CAMP Med
Building a Health Information Infrastructure to Support HIPAA
Rick Konopacki, MSBME, HIPAA Security Coordinator
University of Wisconsin-Madison, Madison, Wisconsin
Organizational Structure
University of Wisconsin - Madison
• 41,500 students
• 2,060 Faculty
• 15,000 Employees
• Ranks second among public universities, third among all universities for research expenditures
Organizational Structure
UW Medical School
• 15 Clinical, 11 Basic Science Departments
• 1,150 Faculty
• 550 MD, 427 PhD students
• 29th for NIH funding in 2003 (~ $142,000,000)
Organizational Structure
UW – Hybrid Covered Entity
Non-HCC
Health Care Component (HCC):
• School of Nursing
• School of Pharmacy
• Student Health
• Hygiene Lab
• Clinical Departments of the Medical School
Organizational Structure
UW – Hybrid Covered Entity / Affiliated Covered Entity
• UW Hospital and Clinics
• UW Medical Foundation
• USE
Administrative Structure
• Campus (CE):
– Security Officer
– HIPAA Task Force
– Security Committee
• HCC units:
– Security Coordinators
CE Requirements under Security Rule
• Ensure CIA of electronic PHI
• Protect against any reasonably anticipated threats or hazards to security or integrity of ePHI
• Protect against any reasonably anticipated uses or disclosures of such information not permitted under the Privacy Rule
• Ensure compliance by workforce
HIPAA Security Rule
Essentially requires the implementation of safeguards to protect the CIA of data (ePHI):
• Confidentiality
• Integrity
• Availability
Requires reasonable and appropriate measures, not NSA-proof: the same measures that “best practices” suggest should be used with all electronic data.
Challenges to Compliance
• Academic, traditionally open environment
• Research mission encourages collaboration
• Decentralized organization
• Multiple research databases
• Non-uniform IT resources
– Each department has separate IT group & budget
– Wide range of OS’s, servers, support
Approach to Compliance
• Electronic data, purely IT Solution, right?
• Improved security awareness
• Additional technology, e.g., firewall
• User behavior:
– Training
– Policies
Campus Level Initiatives
• Campus HIPAA security committee created representing all units in the HCC
• Series of best practices guidelines developed to ensure security of all data including ePHI
• All units meeting the best practice guidelines are in compliance with the Security Rule
• Not all of the guidelines are addressed with pure IT solutions
Best Practices Guidelines
• Encryption
• Account Creation and Access Control
• Audit Controls
• User Authentication
• Network Device Security
• Password Management
• Single Device Remote Access
Best Practices Guidelines (cont)
• Server Security
• Wireless Communication
• Information Sensitivity
• DMZ Network
• Workstation Use and Workstation Security
• Portable Devices
• Disaster Recovery
First Step of the 1000 Mile (Li) Trip
• Sec. 164.308(a)(1)(i) Standard: Security management process. Implement policies and procedures to prevent, detect, contain, and correct security violations.
– Risk analysis
– Risk management
– Sanction policy
– Information system activity review
Risk Analysis: Risk Assessment Inventory
• Based on the Security Standard Matrix, the central IT group on campus developed a spreadsheet against which each unit in the HCC can appraise its current condition in terms of risk.
Risk Assessment Inventory
• Spreadsheet configured as separate matrices for:
– Technical Assets
– Physical Sites
– Administrative Units
• Individual cells given an A – F grade with color coding for easy browsing
• Each clinical department in the Medical School submits its own RAI
Risk Assessment Inventory (Administrative)
Technical Asset | Asset | Location | Description | Incident Response & Reporting (R) | Data Backup Plan (R) | Disaster Recovery Plan (R) | Emergency Mode Operation Plan (R) | Periodic Evaluation (R)
Win2k servers | Server | CSC 1326 | 168.0.0.20-40 | D | A | B | B | B
Mac OS X Servers | Server | CSC 1326 | 168.0.0.20-40 | D | A | B | B | B
Mac OS 9 servers | Server | CSC 1326 | 168.0.0.20-40 | D | A | B | B | B
OpenBSD server | Server | CSC 1326 | 168.0.0.20-40 | D | A | B | B | B
Win2k workstations | Workstation | CSC | 168.0.0.100-254 | D | B | D | D | D
WinXP workstations | Workstation | CSC | 168.0.0.100-254 | D | B | D | D | D
Mac OS 9 workstations | Workstation | CSC | 168.0.0.100-254 | D | B | D | D | D
Mac OS X workstations | Workstation | CSC | 168.0.0.100-254 | D | B | D | D | D
Windows laptops | Portable | CSC | 168.0.0.100-254 | D | C | D | D | D
Mac laptops | Portable | CSC | 168.0.0.100-254 | D | C | D | D | D
Risk Assessment Inventory (Physical)
Technical Asset | Asset | Location | Description | Workstation Use (R) | Workstation Security (R) | Media Disposal (R) | Media Re-use (R)
Win2k servers | Server | CSC 1326 | 168.0.0.20-40 | B | B | C | C
Mac OS X Servers | Server | CSC 1326 | 168.0.0.20-40 | B | B | C | C
Mac OS 9 servers | Server | CSC 1326 | 168.0.0.20-40 | B | B | C | C
OpenBSD server | Server | CSC 1326 | 168.0.0.20-40 | B | B | C | C
Win2k workstations | Workstation | CSC | 168.0.0.100-254 | C | B | C | C
WinXP workstations | Workstation | CSC | 168.0.0.100-254 | C | B | C | C
Mac OS 9 workstations | Workstation | CSC | 168.0.0.100-254 | C | B | C | C
Mac OS X workstations | Workstation | CSC | 168.0.0.100-254 | C | B | C | C
Windows laptops | Portable | CSC | 168.0.0.100-254 | C | B | C | C
Mac laptops | Portable | CSC | 168.0.0.100-254 | C | B | C | C
Risk Assessment Inventory (Technical)
Technical Asset | Asset | Location | Description | Unique User Identifier (R) | Emergency Access Procedure (R) | Audit Controls (R) | Person or Entity Authentication (R)
Win2k servers | Server | CSC 1326 | 168.0.0.20-40 | A | C | C | C
Mac OS X Servers | Server | CSC 1326 | 168.0.0.20-40 | A | C | C | C
Mac OS 9 servers | Server | CSC 1326 | 168.0.0.20-40 | A | C | C | C
OpenBSD server | Server | CSC 1326 | 168.0.0.20-40 | A | C | C | C
Win2k workstations | Workstation | CSC | 168.0.0.100-254 | A | C | C | C
WinXP workstations | Workstation | CSC | 168.0.0.100-254 | A | C | C | C
Mac OS 9 workstations | Workstation | CSC | 168.0.0.100-254 | C | C | C | C
Mac OS X workstations | Workstation | CSC | 168.0.0.100-254 | B | C | C | C
Windows laptops | Portable | CSC | 168.0.0.100-254 | B | C | C | C
Mac laptops | Portable | CSC | 168.0.0.100-254 | B | C | C | C
Risk Management
• Medical School Migration Plan
Based on the results of the RAIs from each of the departments, the migration plan is intended to spell out an organized, systematic approach designed to ensure timely Medical School compliance with the Security Rule based on analysis of the current state of data security.
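The RAI matrices above and the migration plan that consumes them, as an added example that is not part of the original deck: it parses matrix rows in the flattened form shown on the slides and ranks the Administrative standards by aggregate grade, listing the assets graded C or worse under each. The numeric scale for the A–F grades, the C threshold, and the sample rows (copied from the Administrative matrix) are assumptions of the example.

```python
import re
from collections import defaultdict

# Column headers of the deck's Administrative RAI matrix, in order.
ADMIN_STANDARDS = [
    "Incident Response & Reporting", "Data Backup Plan", "Disaster Recovery Plan",
    "Emergency Mode Operation Plan", "Periodic Evaluation",
]
# Constructed sample: three rows copied from that matrix in the flattened
# "asset class location description grades" form the slides use.
SAMPLE_ROWS = [
    "Win2k servers Server CSC 1326 168.0.0.20-40 D A B B B",
    "WinXP workstations Workstation CSC 168.0.0.100-254 D B D D D",
    "Windows laptops Portable CSC 168.0.0.100-254 D C D D D",
]
# Asset classes and the "CSC [room]" location form come from the deck; the
# numeric risk scale for the A-F grades is an assumption.
ROW_RE = re.compile(
    r"^(?P<asset>.+?) (?P<cls>Server|Workstation|Portable) "
    r"(?P<loc>CSC(?: \d+)?) (?P<desc>\S+) (?P<grades>(?:[A-F] ?)+)$"
)
GRADE_RISK = {"A": 0, "B": 1, "C": 2, "D": 3, "F": 4}

def parse_row(line, standards):
    """Return (asset, class, {standard: grade}) for one flattened RAI row."""
    m = ROW_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable RAI row: {line!r}")
    grades = m.group("grades").split()
    if len(grades) != len(standards):
        raise ValueError(f"expected {len(standards)} grades in {line!r}")
    return m.group("asset"), m.group("cls"), dict(zip(standards, grades))

def prioritize(rows, standards, threshold="C"):
    """Rank standards by total risk across assets (worst first), listing the
    assets graded at or below `threshold` under each: the input a migration
    plan needs from the departmental RAIs."""
    totals, failing = defaultdict(int), defaultdict(list)
    for line in rows:
        asset, _cls, grades = parse_row(line, standards)
        for std, grade in grades.items():
            totals[std] += GRADE_RISK[grade]
            if GRADE_RISK[grade] >= GRADE_RISK[threshold]:
                failing[std].append((asset, grade))
    ranked = sorted(standards, key=lambda s: (-totals[s], s))
    return [(s, totals[s], failing[s]) for s in ranked]

for std, total, assets in prioritize(SAMPLE_ROWS, ADMIN_STANDARDS):
    print(f"{total:2d}  {std}: {assets}")
```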
Migration Plan
1. Develop strategy on steps to take
– Using technology to improve CIA of ePHI
– Provide training
– Develop policies to modify user behavior
2. Evaluate the level at which the implementation most efficiently occurs
Campus Level Elements
• Assign security officer
• Develop training
• Develop best practices guidelines for HCC
Departmental Elements
• Risk Assessment
• Workforce Security
• Physical Controls
• Backup
• Media Controls
• Authentication
Unit (MS) Level Elements
• Designate HIPAA Security Coordinator
• Develop security architecture that includes firewall, vulnerability scanning and incident response. Assign a full time position.
• Contingency planning
• Security committee represented by all departments
• Policy
(Diagram labels: Clinical departments, with trusted access to UW Hospital and Clinics (EMR); Medical School Firewall; Campus/Internet; Basic science departments, restricted access to PHI; HCC; UWHC)
Medical School Firewall - Clinical
(Diagram labels: Clinical departments, with trusted access to UW Hospital and Clinics (EMR); Campus/Internet; Medicine; Biostatistics & Medical Informatics; ACE; Surgery)
Medical School Firewall
• Allowing limited access from outside to inside
• A firewall “hole” may be requested to allow limited access to hosts on the inside of the firewall
• All open TCP ports periodically scanned
(Diagram labels: VLAN; Campus/Internet)
Medical School Wireless Network
• Open wireless useful in MS library, etc.
• No authentication
• Outside MS firewall
• Requires remote access client to access networks containing PHI
– Citrix
– VPN
• Ensures authentication, end-to-end encryption when accessing PHI
Elements to be Addressed by ACE
• Incident response team
• Secure E-mail solutions
(Diagram labels: TLS; UWMS; UWMF; UWHC)
Keys
• Ongoing process, much different from the Y2K problem
• Security Rule not just IT issue
• HIPAA Security Rule should be approached as safeguards to all data especially ePHI
• Reasonable and appropriate