Implementing HPC HIPAA (& FISMA)

Anurag Shankar

University Information Technology Services

Indiana University

Outline

1. Introduction

2. HIPAA

3. FISMA

4. Implementation

5. Conclusion

CASC: 4/23/2014

1. Introduction

A Changing Landscape

• As HPC shops, our heritage has been to serve physical scientists and engineers - the “usual suspects”.

• Regulatory compliance is a concept foreign to these users.

• While we’ve addressed security, compliance still remains an unexplored frontier, not only for HPC, but for Central IT in general.

The New Reality

• Clinical research computing, traditionally confined to Med School cyberinfrastructures, increasingly requires HPC resources.

• Med School IT cannot keep pace; identifiable HIPAA data is leaking into Central IT/national HPC environments.

• We have to weave compliance into the HPC fabric sooner or later.

New Motivations

• A new HIPAA Omnibus Rule came out in 2013, with new requirements and mandates.

• The government will initiate random HIPAA audits in 2014. (Earlier, audits were triggered only in response to a breach.)

• Penalties have been raised to millions.

But the worst is being in the newspapers!

[Figure: the Corrective Action Plan (CAP) signed by Idaho State University]

[Figure: breaches reported by universities]

No Plausible Deniability

• HIPAA applies if even a single clinical researcher has an account on a system.

• The govt. says you should have known that allowing clinical researchers on a system opens the possibility of sensitive health information on the system.

An environment with clinical researchers must be secured, independently of what a researcher may or may not do.

FISMA

• In addition to HIPAA, we now have FISMA to deal with.

• It is slowly showing up in NIH grants and contracts.

• It is the next regulatory frontier HPC will have to deal with.

• Fortunately, it’s possible to tackle both HIPAA and FISMA using a single, unified approach.

The Scope

• HIPAA & FISMA require end-to-end security. This means starting at the customer end (where data is generated) → the network → your end → data disposal.

• Any and all dependencies and infrastructure pieces must also be included.

• We must consider the entire research workflow.

Grant = Data Life Cycle

A grant life cycle from an IT provider’s perspective is a data life cycle (✔ = involves compliance).

Pre-Grant
• Preliminary Investigation
• Cyberinfrastructure Design ✔

Proposal
• Proposal Prep
• Budget
• IRB Process ✔

Execution
• Data Acquisition ✔
• Data Analysis ✔
• Data Mgmt ✔
• Data Sharing ✔
• Data Viz ✔

Post-Grant
• Data Publishing ✔
• Data Archival ✔
• Data Disposal ✔

2. HIPAA

A HIPAA Primer

• Health Insurance Portability & Accountability Act.

• Passed in 1996, became law in 2001.

• Enforced by the Office for Civil Rights (OCR) in the US Dept. of Health & Human Services (HHS).

• The Omnibus Final Rule of 2013 includes provisions from the 2006 Health Information Technology for Economic & Clinical Health (HITECH) Act & the 2008 Genetic Information Nondiscrimination Act (GINA).

HITECH & GINA

• HITECH was part of ARRA and enacted to promote the adoption of Health Information Technology, especially Electronic Health Records (EHR).

• GINA prohibits insurers from using human genetic data to deny coverage based on genetic predisposition to future diseases.

Patient Privacy Protection

• Addressed via the HIPAA Privacy Rule and the HIPAA Security Rule.

• The Privacy Rule defines who HIPAA applies to (covered entities) and what is protected (protected health information or PHI*).

• The Security Rule focuses exclusively on how to protect electronic PHI (ePHI) in any form – at rest, in transit, under analysis, etc.

* PHI is identifiable patient data with one or more of 18 identifiers

HIPAA Security Rule

• The Security Rule requires 1. administrative, 2. physical, and 3. technical safeguards to:

- Ensure the confidentiality, integrity, and availability of all ePHI created, received, maintained or transmitted;

- Identify and protect against reasonably anticipated threats to the security or integrity of the information;

- Protect against reasonably anticipated, impermissible uses or disclosures;

- Ensure compliance by the workforce; and

- Provide a means for managing risk in an ongoing fashion.

Security Rule Safeguards

• Administrative – security organization, policies, training, responsibilities, incident response, etc.

• Physical – data center access, equipment/media disposal, inventory control, etc.

