Implementing HPC HIPAA (& FISMA)

Implementing HPC HIPAA (& FISMA)
Anurag Shankar
University Information Technology Services
Indiana University
CASC: 4/23/2014
Outline
1. Introduction
2. HIPAA
3. FISMA
4. Implementation
5. Conclusion
1. Introduction
A Changing Landscape
• As HPC shops, our heritage has been to
serve physical scientists and engineers - the
“usual suspects”.
• Regulatory compliance is a concept foreign
to these users.
• While we’ve addressed security, compliance
still remains an unexplored frontier, not only
for HPC, but for Central IT in general.
The New Reality
• Clinical research computing, traditionally
confined to Med School cyberinfrastructures,
increasingly requires HPC resources.
• Med School IT cannot keep pace;
identifiable HIPAA data is leaking into
Central IT/national HPC environments.
• We have to weave compliance into the HPC
fabric sooner or later.
New Motivations
• A new HIPAA Omnibus Rule came out in
2013, with new requirements and mandates.
• The government will initiate random HIPAA
audits in 2014. (Earlier, audits were triggered
only in response to a breach.)
• Penalties have been raised to millions.
But the worst is being in the newspapers!
[Slide images: the Corrective Action Plan (CAP) signed by Idaho State University; breaches reported by universities]
No Plausible Deniability
• HIPAA applies if even a single clinical
researcher has an account on a system.
• The govt. says you should have known that
allowing clinical researchers on a system
opens the possibility of sensitive health
information being on the system.
→ An environment with clinical researchers must be
secured, independently of what a researcher may or
may not do.
FISMA
• In addition to HIPAA, we now have FISMA to
deal with.
• It is slowly showing up in NIH grants and
contracts.
• It is the next regulatory frontier HPC will have
to deal with.
• Fortunately, it’s possible to tackle both HIPAA
and FISMA using a single, unified approach.
The Scope
• HIPAA & FISMA require end to end security.
This means starting at the customer end
(where data is generated) → the network →
your end → data disposal.
• Any and all dependencies and infrastructure
pieces must also be included.
• We must consider the entire research
workflow.
Grant = Data Life Cycle
A grant life cycle from an IT provider’s perspective is a data life cycle:
• Pre-Grant: Preliminary Investigation; Cyberinfrastructure Design ✔; Proposal Prep
• Proposal: Budget; IRB Process ✔
• Execution: Data Acquisition ✔; Data Analysis ✔; Data Mgmt ✔; Data Sharing ✔; Data Viz ✔
• Post-Grant: Data Publishing ✔; Data Archival ✔; Data Disposal ✔
✔ = Involves compliance
2. HIPAA
A HIPAA Primer
• Health Insurance Portability & Accountability Act.
• Passed in 1996; the Privacy Rule took effect in 2001
(compliance required by 2003; Security Rule compliance
by 2005).
• Enforced by the Office for Civil Rights (OCR) in the
US Dept. of Health & Human Services (HHS).
• The Omnibus Final Rule of 2013 includes provisions
from the 2009 Health Information Technology for
Economic & Clinical Health (HITECH) Act & the
2008 Genetic Information Nondiscrimination Act
(GINA).
HITECH & GINA
• HITECH was part of the 2009 American Recovery
and Reinvestment Act (ARRA) and was enacted to
promote the adoption of Health Information
Technology, especially Electronic Health
Records (EHR).
• GINA prohibits insurers from using human
genetic data to deny coverage based on
genetic predisposition to future diseases.
Patient Privacy Protection
• Addressed via the HIPAA Privacy Rule and the
HIPAA Security Rule.
• The Privacy Rule defines who HIPAA applies to
(covered entities) and what is protected
(protected health information or PHI*).
• The Security Rule focuses exclusively on how
to protect electronic PHI (ePHI) in any form – at
rest, in transit, under analysis, etc.
* PHI = individually identifiable health information. HIPAA’s Safe Harbor de-identification method lists 18 identifiers that must be removed before data stops being PHI.
HIPAA Security Rule
• The Security Rule requires 1. administrative, 2.
physical, and 3. technical safeguards to
• Ensure the confidentiality, integrity, and availability of all ePHI
created, received, maintained or transmitted;
• Identify and protect against reasonably anticipated threats to
the security or integrity of the information;
• Protect against reasonably anticipated, impermissible uses or
disclosures;
• Ensure compliance by the workforce; and
• Provide a means for managing risk in an ongoing fashion.
Security Rule Safeguards
• Administrative – security organization,
policies, training, responsibilities, incident
response, etc.
