Healthcare Information Security Program
On April 14, 2003, a proposal to initiate a project for developing a security program for the information and computing environment of the Academic Health Center (AHC) was presented to Dr. Douglas Barrett, Vice President for Health Affairs. Subsequent presentations were made to the Health Science Center Deans and Dr. Chuck Frazier, University of Florida Vice Provost for Information Technology. The security program for the information and computing environment (SPICE) was subsequently approved and efforts to assess and secure the AHC data infrastructure were undertaken. Healthcare Security Policies that were once those of the original SPICE Program are now under the leadership of the UF Information Security Office. (more)
Workforce Security Training Requirement
Everyone is responsible for information security including AHC leadership, management, faculty, staff, students and volunteers. The UF Health security policy requires annual training of the workforce in information security concepts, securing protect information and security best practices.
The University of Florida is the owner of information generated or used by University employees while in the employ and conducting the business of the University, no matter where that information resides. As Owner, the University of Florida is responsible for prescribing certain levels of protection for information whose loss, corruption or unauthorized disclosure results in some level of adversity for the University or an individual. Levels of protection can be costly and not all types of information need to be protected at the same level. Going through a thoughtful effort to classify information types can help a College, Department or Unit decide on a rational information security implementation. According to current UF policy, information must be classified into one of three classifications; Restricted, Sensitive, or Open (unrestricted). When classifying information consider, how important (high, medium or low) it is to keep it confidential, how important (high, medium or low) its integrity is, and how important (high, medium or low) it is to be available. (UF Data Classification Policy)
Each Unit shall maintain a written contingency plan. The format of standard CP0001 may be used. It is the intent that Standard CP0001 provides a format that facilitates meeting all requirements of contingency planning policy. It is the responsibility of the Unit Information Security Administrator to ensure that all requirements of the contingency planning policies are satisfied.
Each Unit shall must adhere to the UF Policies for Information Security. In addition each Unit may create additional policies to comply with accepted Security Policies and Technical Standards.