Information security management in a large academic medical center requires the ability to dynamically balance several conflicting business needs, while also dealing with decentralized workforce control and the research equivalent of “mergers and acquisitions”: the on-boarding or off-boarding of entire labs, including staff and computer equipment that may not meet security standards. Our experience indicates that once computers are purchased with grant funds, there is rarely a way to get the grant to pay for upgrades or refreshes beyond the funding period, so it’s not uncommon to have very old computers that cannot be updated with current security patches. Additionally, current research funding models foster multi-institution collaboration, so it's not uncommon to have to set up shared access to documents and very large data sets with collaborators both nationally and internationally.
At times, it’s tempting to say “No, HIPAA won’t let you do that,” but that may gloss over legitimate research or other academic requirements, with the result that very clever people find loopholes or workarounds that can leave a network less secure than the original request would have. The trick is to truly understand the academic/research requirements and collaborate with researchers to help develop a solution. In this presentation, we will review several strategies, including setting up isolated networks, subsidizing the cost of centrally managed storage and upgrades, and establishing safety nets to compensate for gaps in access management.