• Physical – data center access,
equipment/media disposal, inventory
control, etc.
• Technical – firewalls, patching, auditing,
scanning, monitoring, account requirements,
etc.
+ organizational/policies/documentation
Required & Addressable
• Each implementation specification in the Security
Rule is either “required” or “addressable”.
• Required = what it says.
• Addressable = must be assessed; ok if you document
why it is not reasonable and appropriate in your
environment and how you otherwise address the risk
(e.g. with an equivalent alternative measure).
• A risk assessment (RA) identifies where to
concentrate effort. RA can be internal or external.
Breach Notification
• HIPAA requires that a breach of unsecured ePHI be
reported without unreasonable delay (and no later
than 60 days after discovery):
1. To every individual whose ePHI has been
compromised.
2. For a breach involving > 500 individuals,
to the Secretary of HHS and (for > 500
residents of a state or jurisdiction) to
prominent media outlets.
(Smaller breaches are logged and reported to HHS annually.)
Business Associates
• HIPAA requires a business associate
agreement (BAA) with any external entity (=
business associate) that touches your ePHI.
• Your BAA must include a clause that the BA
will protect your ePHI. So must their BAAs
with their BAs.
• Due diligence requires ensuring that the BA
can actually protect your ePHI as per HIPAA.
→ Purchasing & HIPAA Compliance Office partnerships
Enforcement
• HIPAA violations can result in civil monetary
penalties (up to $1.5 million per year for violations
of an identical provision) against a covered entity
and/or individual criminal penalties (up to 10 yrs
prison term).
• The OCR has been funded via ARRA/HITECH
to institute an audit program. They will start
random HIPAA audits in 2014.
Does HIPAA apply to All
Identifiable Health Data?
• No. Only covered entities (health plans, healthcare
clearinghouses, and providers that transmit health
information electronically) and their business
associates are subject to HIPAA. Identifiable
health data outside a healthcare context is not
(e.g. personal health data users upload to Google
Health, Microsoft HealthVault).
• Data, if properly de-identified (by the Safe Harbor
method of removing the 18 identifiers, or by expert
determination), is not subject to HIPAA.
If unsure, contact your HIPAA Compliance office
Who does HIPAA Cover at a
University?
• Employees, healthcare providers, trainees &
volunteers at the medical school and affiliated
healthcare sites or programs.
• Employees who work with university health
plans.
• Employees who provide financial, legal,
business, administrative, or IT support to the
above.
Just Good Security?
Q: So, the HIPAA Security Rule means we just
need to provide good IT security for systems?
A: NO. The Security Rule is about assessing &
managing risk, and security is only PART of that
process. HIPAA requires administrative controls,
training, governance, policies, formal review, etc.
Information Security Risk
Management
• Identify, assess, prioritize, and mitigate risk to
information security, on an ongoing basis.
• Think in terms of managing risk, not just plugging
security holes.
Risk = {Threat/Vulnerability x Likelihood x Impact}
• A serious threat against an existing vulnerability that is
highly unlikely to be exploited, or would have little impact, is
low risk. You don’t kill yourself over it.
Risk Management Framework
A mature RMF consists of:
• Good governance = institutional security
organization, policies, sanctions, enforcement
• Risk management = assessment, mitigation through
appropriate physical, administrative, technical
controls, documentation
• Review = regular monitoring, reviews, assessment,
and mitigation
• Awareness and training
HIPAA Security Rule Myths
• Myth #1 – Security rule compliance is a boolean.
Truth: There is no threshold where you suddenly
become compliant.
• Myth #2 – You can be certified HIPAA compliant.
Truth: No company or federal agency is authorized
to certify you as being HIPAA “compliant”. (The only
way to know for sure is to survive a HIPAA audit, highly undesirable.)
So you align with the HIPAA rules as best as you
can and “self assert” compliance.
HIPAA Security Rule Myths
• Myth #3 – Once compliant, you stay compliant.
Truth: No. Compliance is an ongoing process; once
started, it never stops.
• Myth #4 – You must use external third party for
risk/security assessment.
Truth: No. You can do it internally, so long as
you follow accepted practices and document it
all.
3. FISMA
FISMA
• Federal Information Security Management
Act of 2002.
• Requires government agencies to secure
their system as per NIST guidelines.
• Subcontractors of the agencies (=you) must
also comply.
• Contracts are now seeing FISMA language.
• You are likely to be involved.
