Information Security Management System: Introduction to ISO 27001

Current Scenario: Present-day organizations are highly dependent on information systems to manage business and deliver products and services. They depend on IT for development, production and delivery in various internal applications. These applications include financial databases, employee time booking, helpdesk and other services, remote access for customers and employees, remote access to client systems, interactions with the outside world through e-mail and the internet, and the use of third parties and outsourced suppliers.

Business Requirements: Information security is required as part of the contract between client and customer. Marketing wants a competitive edge and a way to build customer confidence. Senior management wants to know the status of IT infrastructure outages, information breaches and information incidents within the organization. Legal requirements such as the Data Protection Act and copyright, designs and patents regulation, along with the organization's regulatory requirements, should be met. The biggest challenges for information systems are protecting information and information systems to meet business and legal requirements by providing and demonstrating a secure environment to clients, managing security between projects of competing clients, and preventing leaks of confidential information.

Information Definition: Information is an asset which, like other important business assets, is of value to an organization and consequently needs to be suitably protected. Whatever form the information takes, or means by which it is shared or stored, it should always be appropriately protected.

Forms of Information: Information can be stored electronically. It can be transmitted over a network. It can be shown on video and can be verbal.

Information Threats: Cyber-criminals, hackers, malware, Trojans, phishers and spammers are major threats to our information systems. The study found that the majority of people who committed the sabotage were IT workers who displayed characteristics including arguing with co-workers, being paranoid and disgruntled, coming to work late, and exhibiting poor overall work performance. Of the cybercriminals, 86% were in technical positions and 90% had administrator or privileged access to company systems. Most committed the crimes after their employment was terminated, but 41% sabotaged systems while they were still employees at the company. Natural calamities such as storms, tornadoes and floods can cause extensive damage to our information systems.

Information Security Incidents: Information security incidents can cause disruption to organizational routines and processes, decrease in shareholder value, loss of privacy, loss of competitive advantage, reputational damage causing brand devaluation, loss of confidence in IT, expenditure on information security assets for data damaged, stolen, corrupted or lost in incidents, reduced profitability, injury or loss of life if safety-critical systems fail.

A Few Basic Questions:

• Do we have IT Security policy?

• Have we ever analyzed threats/risk to our IT activities and infrastructure?

• Are we ready for any natural calamities like flood, earthquake etc?

• Are all our assets secured?

• Are we confident that our IT-Infrastructure/Network is secure?

• Is our business data safe?

• Is IP telephone network secure?

• Do we configure or maintain application security features?

• Do we have segregated network environment for Application development, testing and production server?

• Are office coordinators trained for any physical security out-break?

• Do we have control over software /information distribution?

Introduction to ISO 27001: In business, getting the correct information to the authorized person at the right time can make the difference between profit and loss, success and failure.

There are three aspects of information security:

Confidentiality: Protecting information from unauthorized disclosure, perhaps to a competitor or to press.

Integrity: Protecting information from unauthorized modification, and ensuring that information, such as a price list, is accurate and complete.

Availability: Ensuring information is available when you need it. Ensuring the confidentiality, integrity and availability of information is essential to maintain competitive edge, cash flow, profitability, legal compliance and commercial image and branding.

Information Security Management System (ISMS): This is the part of overall management system based on a business risk approach to establish, implement, operate, monitor, review, maintain and improve information security. The management system includes organizational structure, policies, planning activities, responsibilities, practices, procedures, processes and resources.

About ISO 27001: A leading international standard for information security management. More than 12,000 organizations worldwide are certified against this standard. Its purpose is to protect the confidentiality, integrity and availability of information. Technical security controls such as antivirus and firewalls are not normally audited in ISO/IEC 27001 certification audits: the organization is essentially presumed to have adopted all necessary information security controls. The standard does not focus only on information technology but also on other important assets of the organization. It focuses on all business processes and business assets. Information may or may not be related to information technology and may or may not be in digital form. It was first published as a Department of Trade and Industry (DTI) Code of Practice in the UK, known as BS 7799. ISO 27001 has 2 parts: ISO/IEC 27002 and ISO/IEC 27001.

ISO / IEC 27002: 2005: It is a code of practice for Information Security Management. It provides best practice guidance. It can be used as required within your business. It is not for certification.

ISO/IEC 27001: 2005: It is used as a basis for certification. It is essentially Management Program + Risk Management. It has 11 Security Domains, 39 Security Objectives and 133 Controls.

ISO/IEC 27001: The standard contains the following main sections:

 

  • Risk Assessment
  • Security Policy
  • Asset Management
  • Human Resources Security
  • Physical and Environmental Security
  • Communications and Operations Management
  • Access Control
  • Information Systems Acquisition, development and maintenance
  • Information Security Incident Management
  • Business Continuity Management
  • Compliance

 

Benefits of Information Security Management Systems (ISMS): Competitive advantages: Business partners and customers respond favorably to trustworthy companies. Having an ISMS demonstrates maturity and trustworthiness. Some companies will only partner with those who have an ISMS. Implementing an ISMS can lead to efficiencies in operations, leading to reduced costs of doing business. Companies with an ISMS may also be able to compete on pricing.

Reasons for ISO 27001: There are obvious reasons to implement an Information Security Management System (ISO 27001). ISO 27001 standard meets the statutory or regulatory compliance. Information assets are very important and valuable to any organization. Confidence of shareholders, business partner, customers should be developed in the Information Technology of the organization to take business advantages. ISO 27001 certification shows that Information assets are well managed keeping into consideration the security, confidentiality and availability aspects of the information assets.

Instituting ISMS: Information Security: Management Challenge or Technical Issue? Information security must be seen as a management and business challenge, not simply as a technical issue to be handed over to experts. To keep your business secure, you must understand both the problems and the solutions. In instituting an ISMS, management plays an 80% role and the technology system carries 20% of the responsibility.

Beginning: Before beginning to institute an ISMS you need to get approval from management and stakeholders. You have to decide whether you are attempting to do it for the whole organization or just a part. You must assemble a team of stakeholders and skilled professionals. You may choose to supplement the team with consultants who have implementation experience.

ISMS (ISO 27001) Certification: An independent verification by third party of the information security assurance of the organization based on ISO 27001:2005 standards.

Pre-Certification:

Stage 1 – Documentation Audit

Stage 2 – Implementation Audit

Post-Certification: Continuing surveillance for 2 years; 3rd-year re-assessment/recertification

Conclusion: Prior to implementing a management system for information security controls, an organization does have various security controls over its information systems. These security controls tend to be somewhat disorganized and disjointed. Information, being a very critical asset to any organization, needs to be well protected from being leaked or hacked. ISO/IEC 27001 is a standard for information security management systems (ISMS) that ensures well-managed processes are being adopted for information security. Implementation of an ISMS leads to efficiencies in operations, leading to reduced costs of doing business.

What Is Information Literacy?

Information literacy is the ability to find the information that we need and use that information. This need could be getting information about different courses that the universities offer or selecting the right tour operator for our next vacation. We make numerous trivial decisions everyday and some important ones now and then, like finding the right car or choosing the correct insurance policy. To make the right decision, or more importantly, to make the most beneficial decision, we need to gather all the relevant information before we can analyze the information and make a decision. Therefore, essentially, all the tasks that fall between identifying the information need and using the information that we find to make a decision fall under the scope of information literacy.

