NYS OMH operates more than 1300 psychiatric facilities in the State of New York and has its headquarters in Albany. The other facilities have field offices but major decisions are made at the headquarters (Nag & Sengupta, 2007). NYS OMH is located in a 5,000 acres piece of land which comprises more than 33 million square feet.
The major obligation of NYS OMH is “to protect its information assets and computer information systems collected or created as part of its ongoing business” (NYS OMH 2003a, p.1). This obligation is observed under the State and the Federal Statutory and regulatory requirements (NYS OMH, 2011).
Therefore, given the functions of NYS OMH, IT security is required to ensure data and sensitive information belonging to different clients and patients is safeguarded. The purpose of the paper is to carry for an analysis on IT security breach prevention with respect to NYS OMH.
NYS OMH is a constituent of the Research Foundation for Mental Hygiene, Inc (UCLA Health Services Research Center, 2009). NYS OMH is a not-for-profit outfit whose responsibility is improve research and training, in addition to providing research assistance to the mental hygiene department in the state of New York.
All the research programs in the NYS are administered and overseen by the organization. As part of the foundation, NYS OHM offers necessary assistance to ensure the mental wellbeing and welfare of New Yorkers are achieved as stipulated its mission statement.
In the nineteenth century, there emerged different mental health systems and facilities in New York Stat. Under the State Care Act, the facilities were established with the intention of ensuring better mental health welfare to New Yorkers. Due to the increased demand for mental retardation and mental health services, the State Department of Mental Hygiene was founded in 1927.
In the 1950s, the mental health sector was faced with increased professionalization of staff, growth and institutionalization as the demand for effective and safe mental retardation and mental health services increased. The number of the State Mental Institutions offering better services to mentally challenged people continued to increase.
Between 1950s and 1960s, the New York State set an example by assuming the responsibility of taking care of the mentally challenged persons (Benjamin & Brecher, 1988). In 1954, the State’s Community Mental Health Services Act was enacted to oversee services delivery to retarded and mentally disabled persons. The following years saw the formation of the New York State Department of Mental Health.
The NYS OMH was founded as a corporation that would oversee the delivery of better services to the mentally challenged persons. The legislature has been offering an assistance of $ 3 million annually to NYS OMH as part of financial funding.
Between 1982 and 1986, the beds offered to mentally challenged persons in NYS OMH were increased to 2,020 beds from 982 (Benjamin & Brecher, 1988). This is an indication that the OMH has been expanding slowly and slowly.
NYS OMH operates under a five year strategic plan which ensures that its set strategic goals as stipulated in the company’s mission statement and visions are achieved (Mangurian et al., 2010).
The organization has experienced rapid expansion because it currently runs over 4,500 programs in the NYS. As a large city with a large population, NYS operates a comprehensive mental health system which serves an estimated 700,000 persons annually. In addition, NYS OMH certifies, regulates and oversees over 4,000 programs run by nonprofit agencies and the local government.
The affairs of the agency (NYS OMH) are operated and run from its headquarters. It operates different psychiatric facilities with headquarters in New York. However, field managers in different psychiatric facilities coordinate operations with the headquarters.
In addition, the agency oversees, regulates and certifies an estimated 2,500 programs run by nonprofit agencies and local governments (UCLA Health Services Research Center, 2009). Also, an oversight committee oversees that all these programs have been facilitated and are run well.
The objective of NYS OMH is to promote the well being and mental health of New York residents. The mission of the organization as stated by Hogan (2010) is;
‘To facilitate recovery for young to older adults receiving treatment for serious mental illness, to support children and families in their social and emotional development and early identification and treatment of serious emotional disturbances, and to improve the capacity of communities across New York to achieve these goals” (p.2).
The values of New York State OMH are recovery, resilience, excellence, respect, disparities elimination, cultural competence, positive emotional, and social developments (Hogan, 2010). Like any other organization, NYS OMH has different stakeholders who are part of its daily operations.
Some of its major stakeholders are patients, nongovernmental organizations, the New York State, nonprofit agencies, and local governments. All these stakeholders are provided with different programs and psychiatric services.
