Presentation is loading. Please wait.

Presentation is loading. Please wait.

Anurag Shankar University Information Technology Services Indiana University Implementing HPC HIPAA (& FISMA)

Similar presentations


Presentation on theme: "Anurag Shankar University Information Technology Services Indiana University Implementing HPC HIPAA (& FISMA)"— Presentation transcript:

1 Anurag Shankar University Information Technology Services Indiana University Implementing HPC HIPAA (& FISMA)

2 CASC: 4/23/2014 University Information Technology Services Outline 1.Introduction 2.HIPAA 3.FISMA 4.Implementation 5.Conclusion

3 CASC: 4/23/2014 University Information Technology Services 1. Introduction

4 CASC: 4/23/2014 University Information Technology Services As HPC shops, our heritage has been to serve physical scientists and engineers - the “usual suspects”. Regulatory compliance is a concept foreign to these users. While we’ve addressed security, compliance still remains an unexplored frontier, not only for HPC, but for Central IT in general. A Changing Landscape

5 CASC: 4/23/2014 University Information Technology Services Clinical research computing, traditionally confined to Med School cyberinfrastructures, increasingly requires HPC resources.  Med School IT cannot keep pace; identifiable HIPAA data is leaking into Central IT/national HPC environments. We have to weave compliance into the HPC fabric sooner or later. The New Reality

6 CASC: 4/23/2014 University Information Technology Services New Motivations A new HIPAA Omnibus Rule came out in 2013, with new requirements and mandates. The government will initiate random HIPAA audits in (They were triggered only in response to a breach earlier.) Penalties have been raised to millions.

7 CASC: 4/23/2014 University Information Technology Services The Corrective Action Plan (CAP) signed by Idaho State University Breaches reported by universities  But the worst is being in the newspapers!

8 CASC: 4/23/2014 University Information Technology Services HIPAA applies if even a single clinical researcher has an account on a system. The govt. says you should have known that allowing clinical researchers on a system opens the possibility of sensitive health information on the system.)  An environment with clinical researchers must be secured, independently of what a researcher may or may not do. No Plausible Deniability

9 CASC: 4/23/2014 University Information Technology Services FISMA In addition to HIPAA, we now have FISMA to deal with. It is slowly showing up in NIH grants and contracts. It is the next regulatory frontier HPC will have to deal with. Fortunately, it’s possible to tackle both HIPAA and FISMA using a single, unified approach.

10 CASC: 4/23/2014 University Information Technology Services The Scope HIPAA & FISMA require end to end security. This means starting at the customer end (where data is generated)  the network  your end  data disposal. Any and all dependencies and infrastructure pieces must also be included. We must consider the entire research workflow.

11 CASC: 4/23/2014 University Information Technology Services Grant = Data Life Cycle Pre-Grant Preliminary Investigation Cyberinfrastructure Design ✔ Proposal Proposal Prep Budget IRB Process ✔ Execution Data Acquisition ✔ Data Analysis ✔ Data Mgmt ✔ Data Sharing ✔ Data Viz ✔ Post-Grant Data Publishing ✔ Data Archival ✔ Data Disposal ✔ = Involves compliance ✔ A grant life cycle from an IT provider’s perspective is a data life cycle

12 CASC: 4/23/2014 University Information Technology Services 2. HIPAA

13 CASC: 4/23/2014 University Information Technology Services A HIPAA Primer Health Insurance Portability & Accountability Act. Passed in 1996, became law in Enforced by the Office for Civil Rights (OCR) in the US Dept. of Health & Human Services (HHS). The Omnibus File Rule of 2013 includes provisions from the 2006 Health Information Technology for Economic & Clinical Health (HITECH) Act & the 2008 Genetic Information Nondiscrimination Act (GINA).