• Technical – firewalls, patching, auditing,

Required & Addressable

• Each Security Rule safeguard is either “required” or “addressable”.

• Required = what it says.

• Addressable = should address, but OK if you describe why it is not in place or how you will otherwise address the risk.

• A risk assessment (RA) identifies where to concentrate effort. The RA can be internal or external.

Breach Notification

• HIPAA requires that a breach of ePHI be reported ASAP:

1. To everyone whose ePHI has been compromised.

2. For a breach involving > 500 patients, to the media and the Secretary of HHS.

Business Associates

• HIPAA requires a business associate agreement (BAA) with any external entity (= business associate) that touches your ePHI.

• Your BAA must include a clause that the BA will protect your ePHI. So must their BAAs with their BAs.

• Due diligence requires ensuring that the BA can actually protect your ePHI as per HIPAA.

→ Purchasing & HIPAA Compliance Office partnerships

Enforcement

• HIPAA violations can result in civil monetary penalties (up to $1.5 million/violation) against a covered entity and/or individual criminal penalties (up to a 10-year prison term).

• The OCR has been funded via ARRA/HITECH to institute an audit program. They will start random HIPAA audits in 2014.

Does HIPAA Apply to All Identifiable Health Data?

• No. Only healthcare providers, facilities, and insurers are subject to HIPAA. Identifiable health data outside a healthcare context is not (e.g. personal health data users upload to Google Health, Microsoft HealthVault).

• Data, if properly de-identified, is not subject to HIPAA.

If unsure, contact your HIPAA Compliance office

Who Does HIPAA Cover at a University?

• Employees, healthcare providers, trainees & volunteers at the medical school and affiliated healthcare sites or programs.

• Employees who work with university health plans.

• Employees who provide financial, legal, business, administrative, or IT support to the above.

Just Good Security?

Q: So, the HIPAA Security Rule means we just need to provide good IT security for systems?

A: NO. The Security Rule is about assessing & managing risk, and security is only PART of that process. HIPAA requires administrative controls, training, governance, policies, formal review, etc.

Information Security Risk Management

• Identify, assess, prioritize, and mitigate risk to information security, on an ongoing basis.

• Think in terms of managing risk, not just plugging security holes.

Risk = {Threat/Vulnerability x Likelihood x Impact}

• A big threat due to an existing vulnerability that is highly unlikely to be exploited, or that has little impact, is low risk. You don’t kill yourself over it.

Risk Management Framework

A mature RMF consists of:

• Good governance = institutional security organization, policies, sanctions, enforcement

• Risk management = assessment, mitigation through appropriate physical, administrative, technical controls, documentation

• Review = regular monitoring, reviews, assessment, and mitigation

• Awareness and training

HIPAA Security Rule Myths

• Myth #1 – Security rule compliance is a boolean.

Truth: There is no threshold where you suddenly become compliant.

• Myth #2 – You can be certified HIPAA compliant.

Truth: No company or federal agency is authorized to certify you as being HIPAA “compliant”. (The only way to know for sure is to survive a HIPAA audit, which is highly undesirable.)

So you align with the HIPAA rules as best as you can and “self assert” compliance.

HIPAA Security Rule Myths

• Myth #3 – Once compliant, you stay compliant.

Truth: No. Compliance is an ongoing process; once started, it never stops.

• Myth #4 – You must use an external third party for risk/security assessment.

Truth: No. You can do it internally, so long as you follow accepted practices and document it all.

3. FISMA

FISMA

• Federal Information Security Management Act of 2002.

• Requires government agencies to secure their systems as per NIST guidelines.

• Subcontractors of the agencies (=you) must also comply.

• Contracts are now seeing FISMA language.

• You are likely to be involved.

The FISMA Process

• Grants Administrators/Business Development

- Identify and notify the Office of Research Administration (ORA) if there are FISMA terms in the contract

- Make sure the budget includes FISMA costs

- Identify and document key IT security personnel

- Make sure all documents that are referenced are included

• PI/Study Team

- Clearly describe the scope of work

- Identify all potential subcontractors and their scope of work

• PI/Study Team and IT Support

- Clearly describe data flows

- In detail, describe all systems used to support the contract

The FISMA Information Security Process

A continuous cycle:

Define system boundaries → Assess Risk (NIST 800-30, 37, 39) → Apply Controls (NIST 800-53) → Evaluate Controls (NIST 800-53A) → Authority to Operate (ATO) → Plan of Action & Milestones (POA&M) → back to Define system boundaries

Authority to Operate

• The information security plan is submitted to the agency.