The leadership style used by NYS OMH ensures that accountability and transparency are realized. The organizational leadership major focus is the promotion of mental health with the objective of reducing stigma and fear among the people (Hogan, 2010).
It also conducts mental health research with the aim of advancing prevention, treatment and recovery. Furthermore, it provides state operated inpatient and outpatient mental health support and services to New Yorkers.
NYS OMH has a well set organizational chart which foresees the management of the organization. At the top of the organization is the office of the commissioner who chairs NYS OMH meetings.
Sitting on the board of the company are representatives from the office of counsel, division of financial management, office of medical director, public information, intergovernmental affairs, and consumer affairs. A well elaborated organizational chart of NYS OMH as adopted from the company’s website (http://www.omh.ny.gov/omhweb/orgchart/orgchart.htm) is presented below
Figure 1: Organizational Chart of NYS OMH
Source: NYS OMH (2012b)
As shown in the organizational chart, NYS OMH has five major field offices (mental health regions) and they are the New York City, the Long Island, the Hudson River, the Central and the Western regions. All these regions are coordinated through the central NYS OMH office in Albany. The organizational structure of NYS OMH is simple and as a result it allows easy and effective running of operations.
NYS OMH operates using the latest information technology. For instance, the company operates using Oracle database, and Spatial Ware server, GIS technology and internet and internet. In other words, NYS OMH has established a network that facilitates easy connection between the field offices and the headquarters.
The IT system has been established in such as way that safety and health related issues are spotted quickly as they emerge. Moreover, the company has a well established emergency response system.
The IT of the NYS OMH is headed by facility directors. Under each facility director is a security manager who controls all security operations in each of the NYS OMH run facilities. Under the Security Management Systems, it becomes easy to control any form of security breach in the company.
SWOT analysis as an analytical tool gives an internal assessment of an organization by exploring the weakness and strengths experienced internally and opportunities and threats resulting from the outside environment.
One of the major strengths of NYS OMH is the presence of a well established Security Management System (SMS). Basically, the SMS is an application system which is web based. Both local and state facilities staff members use this application to have an access secured and sensitive web based applications such as PSYCKES Medicaid and Patient Characteristics Survey (PCS).
As a result, the company is able to reduce security breach on its data and information. In addition, the SMS allows the security manager to expand the system network or reduce the number of persons accessing sensitive data. The SMS has replaced previous requests for access paper forms which were used to get access data. This has not only enhanced security but has also increased efficiency and confidentiality in NYS OMH.
Others information system tools and application established are such as authentication, encryption, auditing and monitoring tools which increase security levels in the organization.
NYS OMH has put in place an emergence response system operated through Oracle database and Spatial Ware server based GIS technology which is accessible via OMH intranet (Nag & Sengupta, 2007). This allows OMH system to analyse many “what if” scenarios.
In addition, safety and health related issues can easily be spotted and addressed. Also, federally reimbursed costs are easily tracked once they are uploaded. It also becomes easier to track how such costs have been incurred thus increasing the levels of transparency.
The company operates more than 2,500 psychiatric facilities and over 4,500 programs in New York State. This gives the company monopoly as it is the sole provider of data and information related to mental health in NYS. By cooperating with nonprofit agencies and local government, the company is able to offer netter services not only in NYS but in U.S.
Numerous campaigns have been carried in the past to have the company closed because of mistrust. Basically, there has been a claim that funds channeled to mental health services have not been accountable for. In addition, the funds have been channeled to other functions instead of the stipulated functions.
This has a high chance of damaging the reputation and the trust people have on the company. Given that the company is majorly funded through taxpayers’ money, funding may be cut down if the claims are found to be true.
The company depends highly on information technology for data storage and processing. It also relies on the internet to carry out it transactions. Despite the fact that technology is important since it increase efficiency, it is prone to security related problems. Management of the networks is a major challenge that the company faces is managing a large network with specialized facilities (Nag & Sengupta, 2007).
This is because coordination is required between field managers and the headquarters administrators without any form security breach. The company depends highly on federal state funding. This implies that the company experiences budget cuts. It is not a fully independent body as it is part of the Research Foundation for Mental Hygiene, Inc which means it cannot make all informed and corporate decisions without the foundation.