14 CASC: 4/23/2014 University Information Technology Services HITECH was part of ARRA and enacted to promote the adoption of Health Information Technology, especially Electronic Health Records (EHR). GINA prohibits insurers from using human genetic data to deny coverage based on genetic predisposition to future diseases. HITECH & GINA

15 CASC: 4/23/2014 University Information Technology Services Addressed via the HIPAA Privacy Rule and the HIPAA Security Rule. The Privacy Rule defines who HIPAA applies to (covered entities) and what is protected (protected health information or PHI*). The Security Rule focuses exclusively on how to protect electronic PHI (ePHI) in any form – at rest, in transit, under analysis, etc. * PHI is identifiable patient data with one or more of 18 identifiers Patient Privacy Protection

16 CASC: 4/23/2014 University Information Technology Services HIPAA Security Rule The Security Rule requires 1. administrative, 2. physical, and 3. technical safeguards to Ensure the confidentiality, integrity, and availability of all ePHI created, received, maintained or transmitted; Identify and protect against reasonably anticipated threats to the security or integrity of the information; Protect against reasonably anticipated, impermissible uses or disclosures; Ensure compliance by the workforce; and Provide a means for managing risk in an ongoing fashion.

17 CASC: 4/23/2014 University Information Technology Services Security Rule Safeguards Administrative – security organization, policies, training, responsibilities, incident response, etc. Physical – data center access, equipment/media disposal, inventory control, etc. Technical – firewalls, patching, auditing, scanning, monitoring, accounts, etc. + organizational/policies/documentation requirements

18 CASC: 4/23/2014 University Information Technology Services Required & Addressable Each Security Rule safeguard is either “required” or “addressable”. Required = what it says. Addressable = should address, but ok if you describe why it is not in place or how you will otherwise address the risk. A risk assessment (RA) identifies where to concentrate effort. RA can be internal or external.

19 CASC: 4/23/2014 University Information Technology Services Breach Notification HIPAA requires that a breach of ePHI be reported ASAP: 1.To everyone whose ePHI has been compromised. 2.For a breach involving > 500 patients, to the media and the Secretary of HHS.

20 CASC: 4/23/2014 University Information Technology Services Business Associates HIPAA requires a business associate agreement (BAA) with any external entity (= business associate) that touches your ePHI. Your BAA must include a clause that the BA will protect your ePHI. So must their BAAs with their BAs. Due diligence requires ensuring that the BA can actually protect your ePHI as per HIPAA.  Purchasing & HIPAA Compliance Office partnerships

21 CASC: 4/23/2014 University Information Technology Services Enforcement HIPAA violations can result in civil monetary penalties (up to $1.5 million/violation) against a covered entity and/or individual criminal penalties (up to 10 yrs prison term). The OCR has been funded via ARRA/HITECH to institute an audit program. They will start random HIPAA audits in 2014.

22 CASC: 4/23/2014 University Information Technology Services No. Only healthcare providers, facilities, and insurers are subject to HIPAA. Identifiable health data outside a healthcare context is not (e.g. personal health data users upload to Google Health, Microsoft HealthVault). Data, if properly de-identified, is not subject to HIPAA. If unsure, contact your HIPAA Compliance office Does HIPAA apply to All Identifiable Health Data?

23 CASC: 4/23/2014 University Information Technology Services Employees, healthcare providers, trainees & volunteers at the medical school and affiliated healthcare sites or programs. Employees who work with university health plans. Employees who provide financial, legal, business, administrative, or IT support to the above. Who does HIPAA Cover at a University?

24 CASC: 4/23/2014 University Information Technology Services Just Good Security? Q: So, the HIPAA Security Rule means we just need to provide good IT security for systems? A: NO. The Security Rule is about assessing & managing risk, and security is only PART of that process. HIPAA requires administrative controls, training, governance, policies, formal review, etc.

