Challenges of Integrating Data. Driving Factors A Systems Development Lifecycle Primer Data Security Considerations Integration Approach Questions

Size: px

Start display at page:

Download "Challenges of Integrating Data. Driving Factors A Systems Development Lifecycle Primer Data Security Considerations Integration Approach Questions"

Coleen Lawson
8 years ago
Views:

1 Challenges of Integrating Data Driving Factors A Systems Development Lifecycle Primer Data Security Considerations Integration Approach Questions Page 1

2 Driving Factors Integration of significant disparate data Security and anonymity of data Requirements gathering process Page 2

3 Integration Approach A Common Platform for All Communities Physician Data Sperm Bank Data Recruiting Agencies Web Access via Common User Interface Central non indicative data Web Access via Common User Interface Health Professionals Existing Registries Need Similar: Planning - Interface - Requirements Gathering Development - Implementation - Testing Documentation - Reporting Page 3

via Common User Interface Health Professionals Existing Registries Need Similar: Planning -

4 SDLC Overview Requirements Analysis System Design Software Design SRS HLD LLD Software Development System Int. & Test Installation & Transition Maintenance & Operations Legend: SRS = Software Requirements Specification HLD = High Level Design LLD = Low level Design Development Model Considerations Are all system requirements known, or definable, up-front? Are there No or few hierarchical dependencies? Sequential phases; no overlap planned Is the entire system needed at one time (no early capability required)? Are resources are available to develop system in one pass Page 4

level Design Development Model Considerations Are all system requirements known, or definable, up-front?

5 Data Security Requirements I. Administrative Requirements II. Physical Security Requirements III. Technical Security Services IV. Technical Security Mechanisms V. Electronic Signature Standards Page 5

6 I. Administrative Requirements Requirement Certification Chain of Trust Agreement Contingency Plan Mechanism for Processing Information Access Control Internal Audit Personnel Security Security Configuration Management Security Incident Procedures Security Management Process Termination Procedures Training Page 6 Implementation Certification by internal process or external accrediting agency Written agreements in place with all third parties handling data Plan covering criticality analysis, data backup, disaster recovery, emergency operation, and testing and revision Record Policy for routine and exceptional processing Policy for access authorization, establishment, and modification Internal Audit Regular auditing procedures and process Assure supervision of maintenance personnel by knowledgeable and authorized person, record of access authorizations, assure proper authorizations for operations (and as necessary, maintenance) personnel, personnel clearance procedure, personnel security policy/procedure, system users and maintainers trained in security Must cover documentation, hardware/software installation and maintenance, inventory procedures, security testing, virus checking Must cover risk analysis, risk management, sanction policy, security policy Must cover risk analysis, risk management, sanction policy, security policy Must mandate change locks and passwords, remove from access lists, remove user accounts, turn in physical access materials Awareness training for all personnel, periodic security reminders, virus protection education, education in monitoring access attempts and reporting access discrepancies, education in password management

agency Written agreements in place with all third parties handling data Plan covering criticality analysis, data backup, disaster recovery, emergency operation, and testing and revision Record Policy

7 II. Physical Security Requirements Requirement Assigned Security Responsibility Media Controls Physical Access Controls Policy on Workstation Use Secure Workstation Location Security Awareness Training Implementation Documented responsible organization or individual Access control, Tracking Mechanism, Backup, Storage, Disposal Disaster recovery, emergency operation, equipment movement controls, facility security plan, physical access authorization validation procedure, maintenance records, need-to-know policy, visitor sign-in and escort policy, testing and revision Standard security functions and process Removal from unsecured areas physically and visually Training and refreshing of security awareness Page 7

emergency operation, equipment movement controls, facility security plan, physical access authorization validation procedure, maintenance records, need-to-know policy, visitor

8 III. Technical Security Requirements Requirement Implementation Access Control Must procedure for emergency access, one of role/user/context access, optional encryption Audit Control Authorization Control Data Authentication Mechanisms to record system activity and identify suspect access Role or User based access Data integrity confirmation by checksum, double keying, MAC or digital signature Entity Authentication Must automatic log off, unique user id; one of biometric, password, PIN, telephone callback, token Page 8

activity and identify suspect access Role or User based access Data integrity confirmation by checksum, double keying, MAC or

9 IV. Technical Security Mechanisms Required: Authentication One of: Required if using a network: Integrity Controls, Message Access Control, Encryption Alarm, Audit Trail, Entity Authentication, Event Reporting Page 9

10 V. Electronic Signature Standards (Not required for any proposed standard transactions, must be digital signatures if required) Required: Optional: Message Integrity, Non-repudiation, Entity Authentication Attributes, Continuity, Countersigning, Independent verification, Interoperability, Multiple Signatures, Transportability Page 10

Integrity, Non-repudiation, Entity Authentication Attributes, Continuity,

11 Compliance Issues Examples Sarbanes-Oxley Gramm-Leach-Bliley Health Insurance Portability and Accountability Act (HIPAA) Page 11

12 Data Gathering/Integrity Voluntary vs. Required Source Verification Duplicate Data Remediation Approach/Implementation/Reverificaton Page 12

13 Next Steps to be Considering Budgeting Scheduling I.P. Budgeting Scheduling Information Technology Department Budgeting Scheduling I.P. I.P. Information Technology Department Information Technology Department Interface Development 1. Study/Scope 2. Budget 3. Plan/Schedule 4. Develop 5. Test 6. Implement Web Access via Common User Interface Central Data Web Access via Common User Interface Page 13

I.P. Information Technology Department Information Technology Department Interface Development 1.

14 Questions Earl M. Furfine Page 14

15 References REFERENCES [1] Standards for Privacy of Individually Identifiable Health Information A brief summary of the final rule American Medical Informatics Association (AMIA)( [2] Frequently Asked Questions About Electronic Transaction Standards Adopted Under HIPAA Department of Health and Human Services ( [3] Frequently Asked Questions About Security and Electronic Signature Standards Department of Health and Human Services ( [4] Notice of Proposed Rule Making for the Security and Electronic Signature Standards Department of Health and Human Services ( [5] Addressing HIPAA Compliance Issues Technical White Paper ( vid,429/id,/cid,/) Page 15

gov/admnsimp/faqtx.htm) [3] Frequently Asked Questions About Security and Electronic Signature Standards Department of Health and Human Services (http://aspe.dhhs.gov/admnsimp/faqsec.

An Introduction to HIPAA and how it relates to docstar

Disclaimer An Introduction to HIPAA and how it relates to docstar This document is provided by docstar to our partners and customers in an attempt to answer some of the questions and clear up some of the