New York has the largest multi-faceted mental health system serving over 700,000 persons annually (NYS OMH, 2012). This means that it stores very sensitive information of almost all New Yorkers. With the latest advancement in technology and the presence of computer geeks, the information is prone to IT security breaches.
This means that the information can be accessed by unauthorized party through hacking or be corrupted through computer viruses and software (Ammenwerth, Graber, Herrman, Burkle & Konig, 2003). This can jeopardize the privacy and the confidentiality of the information stored in OMH database.
NYS OMH database store diversified data types which threaten effective distribution of data and information. In addition, multitude computing platforms are required to keep the network linked and connected (Nag & Sengupta, 2007.
As a result, this threatens the welfare and the functionality of the OMH Security Management System. The system is prone to inside jobs which can lead to extraction and access of sensitive data and information by authorized personnel for malicious reasons. Unauthorized access by authorized personnel to sensitive data is an IT breach of security which jeopardizes personal information and data.
Advancement in technology and information gives OMH the opportunity to embrace the latest technology. This would help the company offer safe and innovative alternatives to healing and mental health recovery. In addition, other than increasing treatment effectiveness, technology opens a window for adopting the latest technology for research on mental health related issues (Sinclair, 2001).
With regard to the issue of IT security breach, the organization will invest in the latest data storage facilities. OMH can also improve on the security systems used by adopting more advanced security systems and protocols.
Web based application in mobile phones, tablets, and androids Smartphone ensure that personal data and information is made accessible at anytime and from anywhere. This ensures that business and interested individuals can have access to information increase the level of corporation.
This section of the research study uses different materials with the objective of exploring IT security breach and measures which are undertaken to reduce its occurrence.
Definition of IT Security Breach
In simple terms, security breach is the violation of the set protocols, procedures, and processes by a third party. It can also be termed as security violation after another organization or individual gets illegal access to secured data or information. Legally, security breach is a criminal offence and a liability to an organization. This is because it reduces the level of trust and operations of an organization.
Either internally or externally, unauthorized access to information or data acts as an IT security breach (Appari & Johnson, 2008; Fleming, 2009). The presence of hackers, malicious software, and viruses pose a threat to companies which really heavily to IT such as NYS OMH.
With the advancement in technology, health agencies inclusive of NYS OMH use electronic applications and means to get, use, maintain, and store personal health data and information (Myers, Frieden, Bherwani & Henning, 2008; Ko & Dorantes, 2006). Although electronic data and information formats improve performance in running of health operations, they pose a potential threat to privacy.
This is because data can be duplicated or transmitted easily through other information systems components to unauthorised parties. As a result, security breaches occur which threaten confidentiality and privacy of patients’ information. Security breach can be both electronic and physical (Myers et al. 2008).
For example, it can be electronic if information is copied and transported through laptops or flash devices and made available through the use of wired networks from any location in the world. In addition, transfer of information and network access management are vulnerable to security breaches such as interception by hackers and infection by malicious software or virus.
According to Myers et al. (2008), public health departments and agencies are prone to external and internal intruders who pose a great threat to IT security. If their security and electronic access to an organization database is not been revoked they stand out as the largest threat to security breach. Hackers and burglars may get access to sensitive information thus threatening the security levels of information.
Hanover (2012) opine that in April this year, three high profile and high volume data breaches took place in the U. S where more than 1.3 million healthcare consumers were affected. The three counts of security breach were as a result of lost backup tapes, hacker activities, and inappropriate access and internal misconduct by an employee.
Hanover (2012) adds that these breaches occurred in three weeks consecutive in the healthcare sector. As a result, the issue of security breach has raised a heated debate.
Therefore, the three cases are an example of the need to adopt multi prolonged approach to ensure security to information and data available to healthcare organizations inclusive of NYS OMH. Consequently, there is need to consider and assess internal threats, physical security threats, intrusion and network security.
Countermeasures to security breach
The government has envisioned the adoption of electronic healthcare records by all HMOs (Appari & Johnson, 2008). This will ultimately reduce the threat posed by IT security breach. Through the implementation and adoption of different countermeasures, security related risks on the healthcare sector can be curtailed (Laverdière-Papineau, 2008).
