University of Illinois at Chicago Health Sciences Colleges Information Technology Group Security Policies Summary

Transcription

1 University of Illinois at Chicago Health Sciences Colleges Information Technology Group Security Policies Summary This Summary was prepared March 2009 by Ian Huggins prior to HSC adoption of the most recent set of HSC Policies. Some of the required actions have been revised since that time, but this document has not yet been revised accordingly. The Health Sciences Colleges (HSCs) Information Technology Group has developed 13 information security policies to meet the 63 federal Health Insurance Portability and Accountability Act of 1996 (HIPAA) security standards and also in a larger scope to address the need to secure University of Illinois defined High Risk data (1) which includes data covered by federal legislation such as the Family Educational Rights and Privacy Act (FERPA) and by state legislation such as the Personal Information Protection Act (PIPA). Although some of these polices merely formalize existing practice, several will have a significant impact on the HSCs Information Technology (IT) environment. This document is a short summary of those policies and a description of how they will impact current practice. Policy Number 1: Access Controls This policy requires the business units to determine which users should have access to High Risk data and to limit access to only those individuals. It also requires all users to have unique identifiers and strong passwords. In addition, it requires campus networks to have perimeter security (firewalls) and defines a minimal level of controls for remote access and wireless networks. Remote users will have to pass through a two stage authentication. The departments will have to keep an inventory of users that have access to the High Risk data and their levels of access. This access will have to be reviewed on an annual basis. Policy Number 2: Audit Control This policy requires the implementation of systems logging mechanisms for systems that contain High Risk data and a plan in place for periodic review of these logs. In the current environment implementing and maintaining these controls would be labor intensive. However, in the new Microsoft Active Directory (AD) environment this can be

2 moved to an automated process. The combined Health Science Colleges are working with the ACCC to identify a common solution. Implementation: The HSCs recommend delaying widespread implementation of mandatory periodic log review until the AD project has been implemented and an automated log management solution has been identified. However, there is no reason that logging cannot be enabled immediately for existing High Risk data stores. Policy Number 3: Contingency Plan Controls This policy requires that each College and its units have documented and tested data backup, disaster recovery, and emergency mode operation plans. In the current environment it would be very difficult for the HSCs to monitor the compliance of each of its units with these requirements. However, as the HSCs move forward with the AD implementation and the centralization of data stores and server services they will be able to aggregate unit resources under larger College umbrellas. Units which continue to maintain local data stores will need to implement their own plans. This requirement overlaps the University s requirement that the HSCs develop disaster recovery and emergency operation plans. Implementation: The HSCs recommend tying the implementation of this plan to the AD implementation. The HSCs should begin developing their data backup, disaster recovery, and emergency mode operation plans. Policy Number 4: Device and Media Controls This policy requires that the HSCs and their units follow the State of Illinois Data Security on State Computers Act (2) and the University s Policy for the disposal of data storage devices and media (3). It also requires development of procedures for the reuse and inventory of hardware and electronic media. The units will have to keep up-to-date inventory and record of movement of any IT equipment that contains High Risk data. The HSCs will grant to an exception to the HIPAA movement record logging requirement for portable devices if the data contained upon those devices is encrypted. Implementation: The HSCs should implement this policy immediately, the units should already be following the state regulation and the University Policy.