25 CASC: 4/23/2014 University Information Technology Services Information Security Risk Management Identify, assess, prioritize, and mitigate risk to information security, on an ongoing basis. Think in terms of managing risk, not just plugging security holes. Risk = {Threat/Vulnerability x Likelihood x Impact} A big threat due to an existing vulnerability that is highly unlikely to be exploited/has little impact is low risk. You don’t kill yourself over it.

26 CASC: 4/23/2014 University Information Technology Services Risk Management Framework A mature RMF consists of: Good governance = institutional security organization, policies, sanctions, enforcement Risk management = assessment, mitigation through appropriate physical, administrative, technical controls, documentation Review = regular monitoring, reviews, assessment, and mitigation Awareness and training

27 CASC: 4/23/2014 University Information Technology Services HIPAA Security Rule Myths Myth #1 – Security rule compliance is a boolean. Truth: There is no threshold where you suddenly become compliant. Myth #2 – You can be certified HIPAA compliant. Truth: No company or federal agency is authorized to certify you as being HIPAA “compliant”. (The only way to know for sure is to survive a HIPAA audit, highly undesirable.) So you align with the HIPAA rules as best as you can and “self assert” compliance.

28 CASC: 4/23/2014 University Information Technology Services HIPAA Security Rule Myths Myth #3 – Once compliant, you stay compliant. Truth: No. Compliance is an ongoing process; once started, it never stops. Myth #4 – You must use external third party for risk/security assessment. Truth: No. You can do it internally, so long as you follow accepted practices and document it all.

29 CASC: 4/23/2014 University Information Technology Services 3. FISMA

30 CASC: 4/23/2014 University Information Technology Services FISMA Federal Information Security Management Act of Requires government agencies to secure their system as per NIST guidelines. Subcontractors of the agencies (=you) must also comply. Contracts are now seeing FISMA language. You are likely to be involved.

31 CASC: 4/23/2014 University Information Technology Services The FISMA Process Grants Administrators/Business Development - Identify and notify the Office of Research Administration (ORA) if there are FISMA terms in the contract - Make sure the budget includes FISMA costs - Identify and document key IT security personnel - Make sure all documents that are referenced are included PI/Study Team - Clearly describe the scope of work - Identify all potential subcontractors and their scope of work PI/Study Team and IT Support - Clearly describe data flows - In detail, describe all systems used to support the contract

32 CASC: 4/23/2014 University Information Technology Services The FISMA Information Security Process Define system boundaries Assess Risk (NIST , 37, 39) Apply Controls (NIST ) Evaluate Controls (NIST A) Authority to Operate (ATO) Plan of Action & Milestones (POA&M)

33 CASC: 4/23/2014 University Information Technology Services Authority to Operate The information security plan is submitted to the agency. An ATO letter is issued by the government agency to the business owner (and some authoritative information security unit like the ISO) authorizing operations of the system. If remediation is not too serious, the agency will issue an Interim Authority To Operate (IATO). The IATO will have a defined end date. Therefore, the problems must be fixed by a certain date.

34 CASC: 4/23/2014 University Information Technology Services Plan of Action & Milestones The POA&M describes remediation steps. Even if a contractor receives an ATO, there still may be items for which the agency requires remediation. These weaknesses may not be significant enough to withhold an IATO/ATO, but they still must be corrected. Someone at your institution (the ISO?) must track these items and ensure that they are completed.

35 CASC: 4/23/2014 University Information Technology Services 4. Implementing HIPAA Security

36 CASC: 4/23/2014 University Information Technology Services Research Computing at IU Indiana University has a large central IT organization called the University Information Technology Services (UITS). We provide advanced cyberinfrastructure - supercomputing, massive data storage, visualization, etc., as well as basic services. Before 2000, IU research cyberinfrastructure was used mostly by the usual suspects.

37 CASC: 4/23/2014 University Information Technology Services HIPAA History In 2000, a grant from the Lilly Endowment required our cyberinfrastructure to support biomedical researchers at the IU School of Medicine. We stored non-ePHI for IUSM for some years. A decision was finally made to align our entire research cyberinfrastructure with HIPAA. Accomplished in 2009 after a year of effort.

