HSC Information Security Office

Message from Barney Metzner,
HSC Information Security Officer

The UNM Health Sciences Center (HSC) works to continuously improve IT security safeguards. IT security assessments are conducted to confirm the effectiveness of IT security controls. Improvements are planned and implemented to enhance the effectiveness of the most critical controls. Adjustments are made as new IT threats are identified.

IT staff and Security Analysts work with HSC workforce members when new threats are reported. Through annual training, security awareness and secure computing practices are communicated and updated.

The Information Security Office develops and supports HSC IT through IT security policies, analysis of business proposals, and incident response. By adhering to HSC IT standards and baseline security safeguards, risks are reduced, compliance is maintained and privacy is protected.

Refer to the links at the top of this web page for specific topics such as IT security reviews for proposed departmental IT projects, current IT security alerts and information about protecting personal information when using computing and mobile devices.

The HSC Information Security Office manages security safeguards with a balanced approach, protecting privacy and information systems while supporting business objectives. IT security works to maintain privacy by safeguarding Protected Health Information (PHI), sensitive business data and critical systems, while enabling the use of innovative technologies to achieve HSC business goals. By building partnerships with business leaders, HSC departments and user communities, the HSC Information Security Office helps improve awareness of how IT security supports and enables business functions that are critical to the HSC mission.

Compliance with the federal Health Insurance Portability and Accountability Act of 1996 (“HIPAA”)* is one outcome of an effective HSC information security program. The HSC Information Security Officer (ISO) is available to help workforce members* understand information security policies, standards and regulatory requirements applicable to HSC systems and users. Security awareness updates, notices and alerts are issued on a periodic basis to inform HSC workforce members about threats to HSC information assets. These updates and security training materials are also available on this website.

What Is “Information Security”? (Also referred to as "CyberSecurity".)

Information security is about the protection of information and information systems from unauthorized access, use, disclosure, disruption, modification or destruction. The CIA triad (confidentiality, integrity and availability) encompasses the core principles of information security. The goals are the same for IT Security, Information Security or CyberSecurity: protect confidential information and systems and ensure the integrity and availability of business information assets.

IT Security Analysts are information technology specialists who are accountable for designing and maintaining safeguards that secure electronic data as it is stored, processed, transmitted and/or shared. IT Security Analysts at the HSC provide the following IT security services and support:

  • Administrative safeguards—Management of the selection and execution of security measures
  • Technical safeguards—Automated processes to provide data protection and access control
  • Physical safeguards—Protection of electronic systems, related buildings and equipment from environmental hazards and unauthorized intrusion

* Under HIPAA, "workforce member" includes employees, volunteers, trainees and other persons whose conduct, in the performance of work for a covered entity, is under the direct control of such entity, whether or not they are paid by the covered entity. A person is acting under the authority of a covered entity or business associate if he or she is acting on its behalf. This may include a workforce member of a covered entity, an employee of a business associate or even a business associate of a covered entity.