According to Kwon and Jonson (2012), majority of organization in the healthcare sector fail to curb IT security threats because they belief that security breach is only a technical issue. However, there has been a shift in viewing ways of reducing security breach issues achieved by adopting a social perspective framework of IT security.
Education, policies, and organizational culture are some of measures which are used to support technical measures in curtailing security breach (Kwon & Johnson, 2012). Strategic approaches have been adopted by different organization in the healthcare sector to mitigate security issues caused by the rapid change in technology. As a result, hospitals and healthcare agencies have been able to protect patients’ information.
Once enacted in an organization, compliance policies and regulatory policies ensure that patients’ information is protected. Regulatory compliance is not only an internally implemented strategy but is also an external policy (Kwon &, Johnson, 2012). The rationale behind the preceding statement is that organizations like hospitals share patients’ information with third parties who may lack compliance regulatory policies.
Therefore, the implementation of regulatory compliance makes third parties liable to compliance security breach policies. As noted by Al-Hakim (2007), security countermeasures improve security by creating a more secure network.
There are three major areas of countermeasures adopted by organization to prevent IT security breach. These are software, operational and management areas. Management countermeasures are concerned with preventative level (Al -Hakim, 2007). For example, policies are designed constituting breach and the resultant consequences in case security breach occurs (Asfaw, 2008).
In operational countermeasures, detection and preventive controls are offered. Some of the detection and preventive measures are such as use of surveillance cameras, security guards, and biometrics systems, use of passwords, identification badges and logging as well as auditing attempted access with the objective of determining any unauthorized access.
Technical countermeasures entail the use of hardware and software to offer protection to web application and networks. Some of the commonly applied tools are such as public-key infrastructure, firewalls, virtual private networks, encryption, intrusion-detection systems, authentication, upgrades and software patches and access point configurations (Al -Hakim, 2007).
Given that most of the healthcare agencies use network configurations, these technical measures play an integral role in security maintenance. In addition, these measures ensure that patients’ data and information is only accessible by authorized parties.
Governments have regulations provided to healthcare providers which encourage maintenance of security and privacy of patients’ information when transmitting data and keeping patients recorded. For example, in U.S there is the Health Insurance Portability and Accountability Act while in Canada, theirs is PHIA (Asfaw, 2008).
In Europe there are legal policies which make healthcare providers accountable for any breach of privacy in respect to patients’ data and information (Mennerat, 2002). These compliance requirements make it possible to maintain confidentiality and privacy of sensitive information.
Myers et al. (2008) note that technical training is one of preventive measures adopted by healthcare agencies. This is because most security breaches occur internally and do not result from external hackers. As a result, educational initiatives are important in ensuring that a cultural change is incorporated in the healthcare sector.
Preventive measures are embedded in organizational and electronic policies to reduce human error which can result to breach of security.
This can be realized through preventive engineering via the adoption of recent technologies such as multifactor or single authentication (Myers et al., 2008). Some organizations have supported this with high level confidentiality policy to all personnel who have access to very sensitive information.
Compare and contrast
There are different software and programs used to reduce security breach not only in health sector but in other sectors. One of these is the WORM (Write Once, Read Many) program which according to Myers et al. (2008) and Null and Lobur (2010) has electronic and technology signatures.
The benefit associated with this program is that it prevents tampering of data after the creation of the initial files. This means that the WORM has the capacity to protect the duplication of health related data and information thus curtailing security breach (Richards & Heathcote, 2001). The only limitation is that WORM is an expensive program but it is worthy every the implementation.
Some organizations use virtual private network (VPN) to run networked transmissions. Just as described by Al –Hakim (2007), VPN is used to create an encrypted network and channels between the network and the user’s wireless device, hence hiding data and information transmission. It reduces cost and ensures network scalability (Mitchell, 2012; Shinder, 2001).
This means that organizations with many branches can share costs through sharing of communication lines. The only limitation of VPN is that its reliability may be compromised if not well implemented (Shinder, 2001). Reliable and outstanding internet connection is necessary to ensure that communication is carried securely.
