Information Security

Information Security

Alpha Systems provides unparalleled protection to the country’s most sensitive healthcare information, with a longstanding dedication to widely recognized management system requirements. As of May 2012, we are ISO/IEC 2700 Certified and HIPAA/HITECH compliant and one of a few companies in the U.S. that has achieved this prestigious certification.

Protecting our customers' data is our highest priority. As healthcare organizations must already maintain strict records retention policies to ensure conformity to the Health Insurance Portability and Accountability Act of 1996, (HIPAA), the standard provides added confidence that patient records will remain secure and private. Security is highly ingrained in all of our processes and overall culture. We are obsessed with information security because your peace of mind is our business.

The ISO/IEC 27001 Standard
ISO (the International Organization for Standardization) and IEC (the International Electrotechnical Commission) form the specialized system for worldwide standardization.

ISO/IEC 27001 represents the only auditable international standard to define the requirements for an Information Security Management System (ISMS). To receive certification, organizations are required to provide evidence that their ISMS has addressed information security risks in an objective, repeatable, measured and continually improving manner. Alpha Systems is one of a very small percentage of companies, in any industry, to be ISO 27001 certified.

Universal Minimum Requirements for an ISMS - ISO/IEC 27001 is the only internationally recognized standard for the minimum requirements for managing an Information Security Management System (ISMS). An ISMS refers to the people, processes, and tools to ensure security is properly addressed.

Universal List of Information Security Controls - In addition to ISO/IEC 27001’s minimum requirements for security management, organizations must successfully navigate an audit of the 11 exhaustive control categories and 133 unique controls to achieve certification.

These categories include; information security policy, security organization, personnel security, access controls, physical security, asset classification controls, business continuity planning, system deployment, security incident management, communications management and compliance.

Continuous Improvement Process - During an ISO/IEC 27001 audit, the registrar's auditor requires demonstration of continuous process improvement. The standard requires the organization to follow the "plan-do-check-act" model that was first popularized by W. Edwards Deming in his teachings on total quality management. According to Deming, every process should be:

  • Planned
  • Implemented
  • Monitored, measured, audited and reviewed
  • Improved

Continuous Audit of a Process - Inherent in the ISO/IEC 27001 certification is the concept of a continuous audit. After the initial audit and certification, surveillance audits are conducted for the next two years and a re-certification audit conducted in the third year. An organization could lose its certification if major non-conformities are noted by auditors and these are not addressed in a timely manner. This emphasis on continuous audit becomes a critical input into the process of continuous improvement noted above.