Strategic Information Security Analysis: Royal Adelaide Hospital

Added on  2020/03/04

AI Summary
This report provides a strategic analysis of the information security systems at Royal Adelaide Hospital (RAH) in Australia. The report begins with an introduction to the hospital's need for robust information security, emphasizing the principles of integrity, confidentiality, and availability. It then delves into health information privacy and security, highlighting the importance of patient data protection and the impact of automated technologies. The core of the report outlines a proposed information security program, including risk management, security and privacy programs, and compliance strategies, with a focus on ISO 27001 standards and HIPAA compliance. The report details the identification of privacy and security needs, the development of an information security policy, and the implementation of a layered approach to privacy and security, including technical, administrative, and physical controls. It also discusses systems engineered according to HIPAA compliance and suggests improvements to the roles and responsibilities of information security management, including the information security manager, compliance officer, and IT management and users. The report concludes with recommendations for enhancing RAH's information security posture.
Running head: STRATEGIC INFORMATION SECURITY
Strategic Information Security
Name of the Student:
Name of the University:
Author’s Note:
Course ID:
Abstract:
This report selects an Australian organisation, describes the existing state of its security systems and makes suggestions for improving them. Royal Adelaide Hospital (RAH) has been selected for this purpose, as hospitals are complex institutions in which various departments manage different types of patients. The privacy and security of information are necessary for healthcare organisations to maintain the confidentiality and privacy of their patients. This is a defining characteristic of the patient-physician relationship, and this study evaluates the information security of Royal Adelaide Hospital in Australia.
An information security program is recommended and developed for the hospital that covers risk assessment, conformance and a proposed security solution in accordance with HIPAA compliance. The report also describes the different roles and responsibilities that exist within the hospital and, as the security program grows, how the roles and responsibilities of the various security personnel should be improved. It is recommended that RAH adopt the ISO 27001 standard along with the HIPAA privacy and security regulations.
Table of Contents
1. Introduction:................................................................................................................................3
2. Health information privacy and security:....................................................................................3
3. Information security program:.....................................................................................................4
3.1 Identification of privacy and security needs:.........................................................................5
3.2 Information security policy:..................................................................................................6
3.2.1 Phases of security policy development:..........................................................................7
3.3 Layered approach to privacy and security:............................................................................8
3.4 Systems engineered according to HIPAA compliance:.......................................................10
3.5 Risk management:...............................................................................................................10
3.6 Improving the roles and responsibilities of information security management:.................13
3.6.1 Information security manager:......................................................................................13
3.6.2 Compliance officer:......................................................................................................14
3.6.3 Information technology management:..........................................................................14
3.6.4 Information technology users:......................................................................................14
4. Conclusion:................................................................................................................................15
References:....................................................................................................................................17
Appendix:......................................................................................................................................21
1. Introduction:
This report selects an Australian organisation, describes the existing state of its security systems and makes suggestions for improving them. Royal Adelaide Hospital has been selected for this purpose, as hospitals are complex institutions in which various departments manage different types of patients. It is therefore necessary to maintain coordination among these departments (Ab Rahman and Choo 2015). In addition, the hospital must protect information from unauthorised users and from unauthorised modification of personal information, and must address the threat of unauthorised disclosure.
In the case of Royal Adelaide Hospital, the three primary security principles are integrity, confidentiality and availability (New Royal Adelaide Hospital 2017). The hospital therefore needs a robust information security environment built on a homogeneous network that is tightly secured against external threats.
2. Health information privacy and security:
Maintaining the privacy of patient information is the fundamental principle underlying the relationship between a physician and a patient in a hospital (Abdelhak, Grostick and Hanken 2014). Patients need to share correct information with their physicians for proper diagnosis; however, in certain instances they are afraid to do so because of their health condition, as in the case of HIV patients, since they believe that such disclosure might lead to social discrimination. It is therefore crucial for Royal Adelaide Hospital (RAH) and its physicians to protect patients' private information effectively, and management may find it difficult to handle the large sets of records that accumulate over time.
The security and privacy of information are essential, and the integrity of information must be maintained with minimal transcription errors (Ahmad, Maynard and Park 2014). This covers effective administrative information for finance and patient diet, along with the maintenance of each patient record. Information security would form part of the hospital information security program and supports the decision support system in preparing the healthcare policies needed to maintain patient privacy. With the growing use of automated technologies such as medical claims processing and e-prescribing, healthcare privacy concerns at RAH have increased. The sharing and movement of patient information in electronic format is an issue, and the challenge is to maintain data privacy (Baskerville, Spagnoletti and Kim 2014). RAH therefore needs to assess its security management plan to ensure the security and privacy of patient data.
3. Information security program:
Developing an information security management program is necessary to provide a proactive approach to overall patient protection. An effective security management plan must be developed to identify the security threats affecting patient privacy. The major constituents of the security management plan are:
- Developing, implementing and maintaining the information security management program
- Identifying and developing written security policies and procedures
- Identifying the various roles and responsibilities of security personnel
- Training and monitoring security staff (Cassidy 2016)
The security management program would comprise three strategies:
- Risk management
- Security and privacy program
- Compliance
The risk management strategy must be developed with the aim of detecting and evaluating data security risks, which are then used to prepare security controls (Crossler et al. 2013). Such security controls are needed to deal with the various kinds of risk. The initial benefit of this program would be to enable RAH to make informed decisions about the allocation of the security resources needed to improve data protection. An assessment of existing security controls and policies, together with the relevant audit logs, would be required as part of the risk management plan.
