Due to formatting limitations, links to the documents related to these topics have been provided.
MUHC One Page Overview for Business Owners - This document provides an overview of the roles and responsibilities of business owners, users, and information security in protecting organizational data and infrastructure within MU Healthcare.
MUHC Device and Application Screening - This document outlines the screening process for medical equipment replacements, software renewals, and additions of new functionalities within the MU Healthcare system. It provides detailed qualification criteria and key questions to assess changes related to data, security, network configurations, and user access for both medical devices and software solutions.
Managing Risk Together: Department-Managed Software-as-a-Service / Cloud Solutions - This document explains how information security of cloud-based solutions is a shared responsibility involving business owners, technical owners, and the Information Security Office throughout the solution's lifecycle.
Vendor Requirements - This document outlines the information security requirements for vendors providing solutions, with a focus on protecting patient and regulatory data. It guides vendors through the procurement process, security expectations, and the documentation needed to ensure compliance with healthcare data protection standards.
MUHC RFP Screening - The document outlines the MU Healthcare (MUHC) Information Security screening process for Requests for Proposals (RFPs). It details the necessary information and considerations to ensure appropriate security questions and requirements are included when evaluating prospective vendors and solutions.
Understanding High Risk Items - This document highlights findings that may lead to a solution or vendor being determined to be "high risk".
Information System Activity Review Overview - This document describes the requirements for audit controls mandated by the HIPAA Security Rule.
MUHC Department Managed Application Documentation (form) - This form provides a structured framework for documenting user access and roles along with key account management processes in applications where accounts are managed by the department, ensuring compliance with HIPAA Security Rule requirements.
DEFINITIONS:
Executive Sponsor: C-suite leader who provides strategic oversight, advocacy, and accountability for a department-developed solution. They ensure alignment with enterprise goals, secure funding and resources, and support compliance with security and regulatory requirements. While not involved in daily operations, they play a key role in risk management, governance, and resolving escalated issues.
Business Owner: the department director or executive who sponsors the acquisition or continued use of a system and ensures its effective management, operation, and compliance within a business unit or across the enterprise. The Business Owner is the primary decision-maker responsible for the solution, ensuring appropriate approvals are obtained from the various groups, defining implementation strategies, and overseeing usage to align with business objectives and regulatory requirements. Decisions are made with oversight from the Executive Sponsor and Information Security to ensure adherence to enterprise governance, security, and compliance standards.
Data Custodian: the individual responsible for the technical implementation of data management decisions, such as access control and implementation of safeguards.
Technical Owner: the primary technical contact responsible for administering, configuring, and securing a cloud application fully managed by a department. This role may be filled by a departmental resource or an IT staff member. Working in collaboration with the Business Owner and Information Security, the Technical Owner ensures the application is securely configured, integrates properly with enterprise systems (e.g., certificates, email settings), and complies with security and regulatory requirements.
Application Administrator: (may be the same person as the Technical Owner) the person responsible for managing changes to the application and for user account management, under the direction of the Technical Owner.