Health Science Center’s SPICE project tackles tough task of securing information resources

The word “spice” conjures up sweet scents and tastes, but at the Health Science Center it stands for a massive undertaking to safeguard information resources throughout the HSC in Gainesville, Jacksonville and all remotes sites.

Defined by its mission, SPICE — an acronym for the new Security Program for the Information and Computing Environment — is aimed at appropriately protecting information wherever and however it is owned and generated by HSC faculty, staff and students.

Encompassed in the effort will be information contained in office computers, PDAs, floppy disks, compact disks, file cabinets and desks, photographs, videotapes, microfiche and hand-scrawled manuscripts.

Digital and wireless communication technologies, and even computerized copy machines, complicate the challenge of protecting information resources from loss, theft, corruption, misuse, inappropriate disclosure or malicious destruction, evidenced by recent computer worm and virus invasions. Points of vulnerability are further enlarged as a consequence of the HSC’s presence throughout Florida and South Georgia and its use of many different types of information systems.

Now enters a dash of SPICE, an initiative to shore up key areas of vulnerability — launched under the co-sponsorship of Douglas Barrett, M.D., vice president for health affairs, and Jan van der Aa, Ph.D., interim assistant vice president for health affairs for information technology, who described in an interview what the project means to all HSC faculty, staff and students:

Q: Why is it important to develop an information security program of this magnitude?

A: The Health Science Center has a responsibility to effectively address the security of all the vital information we generate through our missions in patient care, research, education and community service. We need an approach that addresses security needs and enables us to maintain the reliability, integrity, confidentiality and availability of information, while still allowing individuals to access information they need and share it safely.

Q: What are some of the biggest areas of risk for our health center?

A: Not having information available where and when it is needed to those who need it, or having information disclosed inappropriately, are our biggest challenges. Statistics have shown the largest threat to the security of information resources typically comes from within an organization — caused by human error, curiosity or malicious intent, closely followed by accidents or failure of systems. While computer hackers and viruses are highly publicized, information also can be readily destroyed as a consequence of natural events such as flooding and thunderstorms, electrical mishaps, human error or theft. We’re starting this project (SPICE) by identifying the likelihood of various threats and tackling the greatest risk factors first.

Q: Is it possible to completely protect the HSC’s information environment?

A: No, there is no such thing as being 100 percent secure. We aim to manage the risks as wisely as we can and make it known that each of us has a role to play in the security house we all live in. There are, of course, technical safeguards we will put in place to add to our ability to protect our information resources, but security, to a large extent, effectively uses what’s between our ears: common sense. Just think about it: Every time one of us leaves our computer on and unattended, important file drawers and office and lab doors unlocked, we put everyone’s information resources at risk.

Q: Will this security program address computer viruses, worms and hackers?

A: Yes, although we currently already have a number of safeguards in place to minimize the risk, we plan to put in place more safeguards against these invaders of our information environment.

Q: What kinds of new protective measures are being considered?

A: We’re looking at better virus protection systems and greater use of electronic firewalls that restrict unauthorized access to our information network. We plan to make more effective use of intrusion detection systems and expand use of automated patching’ of systems to reduce the points of vulnerability. We also plan to develop an Incident Response Procedure outlining proactive and reactive steps to take, from problem prevention to isolating the problem site to troubleshooting and corrective action, whenever a problem occurs.

Q: What are the steps being taken now?

A: We will conduct a thorough risk assessment throughout November, and the results of this process will drive the work on countermeasures we need to initially address. We will prioritize the most important vulnerabilities based on impact and acceptable level of risk to investigated during the first year.

Q: Who is doing the work?

A: Both Gainesville and Jacksonville HSC faculty and staff from all six colleges and major units, including community-based clinics and satellite campuses, are serving on project teamw. We have enlisted participants representing all of the HSC missions in research, teaching and clinical service, as well as administrative activities. Q: Once the new HSC information security plan is implemented, will it be fully maintained by the IT specialists?

A: No. Everyone in the HSC will have a role in securing our information resources. Security is a daily and ongoing process. For example, fculty and students will undergo training in work processes, including frequent changing of passwords, routine locking of individual workstations and other protective measures.

Q: What is the deadline for completing the new information security program?

A: The information security program is a necessary part of compliance with the federally mandated HIPAA security regulations. The deadline for meeting these regulations is April 21, 2005.

Q: How can HSC employees and students keep in step with the SPICE project?

A: Details regarding the project scope, all participating project teams and project updates are posted on our new web site at https://security.ufl.edu