CAMP Med
Mapping HIPAA to the Middleware Layer
Sandra Senti
Biological Sciences Division
University of Chicago
Copyright Sandra Senti, 2005. This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the author.
Management & Policy
• HIPAA policies should be well underway
• Similarities/differences between University and Hospital policy – HIPAA and otherwise
• Translating policy into practice into policy
• Must have common vocabulary in order to automate
• Pieces are likely to need distributed management
• Expect the unexpected
Common Vocabulary
• Middleware – “glue”, a layer of software between the network and the applications
• Authentication – who you are
• Authorization – what you can do
• Organization
• Eligibility
• Roles – typical scenarios for how functions are grouped
• Affiliation – where are the lines drawn?
• Precedence
Workforce Security
Ensure that all members of the workforce have appropriate access to ePHI, and prevent those workforce members who do not have access from obtaining access to ePHI.
• By individual, group or role?
• Middleware elements
– Identity management, lifecycle management
– Authentication
– Authorization, authority management
– Directory services
Information Access Management
Authorize access to ePHI to ensure privacy.
• Organizational lines
• Access authorization
• Management of user’s rights
• Middleware elements
– Authorization, authority management
– Directory services
Security Awareness and Training
Implement a security awareness and training program for all members of the workforce.
• Security reminders
• Protection from malicious software
• Log-in monitoring
• Password management
• Middleware elements
– Authority management – prerequisites
– Directory services
– Identity management – password management
Contingency Plan
Respond to an emergency or other occurrence that damages systems that contain ePHI.
• Data backup plan
• Disaster recovery plan
• Emergency mode operation plan
• Testing and revision procedures
• Applications and data criticality analysis
Facility Access Controls
Limit physical access to information systems and the facility in which they are housed, while ensuring that properly authorized access is allowed.
• Contingency operations
• Facility security plan
• Access control and validation procedures
• Maintenance records
Facility Access Controls (cont.)
• Middleware elements
– Identity management, lifecycle management, affiliate management
– Authorization, authority management
Workstation Security
Physical safeguards for all workstations that access ePHI, to restrict access to authorized users.
• Middleware elements
– Identity management, lifecycle management
– Authorization, authority management
– Directory services
Device and Media Controls
Govern the receipt and removal of hardware and electronic media that contain ePHI.
• Disposal
• Media re-use
• Accountability
• Data backup and storage
• Middleware elements
– Directory services
Access Control
Allow access only to those persons or software programs that have been granted access rights to electronic information systems.
• Unique user identification
• Emergency access procedures
• Automatic logoff
• Encryption and decryption
Access Control (cont.)
• Middleware elements
– Identity management, lifecycle management
– Authorization, authority management
– Delegation
– Encryption/PKI
Audit Controls
Hardware, software or procedural mechanisms that record and examine activity in information systems.
• Middleware elements
– Logging
Integrity
Protect ePHI from improper alteration or destruction.
• Middleware elements
– Logging
– Intrusion detection
Person or Entity Authentication
Verify that a person or entity seeking access to ePHI is the one claimed.
• Middleware elements
– Identity management, including services
– Authentication
Transmission Security
Guard against unauthorized access to ePHI that is being transmitted.
• Integrity controls
• Encryption
• Middleware elements
– Encryption/PKI
– Intrusion detection
Building the Larger Picture
• What do you have today?
• What is your technical architecture?
• What is your technology strategy?
• What is your highest risk?
• What are the needs beyond your institution?
Starting From Scratch
• Start with HR, training systems and ePHI apps
• Identity management is the cornerstone
• Directory services is a possible delivery mechanism
• Authn is modular, single sign-on is a plus
• Authz info can be stored in directory
• Must be able to manage identity outside HR system, grant authority
• Connect with other orgs
[Diagram: HR system, ePHI Apps, Training System, Identity Mgmt, Directory Services, Authn, Authz, Affiliate Mgmt, Authority Mgmt, Directory Services, HR2 system]
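An added illustration of the flow on this slide, not part of the original presentation: identity management merges an HR feed with identities managed outside HR, authority management holds grants with a training prerequisite, and the ePHI application asks for a default-deny decision. All user names, the sponsor rule, the privilege name and the 365-day training validity are assumptions made for the example; eduPersonAffiliation is the eduPerson attribute.

```python
from datetime import date

# Constructed sample feeds; all names and values are hypothetical.
HR = {"asmith": {"status": "active", "affiliation": "staff"},
      "bjones": {"status": "terminated", "affiliation": "staff"}}
AFFILIATES = {"cvisit": {"sponsor": "asmith", "expires": date(2005, 12, 31)}}
TRAINING = {"asmith": {"hipaa-privacy": date(2005, 3, 1)},
            "cvisit": {}}
# Authority management: privilege -> (granted uids, prerequisite course)
GRANTS = {"ephi:read": ({"asmith", "bjones", "cvisit"}, "hipaa-privacy")}


def build_directory(today):
    """Identity management: merge HR and affiliate feeds into directory entries."""
    directory = {}
    for uid, rec in HR.items():
        directory[uid] = {"eduPersonAffiliation": rec["affiliation"],
                          "active": rec["status"] == "active"}
    for uid, rec in AFFILIATES.items():
        # Assumed rule: an affiliate is active only while unexpired
        # and while the sponsoring identity is itself active.
        sponsor = directory.get(rec["sponsor"], {"active": False})
        directory.setdefault(uid, {
            "eduPersonAffiliation": "affiliate",
            "active": rec["expires"] >= today and sponsor["active"]})
    return directory


def authorize(directory, uid, privilege, today, training_valid_days=365):
    """Return (allowed, reason); deny unless every check passes."""
    entry = directory.get(uid)
    if entry is None:
        return False, "unknown identity"
    if not entry["active"]:
        # Lifecycle management: a stale grant must not outlive the identity.
        return False, "identity inactive"
    granted, prerequisite = GRANTS.get(privilege, (set(), None))
    if uid not in granted:
        return False, "no grant"
    completed = TRAINING.get(uid, {}).get(prerequisite)
    if completed is None or (today - completed).days > training_valid_days:
        return False, "prerequisite training missing or expired"
    return True, "granted"
```

The terminated employee still appears in the grant list, which is the case lifecycle management exists to catch: the decision is refused on identity status before the grant is consulted.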
Existing Middleware tools
• Directory services – eduPerson, medPerson
• Authority management – provides centralized management of user privileges across a range of applications – Signet is available for early adopters
• Group management – manages group information across integrated applications and repositories – Grouper is available for early adopters
Existing Middleware tools (cont.)
• Federated identity – leverages campus identity and access management infrastructures to authenticate individuals and then sends information about them to the resource site, enabling the resource provider to make an informed authorization decision – Shibboleth running at several sites
Existing Middleware tools (cont.)
• Encryption – strong encryption to support data security in transit and storage – PKI is widely used