• An ATO letter is issued by the government agency to the business owner (and some authoritative information security unit like the ISO) authorizing operations of the system.

• If remediation is not too serious, the agency will issue an Interim Authority To Operate (IATO). The IATO will have a defined end date. Therefore, the problems must be fixed by a certain date.

Plan of Action & Milestones

• The POA&M describes remediation steps.

• Even if a contractor receives an ATO, there still may be items for which the agency requires remediation. These weaknesses may not be significant enough to withhold an IATO/ATO, but they still must be corrected.

• Someone at your institution (the ISO?) must track these items and ensure that they are completed.

4. Implementing HIPAA Security

Research Computing at IU

• Indiana University has a large central IT organization called the University Information Technology Services (UITS).

• We provide advanced cyberinfrastructure – supercomputing, massive data storage, visualization, etc. – as well as basic services.

• Before 2000, IU research cyberinfrastructure was used mostly by the usual suspects.

HIPAA History

• In 2000, a grant from the Lilly Endowment required our cyberinfrastructure to support biomedical researchers at the IU School of Medicine.

• We stored non-ePHI for IUSM for some years.

• A decision was finally made to align our entire research cyberinfrastructure with HIPAA.

• Accomplished in 2009 after a year of effort.

IU’s Approach

• A protected, walled garden will give you bullet-proof security.

• This may work from low to moderate scales.

• A separate walled garden HPC environment just for HIPAA is infeasible/impractical.

• HIPAA does not require bullet-proof security.

• At IU, we decided to focus on risk, not bullet-proofing.

HIPAA – Implementing the RMF

1. Assign ownership

2. Form partnerships

3. Document everything

4. Hire external consultant

5. Perform gap analysis/fill gaps

6. Assess risk

7. Create & execute risk mgmt plan

8. Get official blessing & advertize

Assign Ownership

• Dedicated resources commensurate with the scale. At IU, we spent around 1.5 FTE-years for the initial effort and 1.0 FTE on an ongoing basis.

• Assigned someone to lead the project.

• Empowered the leader.

Form Partnerships

• Got to know IU and IU School of Medicine Compliance folks.

• Formed an oversight committee; put all stakeholders on it – Compliance, Counsel, Information Security Office, Information Policy Office, School of Medicine CIO/Security Officer, staff/faculty, and UITS senior management.

Document Everything

• Spent a lot of time on developing a documentation strategy/format.

• Documented all current policies and procedures, physical, administrative, and technical controls.

• Consulted with line managers & key staff.

• Instituted a secure document management system (DMS).

Hire External Consultant

• Asked IU Compliance folks for references.

• Got referred to a consultant from DC, who also serves on national HIPAA committees, etc.

• Consultant was given information about the organization, documentation, etc.

• Consultant visited IU a couple times to do in-person interviews.

Perform Gap Analysis

• An information security Gap Analysis (GA) measures the gaps between actual security on the ground and what HIPAA requires.

• Involved on-site interviews.

• Consultant used the data to identify gaps.

• We received the GA report.

Fill Gaps

• Reviewed gap analysis report.

• Filled as many holes as we could, especially the most serious ones.

• Updated documentation.

• Got ready for risk assessment.

Assess Risk

• Everything we had went into the risk assessment exercise.

• Submitted updated documentation and other information as requested to the external consultant.

• On-site interviews followed.

• Received a risk assessment report.

• Report identified risks and scored them.

Follow Standards

• We were measured against the NIST 800-53 security standard since it is often used for complying with HIPAA. This was fortuitous later for our FISMA work.

• It put an “official seal” on the process & added rigor.

• We also reviewed other NIST guidelines, standards such as ISO 27001, etc., and IT best practices.

Create a Risk Management Plan

• Reviewed risk assessment report.

• Addressed all risks and documented mitigation, reason for not mitigating, or alternatives.

• Submitted the RM plan to the external consultant for review.

• Modified RM plan using her recommendations.

Execute Risk Management Plan

• Execution involved some short-term actions that addressed many high/medium risk items immediately.