3.1 Identification of privacy and security needs:
The privacy and security needs are identified with the help of a method that RAH needs to follow, which is depicted in the following figure:
Figure 1: Identification of privacy and security needs
(Source: D'Arcy, Herath and Shoss 2014)
Standards such as ISO 27001 and ISO 27002 help drive the identification of privacy and security needs. RAH needs to adopt the ISO 27001 standard and the privacy and security regulations of HIPAA, the "Health Insurance Portability and Accountability Act". The healthcare requirements at RAH need to be developed around the categorisation of patient record data, which in turn supports the definition of risk management and security policy.
The hospital's privacy and security policy needs the consent of top management, and this supports risk assessment and risk treatment. Risks are to be handled and treated according to their severity and priority with the help of risk mitigation measures (Flores, Antonsen and Ekstedt 2014). After that, the privacy and security countermeasures need to be identified and implemented with the help of security services based on encryption and a robust standard. Such a standard must be able to protect information while maintaining its confidentiality.
3.2 Information security policy:
In the words of Galliers and Leidner (2014), the information security policy explains the expected behaviours, procedures, rules and responsibilities needed to protect information. This takes into account the policies associated with patients' personal health information, and information security must be aligned with the business strategy of the hospital. The other factors that RAH needs to consider include conformance to legislation and other legal frameworks, which must be included in the policy to maintain information security and privacy.
3.2.1 Phases of security policy development:
The development of a security policy passes through certain phases, which are briefly discussed as follows:
Obtaining executive support:
This is needed to obtain support and commitment for policy drafting and implementation (Haux et al. 2013). Hence, the senior management of RAH must be engaged at each step of policy development.
Drafting and involvement:
It is of utmost importance for RAH to ensure that the individuals affected by the policy are involved and review the content of the draft security policy.
Review:
All associated stakeholders and top-level management need to review the draft security policy and request modifications to the initial draft based on their concerns.
Approval and implementation:
Approval for the security policy must be sought from RAH's approving body, and it is crucial to communicate the policy across all departments in the organisation. After approval, the policy needs to be implemented in accordance with the action plan for reaching compliance and, finally, monitored (Webb et al. 2014).
Maintenance and review:
After the policy has been implemented in RAH, it needs regular maintenance and periodic review in response to the changing environment, business strategy and technology.
3.3 Layered approach to privacy and security:
Three types of controls need to be developed in RAH: physical, administrative and technical controls. These controls are necessary together, and the absence of any one of them weakens the effect of the other two (Henson and Garfield 2016). A technical control such as data encryption would not be adequate in the absence of administrative control, since maintaining the confidentiality of data also depends on security awareness education and training within the organisation. Physical control is likewise necessary alongside technical and administrative control. The multi-layered approach is robust, providing higher-performance, hardware-assisted security while managing complex threats and vulnerabilities.
Figure 2: Multi-layered approach to privacy and security
(Source: Kolkowska, Karlsson and Hedström 2017)
Hardware-assisted security makes the system more robust and tightens security controls; it establishes the root element of the security system while enhancing overall system performance at the same time. Some of the primary features that need to be included in the information security of RAH are described as follows:
- A high-performance, strong encryption standard could be used to maintain the confidentiality of sensitive personal information, whether in use or at rest.
- Anti-theft technology is needed to minimise the loss that could result from theft of sensitive information on the various systems in the network.
- Identity protection technology is necessary, as it provides the stronger authentication needed for differential access according to the varying responsibilities of different users (Law, Buhalis and Cobanoglu 2014).
- Virtualisation technology would be used for high-speed virtual or cloud-based computing, which would become part of the security system in RAH.
- Active management technology would help protect data when handling remote desktops while maintaining identical security and compliance measures.
Encryption is a suitable countermeasure for managing sensitive data and avoiding information theft. As RAH falls within the Australian healthcare industry, data needs to be maintained and protected end-to-end, both in transit and at rest. In addition, given the robustness of hardware-assisted technologies, the system should provide an open foundation for third-party software vendors to ensure the integrity and compatibility of their software. This would be immensely beneficial for RAH, since it could integrate with the above-mentioned vendors and, as technologies change, upgrade to more advanced technologies.
3.4 Systems engineered according to HIPAA compliance:
The systems that would form part of information privacy and security in RAH need to comply with the security and privacy rules under HIPAA. This law has been enacted in Australia to reform health insurance practices and the handling of health information. In addition, since organisations are shifting from paper-based to electronic records, compliance with this act would be cheaper in the long run (Layton 2016). RAH needs to comply with HIPAA, under which administrative procedures would be simplified while the privacy of patient information is maintained and protected.
In this way, the confidentiality of patient information could be maintained, which would help the hospital pursue innovative initiatives and enhance patient care. In addition, assessing and managing risk is a required component of HIPAA: it calls for a correct evaluation of potential risks, and adequate security measures must be put in place to ensure security and deal with the different kinds of vulnerabilities and threats.
3.5 Risk management:
Risk management in the context of RAH is concerned with managing risk across the hospital and comprises legal issues, security functions and safety issues. There would be access and