So how do we know if we are information literate? An information literate person can:

· Define the problem: That is we can recognize what the problem is and put that in words. Based on this problem, we can define the information that we need. For example, we wish to travel to Europe. We will want to know – the best time to travel, the average cost of travel, the places we want to visit, and so on. Defining all this is the first step in identifying the information need.

· How to get the information: After we define the information that we want to make the decision, we must then identify the sources of information. These sources could be people who have been to Europe, some tour operators, web sites, and so on. An information literate person at this point will create a strategy for finding the relevant information by identifying the most useful and relevant information sources.

· Where to get the information: Now, we know what information we need and how we can find this information. The third step is to find these information sources. We will know people who have travelled to Europe in our community. In current times, we can use the social networking web sites to find people who have been to Europe to hear their first-hand accounts and experiences. Other than these people, we can look up government tourism web sites to get most of the information.

· Is everything true? People are generally truthful about narrating their experiences, but these could be biased for any number of reasons; we all don’t have the same likes and dislikes. There is a lot of information online, but then not everything we read is true. My point? We can define the information need and get the information too; however, we also need the ability to evaluate critically the information we have. For example, the ability to separate a commercial sales pitch from genuine information.

· Using the information: Whew! This has been a long journey and we have all the ingredients ready. But, it is all in bits and pieces. We still need to assemble all of this information in a way that will help us make that decision about the tour. Define priorities perhaps? Decision based on the variables that we defined in the first step.

Information literacy is not new. It is just that we have a lot of information available and need to be aware of ways to look systematically for the information if we do not wish to drown in this ocean of information. Constantly evolving technology and ways of communication make the task more difficult. So, next time you are looking for information, keep these steps in mind before you dive in the World Wide Web.

Technical writers present information to their readers by identifying readers’ information needs. Presenting only the relevant information forms the core of their job. Therefore, this is one skill that technical communicators must master to reduce the effort readers have to put in to use the information. Please visit my blog to know why information literacy is more important for technical writers and what employers think about these skills when they are hiring a technical writer.

Creating Value Through Information

When you attempt to create value, you have to make a choice between alternatives and this requires reliance on information. Understanding how to create “quality” information is paramount to decision making. One way to improve the quality of information is to make sure there is a strong flow of external sources – looking at market trends, surveying the customers, pursuing new technologies, and of course, competitive intelligence. These external sources provide the “reality checks” we need to remove internal bias, common to so many organizations.

“For managers to produce information required for their work, they have to address two broad questions:

1. What information do I owe to the people with whom I work, and on whom I depend? In what form? And in what time frame?
2. What information do I need myself? From whom? In what form? And in what time frame?”

– Competing with Information: A Manager’s Guide to Creating Business Value with Information Content, Edited by Donald A. Marchand

Another way to improve the quality of information is to look at your people. Information is how people communicate their knowledge so things get accomplished. Since information relies on people, it only stands to reason that the quality of information has a lot to do with the quality of people; i.e. the skills, expertise, training, experience as well as their communication skills. This can greatly impact the quality of information – improve your people if you want to improve your information.

The quality of information also follows certain characteristics. These characteristics can lend serious value to information. Here are a few examples:

• Up to Date – Information that is current usually has more value than old, outdated information.
• Accuracy – Some sources of information tend to have higher accuracy than others.
• Impact on Decision Making – Information that is useful to decision making will lend value to the organization.

One common problem in creating value through information is putting the information in front of the decision maker. This requires that people have access to information. Too often, organizations have fragmented silos of information, contributing to inconsistency in decision-making. Pulling all of these stovepipes of information together into one common repository can yield numerous benefits, such as faster response time by decision makers, better credibility with stakeholders (employees, customers, suppliers, etc.), improved accuracy through verification, and more value added through the application of analytical tools.

Obviously, technology plays a big role in making this happen – everything from better access to filtering of the information overload. Perhaps the single biggest technology behind the management of information is something called the Data Warehouse. The Data Warehouse pulls together all of the disparate databases, providing not only wider access, but also increased analytical capability through the understanding of relationships between all of this data. So if you are serious about creating value through information, you’ll probably have to consider some form of a data warehouse.

“Capitalizing on the information a company owns about its customers, suppliers, and partners is now the value proposition for sustainable long-term growth. Better information, then, transforms business. Better information also transforms the terms of collaboration between businesses.” – The Value Factor by Mark Hurd and Lars Nyberg

Finally, the roadmap to value through information is creating systems and processes for learning. Author Peter Senge popularized this concept in his book The Fifth Discipline – namely that we all need to become systems thinkers, having the ability to fit the pieces together. This entire process is commonly referred to as the Learning Organization. And this is a big factor behind creating value through information! And when coupled with the right people and the right technology (such as a data warehouse), information can add a lot of value for anyone touched by the information.

“The knowledge economy stands on three pillars. Knowledge has become what we buy, sell, and do. It is the most important factor of production. The second pillar is a mate, a corollary to the first: Knowledge assets – that is, intellectual capital – have become more important to companies than financial and physical assets. The third pillar is this: To prosper in this new economy and exploit these newly vital assets, we need new vocabularies, new management techniques, new technologies, and new strategies. On these three pillars rest all the new economy’s laws and its profits.” – The Wealth of Knowledge by Thomas A. Stewart

Right to Information – A Gateway to Fight Corruption

INTRODUCTION: September 28 is celebrated internationally as Right to Know Day. India won its battle for independence in 1947 with democracy as its weapon, but unfortunately the truth was something else. Power was handed over to the politicians and democrats, not to the common man. In India, following a nationwide campaign led by grassroots and civil society organizations, the Government passed a landmark Right to Information Act in 2005. It is an Act “to provide for setting out the practical regime of right to information for citizens”. RTI mandates timely response to citizens’ requests for Government information. It is an initiative taken by the Department of Personnel and Training, Ministry of Personnel, Public Grievances and Pensions to provide an RTI portal gateway to citizens for quick search of information.

The idea that Government withholds information from the public has become outdated. During the last decade, many countries have enacted legislation on freedom of information. In India, the Official Secrets Act 1923 was enacted to protect official secrets. The new law intends to disclose information, replacing the ‘culture of secrecy’. It will promote public accountability, which will trim malpractice, mismanagement, abuse of discretion, bribery, etc.

OBJECTIVES: The object of RTI is to empower the citizens and to promote transparency and accountability in the working of the Government. The Act is a big step towards making the citizens informed about the activities of the Government. Social Activist Aruna Roy has described India’s RTI as “the most fundamental law this country has seen.”

EFFECT OF RIGHT TO INFORMATION: While the debate on corruption in the country rages on, the RTI Act is fast growing as an effective anti-corruption tool.

The Jan Lok Pal Bill gained tremendous public support, with citizens coming out on the streets of Delhi, Bangalore and other cities to voice their anger over corruption. Where RTI has been used by journalists and the media, the law has a broad base of users. Earlier, the right to freedom of speech and expression is granted under Article 19(1) of the Constitution, but it requires a fair and efficient procedure to make the freedom of information work. In the first three years, 2 million RTI requests were filed. The first and best-known movement was by Mazdoor Kissan Shakti Sangathan (MKSS) in Rajasthan for access to village accounts. Case studies and media reports show that RTI is being used to redress individual grievances and to access entitlements such as ration cards and pensions. The RTI has paved the way for an informed citizenry, which would strengthen the democratic Government of India. With this Act, we can use our right to speech and expression and control Government activities effectively. The idea of open Government is becoming a reality with the implementation of the RTI Act. The RTI can be called a success only if the bureaucracy accepts that they have constitutional to serve into.

