Quiz 3 Flashcards
Core Functions of IT Department: Operations and Tech Support
- Manage the IT Infrastructure (servers, networks, operating systems, databases, workstations)
- Troubleshoot and repair infrastructure
- Install new technology
- Update existing software
- Perform backups
- Respond to user problems.
Core Functions of IT Department: Applications Management
- Manage the process of acquiring new systems
- Developing and implementing new systems
- Ongoing Enhancement
- Troubleshooting
- Working with application vendors
Core Functions of IT Department: Specialized Groups
Dependent on the organization, for example:
- Support of research community in academic medical centers
- Process redesign groups
- Decision-support groups
Core Functions of IT Department: IT Administration
- Oversee the development of the IT strategic plan
- Manages contracts with vendors
- Handles the IT budget
- Provides HR support for IT staff
- Manages the space occupied by the IT department
Chief Information Officer (CIO)
An Executive who can successfully lead the organization in its effort to apply IT in its strategic advancement
- Manages the IT department
Chief Technology Officer (CTO)
- Defines technology standards
- Ensures currency of the IT infrastructure
- Ensures the fitness of IT solutions
- Tracks emerging technologies and identifies those which may prove useful to the organization
Chief Security Officer (CSO)
- Ensures the organization has an effective information security plan
- Ensures appropriate procedures are in place to safeguard the system from tampering and misuse
- Disaster recovery protocols are established
Chief Medical Information Officer (CMIO)
A role, typically filled part-time by a physician, that ensures the adoption of appropriate clinical information systems.
Key Attributes of a High-Performing CIO
1) Set vision and strategy
2) Integrates IT for business success
3) Makes changes happen
4) Builds technological confidence
5) Partners with customers
6) Ensures IT talent
7) Builds networks and community
IT Staff Roles: Project Leader
Manages IT projects, such as: implementations and deployment of infrastructure.
IT Staff Roles: System Analyst
Works closely with end users and their managers to:
- Identify IT system needs and problems
- Evaluate workflow
- Determine strategies for optimization
Also, prepares cost-benefit and ROI analyses.
IT Staff Roles: Programmer
Writes, tests and maintains the programs within a system; conceives, designs, and tests logical structures for solving problems via technology.
Two main types:
- Applications
- Systems
IT Staff Roles: Applications Programmer
- Writes programs to handle specific user tasks
- Revises existing packaged software
- Customizes generic applications
IT Staff Roles: Systems Programmer
Writes programs that control the infrastructure’s software.
IT Staff Roles: Database Administrator
Works with database management systems to determine ways to organize and store data, while ensuring optimal performance.
- Plans and coordinates security measures
IT Staff Roles: Network Administrator
Designs, tests, and evaluates data communication systems. (e.g. Internet or LAN networks)
- Performs network modeling: researching related products in order to provide hardware or software recommendations.
Key Attributes of High-Quality IT Staff
- They execute well
- They are good consultants
- They provide world-class support
- They stay current in their field of expertise
Centralization of IT Services: Benefits
- Enforcement of hardware and software Standards
- Efficient Administration of Resources
- Better Staffing
- Easier Training
- Effective Planning of Shared Systems
- Easier Strategic IT Planning
- Tighter Control by Senior Management
Decentralization of IT Services: Benefits
- Better fit of IT-to-Business needs
- Quick response times
- Encouragement of end user development of applications
- Innovative use of information systems.
Core IT Competencies
- A small number of areas are identified by the organization as Core Competencies.
- Affects the formation and focus of an IT department
Departmental Attributes: Agility
The ability to form and disband teams quickly (~3mo) as staff move from project to project.
- Requires flexibility in an organization’s structural and reporting relationships
- Project managers are temporary bosses for IT staff during projects.
Organizations should be project-centered, not job function-centered.
- Allows for team members to assume different roles in each project
Departmental Attributes: Innovative
- Reward systems that encourage new ideas and successful implementation of innovative applications
- Create dedicated research and development groups.
- Permit IT staff to take sabbaticals or work in other departments within the organization to expand their awareness of organizational operations, cultures, and issues.
Outsourced IT
An organization asks a third party to provide IT staff members and be responsible for the management of IT.
Reasons for Outsourcing
- Organizations may not have in-house staff with the skills, time or resources to take on new projects or provide sufficient support
- Organizations may delegate help desk services or website development so that internal staff can focus on implementing and supporting applications.
- May be cost-controlling
- May serve as a solution to mismanaged IT staff
Evaluating IT Effectiveness: Governance
Are IT strategies aligned with the overall strategic goals?
Evaluating IT Effectiveness: Budget Development and Resource Allocation
Benchmark: Are we spending too much or too little on IT?
Evaluating IT Effectiveness: System Acquisition and Implementation
How effective are the systems acquired?
Are new applications delivered on time, within budget, and according to specifications?
How do participants in the implementation view the IT staff?
Evaluating IT Effectiveness: IT Service Levels
What is the quality of everyday IT service?
IT Service Levels: Infrastructure
Are the information systems reliable?
Are response times fast?
IT Service Levels: Day-to-Day Support
Does the help desk quickly, patiently, and effectively resolve my problems?
