tester, security management trainers, software implementation specialists, quality assurance providers, a prototype developer, and code developers. The following table gives the detailed job description of every person responsible for the implementation of the software system:
| Name of the employees | Roles |
| --- | --- |
| Chief finance advisor | The role of a chief finance advisor is to prepare a feasibility study of the project according to the project budget. This would then be conveyed to the people in the project so that they are aware of the finance available in each phase. |
| Chief IS manager | The chief IS manager or Information Systems manager develops the project outline based on the Information System suitable for the implementation. |
| Chief executive officer | The responsibility of the CEO is to be aware of the entire matter of the project along with the management approach, the risk management and the system development. |
| Senior software architect | Helps in preparing the software architecture suitable for the IS implementation. |
| Director of software development | The role of a director of software development is to manage, deploy, develop and approve the information of the software system required for the project. |
| Software engineer | The role of the software engineer is to approve and develop the software that has been finalised by the system developer and that is to be served to the organisation's IS system. |
| Chief information security officer | The CISO will frame the security measures that must be undertaken for mitigating the security issues. |
| Application programming manager | The role of this designation is to operate the application that has been developed by the software developers in an accurate manner. |
| | This department is responsible for handling any editing issue related to the software that has been developed, including the changes conveyed by the application manager and by the customers. |
| Risk mitigation manager | These people are dedicated to combating any kind of risk associated with the implementation of the IS system. |
| Software tester | These people are responsible for checking whether the software is being developed flawlessly with all the requirements needed for the IS system implementation. |
| Security management trainers | These people are dedicated to providing training to the people in the organisation to prevent further attacks. |
| Software implementation specialists | These people are responsible for implementing the software accurately in the required places and monitoring the entire process of implementation. |
| Quality assurance providers | They are dedicated to making sure that the IS software or other implementation is done accurately and that quality is maintained throughout. |
| Code developer | In order to run the software program, proper code needs to be framed accurately by the code developers. |
Thus the responsibilities of the IT head, the CEO and the CISO have been described in detail so that the security structure of the organisation can be replaced with a new and improved management structure providing more security for the information generated by the organisation (Cascio, 2018). The clear description of the team division in the table above would thus enable the administration to approve and carry out the required implementation of the new IS system, replacing the faulty traditional IS system that the organisation used before.
Information and communication technology (ICT) deals not only with organisations and their related services but also with healthcare management services (Pozgar, 2014). It connects the world's people and creates a variety of ideas and opportunities. Ever since technology began advancing, there has been a ramp-up of digitisation in the healthcare sector, aimed at improving healthcare services by using the changes in the technological world (Peltier, 2016). However, it also has some dangerous side effects, such as information security risk. In this case as well, Beyond Health had failed to recognise a ransomware attack that reached the organisation's data, causing havoc across the 45 hospitals and 50 medical centres under it. In addition, the data of 17000 employees and numerous patients was compromised as a result. Therefore, in light of the sensitive nature of healthcare data and the way the volume of information keeps mounting every single day, that data is prone to security risks. It is critical for healthcare providers to have a robust and reliable information security service in place (Runciman, Merry and Walton, 2017). Therefore a policy document must be kept at hand for the installation and implementation of new, technologically advanced security systems.
Information Security Policy Document
It is quite clear that the previously implemented security system had failed to provide an impermeable security system that would prevent any kind of data breach for the organisation. Therefore the newly appointed Chief Information Security Officer (CISO) made sure that the information security policy document is absolutely impermeable (Wears, Hollnagel and Braithwaite, 2015). The overall objective of the information security policy document is to control or guide human behaviour, in the belief that this reduces the risk to information assets from accidental or deliberate actions of the employees in charge. Information security policies underpin the security and well-being of information resources (Coombs, 2014). Following is the information security policy document prepared for the implementation of new technology replacing the older security systems at Beyond Health. The aim of this policy is to establish and maintain the security and confidentiality of information, information systems, applications and networks owned or held by the organisation (Nepal, Ranjan and Choo, 2015). This would include:
- Ensuring that all members of staff are aware of and fully comply with the relevant legislation as described in this and other policies.
- Describing the principles of security and explaining how they shall be implemented in the organization.
- Introducing a consistent approach to security, ensuring that all members of staff fully understand their own responsibilities.
- Creating and maintaining within the organization a level of awareness of the need for Information Security as an integral part of the day to day business.
- Protecting information assets under the control of the organization.
The policies in this list would replace the older way of storing information at Beyond Health (Lei et al., 2014). The policies would comprise the following policy framework:
- Management of Security
- Information Security Awareness Training
- Contracts of Employment
- Security Control of Assets
- Access Controls
  - User Access Controls
  - Computer Access Control
  - Application Access Control
- Equipment Security
- Computer and Network Procedures
- Information Risk Assessment
- Information security events and weaknesses
- Classification of Sensitive Information
- Protection from Malicious Software
- User media
- Monitoring System Access and Use
- Accreditation of Information Systems
- System Change Control
- Intellectual Property Rights
- Business Continuity and Disaster Recovery Plans
- Reporting
- Policy Audit
- Further Information
These policy frameworks would further be approved by the head of security controls, the board of directors and the owner of Beyond Health.