PROVISIONS OF RTI: Section 3 says all citizens shall have the right to information. The Act imposes a duty upon public authorities to disclose all information. In V.S. Lee V. State of Kerala, the remedy provided by Parliament is that wherever there is substantial financial support, the people have the right to know or to information. Section 4(2) states that every public authority shall take constant steps to provide information suo moto to the public. Thus, the authorities have to give information voluntarily so that the public have minimum resort to this Act. The public authorities also have to disseminate information (making the information known or communicating it to the public through notice boards, newspapers, public announcements, media broadcasts, the internet and inspection of offices of the public authority) widely, in any form which is easily accessible to the public. Information can be obtained by request in writing or through electronic means in English or Hindi or in the official language of the area U/S 6. Here, the person has to pay fees, and if the request can’t be made in writing, the Central PIO and State PIO shall render all assistance to put the request in written form. If the information has been provided correctly or within time, it may be made available by appeal or complaint to the Information Commission U/S (8(a) 1). In The Registrar General V. K.U. Rajasekar, it was held that Section 8 of RTI specially deals with the cases of exemption from disclosure of information when such information prejudicially affects the sovereignty and security of India, etc. Section 5 says every public authority shall, within 100 days of enactment of the Act, designate as many officers as Central Public Information Officers or State Public Information Officers.

Section 6 permits a person to obtain information in English or Hindi or in the official language of the area from the designated officers. The person need not give any reason for the request. Section 7 requires the request to be disposed of within 30 days, provided that where the information sought concerns the life or liberty of a person, it shall be provided within 48 hours. Under Section 7(7), before taking any decision on furnishing the information, the designated officer shall take into consideration the representation made by the third party U/S 11. Section 7(9) exempts granting information where it would divert the resources of the public authority or would be detrimental to the safety and preservation of the record in question. U/S 8, it is important to note that the Act specifies that intelligence and security organisations are exempted from the application of the Act. However, it is provided that in case the demand for information pertains to allegations of corruption and human rights violations, the Act shall apply even to such institutions.

RIGHT TO INFORMATION AS A FUNDAMENTAL RIGHT: That the RTI is a fundamental right under Article 19(1)(a) of the Constitution is now a well-settled proposition. It has been discussed by the Supreme Court in a number of cases, and it has been read into Article 14 (right to equality), Article 19(1)(a) (freedom of speech and expression) and Article 21 (right to life) through cases such as Bennet Coleman V. Union of India, Tata Press Ltd. V. Maharashtra Telephone Nigam Ltd., etc. The same Articles were also interpreted in Kharak Singh V. State of U.P., Govind V. State of M.P., etc. to include within their scope a right to privacy.

A plain reading of Section 11 suggests that for the section to apply, the following three conditions must be satisfied: (i) the PIO is considering disclosing the information, (ii) the information relates to the third party, and (iii) the third party treated the information as confidential; the third party is then to be consulted and a notice sent to that party. Section 19 provides a two-tier system of appeals: First appeal and Second appeal. Any person who is aggrieved by the decision of the Central PIO and State PIO can, within 30 days, prefer a First appeal before the First Appellate Authority. This authority shall be an officer who is senior in rank to the Central PIO and State PIO. An appeal can also be made by a third party. The Second appeal lies before the State or Central Information Commission against the decision of the First Appellate Authority. It has to be filed within 90 days. As per Section 19(7), the decision of the Central or State Information Commission is final. The Information Commissioners shall be persons of eminence in public life with wide knowledge and experience in law, science and technology, social service, management, journalism, mass media and governance. In Nirmal Singh Dhiman V. Financial Commissioner Revenue, Section 23 says that no court shall entertain any suit, application or other proceeding in respect of any order and no order shall be called in question, otherwise than by way of an appeal. In the case, the complainant was aggrieved by the non-supply of information by the Public Information Officer.

CRITICISM: The Act has been criticized on several grounds. It provides for information on demand, but does not sufficiently stress information on matters related to food, water, environment and other survival needs. It does not emphasize active intervention in educating people about their rights to access information. Another thing is allowing for file notings except those related to social and development projects to be exempted. File notings are very important when it comes to the policy making of the Government.

CONCLUSION: By enacting the RTI, India has moved from an opaque and arbitrary system of Government to the beginning of an era where there will be greater transparency, and to a system where the citizen will be empowered. The real Swaraj will come not by the acquisition of authority by a few but by the acquisition of capacity by all to resist authority when abused.

“KNOWLEDGE IS POWER, INFORMATION IS POWER, THE SECRETING OF INFORMATION MAY BE AN ACT OF TYRANNY CAMOUFLAGED AS HUMILITY.”

Information Management in Construction From a Lean Perspective

Lean thinkers have referred to “ensuring that relevant customer requirements are available in all phases of production, and that they are not lost when progressively transformed into design solutions, production plans and products.” Customer requirements are however only part of the information flow in design.

Information Waste

In Lean there are 7 classic wastes:

 

  • Over-production – Producing more than is needed right now
  • Transportation – Movement of product that does not add value
  • Motion – Movement of people that does not add value
  • Waiting – Idle time created when material, information, people, or equipment is not ready
  • Processing – Effort that creates no value from the customer’s viewpoint
  • Inventory – More materials, parts, or products on hand than is needed right now
  • Defects – Work that contains errors, rework, mistakes or lacks something necessary

 

Some Lean thinkers add additional wastes:-

Making Do – Drawings, documents and information required to complete the task are not available and the task is started despite these not being available, or the task is continued when supply ceases

Unused Creativity – Effort available to the team but not used to create value

From these wastes the following information related wastes can be identified

 

  • Waiting – unable to do work because information is not available or time is spent trying to identify information that needs to flow
  • Over Processing – excessive steps to produce the output caused by resources or activities necessary to overcome a lack of information
  • Making Do – continuing with production in the absence of required information
  • Defects – drawings and design requiring rework and resources and activities used to correct or verify information
  • Unused Creativity – team members making do due to lack of information when they could be employed creating value

Information Flow

In design the “flow” is information to each workstation so that the output in the form of information for the next step in line (which could be further design or construction) can be completed on time and to budget with minimum waste.

A scenario can occur in a design office where an absence or shortage of knowledge and information threatens to halt production (of deliverables). The pressure of deadlines (push planning) requires work to continue and assumptions are made to fill in for the missing knowledge or information. This builds in the necessity to make corrections of the assumption later, or contingencies are made that the assumption may be incorrect and the design is “over-dimensioned.” The result is unplanned work.

Making do has been described as an “art” in the construction industry and that the response to lack of input availability is making do on a “massive scale”.

The conclusion is that the reduction of making do in design requires control and optimisation of the flow of information and knowledge in the design team and between teams.

Information Sources

Typical types of information include emails, letters, meeting notes, call records, drawings, electronic data and photographs. A distinction may be drawn between “data” and “information”:-

Data – Individual facts, statistics, or items of information.

Information – Knowledge communicated or received concerning a particular fact or circumstance or Knowledge gained through study, communication, research, instruction, etc.

In the project environment typically a large mass of data will exist which continually grows in size. Information that adds value to an output is a subset of the total data.

Management activity should therefore focus on Information as it is this which forms the value stream in the design process. An 80/20 rule may apply whereby only 20% of the data collected is used in creating value.

