Campus Access Only

All rights reserved. This publication is intended for use solely by faculty, students, and staff of Nova Southeastern University. No part of this publication may be reproduced, distributed, or transmitted in any form or by any means, now known or later developed, including but not limited to photocopying, recording, or other electronic or mechanical methods, without the prior written permission of the author or the publisher.

An Examination of an Information Security Framework Implementation Based on Agile Values to Achieve Health Insurance Portability and Accountability Act Security Rule Compliance in an Academic Medical Center: The Thomas Jefferson University Case Study

Author

David W. Reis, Nova Southeastern UniversityFollow

Date of Award

2012

Document Type

Dissertation - NSU Access Only

Degree Name

Doctor of Philosophy in Information Systems (DISS)

Department

Graduate School of Computer and Information Sciences

Advisor

Marlyn Littman

Committee Member

Ling Wang

Committee Member

Carol C Woody

Keywords

Agile, HIPAA, HITRUST, Information Security, Project Management

Abstract

Agile project management is most often examined in relation to software development, while information security frameworks are often examined with respect to certain risk management capabilities rather than in terms of successful implementation approaches. This dissertation extended the study of both Agile project management and information security frameworks by examining the efficacy of implementing a security framework using a nontraditional project management approach. Such an investigation is significant because of the high rate of failed IT projects, gaps in the current security framework implementation literature, and increased regulatory pressure on Health Insurance Portability and Accountability (HIPAA)-covered entities to become compliant with the HIPAA Security Rule.

HIPAA-covered entities have struggled to achieve HIPAA compliance since the Act's enforcement date. Specifically, academic medical centers have struggled to achieve and authoritatively document their compliance with the HIPAA Security Rule. To aid HIPAA-covered entities in confirming and documenting their HIPAA Security Rule compliance, the HITRUST Alliance has published the Common Security Framework. Thomas Jefferson University selected the Common Security Framework to help them assess and document their HIPAA Security Rule compliance. However, there is a documented gap in the literature on successful methods for implementing information security-related projects, particularly HIPAA compliance.

In this single-case case study, the author examined the implementation of an Information Security Framework based on Agile values. Specifically examined were the values of (a) individuals and interactions over processes and tools; (b) working software over comprehensive documentation; (c) customer collaboration over contract negotiation; and (d) responding to change over following a plan. The results of this investigation indicated that an information security framework implementation based on Agile values is a viable approach for successfully implementing the Common Security Framework at an academic medical center.

NSUWorks Citation

David W. Reis. 2012. An Examination of an Information Security Framework Implementation Based on Agile Values to Achieve Health Insurance Portability and Accountability Act Security Rule Compliance in an Academic Medical Center: The Thomas Jefferson University Case Study. Doctoral dissertation. Nova Southeastern University. Retrieved from NSUWorks, Graduate School of Computer and Information Sciences. (286)
https://nsuworks.nova.edu/gscis_etd/286.