Any incident management plan focuses on managing the incidents occurring in an organisation so as to return it to normal operation. It also provides information on the structure of the team handling incident management (Caron et al., 2016). This sets the criteria for invoking business continuity, for managing incident resource requirements, and for any other necessary staff movements and critical processes. The document PAS 77 suggests that an incident management structure should be established in line with the organisational structure and should be fit for use by both public and private sector companies (Gellman, 2017). Any incident management plan should have a few criteria presented in a document. These criteria are as follows:
- Background of the incident
- Scope and purpose
- Relationship with any other plan
- Definition of the Incident Response structure
- Handing over from the Emergency Response Team
- Assessing the situation
- Roles of the Incident Management Team
- Responsibilities of the Incident Management Team
- Incident Room location
- Details for accessing Incident Room Location
- Alternate Incident Room
- Invocation criteria
- Invocation procedure including rendezvous points and responsible persons
- Procedure for setting up and managing the Incident Room
- Action plans for implementing the Business Continuity response
- Recovery Profiles
- Resumption Process
- Details of equipment storage
- Maps and directions to all locations mentioned in the Plan
- Site access plans
- Claims management procedure
- Contact information
  - Senior Management Team
  - Incident Management Team
  - Bronze Team Leaders (all departments within the organisation)
  - External suppliers
  - Internal contacts
  - Regulatory bodies
  - Useful local information (e.g. hospital, doctors, plumbers, electrician, local council)
  - Stakeholders
- Communications Matrix
- Incident Log
- Incident Management stand-down procedures
  - Decision to stand down
  - Who to communicate with
  - Filing of paperwork
  - Post incident report
As per the Australian ACS Code of Ethics and the relevant laws, the security system of any organisation, and especially that of a healthcare organisation, is of the highest priority (Deane et al., 2015). The ethical implications would comply with the following policies for the implementation of the new security system by the CIS officers. These policies would cover:
- The primacy of the Public Interest
- Enhancement of Quality of Life
- Honesty
- Competence
- Professional Development
- Professionalism
In addition, the unique and confidential individual data of patients is of primary importance (Alexander, Finch and Sutton, 2013). Therefore that too would be kept in mind while building the new security system, in line with Australian law and ethics.
Security plays an integral part in the world of e-commerce, computers and the internet. Since technology has its own evils, laws are implemented to protect the individual users, groups and organisations exposed to these threats. The legal system interacts with information security against the backdrop of an ever-changing and rapidly developing world of technology. On several occasions it has been seen that technological vulnerabilities are not easily found until a major exploitation occurs. However, the laws to be implemented need time to ensure that the data exploitation is thoroughly addressed and the breach has been dealt with. The Australian laws regarding ethics for data breaches and other ethical concerns in healthcare would most likely resolve further issues and help in implementing an impermeable security system.
According to the Regulation of Health Information Privacy in Australia, the NHMRC represents a working committee with the following major tasks:
- Undertaking an analysis of the privacy framework in Australia, as it relates to health information.
- Undertaking consultation with NHMRC’s stakeholders to document their attitudes towards and perceptions of the privacy framework as well as their experiences.
- Preparing a submission to the review of the privacy legislation when the review is announced.
Therefore, all the legal and ethical issues would be handled by the team of the CISO or Chief Information Security Officer, keeping all these implications in mind. The organisational policies and the major vulnerabilities of the system would be addressed, and new policies would be made in light of these vulnerabilities to make the newly implemented system absolutely impermeable.
References
Abdelhak, M., Grostick, S. and Hanken, M.A., 2014. Health Information-E-Book: Management of a Strategic Resource. Elsevier Health Sciences.
Alexander, D., Finch, A. and Sutton, D., 2013, June. Information security management principles. BCS.
Caron, X., Bosua, R., Maynard, S.B. and Ahmad, A., 2016. The Internet of Things (IoT) and its impact on individual privacy: An Australian perspective. Computer Law & Security Review, 32(1), pp.4-15.
Cascio, W., 2018. Managing human resources. McGraw-Hill Education.
Coombs, W.T., 2014. Ongoing crisis communication: Planning, managing, and responding. Sage Publications.
Deane, F.P., Gonsalvez, C., Blackman, R., Saffioti, D. and Andresen, R., 2015. Issues in the Development of e-supervision in Professional Psychology: A Review. Australian Psychologist, 50(3), pp.241-247.
Gellman, R., 2017. Fair information practices: A basic history.
Gostin, L.O. and Wiley, L.F., 2016. Public health law: power, duty, restraint. Univ of California Press.
Hall, M.A., Orentlicher, D., Bobinski, M.A., Bagley, N. and Cohen, I.G., 2018. Health care law and ethics. Wolters Kluwer Law & Business.
Huang, C.D., Behara, R.S. and Goo, J., 2014. Optimal information security investment in a Healthcare Information Exchange: An economic analysis. Decision Support Systems, 61, pp.1-11.
Lei, J., Guan, P., Gao, K., Lu, X., Chen, Y., Li, Y., Meng, Q., Zhang, J., Sittig, D.F. and Zheng, K., 2014. Characteristics of health IT outage and suggested risk management strategies: An analysis of historical incident reports in China. International Journal of Medical Informatics, 83(2), pp.122-130.
Liebler, G. and McConnell, C.R., 2016. Management principles for health professionals. Jones & Bartlett Publishers.
Nepal, S., Ranjan, R. and Choo, K.K.R., 2015. Trustworthy processing of healthcare big data in hybrid clouds. IEEE Cloud Computing, 2(2), pp.78-84.
Pathan, A.S.K. ed., 2016. Security of self-organizing networks: MANET, WSN, WMN, VANET. CRC Press.
Peltier, T.R., 2016. Information Security Policies, Procedures, and Standards: guidelines for effective information security management. CRC Press.
Pozgar, G.D., 2014. Legal and ethical issues for health professionals. Jones & Bartlett Publishers.
Runciman, B., Merry, A. and Walton, M., 2017. Safety and ethics in healthcare: a guide to getting it right. CRC Press.
Wager, K.A., Lee, F.W. and Glaser, J.P., 2017. Health care information systems: a practical approach for health care management. John Wiley & Sons.
Wears, R.L., Hollnagel, E. and Braithwaite, J. eds., 2015. Resilient health care. Ashgate Publishing, Ltd.