Applying lean 5S to information management produces:-

 

  • Sift (shine) – Ensure information is accurate and up to date
  • Sort – Structure information so it can be easily navigated and found
  • Set in Order – Store information in a single location that is available to all working on the project
  • Sustain – Make sure teams use the system and continuously improve
  • Standardise – Set protocols for information management

 

With the volumes of information within organisations increasing exponentially, increasing attention is being paid to the challenges it produces and the risks it creates.

In the absence of information management there is lack of certainty as to where information is, who has relevant information, and limited certainty as to its availability and currency. One consequence is that time is spent in search of essential information with which to continue production.

Smoothing the Design Workflow

To smooth the design workflow there must be a means of delivering the required information to the workface at the time it is required. It is however difficult in design to fix with certainty the time when information is required and in consequence information is delivered by “push”.

The concept of “pull” should be applied so that designers acquire information when they are ready to use it without the overload caused by “push”. There is then a likelihood that the information to be used in design will be current, correct and the best available.

Users need to be confident that they will find the information they are looking for and that it is current and up to date. All team members must use the system consistently and for all information.

Key principles of a strategy for managing project information within a Lean production (design) environment become:-

 

  • Identify valuable information as distinct from data and manage it
  • Users will only use a system if it has direct value to them or they understand the indirect value for another team
  • Information should be available in real time as soon as it is acquired
  • Minimise duplication of information
  • Minimise out of date information
  • Minimise duplication of effort
  • Information should only be delivered as it is demanded by users (pull)

 

Information Management Strategy

To achieve 5S in an industry which is heavily dependent on the flow of information and knowledge requires a system that can provide:-

Single source of all Information to:

 

  • Minimise duplication
  • Minimise out of date or superseded information
  • Provide Information on demand as it is needed

 

Be accessible to all project users at any time and be user friendly to:

 

  • Provide direct value to users
  • Enable users to supply information to others working on the project
  • Provide real time access with notification of changes and additions

 

Conclusions

Reducing the “making do” generated by a lack of information can be achieved by adopting relatively simple strategies.

Managing Information Better In Construction

In a conventional highway design model, the data consist of points and lines that define the outline of the planned works. Other information critical to successful completion, such as design data and specifications, is disassociated. In a typical engineering application, data is not only stored in different locations; it is often linked via a human or paper intermediary. This segregation of data occurs because, in the common file based data management environment, there is no direct link between a drawing and a document. Changes in one may not be reflected in the other. This state of affairs is accepted historically as the design process has evolved to produce a final paper output with documents and drawings as separate entities. This is the focus of established design processes that have evolved over the years.

In a typical large highways project under the Early Contractor Involvement model, systems such as Business Collaborator (BC) share information among the parties. However, in a typical application, the data set held on BC is incomplete. BC is often used to issue information to team members rather than as an information or knowledge repository. The effect of this approach is to create duplication between data stored in the collaboration system and data held internally on file servers. This duplication may further increase inside the design organisation as different teams or groups maintain their own file systems. Multiple asynchronous copies of information may be held (and relied upon) that are not subject to a consistent update policy.

The lack of compatibility means that it is not possible to go to a “single source of truth” for project information; it is necessary in many cases to know first what is being looked for and where it may be stored. This increases the workload to locate information and introduces a risk that it may not be found or, when found, may be (dangerously) out of date. A user cannot be totally confident that he has discovered the true and complete information needed to complete his task. The secondary effect of this is that often it will be easier for a person to go direct to the source of the information, and the result is uncontrolled information. Additional workload is created within teams from making and responding to these requests. Multiple requests may be made over time for essentially the same information.

Should information need updating, it is not possible to be confident that all versions on the system have been updated, and team members, as a result, have low confidence that information on the system is up to date. The output may, therefore, be subject to additional and unnecessary validation and control stages. Authors may hold back information in which they have little confidence but which is still useful. This creates additional inefficiencies.

Where out of date information is held on the system, this may result in rework when new information comes to light or it is corrected. A culture of making do emerges where tasks are commenced even though faith in the information is reduced, or it is known that input data will be subject to change. To enable work to advance, assumptions are made to avoid future correction that may themselves require correction at a later date. Hidden contingency is built in to cover these assumptions, increasing base costs and extending project time.

Within many organisations the culture of “design iteration” remains embedded as it is implicitly accepted that information will change through the design cycle and that the design will be changed several times in response to this changing information. Supported by better information and better management of that information it should be possible to deliver better designs, earlier and cheaper, by eliminating wasteful iteration, risk and rework.

To adopt new ways of working and managing information, we must first recognise that deliverable and document focused systems are based on a paper model. In such a model information is collated into paper based documents such as reports and drawings. Information based methodologies eclipse paper and focus on delivering the right information to the right person at the right time. How information is delivered and consumed can vary, depending on the receiver. It is not necessary, therefore, to maintain information in different forms just because the consumer of that information has different needs. Information kept in different forms may result in omissions when updated if one of the forms is overlooked.

Much current technology for managing and indexing information is based on the assumption that information arrives in paper form or a paper analogue (e.g. email). In fact, what is essential is that the information can be found by those needing to know it. Such information is better found, not from the paper mindset of looking through all likely documents, but through search.

Traditional filing systems are based on a paper methodology with information collated into folders (files) browsed as a file analogue. The division into files can be arbitrary and at odds with how information is sought by the user. Within a traditional filing system, vertical navigation is straightforward, but horizontal navigation between folders is more difficult. The analogy would be that to move from the east wing of a 40 floor building to the west wing it was necessary to take a lift first to the lobby. If the constraint of the paper is broken, and the appropriate technology adopted, it becomes possible to obtain information by whatever method (for example full text search) is best and most effective.

It is clear, therefore, that paper based approaches to information management, in a world in which almost all project information is either electronic or convertible to electronic form, create an unnecessary overhead. Search based approaches will locate information more thoroughly and more efficiently. We are now used to the internet and Google; would we gladly give up Google to use a library instead? By continuing to use deliverable and document focused systems, as opposed to information focused ones, this is in effect what we force teams to do.

An effective information system must provide assurance as to the quality of the information being delivered. The current position of document controller on a project will change to information manager in order that the system is properly managed and controlled.

Want Your Employees to Get the Right Information Security Awareness

There are many great websites that provide generic best practice information security tips for the workplace. However, employers need to be aware of two major risks of asking employees to rely on them for their security awareness.

The first risk is making sure that your employees visit one of the good websites, rather than fall foul of one of the ‘lesser’ sources. Simple enough to solve – send your staff an email of the information security websites that you approve of. Job done!

The second risk isn’t so simple to address. Your organisation is unique, with its own specific processes, procedures and information types. It may even draw unique cyber threats that other industries and organisations don’t have to contend with. Unfortunately, any best practice that your employees draw from generic security websites is unlikely to be fully applicable to these unique aspects of your organisation.

For example, generic websites can talk about the dangers of phishing, but they can’t talk about the specific dangers of spear phishing attacks that are unique to your industry or organisation. Generic sites can talk about how ‘sensitive information’ should be encrypted when copied onto storage media or transported on laptops, but they can’t define what ‘sensitive information’ means in the context of your organisation.

Benefits of the specific source

Many organisations are addressing this second risk by bringing the source of security best practice in-house. This ensures that employees have fast access to a comprehensive portal that covers the breadth of required information security awareness. In most cases this is achieved by way of a distinct information security micro-site held within their existing intranet framework.

