1 / 32

Building a Health Information Infrastructure to Support HIPAA

Building a Health Information Infrastructure to Support HIPAA. Rick Konopacki, MSBME HIPAA Security Coordinator University of Wisconsin-Madison Madison, Wisconsin. Organizational Structure. University of Wisconsin - Madison. 41,500 students 2,060 Faculty 15,000 Employees

kaiyo
Download Presentation

Building a Health Information Infrastructure to Support HIPAA

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Building a Health Information Infrastructure to Support HIPAA Rick Konopacki, MSBME HIPAA Security Coordinator University of Wisconsin-Madison Madison, Wisconsin

  2. Organizational Structure University of Wisconsin - Madison 41,500 students 2,060 Faculty 15,000 Employees Ranks second among public universities, third among all universities for research expenditures 2

  3. Organizational Structure UW Medical School 15 Clinical, 11 Basic Science Departments 1,150 Faculty 550 MD, 427 PhD students 29th for NIH funding in 2003 (~ $142,000,000) 3

  4. UW-Health UW Hospital And Clinics UW Medical Foundation Organizational Structure UW-Madison 4

  5. Non-HCC Health Care Component School of Nursing School of Pharmacy Student Health Hygiene Lab Clinical Departments of the Medical School Organizational Structure UW – Hybrid Covered Entity 5

  6. Affiliated Covered Entity USE UW Hospital And Clinics UW Medical Foundation Organizational Structure UW – Hybrid Covered Entity 6

  7. Administrative Structure • Campus (CE): • Security Officer • HIPAA Task Force • Security Committee • HCC units: • Security Coordinators 7

  8. CE Requirements under Security Rule • Ensure CIA of electronic PHI • Protect against any reasonably anticipated threats or hazards to security or integrity of ePHI • Protect against any reasonably anticipated uses or disclosures of such information not permitted under the Privacy Rule • Ensure compliance by workforce 8

  9. HIPAA Security Rule Essentially requires the implementation of safeguards to protect the CIA of data (ePHI): Confidentiality Integrity Availability Requires reasonable and appropriate measures, not NSA-proof. Same measures that “best practices” suggests should be used with all electronic data 9

  10. Challenges to Compliance • Academic, traditionally open environment • Research mission encourages collaboration • Decentralized organization • Multiple research databases • Non-uniform IT resources • Each department has separate IT group & budget • Wide range of OS’s, servers, support 10

  11. Approach to Compliance • Electronic data, purely IT Solution, right? • Improved security awareness • Additional technology, e.g., firewall • User behavior: • Training • Policies 11

  12. Campus Level Initiatives • Campus HIPAA security committee created representing all units in the HCC • Series of best practices guidelines developed to ensure security of all data including ePHI • All units meeting the best practice guidelines in compliance with security rule • Not all of guidelines addressed with pure IT solutions 12

  13. Best Practices Guidelines • Encryption • Account Creation and Access Control • Audit Controls • User Authentication • Network Device Security • Password Management • Single Device Remote Access 13

  14. Best Practices Guidelines (cont) • Server Security • Wireless Communication • Information Sensitivity • DMZ Network • Workstation Use and Workstation Security • Portable Devices • Disaster Recovery 14

  15. First Step of the 1000 Mile (Li) Trip • Sec. 164.308(a) (1)(i) Standard: Security management process. Implement policies and procedures to prevent, detect, contain, and correct security violations. • Risk analysis • Risk management • Sanction policy • Information system activity review 15

  16. Risk Analysis: Risk Assessment Inventory • Based on the Security Standard Matrix, the central IT group on campus developed a spreadsheet against which each unit in the HCC can appraise their current condition in terms of risk. 16

  17. Risk Assessment Inventory • Spreadsheet configured as separate matrices for: • Technical Assets • Physical Sites • Administrative Units • Individual cells given a A – F grade with color coding for easy browsing • Each clinical department in the Medical School submits their own RAI 17

  18. Risk Assessment Inventory (Administrative) 18

  19. Risk Assessment Inventory (Physical) 19

  20. Risk Assessment Inventory (Technical) 20

  21. Risk Management • Medical School Migration Plan Based on the results of the RAIs from each of the departments, the migration plan is intended to spell out an organized, systematic approach designed to ensure timely Medical School compliance with the Security Rule based on analysis of the current state of data security. 21

  22. Migration Plan • Develop strategy on steps to take • Using technology to improve CIA of ePHI • Provide training • Develop policies to modify user behavior • Evaluate the level at which the implementation most efficiently occurs 22

  23. Campus Level Elements • Assign security officer • Develop training • Develop best practices guidelines for HCC 23

  24. Departmental Elements • Risk Assessment • Workforce Security • Physical Controls • Backup • Media Controls • Authentication 24

  25. Unit (MS) Level Elements • Designate HIPAA Security Coordinator • Develop security architecture that includes firewall, vulnerability scanning and incident response. Assign a full time position. • Contingency planning • Security committee represented by all departments • Policy 25

  26. Medical School Firewall Clinical departments, with trusted access to UW Hospital and Clinics (EMR) UWHC Campus/ Internet HCC Basic science departments, restricted access to PHI 26

  27. ACE Surgery Medicine Campus/ Internet Biostatistics & Medical Informatics Medical School Firewall -Clinical Clinical departments, with trusted access to UW Hospital and Clinics (EMR) Campus/ Internet 27

  28. VLAN < 8 x 1 > A firewall “hole” may be requested to allow limited access to hosts on the inside of the firewall All open TCP ports periodically scanned Medical School Firewall • Allowing limited access from outside to inside Campus/Internet 28

  29. Medical School Wireless Network • Open wireless useful in MS library, etc • No authentication • Outside MS firewall • Requires remote access client to access networks containing PHI • Citrix • VPN • Ensures authentication, end-to-end encryption when accessing PHI 29

  30. TLS Elements to be Addressed by ACE • Incident response team • Secure E-mail solutions UWHC UWMS UWMF 30

  31. Keys • Ongoing process, much different than Y2K problem • Security Rule not just IT issue • HIPAA Security Rule should be approached as safeguards to all data especially ePHI • Reasonable and appropriate 31

  32. Enterprise (CE) Level Authentication • Workforce security • Enforce “minimal use” part of Privacy Rule • Enable audit controls • First step in multi-factor authentication 32

More Related