CM-19 Information System Guidelines

I. PURPOSE

The LSU Health Sciences Center Shreveport (LSUHSC-S) is dedicated to insuring that information systems are maintained in a manner that offers reliable and secure information sources.

The purpose of this document is to define minimal standards to protect and preserve the integrity, security, availability and reliability of data.

II. SCOPE

This policy applies to systems used in decision making or official documentation of care, treatment or financial transactions and is intended to supplement any existing policy, laws, or regulations currently referring to computing and networking services or other LSUHSC-S standards or policies.

Any policy at a division or department level should build upon the foundation of this policy and may be more restrictive than this policy, but must not be less restrictive.

LSUHSC-S Assistant Dean of Information Technology provides leadership and direction for planning the information structure of LSUHSC-S. Future or planned information system acquisition and the plan for the use and support of this system must be presented for review to this office prior to purchase or purchase agreement.

Accountability for protection of information resources shall be the responsibility of the person or person(s) assigned custodianship of the resource system. The custodian(s) shall be held accountable for any violations associated with that system and shall be responsible to maintain and operate the system in a responsible manner.

III. DEFINITIONS AND TERMS

System Administrator or Custodian - authorized to add and or configure new workstations, establish user accounts, install software and or hardware.

Applications Manager - assigned operational management of the installed applications, supports users, and maintains the database.

Authorized User - Staff, student, faculty, contractor, vendor, or entity that has an official affiliation with LSUHSC-S and has been assigned a user ID that provides access to an information system.

LSUHSC-S - References all divisions of the LSUHSC-S campus.

Business Use/Need - That which is consistent with one's role in the organization.

Network - The infrastructure necessary to pass information among information technology devices.

Application - Software, data, and peripherals necessary to access and maintain an information system

Server - A computer that has other computers (clients), connected via a network that provides services for the clients.

IV. POLICY

LSUHSC-S information systems that provide or contain confidential, restricted or personal protected information shall be maintained in such a manner as to insure protection from

• unauthorized use
• loss of information
• loss of integrity
• misuse of information
• malicious threat
• unavailability of information

Authorized users, application managers or system administrators/custodians will

• Comply with all federal and state laws, LSUHSC-S rules and policies, contracts and license agreements governing software agreements and records/storage media containing student, health care, fiscal, payroll, and other information relating to business activities of LSUHSC-S.
• Obtain administrative approval from the Assistant Dean of Information Technology to operate a server or server-based system
• Submit acquisition plans prior to purchase or purchase agreement to the Assistant Dean of Information Technology for systems that will be utilized as a primary source or repository for clinical or other sensitive information.
• Present appropriate documentation to the Information Security Officer.
• Obtain the proper written authorization prior to accessing or sharing LSUHSC-S data.
• Comply with policies and procedures set forth by LSUHSC-S and or other governing bodies to safeguard the IT infrastructure and information stored on hardware and systems containing sensitive or protected information.

System administrators/custodians and application managers shall routinely evaluate and document (i.e. policy and or procedure manuals or logs) the following:

• System
  • Operation and use
  • Periodic maintenance and testing of safety features
  • Downtime
  • Backup, storage and restore
  • Emergency software and hardware support
  • Upgrades/enhancements
  • Security access - business use/need
  • Security audits
  • Data integrity and verification
  • Confidentiality, security and release of information
  • Risk analysis
• Environment
  • Clean and maintained hardware and facility
  • Adequate ventilation
  • Appropriate environmental controls
  • Accessible and appropriate fire-fighting equipment
  • Appropriate safety precautions and adherence with external and internal safety guidelines
  • Risk analysis
• Security
  • Software protection from alteration or destruction
  • Hardware protection from theft, destruction or alteration
  • Anti-virus software
  • Password protected access levels - business use/need
  • Mandatory password maintenance at frequent periodic intervals
  • Audit capability for software/data modifications and access
  • Risk analysis
• Data Integrity, Retrieval and Storage
  • Verification of data transmitted via interfaces to other systems or generated in paper form or video display
  • Data generated and used in care and treatment filed in appropriately in Hospital Health Information Services (Medical Records)
  • Memory capacity sufficient to meet the service demands
  • Reliable accessibility to data
  • Retention guidelines meet or exceed applicable laws and regulations
  • Data media is properly labeled, protected and stored
  • Backup and restore procedures followed
  • Storage facility for backup/restore located offsite and meets all applicable regulations for securing and protecting storage media
  • Risk analysis
• Hardware and Software
  • Scheduled and documented preventive maintenance that minimizes interruption of service
  • Documented evaluation of errors encountered in system maintenance or system malfunctions
  • Documented verification procedures of program and data integrity after system restore or hardware/software modifications/upgrades
  • Interfaces to and from systems utilize a recognized standard for electronic interchange of clinical, financial, and administrative information (i.e. HL-7)
  • Interface transmission includes reference ranges or units of measure where applicable
  • Uninterruptible power source and protection against power surge
  • Risk analysis

IV. Amendments and Revisions

This policy shall be amended or revised as the need arises.

Noncompliance with this policy could result in disciplinary action up to and including termination of employment, dismissal from an academic program, and civil or criminal liability.

This memorandum is effective January 16, 2004.

Signed: John C. McDonald, M.D. Chancellor