1. CAMP Med Mapping HIPAA to the Middleware Layer Sandra Senti Biological Sciences Division University of Chicago senti@uchicago.edu C opyright Sandra Senti, 2005. This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the author.

2. CAMP Med 2 Management & Policy HIPAA policies should be well underway Similarities/differences between University and Hospital policy – HIPAA and otherwise Translating policy into practice into policy Must have common vocabulary in order to automate Pieces are likely to need distributed management Expect the unexpected

3. CAMP Med 3 Common Vocabulary Middleware – “glue", a layer of software between the network and the applications Authentication – who you are Authorization – what you can do Organization Eligibility Roles – typical scenarios for how functions are grouped Affiliation – where are the lines drawn? Precedence

4. CAMP Med 4 Workforce Security All members of the workforce have appropriate access to ePHI, and to prevent those workforce members who do not have access from obtaining access to ePHI. By individual, group or role? Middleware elements –Identity management, lifecycle management –Authentication –Authorization, authority management –Directory services

5. CAMP Med 5 Information Access Management Authorize access to ePHI to ensure privacy. Organizational lines Access authorization Management of user’s rights Middleware elements –Authorization, authority management –Directory services

6. CAMP Med 6 Security Awareness and Training Implement a security awareness and training program for all members of workforce. Security reminders Protection from malicious software Log-in monitoring Password management Middleware elements –Authority management – prerequisites –Directory services –Identity management – password management

7. CAMP Med 7 Contingency Plan Respond to an emergency or other occurrence that damages systems that contain ePHI. Data backup plan Disaster recovery plan Emergency mode operation plan Testing and revision procedures Applications and data criticality analysis

8. CAMP Med 8 Facility Access Controls Limit physical access to information systems and the facility in which they are housed, while ensuring that properly authorized access is allowed. Contingency operations Facility security plan Access control and validation procedures Maintenance records

9. CAMP Med 9 Facility Access Controls (cont.) Middleware elements –Identity management, lifecycle management, affiliate management –Authorization, authority management

10. CAMP Med 10 Workstation Security Physical safeguards for all workstations that access ePHI, to restrict access to authorized users. Middleware elements –Identity management, lifecycle management –Authorization, authority management –Directory services

11. CAMP Med 11 Device and Media Controls Govern the receipt and removal of hardware and electronic media that contain ePHI. Disposal Media re-use Accountability Data backup and storage Middleware elements –Directory services

12. CAMP Med 12 Access Control Allow access only to those persons or software programs that have been granted access rights to electronic information systems. Unique user identification Emergency access procedures Automatic logoff Encryption and decryption

13. CAMP Med 13 Access Control (cont.) Middleware elements –Identity management, lifecycle management –Authorization, authority management –Delegation –Encryption/PKI

14. CAMP Med 14 Audit Controls Hardware, software or procedural mechanisms that record and examine activity in information systems. Middleware elements –logging

15. CAMP Med 15 Integrity Protect ePHI from improper alteration or destruction. Middleware elements –Logging –Intrusion detection

16. CAMP Med 16 Person or Entity Authentication Verify that a person or entity seeking access to ePHI is the one claimed. Middleware elements –Identity management, including services –Authentication

17. CAMP Med 17 Transmission Security Guard against unauthorized access to ePHI that is being transmitted. Integrity controls Encryption Middleware elements –Encryption/PKI –Intrusion detection

18. CAMP Med 18 Building the Larger Picture What do you have today? What is your technical architecture? What is your technology strategy? What is your highest risk? What are the needs beyond your institution?

19. CAMP Med 19 Starting From Scratch Start with HR, training systems and ePHI apps Identity management is the cornerstone Directory services is a possible delivery mechanism Authn is modular, single sign-on is a plus Authz info can be stored in directory Must be able to manage identity outside HR system, grant authority Connect with other orgs HR system ePHI Apps Training System Identity Mgmt Directory Services Authn Authz Affiliate Mgmt Authority Mgmt Directory Services HR2 system

20. CAMP Med 20 Existing Middleware tools Directory services – eduPerson, medPerson Authority management - provides centralized management of user privileges across a range of applications – Signet is available for early adopters Group management - manages group information across integrated applications and repositories - Grouper is available for early adopters

21. CAMP Med 21 Existing Middleware tools (cont.) Federated identity - leverages campus identity and access management infrastructures to authenticate individuals and then sends information about them to the resource site, enabling the resource provider to make an informed authorization decision – Shibboleth running at several sites

22. CAMP Med 22 Existing Middleware tools (cont.) Encryption – strong encryption to support data security in transit and storage – PKI is widely used

23. CAMP Med 23 Questions?