The FISMA Process
• Grants Administrators/Business Development
- Identify and notify the Office of Research Administration (ORA) if there are
FISMA terms in the contract
- Make sure the budget includes FISMA costs
- Identify and document key IT security personnel
- Make sure all documents that are referenced are included
• PI/Study Team
- Clearly describe the scope of work
- Identify all potential subcontractors and their scope of work
• PI/Study Team and IT Support
- Clearly describe data flows
- In detail, describe all systems used to support the contract
The FISMA Information Security Process
1. Define system boundaries
2. Assess Risk (NIST 800-30, 37, 39)
3. Apply Controls (NIST 800-53)
4. Evaluate Controls (NIST 800-53A)
5. Plan of Action & Milestones (POA&M)
6. Authority to Operate (ATO)
Authority to Operate
• The information security plan is submitted to
the agency.
• An ATO letter is issued by the government
agency to the business owner (and some
authoritative information security unit like the
ISO) authorizing operations of the system.
• If the remaining remediation items are not too
serious, the agency will issue an Interim Authority
To Operate (IATO). The IATO has a defined end
date, so the problems must be fixed by then.
Plan of Action & Milestones
• The POA&M describes remediation steps.
• Even if a contractor receives an ATO, there
still may be items for which the agency
requires remediation. These weaknesses
may not be significant enough to withhold an
IATO/ATO, but they still must be corrected.
• Someone at your institution (the ISO?) must
track these items and ensure that they are
completed.
4. Implementing HIPAA Security
Research Computing at IU
• Indiana University has a large central IT
organization called the University Information
Technology Services (UITS).
• We provide advanced cyberinfrastructure (supercomputing,
massive data storage, visualization, etc.) as well as basic services.
• Before 2000, IU research cyberinfrastructure
was used mostly by the usual suspects.
HIPAA History
• In 2000, a grant from the Lilly Endowment
required our cyberinfrastructure to support
biomedical researchers at the IU School of
Medicine.
• We stored non-ePHI for IUSM for some years.
• A decision was finally made to align our entire
research cyberinfrastructure with HIPAA.
• Accomplished in 2009 after a year of effort.
IU’s Approach
• A protected, walled garden will give you
bullet-proof security.
• This may work from low to moderate scales.
• A separate walled garden HPC environment
just for HIPAA is infeasible/impractical.
• HIPAA does not require bullet-proof
security.
• At IU, we decided to focus on risk, not
bullet-proofing.
HIPAA – Implementing the RMF
1. Assign ownership
2. Form partnerships
3. Document everything
4. Hire external consultant
5. Perform gap analysis/fill gaps
6. Assess risk
7. Create & execute risk mgmt plan
8. Get official blessing & advertise
① Assign Ownership
• Dedicated resources commensurate with
the scale. At IU, we spent around 1.5
FTE-year for the initial effort and 1.0 FTE
on an ongoing basis.
• Assigned someone to lead the project.
• Empowered the leader.
② Form Partnerships
• Got to know IU and IU School of
Medicine Compliance folks.
• Formed an oversight committee; put all
stakeholders on it – Compliance,
Counsel, Information Security Office,
Information Policy Office, School of
Medicine CIO/Security Officer,
staff/faculty, and UITS senior
management.
③ Document Everything
• Spent a lot of time on developing a
documentation strategy/format.
• Documented all current policies and
procedures, physical, administrative, and
technical controls.
• Consulted with line managers & key staff.
• Instituted a secure document management
system (DMS).
④ Hire External Consultant
• Asked IU Compliance folks for references.
• Got referred to a consultant from DC, who
also serves on national HIPAA committees,
etc.
• Consultant was given information about the
organization, documentation, etc.
• Consultant visited IU a couple times to do
in-person interviews.
⑤ Perform Gap Analysis
• Information security Gap Analysis (GA)
measures gaps between actual security
on the ground and what HIPAA requires.
• Involved on-site interviews.
• Consultant used the data to identify gaps.
• We received the GA report.
Fill Gaps
• Reviewed gap analysis report.
• Filled as many holes as we could,
especially the most serious ones.
• Updated documentation.
• Got ready for risk assessment.
⑥ Assess Risk
• Everything we had went into the risk
assessment exercise.
• Submitted updated documentation and
other information as requested to the
external consultant.
• On-site interviews followed.
• Received a risk assessment report.
• Report identified risks and scored them.
Follow Standards
• We were measured against the NIST
800-53 security standard since it is often
used for complying with HIPAA. This was
fortuitous later for our FISMA work.
• It put an “official seal” & added rigor to
the process.
• We also reviewed other NIST guidelines, standards
such as ISO 27001, and IT best practices.
⑦ Create a Risk Management Plan
• Reviewed risk assessment report.