Other programs are such as firewalls which prevent unauthorized persons from having access to stored data and information. The only limitation is that some firewalls can be passed through by computer hackers. Firewalls allow only authorized persons have access to patient’s data and information (Al-Hakim, 2007).
Virus which can harm or tamper with stored data or information can be prevented through use of computer software. For example, antivirus such as Norton and MacAfee can be used to prevent any malicious software or virus which may lead to security breach.
Diagnosis of the Problem or Improvement
The major problem experienced by NYS OMH is on the management of its large network of specialized facilities from its headquarters without security breach. Basically, a challenge is experienced while managing all these facilities and while transmitting data from the OMH intranet system.
Statement of the Research Problem
NYS OMH like any other large corporation which provides services to a wider range of clients is faced with challenges in managing its diverse networked facilities from its headquarters without experiencing security breach. Basically the field personnel and the office administrators of the OMH have to keep in conduct.
Field managers who are obligated with serving specific clients have to carry their operations safely and effectively. The problem associated with the management of networked specialized facilities in NYS OHM is because the company deals with diversified data types. In addition, multitude computing platforms are required without experiencing security breach on its information systems (Nag & Sengupta, 2007).
Broadly, the identified research questions for the study are:
- What are the strategies utilized by companies to foster IT security?
- How can IT security be improved in organizations like NYS OMH?
Review of the Related Literature
The review of the related literature will provide the foundation for a written strategy and implementation plan to address the identified areas of concern.
Strategies applied to Foster IT Security
Different organizations employ different strategies to foster IT security in their organizations. One of these strategies is the implementation of compliance regulatory policy. As noted by Kwon and Johnson (2012), compliance policies foster IT security as data or information cannot be accessed without facing the set penalties.
This observation has been supported by Schiff (2009) who opine that data protection policy limits incidents associated security breach. A good protection policy limit access to sensitive information, puts into place response plan to handle security breach, uses strong encryption of storage devices, and considers privacy and confidentiality policies.
In a study that was conducted by Kwon and Johnson (2012), the researchers concluded that compliance is highly applied as a security management tool against third party breaches and training. To complement compliance regulatory, organizations run security audits as part of routine checks. In addition, practical guidelines and strategic goals are applied as part of the compliance regulatory (Andrés & Kenyon, 2004)
As part of strategic planning, some organizations adopt confidentiality and privacy policies as part of enhancing security of patients’ information (Myers et al., 2008). However, it is only about a third of the public health facilities in US which have implemented this policy to foster IT security.
Nonetheless, through the government, some acts such as HIPAA have been enacted which strengthen protection of healthcare information in the public sector. Despite the fact that most of the public health agencies are exempted from HPAA, the policy however requires privacy and confidentiality of patients’ information especially when it is transmitted electronically.
An organization like Amazon uses access control policies which require authentication of users before logging into the system (AWS, 2012). This can be adopted by other organizations to promote security in the healthcare sector.
Some organizations have gone to the extent of incorporating multifactor authentication as part of security check. According to AL-Hakim (2007), the use of biometric authentication system, people with access to sensitive would be countable in case of security.
In addition, it becomes easy to monitor and control access to networks and sensitive areas. Lastly, secure networks are applied if an organization has a multi-faceted connection with other facilities.
Ways to Improve IT Security
IT security can be improved through the incorporation of non-routine disclosure protocols. For this strategy to be effective, some important confirmation should be made to avoid security breach.
As opined by Myers et al. (2008), organizations should have the disclosure specify if it is authorized by law or policy, verify the integrity of the data being disclosed, determine the individual accessing the information, and ensure the information is send in a secure manner.
Organizations can set security policies as part of organizational culture to foster security check (Clark & McGhee, 2008). For example, security policies would prohibit employees from looking at patients’ information, deny employees from having access to high sensitive or classified information, put into place internal security checks, and ensure that employees cannot have access to guest operating system.
These protocols prohibit internal security breach which is considerably high compared to external breach (AWS, 2012). Educative programs and training can also be carried at organizational level to create awareness among employees on the importance of protecting patients’ information and data from unauthorized persons (Meyers et al., 2008). This would foster security improvement at organizational levels.