38 CASC: 4/23/2014 University Information Technology Services IU’s Approach A protected, walled garden will give you bullet-proof security. This may work from low to moderate scales. A separate walled garden HPC environment just for HIPAA is infeasible/impractical. HIPAA does not require bullet-proof security. At IU, we decided to focus on risk, not bullet-proofing.

39 CASC: 4/23/2014 University Information Technology Services HIPAA – Implementing the RMF 1. Assign ownership 2. Form partnerships 3. Document everything 4. Hire external consultant 5. Perform gap analysis/fill gaps 6. Assess risk 7. Create & execute risk mgmt plan 8. Get official blessing & advertize

40 CASC: 4/23/2014 University Information Technology Services ① Assign Ownership Dedicated resources commensurate with the scale. At IU, we spent around 1.5 FTE-year for the initial effort and 1.0 FTE on an ongoing basis. Assigned someone to lead the project. Empowered the leader.

41 CASC: 4/23/2014 University Information Technology Services ② Form Partnerships Got to know IU and IU School of Medicine Compliance folks. Formed an oversight committee; put all stakeholders on it – Compliance, Counsel, Information Security Office, Information Policy Office, School of Medicine CIO/Security Officer, staff/faculty, and UITS senior management.

42 CASC: 4/23/2014 University Information Technology Services ③ Document Everything Spent a lot of time on developing a documentation strategy/format. Documented all current policies and procedures, physical, administrative, and technical controls. Consulted with line managers & key staff. Instituted a secure document management system (DMS).

43 CASC: 4/23/2014 University Information Technology Services ④ Hire External Consultant Asked IU Compliance folks for references. Got referred to a consultant from DC, who also serves on national HIPAA committees, etc. Consultant was given information about the organization, documentation, etc. Consultant visited IU a couple times to do in-person interviews.

44 CASC: 4/23/2014 University Information Technology Services ⑤ Perform Gap Analysis Information security Gap Analysis (GA) measures gaps between actual security on the ground and what HIPAA requires. Involved on-site interviews. Consultant used the data to identify gaps. We received the GA report.

45 CASC: 4/23/2014 University Information Technology Services Fill Gaps Reviewed gap analysis report. Filled as many holes as we could, especially the most serious ones. Updated documentation. Got ready for risk assessment.

46 CASC: 4/23/2014 University Information Technology Services ⑥ Assess Risk Everything we had went into the risk assessment exercise. Submitted updated documentation and other information as requested to the external consultant. On-site interviews followed. Received a risk assessment report. Report identified risks and scored them.

47 CASC: 4/23/2014 University Information Technology Services Follow Standards We were measured against the NIST security standard since it is often used for complying with HIPAA. This was fortuitous later for our FISMA work. It put an “official seal” & added rigor to the process. We also reviewed other NIST guidelines and standards such as ISO 27001, etc. and IT best practices.

48 CASC: 4/23/2014 University Information Technology Services ⑦ Create a Risk Management Plan Reviewed risk assessment report. Addressed all risks and documented mitigation, reason for not mitigating, or alternatives. Submitted the RM plan to the external consultant for review. Modified RM plan using her recommendations.

49 CASC: 4/23/2014 University Information Technology Services Execute Risk Management Plan Execution involved some short term actions that addressed many high/medium risk items immediately. Instituted long term processes such as regular reviews, risk monitoring, risk avoidance strategies, etc. Documented everything (again) …

50 CASC: 4/23/2014 University Information Technology Services ⑧ Get Official Blessing & Advertize Submitted everything to the oversight committee. Received an official letter of approval from Compliance in January Advertized internally and targeted only IUSM researchers to avoid unnecessary attention.

