CAMP Med: Building a Health Information Infrastructure to Support HIPAA. Rick Konopacki, MSBME, HIPAA Security Coordinator, University of Wisconsin-Madison, Madison, Wisconsin
Post on 14-Dec-2015


Page 1

CAMP Med

Building a Health Information Infrastructure to Support HIPAA

Rick Konopacki, MSBME

HIPAA Security Coordinator

University of Wisconsin-Madison

Madison, Wisconsin

Page 2

Organizational Structure

University of Wisconsin - Madison

• 41,500 students

• 2,060 Faculty

• 15,000 Employees

• Ranks second among public universities, third among all universities for research expenditures

Page 3

Organizational Structure

UW Medical School

• 15 Clinical, 11 Basic Science Departments

• 1,150 Faculty

• 550 MD, 427 PhD students

• 29th for NIH funding in 2003 (~ $142,000,000)

Page 4

UW-Madison

Organizational Structure

UW Hospital and Clinics

UW Medical Foundation

UW-Health

Page 5

Organizational Structure

UW – Hybrid Covered Entity

Non-HCC

Health Care Component:

• School of Nursing

• School of Pharmacy

• Student Health

• Hygiene Lab

• Clinical Departments of the Medical School

Page 6

Organizational Structure

UW – Hybrid Covered Entity

Affiliated Covered Entity

UW Hospital and Clinics

UW Medical Foundation

USE

Page 7

Administrative Structure

• Campus (CE):

– Security Officer

– HIPAA Task Force

– Security Committee

• HCC units:

– Security Coordinators

Page 8

CE Requirements under Security Rule

• Ensure CIA of electronic PHI

• Protect against any reasonably anticipated threats or hazards to security or integrity of ePHI

• Protect against any reasonably anticipated uses or disclosures of such information not permitted under the Privacy Rule

• Ensure compliance by workforce

Page 9

HIPAA Security Rule

Essentially requires the implementation of safeguards to protect the CIA of data (ePHI):

• Confidentiality

• Integrity

• Availability

Requires reasonable and appropriate measures, not NSA-proof ones: the same measures that “best practices” suggest should be used with all electronic data.

Page 10

Challenges to Compliance

• Academic, traditionally open environment

• Research mission encourages collaboration

• Decentralized organization

• Multiple research databases

• Non-uniform IT resources

– Each department has a separate IT group & budget

– Wide range of OSs, servers, support

Page 11

Approach to Compliance

• Electronic data, purely IT Solution, right?

• Improved security awareness

• Additional technology, e.g., firewall

• User behavior:

– Training

– Policies

Page 12

Campus Level Initiatives

• Campus HIPAA security committee created representing all units in the HCC

• Series of best practices guidelines developed to ensure security of all data including ePHI

• All units meeting the best practice guidelines are in compliance with the Security Rule

• Not all of the guidelines are addressed with pure IT solutions

Page 13

Best Practices Guidelines

• Encryption

• Account Creation and Access Control

• Audit Controls

• User Authentication

• Network Device Security

• Password Management

• Single Device Remote Access

Page 14

Best Practices Guidelines (cont)

• Server Security

• Wireless Communication

• Information Sensitivity

• DMZ Network

• Workstation Use and Workstation Security

• Portable Devices

• Disaster Recovery

Page 15

First Step of the 1000 Mile (Li) Trip

• Sec. 164.308(a) (1)(i) Standard: Security management process. Implement policies and procedures to prevent, detect, contain, and correct security violations.

– Risk analysis

– Risk management

– Sanction policy

– Information system activity review

Page 16

Risk Analysis: Risk Assessment Inventory

• Based on the Security Standard Matrix, the central IT group on campus developed a spreadsheet against which each unit in the HCC can appraise its current condition in terms of risk.

Page 17

Risk Assessment Inventory

• Spreadsheet configured as separate matrices for:

– Technical Assets

– Physical Sites

– Administrative Units

• Individual cells are given an A–F grade, with color coding for easy browsing

• Each clinical department in the Medical School submits its own RAI

Page 18

Risk Assessment Inventory (Administrative)

Technical Asset | Asset | Location | Description | Incident Response & Reporting (R) | Data Backup Plan (R) | Disaster Recovery Plan (R) | Emergency Mode Operation Plan (R) | Periodic Evaluation (R)
Win2k servers | Server | CSC 1326 | 168.0.0.20-40 | D | A | B | B | B
Mac OS X Servers | Server | CSC 1326 | 168.0.0.20-40 | D | A | B | B | B
Mac OS 9 servers | Server | CSC 1326 | 168.0.0.20-40 | D | A | B | B | B
OpenBSD server | Server | CSC 1326 | 168.0.0.20-40 | D | A | B | B | B
Win2k workstations | Workstation | CSC | 168.0.0.100-254 | D | B | D | D | D
WinXP workstations | Workstation | CSC | 168.0.0.100-254 | D | B | D | D | D
Mac OS 9 workstations | Workstation | CSC | 168.0.0.100-254 | D | B | D | D | D
Mac OS X workstations | Workstation | CSC | 168.0.0.100-254 | D | B | D | D | D
Windows laptops | Portable | CSC | 168.0.0.100-254 | D | C | D | D | D
Mac laptops | Portable | CSC | 168.0.0.100-254 | D | C | D | D | D

(R) marks a required implementation specification of the Security Rule.

Page 19

Risk Assessment Inventory (Physical)

Technical Asset | Asset | Location | Description | Workstation Use (R) | Workstation Security (R) | Media Disposal (R) | Media Re-use (R)
Win2k servers | Server | CSC 1326 | 168.0.0.20-40 | B | B | C | C
Mac OS X Servers | Server | CSC 1326 | 168.0.0.20-40 | B | B | C | C
Mac OS 9 servers | Server | CSC 1326 | 168.0.0.20-40 | B | B | C | C
OpenBSD server | Server | CSC 1326 | 168.0.0.20-40 | B | B | C | C
Win2k workstations | Workstation | CSC | 168.0.0.100-254 | C | B | C | C
WinXP workstations | Workstation | CSC | 168.0.0.100-254 | C | B | C | C
Mac OS 9 workstations | Workstation | CSC | 168.0.0.100-254 | C | B | C | C
Mac OS X workstations | Workstation | CSC | 168.0.0.100-254 | C | B | C | C
Windows laptops | Portable | CSC | 168.0.0.100-254 | C | B | C | C
Mac laptops | Portable | CSC | 168.0.0.100-254 | C | B | C | C

Page 20

Risk Assessment Inventory (Technical)

Technical Asset | Asset | Location | Description | Unique User Identifier (R) | Emergency Access Procedure (R) | Audit Controls (R) | Person or Entity Authentication (R)
Win2k servers | Server | CSC 1326 | 168.0.0.20-40 | A | C | C | C
Mac OS X Servers | Server | CSC 1326 | 168.0.0.20-40 | A | C | C | C
Mac OS 9 servers | Server | CSC 1326 | 168.0.0.20-40 | A | C | C | C
OpenBSD server | Server | CSC 1326 | 168.0.0.20-40 | A | C | C | C
Win2k workstations | Workstation | CSC | 168.0.0.100-254 | A | C | C | C
WinXP workstations | Workstation | CSC | 168.0.0.100-254 | A | C | C | C
Mac OS 9 workstations | Workstation | CSC | 168.0.0.100-254 | C | C | C | C
Mac OS X workstations | Workstation | CSC | 168.0.0.100-254 | B | C | C | C
Windows laptops | Portable | CSC | 168.0.0.100-254 | B | C | C | C
Mac laptops | Portable | CSC | 168.0.0.100-254 | B | C | C | C
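The three RAI matrices above are only useful once they are rolled up: a coordinator wants to know which assets carry the lowest grade and which safeguards fail across the most assets, because that ordering is what the migration plan has to act on. The following is an added example, not code from the slides or from UW-Madison. It models the A–F graded spreadsheet described on pages 16 to 20, using the grades transcribed from the three sample matrices; the function names, the pass/fail threshold (D or worse) and the colour mapping are this example's own assumptions.

```python
"""Roll-up of a Risk Assessment Inventory (RAI).

Added example; not code from the CAMP Med slides or from UW-Madison.
It models the A-F graded matrices the slides describe and rolls them up
so a security coordinator can see which assets and which safeguards
need attention first. The grades are transcribed from the three sample
matrices on the slides; the function names, the pass/fail threshold and
the colour mapping are this example's own assumptions.
"""
from collections import defaultdict

GRADE_ORDER = "ABCDF"  # best to worst; F is allowed but not used on the slides
# Assumed colour coding; the slides mention colour coding but not the palette.
GRADE_COLOR = {"A": "green", "B": "green", "C": "yellow", "D": "orange", "F": "red"}

ASSETS = ["Win2k servers", "Mac OS X Servers", "Mac OS 9 servers", "OpenBSD server",
          "Win2k workstations", "WinXP workstations", "Mac OS 9 workstations",
          "Mac OS X workstations", "Windows laptops", "Mac laptops"]

ADMIN_SAFEGUARDS = ["Incident Response & Reporting", "Data Backup Plan",
                    "Disaster Recovery Plan", "Emergency Mode Operation Plan",
                    "Periodic Evaluation"]
PHYSICAL_SAFEGUARDS = ["Workstation Use", "Workstation Security",
                       "Media Disposal", "Media Re-use"]
TECHNICAL_SAFEGUARDS = ["Unique User Identifier", "Emergency Access Procedure",
                        "Audit Controls", "Person or Entity Authentication"]

# One grade character per safeguard, rows in ASSETS order (transcribed from the slides).
ADMIN_GRADES = ["DABBB"] * 4 + ["DBDDD"] * 4 + ["DCDDD"] * 2
PHYSICAL_GRADES = ["BBCC"] * 4 + ["CBCC"] * 6
TECHNICAL_GRADES = ["ACCC"] * 6 + ["CCCC", "BCCC", "BCCC", "BCCC"]


def build_matrix(safeguards, grade_rows):
    """Return {asset: {safeguard: grade}}, rejecting malformed rows."""
    matrix = {}
    for asset, row in zip(ASSETS, grade_rows):
        if len(row) != len(safeguards):
            raise ValueError(f"{asset}: expected {len(safeguards)} grades, got {len(row)}")
        if any(g not in GRADE_ORDER for g in row):
            raise ValueError(f"{asset}: grade outside {GRADE_ORDER}: {row}")
        matrix[asset] = dict(zip(safeguards, row))
    return matrix


INVENTORY = {
    "Administrative": build_matrix(ADMIN_SAFEGUARDS, ADMIN_GRADES),
    "Physical": build_matrix(PHYSICAL_SAFEGUARDS, PHYSICAL_GRADES),
    "Technical": build_matrix(TECHNICAL_SAFEGUARDS, TECHNICAL_GRADES),
}


def worst_grade(grades):
    """The lowest grade in an iterable of grade letters."""
    return max(grades, key=GRADE_ORDER.index)


def matrix_worst_grades(inventory):
    """Worst grade appearing anywhere in each matrix."""
    return {name: worst_grade(g for cells in matrix.values() for g in cells.values())
            for name, matrix in inventory.items()}


def asset_worst_grades(inventory):
    """Worst grade per asset across all matrices."""
    worst = {}
    for matrix in inventory.values():
        for asset, cells in matrix.items():
            worst[asset] = worst_grade(list(cells.values()) + [worst.get(asset, "A")])
    return worst


def failing_cells(inventory, threshold="D"):
    """(matrix, asset, safeguard, grade) for every cell graded at or below the threshold."""
    limit = GRADE_ORDER.index(threshold)
    return [(name, asset, safeguard, grade)
            for name, matrix in inventory.items()
            for asset, cells in matrix.items()
            for safeguard, grade in cells.items()
            if GRADE_ORDER.index(grade) >= limit]


def safeguard_gap_counts(inventory, threshold="D"):
    """Number of assets failing each safeguard: the view that orders a migration plan."""
    counts = defaultdict(int)
    for _, _, safeguard, _ in failing_cells(inventory, threshold):
        counts[safeguard] += 1
    return dict(counts)


def render_matrix(name, matrix):
    """Print one matrix as text with the colour label the spreadsheet would show."""
    safeguards = list(next(iter(matrix.values())))
    print(f"{name}: " + " | ".join(safeguards))
    for asset, cells in matrix.items():
        print(f"  {asset:22} " + " ".join(f"{g}({GRADE_COLOR[g]})" for g in cells.values()))


if __name__ == "__main__":
    for name, matrix in INVENTORY.items():
        render_matrix(name, matrix)
    print("worst per matrix:", matrix_worst_grades(INVENTORY))
    print("assets failing per safeguard:", safeguard_gap_counts(INVENTORY))
```

Run against the sample grades, the roll-up shows the pattern the slides imply: the administrative matrix is the one that fails, every asset is graded D on Incident Response & Reporting, and the contingency-plan safeguards fail on every workstation and laptop, while the physical and technical matrices bottom out at C. Lowering the threshold to C widens the list to the media and authentication safeguards, which is how a coordinator would sequence the second round of work.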

Page 21

Risk Management

• Medical School Migration Plan

Based on the results of the RAIs from each of the departments, the migration plan is intended to spell out an organized, systematic approach designed to ensure timely Medical School compliance with the Security Rule based on analysis of the current state of data security.

Page 22

Migration Plan

1. Develop strategy on steps to take

– Using technology to improve CIA of ePHI

– Provide training

– Develop policies to modify user behavior

2. Evaluate the level at which the implementation most efficiently occurs

Page 23

Campus Level Elements

• Assign security officer

• Develop training

• Develop best practices guidelines for HCC

Page 24

Departmental Elements

• Risk Assessment

• Workforce Security

• Physical Controls

• Backup

• Media Controls

• Authentication

Page 25

Unit (MS) Level Elements

• Designate HIPAA Security Coordinator

• Develop a security architecture that includes a firewall, vulnerability scanning and incident response. Assign a full-time position.

• Contingency planning

• Security committee represented by all departments

• Policy

Page 26

Medical School Firewall (diagram labels):

• Clinical departments, with trusted access to UW Hospital and Clinics (EMR)

• Basic science departments, restricted access to PHI

• Medical School Firewall

• Campus/Internet

• HCC

• UWHC

Page 27

Medical School Firewall - Clinical (diagram labels):

• Clinical departments, with trusted access to UW Hospital and Clinics (EMR)

• Campus/Internet

• Medicine

• Biostatistics & Medical Informatics

• ACE

• Surgery

Page 28

Medical School Firewall

• Allowing limited access from outside to inside

• VLAN

• A firewall “hole” may be requested to allow limited access to hosts on the inside of the firewall

• All open TCP ports periodically scanned

(Diagram label: Campus/Internet)
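The two controls on this slide, an exception ("hole") register and a periodic scan of open TCP ports, pay off when they are reconciled: every port reachable from outside must map to an approved, unexpired exception, and every active exception should still be in use. The following is an added example, not code from the slides or from UW-Madison. The exception records, the scan lines and their simple "host port/proto state" format, the 168.0.0.0/24 inside range and the scan date are all constructed sample data; the function names are this example's own.

```python
"""Reconcile a periodic port scan against the approved firewall exceptions.

Added example; not code from the CAMP Med slides or from UW-Madison.
All records, addresses and the scan format below are constructed.
"""
import ipaddress
import re
from dataclasses import dataclass
from datetime import date

# Address space behind the firewall. Constructed to match the 168.0.0.x
# example addresses that appear in the slides' RAI tables.
INSIDE_NET = ipaddress.ip_network("168.0.0.0/24")


@dataclass(frozen=True)
class FirewallHole:
    """One approved exception allowing limited inbound access to an inside host."""
    host: str
    port: int
    proto: str
    requester: str
    expires: date

    def active(self, today):
        return today <= self.expires


# Constructed exception register (not a real UW record).
HOLES = [
    FirewallHole("168.0.0.25", 443, "tcp", "clinical-dept-it", date(2030, 1, 1)),
    FirewallHole("168.0.0.30", 22, "tcp", "biostat-it", date(2004, 6, 30)),
    FirewallHole("168.0.0.31", 1433, "tcp", "research-db", date(2030, 1, 1)),
]

# Constructed scan output: "host port/proto state", one finding per line.
SCAN_OUTPUT = """\
# external TCP scan of the inside range, 2005-03-01 (constructed)
168.0.0.25 443/tcp open
168.0.0.25 80/tcp closed
168.0.0.30 22/tcp open
168.0.0.40 3389/tcp open
"""

SCAN_LINE = re.compile(r"^(\S+)\s+(\d+)/(tcp|udp)\s+(\w+)$")


def parse_open_ports(text):
    """Return {(host, port, proto)} for every scan line whose state is 'open'."""
    open_ports = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = SCAN_LINE.match(line)
        if not m:
            raise ValueError(f"unrecognised scan line: {line!r}")
        host, port, proto, state = m.groups()
        if state == "open":
            open_ports.add((host, int(port), proto))
    return open_ports


def validate_holes(holes, inside=INSIDE_NET):
    """Every exception must point at a host the firewall actually protects."""
    bad = [h for h in holes if ipaddress.ip_address(h.host) not in inside]
    if bad:
        raise ValueError(f"exceptions outside {inside}: {bad}")


def reconcile(holes, open_ports, today):
    """Compare what is reachable from outside with what was approved.

    unapproved: open with no exception on file (needs closing or a request)
    expired:    open under an exception whose end date has passed
    unused:     active exception with nothing listening (candidate for removal)
    """
    validate_holes(holes)
    approved = {(h.host, h.port, h.proto): h for h in holes}
    unapproved, expired = [], []
    for key in sorted(open_ports):
        hole = approved.get(key)
        if hole is None:
            unapproved.append(key)
        elif not hole.active(today):
            expired.append(key)
    unused = sorted(k for k, h in approved.items()
                    if h.active(today) and k not in open_ports)
    return {"unapproved": unapproved, "expired": expired, "unused": unused}


def report(holes=HOLES, scan=SCAN_OUTPUT, today=date(2005, 3, 1)):
    """Run the reconciliation on the sample data and print one line per finding."""
    findings = reconcile(holes, parse_open_ports(scan), today)
    for kind, items in findings.items():
        for host, port, proto in items:
            print(f"{kind:10} {host}:{port}/{proto}")
    return findings


if __name__ == "__main__":
    report()
```

On the sample data the report flags one open port with no exception on file, one port still open under an exception that lapsed, and one approved exception nothing is listening behind. The expiry check is the part most exception processes omit: an approval granted for a project that ended is indistinguishable from a live one unless the register records an end date and the review compares against it.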

Page 29

Medical School Wireless Network

• Open wireless useful in MS library, etc.

• No authentication

• Outside MS firewall

• Requires a remote access client to access networks containing PHI:

– Citrix

– VPN

• Ensures authentication, end-to-end encryption when accessing PHI

Page 30

Elements to be Addressed by ACE

• Incident response team

• Secure E-mail solutions

(Diagram: TLS links UWMS, UWMF and UWHC)

Page 31

Keys

• Ongoing process, very different from the Y2K problem

• Security Rule is not just an IT issue

• HIPAA Security Rule should be approached as safeguards to all data especially ePHI

• Reasonable and appropriate

Page 32

Enterprise (CE) Level Authentication

• Workforce security

• Enforce “minimal use” part of Privacy Rule

• Enable audit controls

• First step in multi-factor authentication