Organizing Safety: Conditions for Successful Information Assurance Programs

Abstract

Organizations must continuously seek safety. When considering computerized health information systems, "safety" includes protecting the integrity, confidentiality, and availability of information assets such as patient information, key components of the technical information system, and critical personnel. "High Reliability Theory" (HRT) argues that organizations with strong leadership support, continuous training, redundant safety mechanisms, and "cultures of high reliability" can deploy and safely manage complex, risky technologies such as nuclear weapons systems or computerized health information systems. In preparation for the Health Insurance Portability and Accountability Act (HIPAA) of 1996, the Office of the Assistant Secretary of Defense (Health Affairs), the Offices of the Surgeons General of the United States Army, Navy and Air Force, and the Telemedicine and Advanced Technology Research Center (TATRC), US Army Medical Research and Materiel Command sponsored organizational, doctrinal, and technical projects that individually and collectively promote conditions for a "culture of information assurance." These efforts include sponsoring the "P3 Working Group" (P3WG), an interdisciplinary, tri-service taskforce that reviewed all relevant Department of Defense (DoD), Miliary Health System (MHS), Army, Navy and Air Force policies for compliance with the HIPAA medical privacy and data security regulations; supporting development, training, and deployment of OCTAVE(sm), a self-directed information security risk assessment process; and sponsoring development of the Risk Information Management Resource (RIMR), a Web-enabled enterprise portal about health information assurance.