Information Security Plan

Nebraska Medical Center Affiliated Covered Entity (ACE) is committed to protecting data and information. Faculty, staff, students, employees and business associates handle a variety of confidential information, which includes, but may not be limited to:

  • Protected Health Information (PHI) as defined by HIPAA
  • Employee data
  • Business Plans
  • Research Data
  • Student Data
  • Financial Data

The organization utilizes information security industry best practices to define the development and implementation of the information security program. The program is based upon the National Information Security Standards (NIST) standards in conjunction with the SANS 20 critical security controls.

The organization recognizes that it has both internal and external risks. Under the direction of the Information Security Officer (ISO), the organization periodically performs a formal risk assessment of the environment. Based upon this risk assessment, a risk management process is implemented. As new major systems are implemented, a risk assessment of each system is performed and the results are integrated with the organization’s overall risk assessment.

During 2011, a HITRUST gap assessment was performed and no significant gaps were found within the security program.

View the complete Information Security Plan (Updated March 5, 2013)