Sherlock Cloud - University of California | Office of The

advertisement

H EALTH C YBERINFRASTRUCTURE D IVISION

San Diego Supercomputer Center at UC San Diego

2015 Larry L. Sautter Award for Innovation in Information Technology

Project Title

Sherlock Cloud: Health Information Portability and Accountability

Act (HIPAA)-Compliant Cloud for the University of California

(UC)

Submitter’s Name

Sandeep Chandra

Director, Health Cyberinfrastructure Division

San Diego Supercomputer Center chandras@sdsc.edu

858.534.5031

Project Timeframe

September 2013 – Present

Relevant URLs http://sherlock.sdsc.edu/ http://www.sdsc.edu/

Project Leader

Sandeep Chandra, System Architect

Project Team Members

Winston Armstrong, Information Security Officer

Kyle Barber, IT Systems Lead

David Beitler, Systems Engineer

Brian Hom, Security Analyst

Phillip Lopo, Security Analyst

Claire Mizumoto, Technical Project Manager

Leslie Morsek, Technical Project Manager

Mark Pumphrey, Systems Engineer

Danielle Whitehair, User Support Lead

Hua Uy, Systems Engineer

Technologies Used

Apache

Aspera

Bro

Cognos

Commvault

DB2

Globalscape

Linux OEL

Oracle

Oracle Enterprise Manager

OSSEC

Puppet

RSA Authentication Manager

Shibboleth

Splunk

Tibco

Tivoli

VMWare

Vyatta

Windows Server 2008R2

Windows Server 2012R2

1 | P a g e

H EALTH C YBERINFRASTRUCTURE D IVISION

San Diego Supercomputer Center at UC San Diego

2015 Larry L. Sautter Award for Innovation in Information Technology

Introduction and Background

The Health Cyberinfrastructure (CI) Division at the San Diego Supercomputer Center recognized a need to provide secure and compliant data management, application hosting, and computing capabilities to University of California (UC) and academic and government partners. As such, it embarked on a journey to establish the Sherlock Cloud infrastructure. Cloud computing provides a way for projects to scalably store and manage their data in a secure online environment. New projects can be deployed and managed without a large investment of time, cost, or infrastructure, and cloud resources can be tailored to the individual project’s computing needs while leveraging economies of scale and shared expertise.

When the Health CI Division debuted in November 2008, it had developed a cloud infrastructure that complied with the

Federal Information System Management Act (FISMA), rendering it the largest FIMSA-certified cloud within the UC system. The cloud infrastructure was further developed in accordance with hundreds of National Institute of Standards and

Technology (NIST) controls governing system access, information control, and management processes; it also addressed federal Cloud First requirements. The Division subsequently branded its cloud: Sherlock Cloud.

After working a few years with data governed by FISMA requirements, the Health CI Division decided to parlay this knowledge and expertise and embark on an innovative journey to expand its cloud offering to include a Health Insurance

Portability and Accountability Act (HIPAA)-compliant cloud environment, a niche and unique offering within the UC. This expansion would not only strengthen the Sherlock Cloud infrastructure for UC campuses, divisions, and researchers, but it would also lay the groundwork for the Health CI Division’s designation as an SDSC “Center for Excellence” for secure

HIPAA- and FISMA-compliant managed cloud services.

Conceptualization and Creation of the HIPAA-Compliant Cloud Environment

In mid-2013, the UC Office of the President (UCOP) approached the Health CI Division with a need that would support

UCOP achieve its mission of strategically managing risk to create greater financial stability for UC through its Enterprise

Risk Management (ERMIS) initiative. To accomplish this mission, UCOP requested a HIPAA-compliant cloud environment to host its data, which currently did not exist in the Sherlock Cloud infrastructure or anywhere else within the UC. Following collaborative discussions with UCOP, which entailed understanding and capturing the compliance requirements of the

ERMIS platform and ensuring that the application, data and system access, and usability was maintained, the Health CI

Division conceptualized and devised the required architecture needed to build the HIPAA-compliant cloud environment, which required scaling the Sherlock Cloud infrastructure, and began the innovative process of building this environment in

September 2013.

Building the HIPAA-compliant cloud environment required innovation on the part of the Health CI Division, as HIPAA does not prescribe the exact physical and technical safeguards a cloud service provider must employ to ensure its cloud complies with the Act to protect and secure sensitive Protected Health Information (PHI) data. Indeed, the Health CI Division accepted the challenge and identified those HIPAA safeguards it deemed necessary, and further incorporated its experience with the heightened physical and technical requirements of FISMA to create a HIPAA-compliant cloud environment that fully encapsulated the safeguards and statutory framework of HIPAA. The approach involved identifying and applying a comprehensive subset of security controls, as identified within the NIST guidelines, scaling the cloud infrastructure by identifying a number of operational and management services that could be deployed once and leveraged across the various projects hosted within the HIPAA cloud, and developing policies and processes that comprehensively encompass all elements of HIPAA compliance and auditability. In addition, some management services could not be shared across various projects because of compliance requirements and these limited set of services were operationalized to be easily instantiated for every project. This approach provided significant economies of scale, both at the services and software/hardware level, within the

HIPAA-compliant cloud. The ingenuity of the Health CI Division to capitalize on its FISMA expertise undoubtedly provides a HIPAA-compliant cloud that exceeds the expectations of the Act’s objectives.