One of practical ways of improving information security state is through frequent information security assessments. Vladimirov et al. (2010) opine that information security assessments should be carried on regular basis. This would eliminate any tangible security gaps thus improving security of information.
This has been supported by Colling, York and Colling (2010) observation that security assessment acts a countermeasure as it determines security breach points. However, it should be noted that security assessment is carried at organizational level to determine and evaluate any possible security risks.
This is supported by security audit which ensure that the system operates as required and no IT security alert is posed (Colling, York & Colling, 2010).
Other ways of improving IT security include regular audits, background checks on all personnel who have access or handle sensitive information, and hosting of patients’ sensitive information and data on ‘thin clients workstations’ (Myers et al. 2008). Hosting patients’ sensitive information on thin clients workstations ensure that information is not easily transferred from main computer or database to secondary storage devices.
Rules and regulation may be passed which prohibit access by every employee to data rooms containing highly classified patients’ information. This is achieved through the use of authentication measures such as biometric validation. Video surveillance on data storage rooms could also be an effective way of preventing security breach.
Research Design/ Methodology
Collis and Hussey (2007) describe methodology as an approach used in research to organize and plan the general approach in which the research goals and questions are addressed
The research is descriptive in nature and qualitative research design has been adopted. Basically, since the research is more concerned with IT security breach, primary materials will be used to provide any relevant information and data which answers the stipulated research questions.
For example, data and information will be collected from NYS OMH website and different publications for easy analysis. Owing to the nature of the study, it would be appropriate to use qualitative research design since no generalization is required in respect to the case study. As noted by Williams (2007), qualitative research methods allow the researcher to get data and information related to the specific phenomenon under study.
The research is a case study based on the New York Office of Mental Health and the major focus will be on IT security breach. Given that NYS OMH is networked to other facilities all over NYS, the primary data collected will assist in determining the already available IT security strategies and define ways which can be applied to improve its security.
Primary data collection has been chosen because it is cheap, saves time, most important information needed can be collected from the company’s website and it is cost effective (Runciman, 2002). The only drawback is that the information may be biased since the owner (NYS OMH) like any public interested party may be willing to foster a positive image.
Presentation and Analysis of Data
The company also operates under the Federal Health Information Technology for Economic and Clinical Health (HITECH) Act which is safeguarded under the HIPAA (NYS OMH, 2003; Brown & Brown, 2011). This fosters information security in the company.
Since most of the operations of NYS OMH are based on Web Application, the company has adopted Security Management System which is based encryption (NYS OMH, 2012a). However, the company has not undertaken encryption protocols but it is on the verge of implementing EMR (electronic medical records) (NYS OMH, 2012a).
Based on the research findings, it is evident that NYS OMH has adopted strategies which foster IT security on its network. For example, the company has adopted and continued to train its employees on HIPAA and HITECH Act with the objective of improving its security. As acknowledged by Myers et al. (2008), the HIPAA is necessary since it safeguards patients’ information by preventing security breach.
Furthermore, HITECH Act has incorporated important clauses which encourage high penalties for persons of engage in security breach ranging from $50,000 to $1, 500,000 in a single year (NYS OMH, 2010). OMH has a well established Security Management Systems which foster security on patients’ information. This has made its network secure from any viable security breach.
As advocated by Al-Hakim (2007) and Meyers et al. (2008) on employee training and training initiatives as part of awareness creation, OMH has been training its employees to understand the need and importance of privacy and confidentiality. This will be a milestone as it will prevent security breaches from inside the organization.
In addition, the company is ensuring that its employees are acquainted with the requirements of HITECH Act and HIPAA as part of improving security (NYS OMH, 2010). NYS OMH has established SMS which is run through electronic authentication (NYS OMH, 2012c). Just like any other security fostering program, the SMS as a strategy will not only improve security in OMH but will also foster security.
The adoption of EMR, SIEM and DLP is an indication that OMH has realized the essence of fostering IT security. It can be concluded that, despite the fact that OMH is on the verge of adopting multifactor authentication it has so far shown its ability in fostering and improving security by safeguarding patients’ information.