• Instituted long-term processes such as regular reviews, risk monitoring, risk avoidance strategies, etc.

• Documented everything (again) …

Get Official Blessing & Advertize

• Submitted everything to the oversight committee.

• Received an official letter of approval from Compliance in January 2009.

• Advertized internally and targeted only IUSM researchers to avoid unnecessary attention.

HIPAA - Ongoing

• Semi-annual internal reviews = review/update all documentation and reassess risk. External reviews every 5 years.

• Annual, mandatory HIPAA training in HIPAA regulation, how it applies to us, and our policies and procedures, etc.

• Self-assertion process for new services. Requires risk analysis, mitigation, documentation, security screening, & training/reviews, etc.

Do I too need to do ALL THIS?

• No. HIPAA does not prescribe how you manage risk, just that you do.

• You can customize according to your environment, budget, and risk level.

• Chances are you already meet the bulk of HIPAA Security Rule requirements.

• You need to document your practices in the format HIPAA requires.

Institutional HIPAA Process

1. Researcher needs to process/store ePHI

2. IU HIPAA Compliance Office sends them to us

3. We help build a HIPAA compliant “solution”

4. We help with documentation

5. Documentation is submitted to the Compliance Office

6. The researcher self-asserts HIPAA compliance

Institutional FISMA Process*

1. Researcher gets a govt. contract

2. Office of Research Admin (ORA) contacts us

3. We help build and monitor FISMA compliance

4. We help create a FISMA “package” for ORA

5. PI/ORA submit the package to agency

6. Agency issues an ATO

* = Future

Lessons Learned

• At IU, HIPAA compliance has made a huge impact. Starting from zero in 2009, we now have:

1. Number of biomedical user accounts: 3,000

2. Volume of biomedical data stored: ~1PB

3. Use of computing cycles: 1 MSUs

4. Number of databases: > 800

5. New services for biomedical users: >10

6. Number of NIH grants that fund FTEs: 5

7. Number of FTEs funded by these grants: ~ 10

Benefits

• The IU Compliance office trusts us and sends customers our way. (We have made their job easier by lowering institutional risk.)

• The School of Med researchers are flocking to us to meet their research computing needs.

• We have standardized on regulatory compliance, saving effort and $ going forward.

• We can defend ourselves if audited.

Current Status

• We are establishing institutional processes.

• HIPAA is mostly in place for HPC/Central IT.

• FISMA is in process.

• A new IT policy addresses risk institutionally.

As for many others, IU’s GRC (Governance, Risk, Compliance) framework is evolving rapidly. We have learned a lot in the past half decade.

Future

• Expand to a mature, institutional, regulation-neutral, NIST standards-based RMF.

• Provide NIST-based risk and security assessment tools to IU IT units for internal assessments.

• Centralize documentation.

• Weave risk into the very fabric of IT; assess and mitigate continuously as risks evolve.

5. Conclusions

Conclusions

• There will be more ePHI in more places on HPC and Central IT systems.

• There will be more regulations ending with an “A”!

• Not paying attention will impact institutional liability and reputation.

• An institutional RMF is essential/feasible.

• It will give you resources to align with any current/future regulation/requirement.

WE ARE MORE THAN HAPPY TO HELP

HIPAA Resources

• The HIPAA Security Rule http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/index.html

• NIST 800-66: Guide to Implementing the HIPAA Security Rule http://csrc.nist.gov/publications/nistpubs/800-66-Rev1/SP-800-66-Revision1.pdf

• NIST 800-53: Recommended Security Controls http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final_updated-errata_05-01-2010.pdf

• NIST 800-53A: Guide for Assessing Security Controls http://csrc.nist.gov/publications/nistpubs/800-53A-rev1/sp800-53A-rev1-final.pdf

• FIPS 200: Federal Systems Minimum Security Requirements http://csrc.nist.gov/publications/fips/fips200/FIPS-200-final-march.pdf

• NIST HIPAA Security Rule Toolkit http://scap.nist.gov/hipaa/

• IU HIPAA Documentation Templates (email me)

• IU HIPAA Risk Assessment Template (email me)

Contact

Anurag Shankar ashankar@iu.edu

812-325-8629

Bill Barnett barnettw@iu.edu

812-856-3038