• Addressed all risks and documented
mitigation, reason for not mitigating, or
alternatives.
• Submitted the RM plan to the external
consultant for review.
• Modified RM plan using her
recommendations.
Execute Risk Management Plan
• Execution involved some short term
actions that addressed many
high/medium risk items immediately.
• Instituted long term processes such as
regular reviews, risk monitoring, risk
avoidance strategies, etc.
• Documented everything (again) …
⑧ Get Official Blessing & Advertise
• Submitted everything to the oversight
committee.
• Received an official letter of approval
from Compliance in January 2009.
• Advertised internally and targeted only
IUSM researchers to avoid unnecessary
attention.
HIPAA - Ongoing
• Semi-annual, internal reviews = Review/update
all documentation. Reassess risk. External
reviews every 5 years.
• Annual, mandatory HIPAA training in HIPAA
regulation, how it applies to us, and our policies
and procedures, etc.
• Self-assertion process for new services. Requires
risk analysis, mitigation, documentation, security
screening, & training/reviews, etc.
Do I too need to do ALL THIS?
• No. HIPAA does not prescribe how you
manage risk, just that you do.
• You can customize according to your
environment, budget, and risk level.
• Chances are you already meet a bulk of
HIPAA Security Rule requirements.
• You need to document your practices in the
format HIPAA requires.
Institutional HIPAA Process
1. Researcher needs to process/store ePHI
2. IU HIPAA Compliance Office sends them to us
3. We help build a HIPAA compliant “solution”
4. We help with documentation
5. Documentation is submitted to the Compliance Office
6. The researcher self-asserts HIPAA compliance
Institutional FISMA Process*
1. Researcher gets a govt. contract
2. Office of Research Admin (ORA) contacts us
3. We help build and monitor FISMA compliance
4. We help create a FISMA “package” for ORA
5. PI/ORA submit the package to the agency
6. Agency issues an ATO
* = Future
Lessons Learned
• At IU, HIPAA compliance has made a huge
impact. Starting from zero in 2009, we now
have:
1. Number of biomedical user accounts: 3,000
2. Volume of biomedical data stored: ~1 PB
3. Use of computing cycles: 1 MSUs
4. Number of databases: > 800
5. New services for biomedical users: > 10
6. Number of NIH grants that fund FTEs: 5
7. Number of FTEs funded by these grants: ~10
Benefits
• The IU Compliance office trusts us and sends
customers our way. (We have made their job
easier by lowering institutional risk.)
• The School of Med researchers are flocking to
us to meet their research computing needs.
• We have standardized on regulatory
compliance, saving effort and $ going forward.
• We can defend ourselves if audited.
Current Status
• We are establishing institutional processes.
• HIPAA is mostly in place for HPC/Central IT.
• FISMA is in process.
• A new IT policy addresses risk institutionally.
As for many others, IU’s GRC (Governance, Risk,
Compliance) framework is evolving rapidly. We
have learned a lot in the past half decade.
Future
• Expand to a mature, institutional, regulation-neutral, NIST standards-based RMF.
• Provide NIST-based risk and security
assessment tools to IU IT units for internal
assessments.
• Centralize documentation.
• Weave risk into the very fabric of IT, assess
and mitigate continuously as risks evolve.
5. Conclusions
Conclusions
• There will be more ePHI in more places on
HPC and Central IT systems.
• There will be more regulations ending with an
“A”!
• Not paying attention will impact institutional
liability and reputation.
• An institutional RMF is essential/feasible.
• It will give you resources to align with any
current/future regulation/requirement.
We are more than happy to help.
HIPAA Resources
• The HIPAA Security Rule
http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/index.html
• NIST 800-66: Guide to Implementing the HIPAA Security Rule
http://csrc.nist.gov/publications/nistpubs/800-66-Rev1/SP-800-66-Revision1.pdf
• NIST 800-53: Recommended Security Controls
http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final_updated-errata_05-01-2010.pdf
• NIST 800-53A: Guide for Assessing Security Controls
http://csrc.nist.gov/publications/nistpubs/800-53A-rev1/sp800-53A-rev1-final.pdf
• FIPS 200: Federal Systems Minimum Security Requirements
http://csrc.nist.gov/publications/fips/fips200/FIPS-200-final-march.pdf
• NIST HIPAA Security Rule Toolkit
http://scap.nist.gov/hipaa/
• IU HIPAA Documentation Templates (email me)
• IU HIPAA Risk Assessment Template (email me)
Contact
Anurag Shankar
[email protected]
812-325-8629
Bill Barnett
[email protected]
812-856-3038