3 Policy Number 5: Facility Access Controls This policy requires the units to have agreements in place with the Campus Police to allow facility access in support of disaster recovery and emergency mode operations. It also requires the HSCs to control and validate access to their facilities, and to automatically log access to facilities or portions therein where ephi is stored. This is one of the policies that is driving the requirement for the relocation of intracollege ephi to individual HSCs or multi-hscs central data facilities that have appropriately staffed and maintained access monitoring and physical environment protection. Implementation: The HSCs should identify their central data facility and implement the access controls on that location as soon as possible. Policy Number 6: Information Access Management Security This policy requires that access to High Risk data is approved by an individual s supervisor or department head. It also requires that access privileges must be updated immediately when an individual s duties change or the individual separates from the unit. It also requires business units ensure that each individual has a unique ID so that system access can be traced back to a specific users. The units have to implement formal procedures for authorizing access to High Risk data and also have a mechanism for modifying or revoking access in a timely manner. Policy Number 7: Workforce Security This policy requires that job descriptions and responsibilities are clear and concise regarding the need to access or update High Risk data. It also requires that new employees be screened in accordance with campus HR guidelines. The units have to make sure that if an employee has to access High Risk data as part of their duties, this requirement is reflected in the individual s job description including the business need for the access. The units must also keep a current list of employees who

4 access High Risk data and have a mechanism in place for revoking or modifying that access if the employee s status changes. Policy Number 8: Transmission Security This policy requires that High Risk data transmissions are secure. Units will have to ensure that data in transit is secured. Implementation: The HSCs should implement this policy immediately with the understanding that although some of the Colleges do not have the technology in place to encrypt , implementation of that technology is being evaluated. Policy Number 9: Security Incident Response and Tracking This policy requires that all incidents, threats or violations that may affect the confidentiality, integrity, or availability of High Risk data be reported to the College Security Officer. It also defines the security officer s responsibilities in the event of one of the above occurrences. Each of the HSCs must formally appoint a Security Officer with a specific job description. The HSCs units must notify that individual in the event of a security incident, threat, or violation. Implementation: This policy should be implemented by each of the HSCs as soon as they identify their Security Officer. Policy Number 10: Security Management Process This policy requires each of the HSCs and its constituent units assemble an annual inventory of all systems that are used to collect, store, process, or transmit High Risk data. It also requires them to conduct a Risk Assessment, implement a Risk Management Program, and establish operational and technical controls.

5 The HSCs will have to implement formal Risk Assessment and Risk Management programs. Policy Number 11: Work Station Use This policy requires units to inventory workstations and devices capable of accessing High Risk data, classify them by vulnerabilities, capabilities, connections, and allowable activities, and then develop procedures for their usage. This policy also requires units to analyze the risks associated with workstation physical surroundings. Units will have to assign individuals to complete these assessments. Policy Number 12: Security Awareness and Training This policy requires every individual with access to ephi to under go annual training. HSCs employees who have access to the University of Illinois Medical Center at Chicago (UIMC) Cerner system receive annual training through the UIMC. However, there are a number of individuals in the HSCs who deal with ephi but who do not have Cerner access. Since this problem exists across the HSCs it is most likely that a training solution will be provided by the Covered Entity (the collective University of Illinois at Chicago units including those in the HSCs which routinely handle protected health information). Implementation: This policy cannot be completely implemented until there is a Covered Entity training solution in place. Policy Number 13: Messaging Security This policy governs the transmission of ephi via messaging systems (including but not limited to ). It requires that messages containing ephi be encrypted prior to sending and prohibits the use of non-university of Illinois messaging systems for conducting university business. This policy will be controversial because it will require College employees to use a specific system.

6 Implementation: All university business requiring messaging must be conducted on University of Illinois messaging systems. Staff who transmit ephi via and who currently have account privileges on the UIMC Microsoft Exchange system must use it. This policy cannot be completely implemented until the HSCs have a secure solution in place. References (1) University of Illinois, Office of Business and Financial Services, Business and Financial Policies and Procedures, Section Information Security Policy - The University of Illinois : (2) State of Illinois Data Security on State Computers Act, 20 ILCS 450/1 : CS%26nbsp%3B450%2F&ChapterID=5&ChapterName=EXECUTIVE+BRANCH&Act Name=Data%3DSecurity%3Don+State+Computers+Act%2E&Print=True (3) University of Illinois, Office of Business and Financial Services, Business and Financial Policies and Procedures, Section Elimination of Data From University Computers Prior To Disposal or Transfer :