51 CASC: 4/23/2014 University Information Technology Services HIPAA - Ongoing Semi-annual, internal reviews = Review/update all documentation. Reassess risk. External reviews every 5 years. Annual, mandatory HIPAA training in HIPAA regulation, how it applies to us, and our policies and procedures, etc. Self-assertion process for new services. Requires risk analysis, mitigation, documentation, security screening, & training/reviews, etc.

52 CASC: 4/23/2014 University Information Technology Services Do I too need to do ALL THIS? No. HIPAA does not prescribe how you manage risk, just that you do. You can customize according to your environment, budget, and risk level. Chances are you already meet a bulk of HIPAA Security Rule requirements. You need to document your practices in the format HIPAA requires.

53 CASC: 4/23/2014 University Information Technology Services Institutional HIPAA Process 1. Researcher needs to process/store ePHI 2. IU HIPAA Compliance Office sends them to us 3. We help build a HIPAA compliant “solution” 4. We help with documentation 5. Documentation is submitted to the Compliance Office 6. The researcher self-asserts HIPAA compliance

54 CASC: 4/23/2014 University Information Technology Services Institutional FISMA Process* 1. Researcher gets a govt. contract 2. Office of Research Admin (ORA) contacts us 3. We help build and monitor FISMA compliance 4. We help create a FISMA “package: for ORA 5. PI/ORA submit the package to agency 6. Agency issues an ATO * = Future

55 CASC: 4/23/2014 University Information Technology Services Lessons Learned At IU, HIPAA compliance has made a huge impact. Starting from zero in 2009, we now have: 1.Number of biomedical user accounts3,000 2.Volume of biomedical data stored~1PB 3. Use of computing cycles1 MSUs 4. Number of databases> New services for biomedical users>10 6. Number of NIH grants that fund FTEs5 7. Number of FTEs funded by these grants~ 10

56 CASC: 4/23/2014 University Information Technology Services Benefits The IU Compliance office trusts us and sends customers our way. (We have made their job easier by lowering institutional risk.) The School of Med researchers are flocking to us to meet their research computing needs. We have standardized on regulatory compliance, saving effort and $ going forward. We can defend ourselves if audited.

57 CASC: 4/23/2014 University Information Technology Services Current Status We are establishing institutional processes. HIPAA is mostly in place for HPC/Central IT. FISMA is in process. A new IT policy addresses risk institutionally. As for many others, IU’s GRC (Governance, Risk, Compliance) framework is evolving rapidly. We have learned a lot in the past half decade.

58 CASC: 4/23/2014 University Information Technology Services Future Expand to a mature, institutional, regulation- neutral, NIST standards-based RMF. Provide NIST-based risk and security assessment tools to IU IT units for internal assessments. Centralize documentation. Weave risk into the very fabric of IT, assess and mitigate continuously as risks evolve.

59 CASC: 4/23/2014 University Information Technology Services 5. Conclusions

60 CASC: 4/23/2014 University Information Technology Services Conclusions There will be more ePHI in more places on HPC and Central IT systems. There will be more regulations ending with an “A”! Not paying attention will impact institutional liability and reputation. An institutional RMF is essential/feasible. It will give you resources to align with any current/future regulation/requirement.

61 CASC: 4/23/2014 University Information Technology Services WE ARE MORE THAN HAPPY TO HELP

62 CASC: 4/23/2014 University Information Technology Services HIPAA Resources The HIPAA Security Rule NIST : Guide to Implementing the HIPAA Security Rule NIST : Recommended Security Controls NIST A: Guide for Assessing Security Controls FIPS 200: Federal Systems Minimum Security Requirements NIST HIPAA Security Rule Toolkit IU HIPAA Documentation Templates ( me) IU HIPAA Risk Assessment Template ( me)

63 CASC: 4/23/2014 University Information Technology Services Contact Anurag Shankar Bill Barnett


Download ppt "Anurag Shankar University Information Technology Services Indiana University Implementing HPC HIPAA (& FISMA)"

Similar presentations


Ads by Google