Do technological requests get answered in a reasonable time frame?
IT Service Levels: Consultation
Does the IT staff help me think through my IT needs?
Is IT capable of making people understand what technology will and will not do for them?
Evaluating IT Effectiveness: Infrastructure Metrics
Benchmarks for the quality of IT infrastructure and day-to-day support.
Infrastructure Metrics: Reliability
Percentage of time that systems experience downtime
Infrastructure Metrics: Response Time
How quickly an application moves from one screen to the next.
Infrastructure Metrics: Resiliency
How quickly a system can recover once it has gone down.
Infrastructure Metrics: Software bugs
The number of bugs detected in an application per line or per hour of use.
Core IT Processes for Effective IT Department: Human Capital Management
The development of IT staff skills and the attraction/retention of talent
Core IT Processes for Effective IT Department: Platform Management
A series of activities that designs the IT architecture and constructs and manages the resulting infrastructure.
Core IT Processes for Effective IT Department: Relationship Management
Developing and maintaining relations between the IT function and the rest of the organization
Also, partnerships with IT vendors.
Core IT Processes for Effective IT Department: Strategic Planning
Linking the IT agenda to the organization’s strategy
Core IT Processes for Effective IT Department: Financial Management
Encompasses a wide range of management processes, such as:
- Developing the IT budget
- Defining the business case for IT investments
- Benchmarking IT costs
Core IT Processes for Effective IT Department: Value Innovation
Identifying new ways for IT to improve business operations and ensuring that IT investments deliver value
Core IT Processes for Effective IT Department: Solutions Delivery
The selection, development, and implementation of applications and infrastructure
Core IT Processes for Effective IT Department: Services Provisioning
Day-to-day support of applications and infrastructure.
Privacy
An individual’s right to be left alone and limit access to his/her health information.
Confidentiality
Addresses the expectation that information shared with a health care provider during the course of treatment will be used only for its intended purpose and not disclosed otherwise.
Security
The systems in place to protect health information and the systems within which it resides.
Legal Protection of Health Information
- Federal HIPAA privacy, Security, and Breach Notification rules.
- State privacy laws. Usually more stringent on info for conditions such as HIV/AIDS, mental & reproductive health.
- Federal Trade Commission (FTC) Act: Protects consumers from unfair or deceptive practices.
- The Privacy Act of 1974
- Confidentiality and Substance Abuse Patient Records
The Privacy Act of 1974
Protected patient confidentiality only in federally operated health care facilities.
Confidentiality and Substance Abuse Patient Records
Set stringent release of information standards, designed to protect confidentiality of patients seeking alcohol or drug treatment.
HIPAA Timeline
1996: Signed into law [First comprehensive federal regulation to offer special protection to private health information.]
2003: HIPAA Privacy Rule
2005: HIPAA Security Rule. [Defines Covered Entities(CE)]
HIPAA Privacy Rule: Protected Health Information defined
- Relates to a person’s physical/mental health, the provision of care, or the payment for care.
- Identifies the person who is the subject of the information.
- Is created or received by a CE
- Is transmitted or maintained in any form.
HIPAA Privacy Rule Major Components: Boundaries
PHI may be disclosed for health purposes only, with very limited exceptions.
HIPAA Privacy Rule Major Components: Security
PHI should not be distributed without patient authorization unless there is a clear basis for doing so and the individuals who receive the information must safeguard it.
HIPAA Privacy Rule Major Components: Consumer Control
Individuals are entitled to access and control their health records and are to be informed of the purposes for which information is being disclosed and used.
HIPAA Privacy Rule Major Components: Accountability
Entities that improperly handle PHI can be charged under criminal law and punished, and are subject to civil recourse as well.
HIPAA Privacy Rule Major Components: Public Responsibility
Individual interests must not override national priorities in public health, medical research, preventing health care fraud, and law enforcement in general.
HIPAA Patient Authorization: Defined
Written authorization required for all nonroutine uses or disclosures of PHI.
HIPAA Patient Authorization: Exceptions
PHI can be released without consent in the following instances:
- Presence of a communicable disease
- Suspected child or adult abuse
- Legal duty to warn of a clear and imminent danger from a patient.
- Bona fide medical emergency
- Valid court order
HIPAA Patient Authorization: Elements of a Valid Release Form
1) Patient identification (Name, DOB)
2) Name of person/entity to whom the information is being released
3) Description of specific health information authorized for disclosure.
4) Statement of reason/purpose of disclosure.
5) Date, event, or condition for expiration of authorization, unless revoked sooner.
6) Statement that authorization is subject to revocation by patient/legal representative.
7) Patient/Legal rep’s signature
8) Signature date
HIPAA Security Rule: Defined
Governs ePHI
- PHI maintained or transmitted in electronic form
- May be stored on any type of electronic media
HIPAA Security Administrative Safeguards: Security Management functions
CE must implement policies and procedures to prevent, detect, contain, and correct security violations.
HIPAA Security Administrative Safeguards: Assigned Security Responsibility
CE must identify the individual responsible for overseeing development of the organization’s security policies and procedures.