Based on the findings analysis, the following suggestions have been recommended which can be used to improve IT security in NYS OMH. Employees working in different NYS OMH facilities need to be trained on the importance of security maintenance. This will not only create awareness but will encourage employees to be champions in preventing security breaches.
Security assessments can be carried from time to time to ensure that no security breach is being encountered. In addition, security assessments would ensure any form of security breach is noted and immediate action undertaken.
Owning to the fact that most of the NYS OMH are run through networking, more secure user protocols would be recommendable. This is because they assist in preventing any intrusion on the data being transmitted.
To improve the NYS OMH security, the following implementation processes outlined below are deemed viable. Definition, selection and identification of the most appropriate countermeasures for improving IT security in NYS OMH are the first steps in the implementation process (Jones & Ashenden, 2005). It should be noted that the implementation plan should be achievable and supported by considerate timeframe like two years.
The implementation manager with the help of an IT security consultant should then sign off each of the identified and selected countermeasures and security strategies.
Consultation between the security risk managers, security managers and head of security in each facility should carried to ensure that the implementation process is not hampered. Upon approval and agreement, the implementation process can be initiated in the first phase. The table below represents different phases and activities which will be undertaken during the implementation process.
Table 1: Implementation plan
|Phases/stages||Activities||Duration/time frame||Remarks on the progress of the implementation|
|1||Initiation of the selected, identified and defined security strategy. Personnel involved in security should be involved in this phase to make them acquainted to the new security protocols||3 months|
|2||Review of the progress of the implementation process||1 month|
|3||Departmental installation of the agreed upon strategies||2 months|
|4||Cost benefits analysis to determine whether the strategies have more benefits or costs. This determines whether the implementation process will continue.||2 months|
|5||Monitoring and evaluation of selected countermeasure before full implementation||3 months|
|6||Final process and launch of the improved system to all other facilities||6 months|
|7||Full implementation, evaluation and monitoring||Evaluation and monitoring are continuous processes and should not be stopped hence lack of specific time frame.|
Al-Hakim, L. (2007). Web mobile-based applications for healthcare management. Hershey, PA: IRM Press.
Ammenwerth, E., Graber, S., Herrman, G., Burkle, T., & Konig, J. (2003). Evaluation of health information systems – problems and challenges. International Journal of Medical Informatics, 71(2), 125-135.
Andrés, S., & Kenyon, B. (2004). Security Sage’s guide to hardening the network infrastructure. Rockland, MA: Syngress.
Appari, A., & Johnson, M. E. (2008). Information security and privacy in healthcare: current state of research. Hanover, NH: Dartmouth College.
Asfaw, E. (2008).Health Insurance Portability and Accountability Act (HIPAA): Confidentiality and Privacy from the Perspectives of the Consumer and the Physician. USA.: ProQuest
AWS. (2012). Creating healthcare data applications to promote HIPAA and HITECH Compliance. Retrieved from http://d36cz9buwru1tt.cloudfront.net/AWS_HIPAA_Whitepaper_Final.pdf.
Benjamin, G., & Brecher, C. (1988). The Two New Yorks: State-city relations in the changing federal system. New York: Russell Sage Foundation.
Brown, S. A., & Brown, M. (2011). Ethical issues and security monitoring trends in global healthcare: Technological advancements. Hershey, PA: Medical Information Science Reference.
Clark, C. L., & McGhee, J. (2008). Private and confidential?: Handling personal information in social and health services. Bristol, UK: Policy.
Colling, R. L., York, T. W., & Colling, R. L. (2010). Hospital and healthcare security. Amsterdam: Butterworth-Heinemann.
Collis, J., & Hussey, R. (2003). Business Research: A practical guide for undergraduate and postgraduate students. Hampshire: Palgrave Macmillan
Fleming, D. A. (2009). Ethics conflicts in rural communities: Health information technology. Hanover. NH: Dartmouth College Press
Hanover, J. (2012). 3 massive security breaches in 3 weeks: Taking a closer look. Retrieved from https://idc-insights-community.com/health/healthcare-transformation/3-massive-security-breaches-in-3-weeks-taking-a-cl.