This delivers the immediate benefit of allowing you to tailor all information security best practice to your organisation, making it fit for purpose for the work your employees do and the way that they do it. The types of information can be discussed within the context of the organisation’s own information classification system. All handling procedures can refer specifically to organisation processes. The unique risks of the industry or organisation can also be addressed, with relevant real life case studies providing additional weight.

Compiling an in-house resource also provides many other advantages. The content can be re-tasked for your employee information security awareness training sessions. It can also become the central information hub from which organisation-wide information security communications campaigns are run. No matter how campaign messages are conveyed to employees – whether by posters, presentations, plasma screen animations or quick-guides – the information security micro-site is always cited as the first port of call for further information.

Building an information security portal

Naturally there are many factors that contribute to a successful information security portal. Two key priorities are to plan a clear information hierarchy and aim for maximum build flexibility.

Getting the information hierarchy right plays a huge role in dictating the success of the project. If users have trouble finding what they want to know, you run the risk that they’ll try and find it on a web search, which takes them outside your control. Information security is a complex topic, and a clear information hierarchy not only makes it easy to find topics, it can also help employees to see how all the various topics inter-relate. This can make the entire subject seem much more mentally accessible and therefore easier to employ.

Build flexibility gives your site the longest possible shelf-life and makes it a highly versatile communications tool. Like any website, users are encouraged to return if they feel it is a dynamic source of valuable information. For example, home page flexibility in particular can allow you to tailor it to specific information security awareness campaigns. You should also ensure that the clear information hierarchy takes into account that the site will grow over time. For example, as new threats emerge or as new processes are introduced to the organisation.

Before embarking on a portal project, it’s a good idea to ask a cross-section of your employees what they would like to see and what would help them most. Although many will almost certainly provide generic answers, look closely at the way they are responding. This is an excellent opportunity to test the temperature of your organisation’s attitude to information security. If a large proportion of your staff members have no opinion, it could indicate that they aren’t that interested in handling their work securely – something that certainly needs to be addressed.

Gathering of Information: The Silent Spies in the Internet and in Telecommunications

Anyone who is regularly online will have seen it more than once; if they’re really interested in Social Media Networking, they’ll have seen it tens of times over the last few years: Big Brother. Stories, articles, essays and a whole mess of scaremongering about what happens each and every time a person logs onto the Internet. Someone, somewhere is watching over them, peeking over their shoulder and following each and every move whilst they are surfing. They know what has been purchased on Amazon, what is searched for on Google, each status update on Facebook and Twitter. The curtains may have been drawn and the door locked, but no one is ever alone on the Internet.

In Europe and the United States there is a great deal of legal pressure on politicians, not so much pressure from the public because they know better, but from civil rights organizations and the like, to limit the ability of some web sites to gather information. Much has been written about Facebook and Google gathering information, and there have been many diverging opinions: the information is entered voluntarily, so be it! It is, however, much more than that.

The Internet is the biggest potential marketplace ever. The discussions might be about markets such as China and the United States, about emerging markets and First and Third World markets but they have nothing compared to the potential of the Internet, because the Internet brings every single country together, almost into one melting pot, and has all the possibilities at anyone’s fingertips for exploitation. Not necessarily in a bad way, not all exploitation is bad, but in a way which could define how the market evolves, what offers are made and how web sites and online stores are designed and geared up for the customer of the future.

In short, someone out there is gathering information on you and your habits.

Most of the information being gathered is harmless. It is information individuals have entered themselves – such as by Facebook – and it is information on what is needed, desired or enjoyed – such as by Google, Yahoo, Bing and any other search engine one might care to mention. It is information about what has been bought – where else can Amazon get its recommendations from other than from individual buying habits?

And the rest of the information?

The rest is a gathering of individual surfing habits. Which web sites have been visited and how long has the visitor stayed there? Where did they come from and where did they go? Which page did they land on and which search words did they use to get there?

What would happen if a single person or a company could use all this technology at their fingertips to see what each person does on other sites? What if they could set up a little bit of spying software on another site and see whether someone visits when that site has no other connection to them?

This has happened here from the moment a link was made to this site. Not in a bad way, but everyone visiting this page has been checked by others. They’ve been checked by Google (Google Analytics), by Alexa, by Facebook. Even if the visitor doesn’t have a Facebook account, they’ve been checked and the visit logged.

Why and how?

Why. Facebook is a site which gathers all manner of information to advance its own advertising strategy. A person doesn’t need to be registered for Facebook to want to know what interests them, to be able to build up a global picture of what is popular and what is on the way out. Each time there is a Facebook symbol on a web site, even if no one presses Like, they’ve been seen, their visit has been noted. The page has loaded in a browser and the Like button has been loaded direct from Facebook.

How do webmasters know when others are hot linking to their photographs and images? The visit, on another web site, has been logged and, eventually, evaluated.

And when a person thinks that they’ve only been surfing safe sites? Think again.

A few days ago I installed a new tracking checker on my personal system. It tells me how many other companies are watching my every move, how many spies there are out there. I went through my normal surfing routine, a little bit of Twitter, a touch of Facebook, some StumbleUpon, a hint of Google+ and a few sites with adult content. The result after only two days, that is perhaps seven or eight hours of actual surfing from one web site to another, was seven hundred and sixty-eight hits by Facebook alone.

Let’s get one thing right out of the way: in the majority of cases Facebook, and all the others tracking, do not know who an individual is. They can’t put a name to their activities, or a face. That is, unless they happen to be logged in to Facebook while surfing elsewhere. Unless they happen to still have the Facebook cookie saved in their computer cache. Facebook and others can see where a person is on the Internet, where they’ve been, which country they are in and, probably, also which area from the IP address, but they don’t know who an individual is.

Is this a bad thing, this gathering of information for marketing purposes?

Perhaps there will indeed come a time when Minority Report – the film with Tom Cruise – is not just a threat but a reality. A time when a person’s features can be recognized from afar and advertising is adapted to their needs, their interests. At the moment it is all limited to offers made when someone logs into the web sites of their choice and based upon the information they’ve given up voluntarily. But some of that information is already being used to influence other people in their buying choices.

Who hasn’t seen the little addition on Amazon: people who bought this book also bought…

This is the thin edge of the wedge, this is just the beginning. This is the information other people have put in to a web site being used to influence you, the visitor. It’s one thing to say that an item might interest you based on what you’ve purchased before, but quite another to have information based on what other people have looked at or bought.

And it is also a simple fact of life which cannot be avoided. I may well have been able to block over three thousand tracking attempts during my few hours of surfing, but did they catch all of them? More to the point, aside from Facebook, who is tracking me? The Big Bad Wolf is not an advertising company checking on who has been looking at their banners or pop-ups. The Big Bad Wolf is those tracking companies who gather information, press it all together and then sell it to others. The anonymous, faceless people we have nothing to do with. Are they just marketing companies, or is the government, any government, hiding behind them? Has the CIA found me, or you and decided to track our movements because a web site visited published a photo of someone, or MI6 because there is a comment posted about Kate Middleton’s figure?

Enough of the scaremongering. To be honest, there is not a great deal about this gathering of information that’s all that bad. Information has always been gathered, evaluated, passed on and it always will be. Every single time someone goes shopping in the Real World their purchases are recorded: the credit or debit card company; the store; the wholesaler; the manufacturer. No names in most instances, but the information has been gathered. A tin of peas has been purchased, restock the shelves and order a new tin.

Are there any benefits to this mass gathering of information?

