University of Pittsburgh Data Center Information Security




University of Pittsburgh Department of Critical Care Medicine
CRISMA Center Data Management Core Standard Operating Procedures
University of Pittsburgh Data Center Information Security
CRISMA Data Management SOP: Pitt Information Security
Archive Date: 6.01.11

Purpose

This document describes the CRISMA Center's policies for the storage, access, security and use of human subject data in University of Pittsburgh computing environments.

Scope

This document applies to all personnel employed by or using any computer owned and operated by CRISMA; all computers owned or operated by CRISMA; and all human subject data managed by CRISMA within the University of Pittsburgh computing environment.

Definitions

Protected Health Information (PHI). Any information about health status, provision of health care or payment for health care that can be linked to a specific individual.

HIPAA Privacy Rule. The portion of the Health Insurance Portability and Accountability Act of 1996 that governs use and disclosure of PHI. Under the Privacy Rule, PHI can be used for research purposes with either patient approval or a waiver by an authorized regulatory agency.

Common Rule. US Federal regulations for the protection of human subjects in research, described by the Department of Health and Human Services in the Code of Federal Regulations, Title 45 Part 46.

De-identified data. Health data that does not contain the unique identifiers defined by HIPAA.

Limited data set. A de-identified data set that contains either (a) geographic subdivisions not smaller than a town, city, state and ZIP code; (b) dates; or (c) ages over 89.

Safe harbor data set. A de-identified data set that does not contain any of the unique identifiers.

Researcher. As defined by the Common Rule, any individual conducting or assisting in the conduct of a systematic investigation designed to develop or contribute to generalizable knowledge.

Data management team. The CRISMA operations manager and data developers responsible for ensuring compliance with HIPAA, the Common Rule, and other regulatory requirements for the use of human subject data.
Responsibilities

Research team responsibilities

CRISMA researchers are responsible for ensuring that CRISMA research projects involving PHI are reviewed and approved by the University of Pittsburgh Institutional Review Board (IRB). CRISMA researchers are responsible for adhering to IRB-approved data storage and analysis policies at all times. Team members must undergo human subjects research training and annual data security training, and are required to maintain strong passwords.

CRISMA Data Management Core SOP: Pitt Information Security 6.01.11 Page 1

Data management team responsibilities

The Data Management Team is responsible for enforcing the procedures described in this document for the storage, access, security and use of data. The Data Management Team includes:

Tammy Young, CRISMA Operations Manager
Jeremy Kahn, Faculty Advisor, Data Management Core
Charles Kollar, Programmer and Systems Administrator
Their immediate designees

Procedures

Overview

The CRISMA Pitt Data Management Core is a highly secure analytic platform specifically designed for large research projects with sensitive information.

Data types

Data stored by the CRISMA Pitt Data Management Core are restricted to clinical and other biomedical data generated as part of a CRISMA-affiliated research project. Data containing direct personal identifiers are allowed only with the explicit permission and monitoring of the University of Pittsburgh Vice Provost for Academic Planning and Resources Management.

Receipt of data

Data can be received either electronically or physically via electronic media. Data transmitted electronically are encrypted using a FIPS 140-2 compliant software package, with passwords communicated separately via a secure, pre-approved source. Data transmitted physically are manually loaded onto Pitt servers using a secure local interface.

Physical data security

Data Management servers are housed at the University of Pittsburgh Network Operations Center (NOC), located in the Regional Industrial Development Complex (RIDC) Park in Blawnox, Pennsylvania. The NOC is a secure, guarded facility that houses sensitive, private and protected data for the University of Pittsburgh. The building is locked, staffed and patrolled 24 hours per day. Access is restricted to authorized personnel with appropriate photo identification and security clearance. The server room has advanced climate control, a redundant power supply and non-liquid fire protection. All aspects of the NOC comply with both HIPAA regulations and the Federal Information Security Management Act (FISMA) for the management of sensitive data.

Electronic data security

CRISMA uses Penguin Niveus 4200 multi-processor, multi-core servers with approximately 10 terabytes of disk storage and RAID 10 redundancy, running the openSUSE 11.4 Linux operating system. All data are backed up daily to tape by Pitt NOC personnel, with tapes stored in locked cabinets within the server room. The servers are partitioned into two separate Virtual Local Area Networks (VLANs), both of which use multiple firewalls and industry-standard encryption technologies to ensure complete electronic security. One VLAN is for data containing direct personal identifiers; the other is for limited and safe harbor data sets.

On the VLAN holding personal identifiers, access to the servers is through a UNIX shell via a secure shell (SSH) connection using public/private key authentication (one key pair per user) and an additional VPN. Each user process (including the shell) runs in its own chroot jail, with signatures of the jail system maintained. The user's home directory is password-encrypted, and the user has write access only within their home directory. Outbound network access is blocked by the firewall. Only cipher text is saved during system backups, and the corresponding clear text is removed from the system within one hour of user logout. This process provides an exceptional level of security, allowing data containing PHI to be managed and analyzed directly in a secure environment.

On the VLAN holding limited data sets, direct user interface is through a UNIX shell accessed remotely via a password-protected secure shell (SSH) connection and an additional VPN. This level of security is both FISMA and HIPAA compliant, allowing highly sensitive data to be managed and analyzed directly in a secure environment. Data on the servers reside behind industry-strength firewalls running at both the server and VLAN level. Data are managed and analyzed using SQL, SAS, Stata or MATLAB. All data management and analysis applications run directly on the server, eliminating the need to house data on desktop or laptop computers, which pose a greater security risk. SSH X11 forwarding is used to allow users to display graphical output on local workstations. Access to the data is limited by the CRISMA Data Management Team, with permissions managed by the team and governed by the CRISMA Executive Committee. Pitt Information Technology administrators and non-study personnel are unable to access unencrypted data. Intrusion detection scans are run weekly on the servers; the availability of operating system updates and patches is checked every six hours. All server logs are recorded onto a logging server, with regular port scans run by NOC IT.

Data usage

All data must be managed and analyzed directly on the secure server. Downloading of PHI and limited data sets is prohibited except as specified in a properly executed Data Use Agreement (DUA). Downloading of safe harbor data is allowed after appropriate honest brokering is performed in accordance with the CRISMA Data Management Core Honest Broker SOP. Safe harbor data sets must still be safeguarded on password-protected computers at all times in accordance with project-specific IRB guidelines. Access to data is provided only after submission of proof of IRB approval and proof of HIPAA and human subject research training.

Approval

This CRISMA Standard Operating Procedure was approved by the CRISMA Executive Committee on 6.01.2011.
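The Electronic data security section above lists the SSH-level controls on the PHI VLAN: key-pair logins only, X11 forwarding to local workstations, and a per-user chroot jail. As an added example (not part of the SOP and not the Pitt servers' actual configuration), the POSIX shell script below audits an OpenSSH sshd_config for those directives; the directive names are real OpenSSH keywords, and the two config files it checks are constructed samples, one that silently still permits password logins and one that matches the SOP.

```shell
#!/bin/sh
# Added example (not from the CRISMA SOP): audit an OpenSSH sshd_config against
# the PHI-VLAN controls the SOP describes: key-pair logins only, X11 forwarding
# to local workstations, and a per-user chroot jail. Directive names are real
# OpenSSH keywords; both config files below are constructed samples.

# Print the effective global value of a keyword. OpenSSH honours the first
# occurrence it reads, and the global section ends at the first Match block.
effective_value() {
    awk -v key="$2" '
        tolower($1) == "match"      { exit }
        tolower($1) == tolower(key) { print $2; exit }
    ' "$1"
}

# Return 0 when the file satisfies every check, 1 otherwise (one FAIL line each).
audit_sshd_config() {
    cfg=$1; rc=0
    [ "$(effective_value "$cfg" PasswordAuthentication)" = "no" ] ||
        { echo "FAIL: PasswordAuthentication must be 'no' (key-only logins)"; rc=1; }
    [ "$(effective_value "$cfg" PubkeyAuthentication)" = "yes" ] ||
        { echo "FAIL: PubkeyAuthentication must be 'yes'"; rc=1; }
    [ "$(effective_value "$cfg" X11Forwarding)" = "yes" ] ||
        { echo "FAIL: X11Forwarding must be 'yes' (graphics shown on workstations)"; rc=1; }
    grep -Eqi '^[[:space:]]*ChrootDirectory[[:space:]]' "$cfg" ||
        { echo "FAIL: no ChrootDirectory directive (per-user jail)"; rc=1; }
    return $rc
}

# Constructed sample 1: the password directive is commented out, so the
# compiled-in default (password logins allowed) still applies, and no jail.
weak_cfg=$(mktemp)
cat > "$weak_cfg" <<'EOF'
PubkeyAuthentication yes
#PasswordAuthentication no
X11Forwarding yes
EOF

# Constructed sample 2: the settings the SOP's PHI VLAN calls for.
sop_cfg=$(mktemp)
cat > "$sop_cfg" <<'EOF'
PubkeyAuthentication yes
PasswordAuthentication no
X11Forwarding yes
Match Group phi-users
    ChrootDirectory /jails/%u
EOF
trap 'rm -f "$weak_cfg" "$sop_cfg"' EXIT
audit_sshd_config "$weak_cfg" || echo "sample 1 rejected (expected)"
audit_sshd_config "$sop_cfg" && echo "sample 2 passes"
```

Run it against a real file with `audit_sshd_config /etc/ssh/sshd_config` to see the same FAIL lines; a directive that only appears after a Match block is deliberately not counted as the global value.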