Building a Health Information Infrastructure to Support HIPAA - PowerPoint PPT Presentation
Transcript and Presenter's Notes
1
Building a Health Information Infrastructure to
Support HIPAA
  • Rick Konopacki, MSBME
  • HIPAA Security Coordinator
  • University of Wisconsin-Madison
  • Madison, Wisconsin

2
Organizational Structure
  • University of Wisconsin - Madison
  • 41,500 students
  • 2,060 Faculty
  • 15,000 Employees
  • Ranks second among public universities, third
    among all universities for research expenditures

3
Organizational Structure
  • UW Medical School
  • 15 Clinical, 11 Basic Science Departments
  • 1,150 Faculty
  • 550 MD, 427 PhD students
  • 29th for NIH funding in 2003 ($142,000,000)

4
Organizational Structure
  • UW-Madison

5
Organizational Structure
  • UW Hybrid Covered Entity

6
Organizational Structure
  • UW Hybrid Covered Entity

7
Administrative Structure
  • Campus (CE)
  • Security Officer
  • HIPAA Task Force
  • Security Committee
  • HCC units
  • Security Coordinators

8
CE Requirements under Security Rule
  • Ensure CIA of electronic PHI
  • Protect against any reasonably anticipated
    threats or hazards to security or integrity of
    ePHI
  • Protect against any reasonably anticipated uses
    or disclosures of such information not permitted
    under the Privacy Rule
  • Ensure compliance by workforce

9
HIPAA Security Rule
  • Essentially requires the implementation of
    safeguards to protect the CIA of data (ePHI)
  • Confidentiality
  • Integrity
  • Availability

Requires reasonable and appropriate measures, not
NSA-proof. These are the same measures that best
practices suggest should be used with all electronic data.

10
Challenges to Compliance
  • Academic, traditionally open environment
  • Research mission encourages collaboration
  • Decentralized organization
  • Multiple research databases
  • Non-uniform IT resources
  • Each department has a separate IT group and budget
  • Wide range of OSs, servers, support

11
Approach to Compliance
  • Electronic data, purely IT Solution, right?
  • Improved security awareness
  • Additional technology, e.g., firewall
  • User behavior
  • Training
  • Policies

12
Campus Level Initiatives
  • Campus HIPAA security committee created
    representing all units in the HCC
  • Series of best practices guidelines developed to
    ensure security of all data including ePHI
  • All units meeting the best practice guidelines are
    in compliance with the Security Rule
  • Not all of the guidelines are addressed with pure
    IT solutions

13
Best Practices Guidelines
  • Encryption
  • Account Creation and Access Control
  • Audit Controls
  • User Authentication
  • Network Device Security
  • Password Management
  • Single Device Remote Access

14
Best Practices Guidelines (cont)
  • Server Security
  • Wireless Communication
  • Information Sensitivity
  • DMZ Network
  • Workstation Use and Workstation Security
  • Portable Devices
  • Disaster Recovery

15
First Step of the 1000 Mile (Li) Trip
  • Sec. 164.308(a)(1)(i) Standard: Security
    management process. Implement policies and
    procedures to prevent, detect, contain, and
    correct security violations.
  • Risk analysis
  • Risk management
  • Sanction policy
  • Information system activity review

16
Risk Analysis: Risk Assessment Inventory
  • Based on the Security Standard Matrix, the
    central IT group on campus developed a
    spreadsheet against which each unit in the HCC
    can appraise their current condition in terms of
    risk.

17
Risk Assessment Inventory
  • Spreadsheet configured as separate matrices for:
  • Technical Assets
  • Physical Sites
  • Administrative Units
  • Individual cells given an A to F grade with color
    coding for easy browsing
  • Each clinical department in the Medical School
    submits their own RAI

18
Risk Assessment Inventory (Administrative)
19
Risk Assessment Inventory (Physical)
20
Risk Assessment Inventory (Technical)
21
Risk Management
  • Medical School Migration Plan
  • Based on the results of the RAIs from each of
    the departments, the migration plan is intended
    to spell out an organized, systematic approach
    designed to ensure timely Medical School
    compliance with the Security Rule based on
    analysis of the current state of data security.

22
Migration Plan
  • Develop strategy on steps to take
  • Using technology to improve CIA of ePHI
  • Provide training
  • Develop policies to modify user behavior
  • Evaluate the level at which the implementation
    most efficiently occurs

23
Campus Level Elements
  • Assign security officer
  • Develop training
  • Develop best practices guidelines for HCC

24
Departmental Elements
  • Risk Assessment
  • Workforce Security
  • Physical Controls
  • Backup
  • Media Controls
  • Authentication

25
Unit (MS) Level Elements
  • Designate HIPAA Security Coordinator
  • Develop security architecture that includes
    firewall, vulnerability scanning and incident
    response. Assign a full time position.
  • Contingency planning
  • Security committee represented by all departments
  • Policy

26
Medical School Firewall
  • Clinical departments, with trusted access to
    UW Hospital and Clinics (EMR)
  • Basic science departments, restricted access to
    PHI

(Diagram zones: UWHC, HCC, Campus/Internet)
27
Medical School Firewall -Clinical
  • Clinical departments, with trusted access to
    UW Hospital and Clinics (EMR)

(Diagram zone: Campus/Internet)
28
Medical School Firewall
  • Allowing limited access from outside to inside

(Diagram zone: Campus/Internet)
29
Medical School Wireless Network
  • Open wireless useful in MS library, etc.
  • No authentication
  • Outside MS firewall
  • Requires remote access client to access networks
    containing PHI
  • Citrix
  • VPN
  • Ensures authentication, end-to-end encryption
    when accessing PHI

30
Elements to be Addressed by ACE
  • Incident response team
  • Secure E-mail solutions

(Diagram labels: UWHC, UWMS, UWMF)
31
Keys
  • Ongoing process, much different from the Y2K problem
  • Security Rule not just IT issue
  • HIPAA Security Rule should be approached as
    safeguards to all data especially ePHI
  • Reasonable and appropriate

32
Enterprise (CE) Level Authentication
  • Workforce security
  • Enforce the minimal-use part of the Privacy Rule
  • Enable audit controls
  • First step in multi-factor authentication