If a product isn’t popular it gets removed from sale. If a whole range of products suddenly go viral, more are produced. If a web site suddenly falls in the ratings, it gets improved or it vanishes. If an advert gets no clicks at all, it needs to be re-evaluated and a new marketing strategy pounded out.

The people who are surfing through the Internet are changing its features with each click of their mouse. Their surfing activity is the basis for what follows. A visitor to any web site doesn’t have to press Like to show appreciation; it is enough that the records show they stayed on a site for five minutes, read through an article, even if they didn’t comment or purchase. The visit alone is showing the manufacturers, the advertisers, the service industry where interest lies, with the result that they are going to have to tailor what they have on offer to meet our (silent) demands. We, the Internet users, are shaping the future, just by being here. And that can only be a good thing.

Even so, nearly eight hundred blocks on Facebook alone in so few hours?

I have written so far about the marketing strategies of various Internet web sites, of advertising and the collection of data from individual visits to web sites while surfing through the Internet. Now I wish to take it one step further following an announcement by the German telecommunications company O2, a daughter firm of the Spanish telecommunications company Telefónica.

The collection of information through Internet sites, as illustrated above, is simple, cheap and effective. An Internet user surfs to a web site of interest and his or her movements through the web are logged, collected and evaluated by a whole range of different tracking devices, from spy software through cookies, links to social media networks and search engines or analytical tools. But what about the general movements of a person during their daily lives? Is it possible to follow a specific person, or a group of people, as they move through a city? Is it possible to collate the information gained from these movements and come up with an overall picture which might be useful to marketing companies, to advertisers, to the marketplace in general?

It is a well known and accepted fact that people who use modern smart phones, as well as older versions, can be tracked. The mobile telephone needs to be in constant contact with a transmission device, a node or similar, so that it is available should the user wish to telephone out or to receive calls from other people. As long as the mobile device is switched on it sends and receives a signal which places it within a certain area, within reach of a communications point to retain this high level of connectivity. A person moving through the streets of Berlin, New York, London, Paris or any other modern city as well as all minor cities, smaller towns, villages and the countryside with a mobile device is constantly followed by these connection signals as long as their device is switched on. Information on their position may, with the right technology, quickly be collected and, in the case of an emergency for example, directed to the appropriate authorities, even without the use of a Global Positioning System (GPS).

The German telecommunications company O2 is investigating the possibilities of using this information on the movement of individuals for marketing purposes. Being able to watch the movements of an individual or a group as they travel from one shop to another within a major city, or from one position to another on longer journeys, can give information about where the most interest in a town lies, where the shops and stores have the best pull and even, with finer tuning, how long a person remains in one position, in one shop or store.

Not, in and of itself, too much of a problem until you take it to the next step in the process.

Couple the information on a person’s movements with further information, such as age and gender, and it is possible to build up a very accurate picture of the movements and interests of a group of people within a certain age group – such as young women aged between 18 and 24. The necessary information is already there, voluntarily given by the customer during the process of buying or renting a mobile telephone. Date of birth, address, gender and, in some cases, income and educational levels are all included in the basic application process for a contract between telecommunications company and customer.

Here, because of the sudden lack of anonymity, we come into a gray area as far as data protection is concerned, and a potential earner for the telecommunications industry. Combine the information with actual sales, with positioning in an entertainment area of a city or the main shopping street, and it is possible to build up an individual picture of each and every person using a mobile device at any time of the day or night. Here we are verging on the private sphere, the gathering of information which can be narrowed down to a specific person.

What is the difference between an individual person using the Internet and being tracked and an individual using a mobile device?

With Internet tracking there may well be several hundred people using a connection point into the Internet, an IP address linked to an Internet Service Provider, at any one time. With mobile device tracking the link is direct to a specific mobile phone, to a specific person who has purchased or rented this device. It is possible to link directly to a name and an address without needing to go any further along the chain, without needing to find out who was using a specific IP at a certain time and then checking their communications protocol or whereabouts at the time of connection. It is possible to track movements without the person being tracked actually being active, without them having logged into the Internet or even making a telephone call.

With further innovations in the smart phone market, such as video devices, payment for services through a smart chip, it is possible to trace their every movement right down to the items they may purchase in any given store, even a parking ticket purchased through an appropriate application on their mobile phone. It is possible to see how long they remain in one area, where they move to and how much they have spent.

For the gathering of information with marketing potential, this is an absolute goldmine. For the individual, the mobile device owner, it is an incursion into their private sphere, into their daily lives.

This form of market information gathering is not music for the future; the first steps have already been taken by O2 in Germany. Information is already available and is constantly being added to each time a person switches their mobile device on. It is only a matter of time before the true potential of this information source is recognized and, data protection laws allowing, becomes common practice.

This form of gathering, of tracking is, according to many professional and civil rights organizations, one step too far. As long as the information gathered comes from a large group and cannot be traced back to an individual it is relatively harmless. With the mobile device potential, the move towards a Minority Report style society is far closer than anyone would wish to believe and, in all probability, far closer than anyone is prepared to accept.

Criminal Informants

Criminal informants, usually called “confidential informants”, which is an oxymoron if I have ever heard one, are glorified criminals. How can the criminal justice system justify a means to an end by giving criminals the opportunity to commit more crimes and the credibility to accuse other people of crimes? It would appear that a criminal will subject himself and others to danger, deceit and even death in order to commit a crime. When an informant is put on the street to carry out a job for the Justice system, does he suddenly become less dangerous and less deceitful?

Deceit is a major characteristic of criminals and is detestable in the eyes of the law; however, the system allows informants to deceive people in order to obtain information that will lead to an arrest. This can be compared to teaching your children not to hit people; however, you as the authoritative figure slap your child because the child hit his sister. This teaches the child nothing; actually, this confuses the child. This calls for a little “practice what you preach.” The informant is punished for “doing a thing” that you are now praising him for. Where is the consistency?

Confidential informants are supposed to be protected by the law. They are protected because if a defendant learns who the informant is, he may want revenge. By the same token, a detective will burn a confidential informant when he is not needed any longer. There is absolutely no consistency using the informant tactic to obtain information that may lead to an arrest. This is a selfish and lazy police tactic.

We entrust law enforcement with our safety, with our lives; however, it is a huge mistake in thinking that we are safe when criminals who have not been reformed are allowed to walk the streets as menaces to society. There may be a handful of decent informants walking the streets, but a handful is not a high enough number to prove a police tactic to be effective. There is nothing effective about a criminal entrusted, credited and glorified to do a detective’s job when he is deceitful and a possible danger.

Does a means to an end include informants committing more crimes and hurting innocent people when they should be in rehabilitation? I do not think that this informant tactic has been taken into consideration thoroughly. It is not fair to society at large to let recidivists run rampant. As a citizen I have a right to say this. As a witness to an informant gone wrong, I have even more of a right to say this because I was able to see first hand a crooked, maniacal informant at work.

This informant has committed more crimes in more crime categories than anyone I know. He has bragged about being an informant for years stating that the police department is on his payroll and that he has a detective in his pocket. He set up a family friend in front of my family member and the detectives dropped him off at my house while the person who was set up was arrested, booked and thrown in jail. This is a dangerous game.

The informant has been a family friend for approximately eleven years so I can safely say that I have seen him in action. Many people can attest to the facts that this informant is a drug addict and drug dealer who drives on a suspended license while drinking and drugging, robs people and has been arrested for violent crimes. Why is this menace allowed to walk the streets without rehabilitation?

