CSCI 1800: Cybersecurity and International Relations
Mid Semester Project: Electronic Medical Records
Due: Friday, April 10th, :59 PM, CIT 2nd Floor Hand-in

Introduction

While most individuals are still rather careless about their security and privacy on the Internet, the same attitude cannot be ascribed to their medical records. In several ways medical records would seem to be most secure when maintained in their physical paper form. However, in an increasingly mobile society, leaving records in this form seems impractical both in terms of physical storage and in terms of accessibility. In this project you will design (in groups of 2) a system that can distribute information via the Internet so that a doctor operating on a broken leg in Aspen can have access to the patient's records in Miami. Each team will consist of one person with a Computer Science background and one with an International Relations/Political Science background.

Assignment

The project consists of two primary components due on April 10th, as well as a design check that occurs the week of March 16th.

The first component is a detailed policy paper outlining how the proposed system complies with current HIPAA protocols, while also taking into account the various privacy, security, and legal issues that arise when designing a distributed medical records system. This paper should be 8-10 pages (double spaced). You should design your database with HIPAA protocols in mind; the focus should be on the specifics of how your database complies with HIPAA regulations, rather than on HIPAA in general. However, exploration of themes involving shortcomings in the current HIPAA system, coupled with proposed solutions or avenues that could generate such solutions, is entirely within the scope of the paper.

The second component is a detailed technical design of the system's implementation. A good design should not contain code, but should be detailed enough that it could be handed off to a team of developers and implemented without further explanation. While the design must be technical, the writing should be cogent and accessible to all backgrounds. CSCI 1800 is a writing-designated class and the TAs will levy serious deductions for pieces that exhibit writing deficiencies. This document should outline each technical component of the system, describing its structure and role within the system as a whole, as well as how it interacts with the other components. This paper should be 8-10 pages (double spaced).
The complete midterm, including both policy and technical papers, should be no more than 20 double-spaced pages combined, including diagrams or other inset information and excluding the bibliography.

Design Check

Please bring a one-page, single-spaced outline (about one longer paragraph for policy, about one longer paragraph for technical) of how you plan to design and implement your proposed system. The policy paragraph should address the main policy points described in this document; the technical paragraph should do the same with the technical material. We will be holding open office hours for these design checks; if you have questions about your design, we are happy to help. If not, we will ask you to come by to turn in your document in order to receive a "complete" for the 10% design check grade, which will be factored into your overall midterm grade.

Requirements

These requirements should form a framework for your design. When choosing your design, keep in mind the need to comply with HIPAA standards while also creating a technically sound system. Feel free to be creative, but be sure to read the HIPAA specifications thoroughly.

1. Centralized/Decentralized Database
A centralized database would consist of a few centers where the majority of data is stored; a decentralized system would spread that information across many centers. Do you want your design to consolidate records, or would you rather have each medical center maintain its own records? What other options exist?

2. Types of Access
Many types of individuals may need access to medical records, including the individual patients, doctors, and other medical and pharmaceutical personnel. Who would you like to have access to this protected information? Should every person have a similar amount of access? Read HIPAA carefully to decide the depth of information that should be given to any entity you wish to grant access.

3. Security, Encryption, and Authentication Protocols
Under HIPAA, information must be encrypted before being sent across networks, and proper authentication must be completed before access to information is granted. What encryption scheme should be used when accessing information in your database? What authentication protocols do you want to employ? Be sure to consider how easy your database would be to hack, and make sure to address counterarguments or flaws in your system.

4. Auditing and Backup Protocols
HIPAA requires that certain auditing and backup protocols be in place. Familiarize yourself with the requirements for routine and security-based audits. How will your information be backed up and stored, especially in cases of natural disaster or emergency?

Hints and Useful Questions

1. When designing the system, make sure to consider who stores the medical records, where those records are stored, and the advantages/disadvantages of these decisions.

2. When thinking about access control, consider not only who should have access to the medical records, but also for how long. For instance, the doctor in Aspen who needs their patient's files before operating on a broken leg does not need access to that patient's information one year in the future.

3. Since this project revolves around putting forth a proposal for a new medical records transfer service, feel free to propose changes to the HIPAA rules. For instance, you might need increased federal oversight, or some third-party identification/authentication system that doesn't yet exist. However, if you do this, make sure that the changes proposed are reasonable, and that you outline how they will be implemented and why this path is necessary. You cannot, for instance, say that all authentication needs to be done by the federal government, and then use that to avoid having to propose some sort of authentication system. The assignments page contains a link to the National Strategy for Trusted Identities in Cyberspace, a 2011 federal initiative that addresses some privacy and security concerns for Electronic Health Records.

Issues That Must Be Addressed

1. Privacy Rule
a. The Privacy Rule regulates the use and disclosure of Protected Health Information (PHI) by medical personnel and covered entities with access to information (look at Requirement 2 above). PHI includes any part of a medical history and payment information related to that history. Covered entities are obligated to release PHI when requested within 30 days, and when required by law in cases of child abuse or other illegal activity.
b. This rule also requires that covered entities correct any inaccurate PHI. It also bolsters patient confidentiality, allowing individuals to ask for the release of information via a specific channel, i.e., home phone number versus work number.
c. Covered entities are also obligated to report uses of PHI to individuals. Covered entities must keep track of disclosures, document privacy policies, and appoint a Privacy Official who is responsible for training all covered entities and who can be contacted with complaints.

2. Security Rule
a. The Security Rule supports the Privacy Rule: while the Privacy Rule protects all Protected Health Information, the Security Rule protects all Electronic Protected Health Information (EPHI). The following three categories of safeguards must be implemented in order to adhere to the Security Rule, although covered entities can determine how to implement them:
b. Administrative Policies, to show how the entity complies with the act on an administrative level. This includes:
i. Adoption of written privacy procedures and designation of a privacy officer, referencing managerial and organizational oversight.
ii. Clear identification of levels of access and types of individuals granted access, with an ongoing HIPAA training process.
iii. Policies must address access to EPHI, establishment of access, modification of EPHI, and termination of access to EPHI.
iv. Assurance that any contracted parties (e.g., labs, clearing houses) or business associates comply with HIPAA protocols.
v. Safeguards should include an outline of auditing and backup policies, designed both to routinely check the security of the database and to respond to emergency situations. How will your database respond in the case of a security breach?
c. Physical Policies, to control access to EPHI and other protected data.
i. Covered entities must control the installation and removal of all hardware and software that will be used to access EPHI (e.g., when equipment is retired, it should be disposed of properly).
ii. Both hardware and software that can access EPHI should be protected, and only accessed by authorized individuals.
iii. Access to physical sites should be strictly controlled and monitored; workstations should not be in public, high-traffic areas.
iv. Any contractors or agents will need HIPAA training before access.
d. Technical Policies, to control access to communications, EPHI, and networks through which EPHI is transmitted.
i. Encryption must be utilized for any transmission of EPHI, unless the database uses a closed network.
ii. Covered entities are responsible for ensuring that EPHI has not been tampered with or erased without authorization.
iii. Data corroboration (for example, double keying, message authentication, etc.) may be used to ensure data integrity.
iv. All entities with access to EPHI must be authenticated before receiving access to EPHI.
v. Documentation of HIPAA practices must be made available to the government to assure compliance.
vi. All configuration specifications should also be documented and maintained in a written record.
vii. Risk analysis and risk management must also be documented.
These security requirements make up a minimum level of adherence, and place responsibility on the covered entities to take reasonable precautions to prevent EPHI from being used for non-health purposes.

3. National Provider Identifier
a. All medical personnel are currently required to use a National Provider Identifier (NPI) to identify their practice. The NPI is a unique 10-character number that does not contain any intelligence information. How will your database utilize or acknowledge the NPI?

4. HITECH Rule
a. The Health Information Technology for Economic and Clinical Health Act extends HIPAA regulations to business associates of covered entities. Essentially this Act requires business associates (e.g., pharmaceutical companies and medical clearing houses, among others) to report breaches of Protected Health Information. Be sure to address these requirements in your midterm.

Grading

You will be graded based on the metrics described in the midterm rubric. Your grade will be shared with your partner, so we expect equal amounts of effort and completeness on both policy and technical aspects in order to maximize points. The distribution is as follows: 10 percent of the grade will be based on the design check; 90 percent of the grade will be based on the policy and technical papers (see rubric below).
Midterm Project Grading Rubric

Points  Requirements: Paper Guidelines (100 Points)
10      Purpose of the system
10      Counter arguments to the proposed system (justification of decisions made) and why the proposed system is better than the existing system and alternatives
15      Complies with HIPAA, HITECH, Legal Privacy and the Security Rule (changes to HIPAA must be reasonable and supported; implementation of system must be explained)
8       Server/Client interface
8       Auditing and backup (automated and manual)
8       Database location, centralization/decentralization, storage advantages/disadvantages
8       Authorized access: types, time to live for access
8       Secure communication between client/server
15      Style: grammar, 8-10 pages single spaced (including both papers), follows standard formatting guidelines for papers
10      Independent Research (including bibliography)
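As an added example (not part of the assignment), Hint 2 and Privacy Rule item 1.c sketched as a small Python model: access grants carry a time to live, every read attempt is audited, and successful reads feed an accounting of disclosures the patient can request. The in-memory store, the names and the NPI value are assumptions.

```python
"""Time-boxed access grants plus an accounting of disclosures (added example,
not part of the assignment). Store, field names and NPI value are assumptions."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

@dataclass(frozen=True)
class Grant:
    provider_npi: str    # 10-digit NPI of the treating provider
    patient_id: str
    purpose: str         # e.g. "treatment"; recorded with every disclosure
    not_before: datetime
    not_after: datetime  # exclusive: access ends with the treatment window

@dataclass
class RecordStore:
    grants: list = field(default_factory=list)
    audit_log: list = field(default_factory=list)    # every attempt, allowed or denied
    disclosures: list = field(default_factory=list)  # successful reads of PHI only

    def grant_access(self, npi, patient_id, purpose, now, ttl):
        """Issue a grant that expires after ttl; nothing is granted open-ended."""
        g = Grant(npi, patient_id, purpose, now, now + ttl)
        self.grants.append(g)
        return g

    def read_record(self, npi, patient_id, now):
        """Return True and record the disclosure if a live grant exists, else False."""
        live = [g for g in self.grants
                if g.provider_npi == npi and g.patient_id == patient_id
                and g.not_before <= now < g.not_after]
        self.audit_log.append((now, npi, patient_id, "ALLOWED" if live else "DENIED"))
        if live:
            self.disclosures.append((now, npi, patient_id, live[0].purpose))
        return bool(live)

    def accounting_of_disclosures(self, patient_id):
        """What the patient can be told: who saw their PHI, when, and why."""
        return [d for d in self.disclosures if d[2] == patient_id]

def aspen_scenario():
    """Constructed walk-through: 72-hour grant, read during and a year after."""
    store = RecordStore()
    t0 = datetime(2015, 3, 1, 9, 0, tzinfo=timezone.utc)
    npi = "1234567890"  # placeholder NPI, constructed for the example
    store.grant_access(npi, "patient-42", "treatment", t0, timedelta(hours=72))
    during = store.read_record(npi, "patient-42", t0 + timedelta(hours=1))
    year_later = store.read_record(npi, "patient-42", t0 + timedelta(days=365))
    return during, year_later, store.accounting_of_disclosures("patient-42"), len(store.audit_log)
```

The denied attempt a year later still lands in the audit log, which is what a routine or security-based audit would review, while the patient's accounting of disclosures lists only the read that actually happened.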