The Health CI Division successfully developed and deployed the HIPAA-compliant cloud in April 2014, approximately 6 months after accepting the challenge. “The Health CI Division was able to seamlessly take our data and application infrastructure from an open environment to a secure HIPAA-compliant environment in approximately 6 months. This aggressive timeline would not have been feasible absent the expertise and necessary skillset possessed by the Health CI

Division. The end product, which has now been in production for over a year, has greatly helped secure Risk management

2 | P a g e

H EALTH C YBERINFRASTRUCTURE D IVISION

San Diego Supercomputer Center at UC San Diego

2015 Larry L. Sautter Award for Innovation in Information Technology data and applications, and we are extremely pleased with the outcome,” said UCOP Director of Risk IT Systems, Nilofeur

Samuel.

The Health CI Division’s short term goal of deploying a high functioning, secure cloud environment that could be used by

UCOP to improve the effectiveness of UC Risk Initiative business processes was a stepping stone to its ultimate goal of establishing a scalable HIPAA-compliant cloud at UC, which could be used by UC campuses, medical centers, departments, and researchers as well as outside academic and non-academic partners seeking secure and compliant managed IT and cloud hosting services for projects involving sensitive PHI and Personally Identifiable Information (PII) data. The Health CI

Division successfully attained that goal, and created an environment that is scalable , sharable , interoperable, integrated , and used within UC, as well as nationally, as it currently supports the National Cancer Institute (NCI), National Institutes of

Health (NIH), Centers for Medicare and Medicaid Services (CMS), and a number of UC institutions (e.g., UCOP, UCSF

Medical Center, Calit2/Qualcomm Institute, etc.).

Maintenance of the HIPAA-Compliant Cloud Environment

To ensure the longevity and utility of the HIPAA-compliant cloud, the Health CI Division meticulously follows stringent guidelines and policies required to maintain its HIPAA-compliant status. Maintaining HIPAA compliance involves managing the entire software and hardware platform and the necessary management processes. Accordingly, the Health CI Division’s management, security, and systems teams continuously monitor, regularly test, and actively maintain the requirements including, but not limited to:

Generating and maintaining policy and lifecycle documents (e.g., System Security, Incident Response, and

Contingency);

System vulnerability scanning, flaw remediation, continuous system monitoring, and log analysis;

Conducting yearly security assessments and security testing for all staff with access to HIPAA data;

Testing regularly for purposes of backup/archiving;

Performing workforce clearances and background checks;

Monitoring physical security controls, access controls, and authentication; and

Ensuring data transmission security and data at rest security.

The diligence with which the Health CI Division works to maintain its compliance status strongly aids and improves the operational efficiency and usability/accessibility of the UC system to support its various projects and research initiatives that are reliant on the safeguards provided by the HIPAA-compliant cloud. Anyone within the UC system can commence new projects and initiatives with confidence knowing that the Health CI Division has these established protocols in place and it recognizes the important role it plays in the success of current and future projects and initiatives.

Proven Methodology for HIPAA-Compliant Cloud Project Deployment

The Health CI Division is comprised of IT specialists who guide partners through the process of determining and understanding the steps necessary to meet and maintain their HIPAA-compliant cloud needs. The Division has developed a standard framework to gather the requisite information to ensure proper planning, deployment, and maintenance of a project.

Consequently, with the advent of these four steps, it enables the HIPAA-compliant cloud to be shareable and readily implementable elsewhere within the UC .

Step 1: Determining Project Background and Scope

Before a project can be initiated, the Health CI Division must understand the project’s background and scope. Moreover, the project’s regulatory requirements (i.e., HIPAA) and security requirements and parameters must be identified. Armed with this information, it can then be determined how the Health CI Division can assist the partner with its project.

Step 2: Understanding Project Compliant Hosting Requirements

The Health CI Division must become familiar with the project’s compliant hosting requirements, which require the partner to detail specific technical requirements of the project (e.g., applications, compute and storage, service-level agreements, etc.).

Step 3: Proposing and Building a Platform

3 | P a g e

H EALTH C YBERINFRASTRUCTURE D IVISION

San Diego Supercomputer Center at UC San Diego

2015 Larry L. Sautter Award for Innovation in Information Technology

Next, the Health CI Division will jointly work with its partner to propose and architect the platform. This step entails outlining the system architecture for project deployment within Sherlock Cloud, defining and testing a proof-of-concept implementation, discussing costing options, developing a memorandum of understanding that outlines deliverables, roles and responsibilities and service level agreements, and initiating platform deployment upon contract award.

Step 4: Providing Ongoing Operations and Maintenance Support

Finally, as detailed in the previous section, the Health CI Division will work with its partner to maintain compliance requirements and provide ongoing operations and maintenance (e.g., infrastructure support, system administration and maintenance, change management, security/CISO support, and project management and coordination).

