The UAMS Security Plan and Risk documentation are separated into three major control areas: 1) Management Controls, 2) Operational Controls, and 3) Technical Controls. The division of control areas in this manner complements six NIST Special Publications: NIST Special Publication 800-12, An Introduction to Computer Security; NIST Special Publication 800-18, Guide for Developing Security Plans for Information Technology Systems; NIST Special Publication 800-37, Revision 2, Guide for Applying the Risk Management Framework to Federal Information Systems; NIST Special Publication 800-53, Revision 5, Security and Privacy Controls for Information Systems and Organizations; and NIST Special Publication 800-66, Revision 1, An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule. These documents may be referenced for further information and can be obtained from the NIST Computer Security Resource Center web site at https://csrc.nist.gov. UAMS IT Security has begun the move to the NIST Cybersecurity Framework.
Security Statement:
While initially framed around HIPAA compliance, UAMS security policies have evolved into comprehensive Information Security Policies that address the broader needs of safeguarding sensitive research information.
The UAMS workforce must undertake appropriate administrative, technical and physical safeguards, to the extent reasonably practicable, to preclude Protected Health Information (PHI) from intentional or unintentional use or disclosure in violation of the HIPAA regulations. Access to UAMS Information Systems is managed to protect the confidentiality, integrity and availability of Confidential Information, including ePHI. UAMS Policies 2.1.23 Safeguarding Protected Health Information and 2.1.35 Information Access Management must be strictly adhered to in order to protect information containing PHI.
Data at UAMS is protected using a defense-in-depth methodology. Multiple firewalls (both application- and port-based), an anti-spyware/virus/vulnerability gateway, Endpoint Detection and Response (EDR), Intrusion Detection Systems (IDS), vulnerability scanners, Security Information and Event Management (SIEM) systems, Data Loss Prevention (DLP), network segmentation, strict access controls (including MFA), data backup/restore appliances, and custom audit and reporting services are used together to maintain the security and integrity of UAMS research data.
Policies:
UAMS policies relating to the privacy and security of UAMS data can be found here: https://hipaa.uams.edu/