HIPAA Security Administrative Safeguards: Workforce Security
CE must ensure that all members of its workforce have appropriate access to ePHI.
HIPAA Security Administrative Safeguards: Information Access Management
CE must implement policies and procedures for authorizing access to ePHI.
HIPAA Security Administrative Safeguards: Security Awareness and Training
CE must install awareness/training programs for all members of its workforce.
HIPAA Security Administrative Safeguards: Security Incident Reporting
CE must implement policies and procedures for addressing security incidents.
HIPAA Security Administrative Safeguards: Contingency Plan
Procedures for disaster recovery.
HIPAA Security Administrative Safeguards: Evaluation
CE must periodically perform technical and nontechnical evaluations in response to changes that may affect ePHI security.
HIPAA Security Administrative Safeguards: Business Associate Contracts and other arrangements
CE must have formal agreement with business associates in order to exchange ePHI.
HIPAA Security Physical Safeguards: Facility Access Controls
CE must limit physical access to its electronic information systems, and the facilities in which they are housed, to authorized users.
HIPAA Security Physical Safeguards: Workstation Use
CE must specify the functions to be performed and the manner in which they are to be performed on a specific workstation or class of workstation that can be used to access ePHI, and must also specify the physical attributes of the surroundings of such workstations.
HIPAA Security Physical Safeguards: Workstation Security
CE must arrange the physical safeguards for all workstations that are used for ePHI access and limit access to authorized users.
HIPAA Security Physical Safeguards: Device and Media Control
CE must arrange for the movement of hardware and electronic media that contain ePHI into and out of a facility and within a facility.
HIPAA Security Technical Safeguards: Access Control
CE must establish who may or may not be able to utilize ePHI
HIPAA Security Technical Safeguards: Audit Controls
CE must implement hardware, software, and procedures that record and examine activity in the information systems containing ePHI.
HIPAA Security Technical Safeguards: Integrity
CE must protect ePHI from improper alteration or destruction
HIPAA Security Technical Safeguards: Person or Entity Authentication
CE must require a verification process for those attempting to access ePHI
HIPAA Security Technical Safeguards: Transmission Security
CE must implement technical measures to guard against unauthorized access to ePHI.
HIPAA Policies and Procedures
CE must establish protocols to comply with standards, implementation specifications, and other requirements.
HIPAA Documentation
CE must establish policies that comply with the Security Rule in written form.
HIPAA Breach Notification Rule
Requires CEs and their business associates to provide notification following a breach of UNSECURED PHI.
- Unsecured: Info that has not been encrypted
- Secured: Encrypted data or data that has been deemed “destroyed”
HIPAA Breach Notification Rule: WHO?
- Affected individuals
- Health and Human Services (via Office for Civil Rights)
- Major media outlets
HIPAA Enforcement
- Office for Civil Rights (OCR) enforces Privacy and Security rules
- State Attorneys General were given authority by HITECH to bring civil actions on behalf of the residents of their state when involved in a HIPAA violation.
HIPAA Violation Penalties
- Tiered criminal penalties:
  - I: Reasonable cause or no knowledge (~1yr)
  - II: Obtaining PHI under false pretenses (1-5yr)
  - III: Obtaining PHI for personal gain or malice (1-10yr)
- Monetary civil penalties, which cannot be levied if resolved within a specific period of time.
Threats to HIPAA
- Human tampering (intentional/unintentional; Internal/External)
- Natural or environmental
- Environmental factors and technological malfunction
Malware
Software that is written to “infect” and subsequently harm a host computer system
Viruses
Infects the host system and spreads itself
Trojans
Designed to look like a safe program; steals personal information or takes over the resources of a host computer.
Spyware
Tracks Internet activities, assisting the hacker in gathering information without consent
Worms
Replicates itself and destroys the host computer’s files
Ransomware
Encrypts and locks files; demands money to unlock
Security Management Process
1) Lead your culture, select your team, and learn.
2) Document your process, findings, and actions
3) Review existing security of ePHI; perform risk analysis
4) Develop an action plan
5) Manage and mitigate risks
6) Attest for meaningful use security-related objectives
7) Monitor, audit, and update security on an ongoing basis
Cybersecurity
1) Protect mobile devices
2) Maintain good computer habits
3) Use a firewall
4) Install and maintain antivirus software
5) Plan for the unexpected
6) Control access to PHI
7) Use strong passwords
8) Limit network access
9) Control physical access
National Institute of Standards and Technology (NIST)
Directed to develop, with the help of stakeholder organizations, a voluntary cybersecurity framework to reduce cyber-attack risks.
NIST: Framework Core
Five concurrent and continuous functions:
1) Identify
2) Protect
3) Detect
4) Respond
5) Recover
- The highest level, strategic view of an organization’s management of cybersecurity risks
NIST: Framework Implementation Tiers
Characterizes an organization’s actual cybersecurity practices compared to the framework; range from Tier 1 (Partial) to Tier 4 (Adaptive).
NIST: Framework Profile
Documents outcomes obtained by reviewing all of the categories and subcategories and comparing them to the organization’s business needs