This is not fair to the citizens of this country. In fact, this is a crime against society and if something is not done about this, we can look forward to many innocent people doing time for an informant’s crime. This already is a reality; however, this reality will get worse. You have to realize that this deception does not stop with the informant and detective. This is a game of deception within the system.

The game of deception within the system extends to attorneys and in fact other representatives have become questionable. I must inform you that an attorney asked me not to share this information. The attorney told me that if this type of information gets out and people know that there is foul play within the system people will panic and he said, “the public does not want to know that they are not safe.”

I am witness to three crooked cases and I have been extremely quiet about them because I do not want to alarm the public. Today, you can search the web for anything you are curious about and I was curious about confidential informants so I did a search. I learned that the informant tactic is failing because too many informants are crooked and choose to lie about innocent people to law enforcement. According to some sources, this is becoming an epidemic and needs to be addressed. You should be informed that this is not just a problem with informants but with detectives as well.

According to one source in an article I read, police officers said that a man sold them drugs; however, this man that supposedly sold them drugs was in flight to Chicago at the time. This source also contends that in another case, a man approximately seventy pounds lighter and one foot shorter than the actual offender was blamed for a cocaine buy. In yet another case, a woman was picked out by using a sixth-grade picture that was ten years old for selling drugs to a DEA agent (Kroll, 2008).

This same source states that Federal prosecutors did not see the signs. This is pathetic. I want to know that I trust with my life, and the lives of others, that authority figures KNOW the truth or close to it before they file charges against people (Kroll, 2008).

There are several websites available on the web for you to learn alarming information. I am not going to list them in this article. It will take an article of many pages to quote what I have found. There is a website called whosarat.com that you may be interested in reading. I have only pulled up the page and have not read the content yet and I am not suggesting you read it to find the rats. I recommend you read the content and conduct your own research in order for you to also realize that the crooked informant epidemic is a real epidemic.

We are the people and we have a right to protect ourselves and a right to say who we trust to protect us. We are all human and humans run the Criminal Justice System. As humans err, the administrators of justice do as well. Informants are criminals which makes them less than honest and always looking for a way out. It is our duty to investigate this crooked informant epidemic before it spreads world-wide and more innocent people do time for informant crimes.

Rebuilding the Tower of Babel – A CEO’s Perspective on Health Information Exchanges

Defining a Health Information Exchange

The United States is facing the largest shortage of healthcare practitioners in our country’s history which is compounded by an ever increasing geriatric population. In 2005 there existed one geriatrician for every 5,000 US residents over 65 and only nine of the 145 medical schools trained geriatricians. By 2020 the industry is estimated to be short 200,000 physicians and over a million nurses. Never, in the history of US healthcare, has so much been demanded with so few personnel. Because of this shortage combined with the geriatric population increase, the medical community has to find a way to provide timely, accurate information to those who need it in a uniform fashion. Imagine if flight controllers spoke the native language of their country instead of the current international flight language, English. This example captures the urgency and critical nature of our need for standardized communication in healthcare. A healthy information exchange can help improve safety, reduce length of hospital stays, cut down on medication errors, reduce redundancies in lab testing or procedures and make the health system faster, leaner and more productive. The aging US population along with those impacted by chronic disease like diabetes, cardiovascular disease and asthma will need to see more specialists who will have to find a way to communicate with primary care providers effectively and efficiently.

This efficiency can only be attained by standardizing the manner in which the communication takes place. Healthbridge, a Cincinnati based HIE and one of the largest community based networks, was able to reduce their potential disease outbreaks from 5 to 8 days down to 48 hours with a regional health information exchange. Regarding standardization, one author noted, “Interoperability without standards is like language without grammar. In both cases communication can be achieved but the process is cumbersome and often ineffective.”

United States retailers transitioned over twenty years ago in order to automate inventory, sales and accounting controls, all of which improve efficiency and effectiveness. While uncomfortable to think of patients as inventory, perhaps this has been part of the reason for the lack of transition in the primary care setting to automation of patient records and data. Imagine a Mom & Pop hardware store on any square in mid America packed with inventory on shelves, ordering duplicate widgets based on lack of information regarding current inventory. Visualize any Home Depot or Lowes and you get a glimpse of how automation has changed the retail sector in terms of scalability and efficiency. Perhaps the “art of medicine” is a barrier to more productive, efficient and smarter medicine. Standards in information exchange have existed since 1989, but recent interfaces have evolved more rapidly thanks to increases in standardization of regional and state health information exchanges.

History of Health Information Exchanges

Major urban centers in Canada and Australia were the first to successfully implement HIEs. The success of these early networks was linked to an integration with primary care EHR systems already in place. Health Level 7 (HL7) represents the first health language standardization system in the United States, beginning with a meeting at the University of Pennsylvania in 1987. HL7 has been successful in replacing antiquated interactions like faxing, mail and direct provider communication, which often represent duplication and inefficiency. Process interoperability increases human understanding across networks, allowing health systems to integrate and communicate. Standardization will ultimately impact how effectively that communication functions in the same way that grammar standards foster better communication. The United States National Health Information Network (NHIN) sets the standards that foster this delivery of communication between health networks. HL7 is now on its third version, which was published in 2004. The goals of HL7 are to increase interoperability, develop coherent standards, educate the industry on standardization and collaborate with other sanctioning bodies like ANSI and ISO who are also concerned with process improvement.

In the United States one of the earliest HIEs started in Portland, Maine. HealthInfoNet is a public-private partnership and is believed to be the largest statewide HIE. The goals of the network are to improve patient safety, enhance the quality of clinical care, increase efficiency, reduce service duplication, identify public threats more quickly and expand patient record access. The four founding groups, the Maine Health Access Foundation, Maine CDC, The Maine Quality Forum and Maine Health Information Center (Onpoint Health Data), began their efforts in 2004.

In Tennessee, Regional Health Information Organizations (RHIOs) were initiated in Memphis and the Tri Cities region. Carespark, a 501(c)3 in the Tri Cities region, was considered a direct project where clinicians interact directly with each other using Carespark’s HL7 compliant system as an intermediary to translate the data bi-directionally. Veterans Affairs (VA) clinics also played a crucial role in the early stages of building this network. In the Delta, the Midsouth eHealth Alliance is a RHIO connecting Memphis hospitals like Baptist Memorial (5 sites), Methodist Systems, Lebonheur Healthcare, Memphis Children’s Clinic, St. Francis Health System, St Jude, The Regional Medical Center and UT Medical. These regional networks allow practitioners to share medical records, lab values, medicines and other reports in a more efficient manner.

Seventeen US communities have been designated as Beacon Communities across the United States based on their development of HIEs. These communities’ health focus varies based on the patient population and prevalence of chronic disease states, i.e. CVD, diabetes, asthma. The communities focus on specific and measurable improvements in quality, safety and efficiency due to health information exchange improvements. The closest geographical Beacon community to Tennessee, in Byhalia, Mississippi, just south of Memphis, was granted a $100,000 grant by the Department of Health and Human Services in September 2011.

A healthcare model for Nashville to emulate is located in Indianapolis, IN based on geographic proximity, city size and population demographics. Four Beacon awards have been granted to communities in and around Indianapolis: Health and Hospital Corporation of Marion County, Indiana Health Centers Inc, Raphael Health Center and Shalom Health Care Center Inc. In addition, Indiana Health Information Technology Inc has received over 23 million dollars in grants through the State HIE Cooperative Agreement and 2011 HIE Challenge Grant Supplement programs through the federal government. These awards were based on the following criteria: 1) achieving health goals through health information exchange; 2) improving long term and post acute care transitions; 3) consumer mediated information exchange; 4) enabling enhanced query for patient care; 5) fostering distributed population-level analytics.