Hogan, M. F. (2010). NYS OMH Strategic framework. Retrieved from http://www.omh.ny.gov/omhweb/planning/statewide_plan/2010_to_2014/framework.pdf.
Jones, A., & Ashenden, D. (2005). Risk management for computer security: Protecting your network and information assets. Burlington, MA: Elsevier Butterworth-Heinemann.
Ko, M., & Dorantes, C. (2006). The impact of information security breaches on financial performance of the breached firms: an empirical investigation. Journal of Information Technology Management, XVII, 13-22.
Kwon, J., & Johnson, M. E. (2012). Security practices and regulatory compliance in the healthcare industry. Journal of American Medical Informatics Association. doi:10.1136/amiajnl-2012-000906
Laverdière-Papineau, M.-A. (2008). Towards systematic software security hardening. Ottawa: Canada.
Mangurian, C., Miller, G. A, Jackson; Li, C. T. H, Essock, S. M., & Sederer, L. I. (2010). State mental health policy: Physical health screening in state mental health Clinics: The New York health indicators initiative. Psychiatric Services, 61(4), p.1.
Mennerat, F. (2002). Electronic health records and communication for better health care: proceedings of EuroRec ’01. Amsterdam: IOS Press
Mitchell, B. (2012). What Are the Advantages and Benefits of a VPN? Retrieved from http://compnetworking.about.com/od/vpn/f/vpn_benefits.htm.
Myers, J., Frieden, T. R., Bherwani, K. M., Henning, K. J. (2008). Ethics in public health research. American Journal of Public Health, 98(5), 793–801.
Nag, P., & Sengupta, S. (2007). Geographical information system: Concepts and business oportunities [opportunities]. New Delhi: Concept Pub. Co.
Null, L., & Lobur, J. (2012). Essentials of computer organization and architecture. Sudbury, Mass: Jones & Bartlett Learning.
NYS OMH (2003). HIPAA awareness training. Retrieved from http://www.omh.ny.gov/omhweb/mhbc/slides.pdf.
NYS OMH (2003a). Introduction to confidentiality and non disclosure agreement, data exchange agreement and computer application sharing agreement. Retrieved from http://www.labor.ny.gov/workforcenypartners/nyess-confidentiality-and-non-disclosure.pdf.
NYS OMH (2010). Federal HITECH Act: Protecting patient privacy and data security. Retrieved from https://www.omh.ny.gov/omhweb/resources/newsltr/2010/jan/#quality
NYS OMH (2011). Frequently Asked Questions. Retrieved from http://www.omh.ny.gov/omhweb/faq/
NYS OMH (2012). About OMH. Retrieved from http://www.omh.ny.gov/omhweb/about/
NYS OMH. (2012a). Description of the Security Management System. Retrieved from http://www.omh.ny.gov/omhweb/sms/description.html
NYS OMH. (2012b).New York State Office of Mental Health organization chart. Retrieved from http://www.omh.ny.gov/omhweb/orgchart/orgchart.htm
Richards, R. P., & Heathcote, P. M. (2001). AVCE information and communication technology: Units 4-6. Ipswich: Payne-Gallway.
Runciman, W. B. (2002). Qualitative versus quantitative research: Balancing cost, yield and feasibility. Quality and Safety in Health Care, 11, 146-147.
Schiff, J, (2009). Five ways to improve data protection. Retrieved from http://www.internetnews.com/security/article.php/3805156/Five+Ways+to+Improve+Data+Protection.htm
Shinder, D. L. (2001). Computer networking essentials. Indianapolis, IN: Cisco Press.
Sinclair, D. (2001). Health care reform: the effect of a vertically integrated health system on emergency medicine. Canadian Journal of Emergency Medicine, 2(3), 154-155.
UCLA Health Services Research Center. (2009). The New York Office of Mental Health (OMH). Retrieved from http://www.hsrcenter.ucla.edu/partner/nyomh.shtml
Vladimirov, A. A. et al. (2010). Assessing information security: Strategies, tactics, logic and framework. Ely: IT Governance Pub.
Williams, C. (2007). Research methods. Journal of Business & Economic Research, 5(3), 65-71.