Specific Impacts of the HIPAA-Compliant Cloud Environment

The HIPAA-compliant cloud has been extremely successful and the extent of its impact on multiple areas across campuses continues to grow and this enables the Health CI Division to add functionalities and capabilities that strengthen its cloud offering. Moreover, the flexibility and scalability of the compute, storage, software and services platform supports a variety of research and data projects requiring a secure, access-controlled environment. The Health CI Division partners with various departments, medical centers, and researchers to engage in projects that have yielded significant benefits in areas such as patient care, business continuity, and medical research.

Research & Collaboration

A driving factor behind the development of the HIPAA-compliant cloud was to support researchers and their projects. The

Health CI Division team understands the requirements of research computing, and how the needs of professors and investigators may differ from those of the typical end user of commercial cloud platforms. Coupling the expertise of the

Division with the availability of the HIPAA-compliant cloud enhances the quality of research and competitiveness , as researchers (1) are now able to pursue initiatives that were previously unavailable due to the lack of a cost-effective and secure cloud environment, (2) have access to highly technical and experienced Health CI staff who are intimately familiar with HIPAA requirements and can assist where and when needed, and (3) can reach back to the entire SDSC network of cyberinfrastructure specialists for support, which spans numerous fields of expertise.

Some of the research initiatives it supports include:

Be There San Diego : The Health CI Division partnered with various healthcare organizations to build and deploy a system to support a research project that focuses on helping reduce heart attacks and strokes in the San Diego area, with the goal that San Diego be the first “heart attack and stroke free zone” in the nation. The system was deployed in January 2015. This project received funding through the Health Care Innovation grant that was funded by CMS.

GeoDatabase (GeoDB) : The GeoDB project is funded by an NCI grant to develop a geo-database that facilitates the matching of geographic information system (GIS) data to GPS data, compares different spatial techniques for creating exposure variables, and assesses relationships across several data sets. In collaboration with the

Qualcomm Institute, the Health CI Division created a HIPAA environment for related GIS projects. The Health CI

Division built and deployed the geo-database in June 2014.

Another essential factor underlying the development of the HIPAA-compliant cloud was the ability to partner and collaborate with IT organizations in need of this service. The Health CI Division now partners with various IT organizations to collaborate and develop custom frameworks that support their projects. To do so, a comprehensive joint service model that defines roles, responsibilities, and processes to be used is cooperatively developed by the parties. The availability of the

HIPAA-compliant cloud to IT organizations has additionally broadened the spectrum of available resources, as the Division now works with UC Medical Centers IT departments to provide disaster recovery and business continuity services.

Health Care

The Health CI Division provides the UCSF Medical Center with a fully managed replication and disaster recovery service for its clinical applications as well as a business continuity service. As such, to improve the quality and preserve the integrity of patient care , the Health CI Division in conjunction with the UCSF Medical Center have developed stringent procedures to

4 | P a g e

H EALTH C YBERINFRASTRUCTURE D IVISION

San Diego Supercomputer Center at UC San Diego

2015 Larry L. Sautter Award for Innovation in Information Technology follow during a disaster and have implemented stringent RPO and RTO parameters to minimize data loss. With this service, patients can rest assured knowing that should a disaster occur, UCSF Medical Center has the ability to recover vital technology infrastructure, systems, and information needed to support each patient’s care.

Technology Infrastructure Innovation

With the addition of the HIPAA-compliant cloud, the UC system now has an environment to host sensitive PHI and PII data and support projects that must meet HIPAA regulations. This improvement to UC’s IT environment enhances multiple services , as it provides a mechanism within the university to achieve various goals and missions (i.e., strategically managing risk to create greater financial stability for UC and promoting patient care during times of disaster). The Health CI Division’s technological infrastructure innovation allows it to further provide its services at a reasonable cost, thereby reducing the cost for UC campuses, departments, and researchers. Specifically, Sherlock Cloud consists of three main environments (i.e.,

HIPAA, FISMA, and Agile). While each environment has a set of management services specific to that environment, all three environments leverage a set of shared management services and share the same physical hardware resource pool.

Sherlock Cloud uses virtualization technologies to achieve hardware economies of scale and increased system utilization through the secure sharing of hardware and storage devices. This provides economies of scale by lowering project costs and increasing resource reliability and uptime.

Figure 1: Sherlock Cloud Platform

Conclusion

The Health CI Division has greatly contributed to UC’s innovation in information technology landscape through its deployment of the HIPAA-compliant cloud. Despite being fairly new to this landscape, the Health CI Division has already received various accolades – demonstrating assessable success criteria – and it intends to continually develop and expand its

HIPAA-compliant cloud offerings and expertise. The journey did not end with the deployment of this cloud environment, but rather another leg of the journey commenced. The Health CI Division looks forward to continually working with the various

UC campuses, medical centers, and researchers as well as those partners outside the UC framework to deliver top-notch

HIPAA-compliant cloud offerings and services that continue to meet and exceed their systems and security expectations.

5 | P a g e

Download