Regulatory Aspects of Health Information Exchanges and Healthcare Reform

The Department of Health and Human Services (HHS) is the regulatory agency that oversees health concerns for all Americans. The HHS is divided into ten regions and Tennessee is part of Region IV, headquartered out of Atlanta. The Regional Director, Anton J. Gunn, is the first African American elected to serve as regional director and brings a wealth of experience to his role based on his public service, specifically regarding underserved healthcare patients and health information exchanges. This experience will serve him well as he encounters societal and demographic challenges for underserved and chronically ill patients throughout the southeast area.

The National Health Information Network (NHIN) is a division of HHS that guides the standards of exchange and governs regulatory aspects of health reform. The NHIN collaboration includes departments like the Center for Disease Control (CDC), social security administration, Beacon communities and state HIE’s (ONC).11 The Office of National Coordinator for Health Information Exchange (ONC) has awarded $16 million in additional grants to encourage innovation at the state level. Innovation at the state level will ultimately lead to better patient care through reductions in replicated tests, bridges to care programs for chronic patients leading to continuity and finally timely public health alerts through agencies like the CDC based on this information.12 The Health Information Technology for Economic and Clinical Health (HITECH) Act is funded by dollars from the American Reinvestment and Recovery Act of 2009. HITECH’s goals are to invest dollars in community, regional and state health information exchanges to build effective networks which are connected nationally. Beacon communities and the Statewide Health Information Exchange Cooperative Agreement were initiated through HITECH and ARRA. To date 56 states have received grant awards through these programs totaling 548 million dollars.

History of Health Information Partnership TN (HIPTN)

In Tennessee the Health Information Exchange has been slower to progress than places like Maine and Indiana based in part on the diversity of our state. The Delta has a vastly different patient population and health network than that of middle Tennessee, which differs from eastern Tennessee’s Appalachian region. In August of 2009 the first steps were taken to build a statewide HIE consisting of a non-profit named HIP TN. A board was established at this time with an operations council formed in December. HIP TN’s first initiatives involved connecting the work through Carespark in northeast Tennessee’s Tri-Cities region to the Midsouth eHealth Alliance in Memphis. State officials estimated a cost of over 200 million dollars from 2010-2015. The venture involves stakeholders from medical, technical, legal and business backgrounds. The governor in 2010, Phil Bredesen, provided 15 million to match federal funds in addition to issuing an Executive Order establishing the office of eHealth initiatives with oversight by the Office of Administration and Finance and sixteen board members. By March 2010 four workgroups were established to focus on areas like technology, clinical, privacy and security, and sustainability.

By May of 2010 data sharing agreements were in place and a production pilot for the statewide HIE was initiated in June 2011 along with a Request for Proposal (RFP) which was sent out to over forty vendors. In July 2010 a fifth workgroup, the consumer advisory group, was added and in September 2010 Tennessee was notified that they were one of the first states to have their plans approved after a release of Program Information Notice (PIN). Over fifty stakeholders came together to evaluate the vendor demonstrations and a contract was signed with the chosen vendor Axolotl on September 30th, 2010. At that time a production goal of July 15th, 2011 was agreed upon and in January 2011 Keith Cox was hired as HIP TN’s CEO. Keith brings twenty six years of tenure in healthcare IT to the collaborative. His previous endeavors include Microsoft, Bellsouth and several entrepreneurial efforts. HIP TN’s mission is to improve access to health information through a statewide collaborative process and provide the infrastructure for security in that exchange. The vision for HIP TN is to be recognized as a state and national leader that supports measurable improvements in clinical quality and efficiency to patients, providers and payors with secure HIE. Robert S. Gordon, the board chair for HIPTN states the vision well, “We share the view that while technology is a critical tool, the primary focus is not technology itself, but improving health”. HIP TN is a nonprofit, 501(c)3, that is solely reliant on state government funding. It is a combination of centralized and decentralized architecture. The key vendors are Axolotl, which acts as the umbrella network, ICA for Memphis and Nashville, with CGI as the vendor in northeast Tennessee.15 Future HIP TN goals include a gateway to the National Health Institute planned for late 2011 and a clinician index in early 2012.

Carespark, one of the original regional health exchange networks, voted to cease operations on July 11, 2011 based on lack of financial support for its new infrastructure. The data sharing agreements included 38 health organizations, nine communities and 250 volunteers.16 Carespark’s closure clarifies the need to build a network that is not solely reliant on public grants to fund its efforts, which we will discuss in the final section of this paper.

Current Status of Healthcare Information Exchange and HIPTN

Ten grants were awarded in 2011 by the HIE challenge grant supplement. These included initiatives in eight states and serve as communities we can look to for guidance as HIP TN evolves. As previously mentioned, one of the most awarded communities lies less than five hours away in Indianapolis, IN. Based on the similarities in our health communities, patient populations and demographics, Indianapolis would provide an excellent mentor for Nashville and the hospital systems who serve patients in TN. The Indiana Health Information Exchange has been recognized nationally for its Docs for Docs program and the manner in which collaboration has taken place since its conception in 2004. Kathleen Sebelius, Secretary of HHS commented, “The Central Indiana Beacon Community has a level of collaboration and the ability to organize quality efforts in an effective manner from its history of building long standing relationships. We are thrilled to be working with a community that is far ahead in the use of health information to bring positive change to patient care.” Beacon communities that could act as guides for our community include the Health and Hospital Corporation of Marion County and the Indiana Health Centers based on their recent awards of $100,000 each by HHS.

A local model of excellence in practice EMR conversion is Old Harding Pediatric Associates (OHPA) which has two clinics and fourteen physicians who handle a patient population of 23,000 and over 72,000 patient encounters per year. OHPA’s conversion to electronic records in early 2000 occurred as a result of the pursuit of excellence in patient care and the desire to use technology in a way that benefitted their patient population. OHPA established a cross functional work team to improve their practices in the areas of facilities, personnel, communication, technology and external influences. Noteworthy was chosen as the EMR vendor based on user friendliness and the similarity to a standard patient chart with tabs for files. The software was customized to the pediatric environment complete with patient growth charts. Windows was used as the operating system based on provider familiarity. Within four days OHPA had 100% compliance and use of their EMR system.

The Future of HIP TN and HIE in Tennessee

Tennessee has received close to twelve million dollars in grant money from The State Health Information Exchange Cooperative Agreement Program.20 Regional Health Information Organizations (RHIO) need to be fully scalable to allow hospitals to grow their systems without compromising integrity as they grow,21 and the systems located in Nashville will play an integral role in this nationwide scaling with companies like HCA, CHS, Iasis, Lifepoint and Vanguard. The HIE will act as a data repository for all patients’ information that can be accessed from anywhere and contains a full history of the patient’s medical record, lab tests, physician network and medicine list. To entice providers to enroll in the statewide HIE, tangible value to their practice has to be shown with better, safer care. In a 2011 HIMSS editor’s report Richard Lang states that instead of a top down approach “A more practical idea may be for states to support local community HIE development first. Once established, these local networks can feed regional HIE’s and then connect to a central HIE/data repository backbone. States should use a portion of the stimulus funds to support local HIE development.”22 Mr. Lang also believes the primary care physician has to be the foundation for the entire system since they are the main point of contact for the patient.