UNIVERSITY OF WISCONSIN MADISON POLICY AND PROCEDURE

Transcription

1 Page 1 of 11 I. PURPOSE AND BACKGROUND UW-Madison is committed to compliance with the Health Insurance Portability and Accountability Act (HIPAA). This policy establishes requirements for technical security safeguards that will be used to process and transmit electronic Protected Health Information (PHI) as defined in Section II.G. This policy covers all units designated as within the health care component (HCC) at UW Madison (UW). Each unit is responsible for compliance with and implementation of this policy. Individuals who process, store or transmit electronic PHI are required to obtain technical security support from a unit in the UW HCC that can support this policy. The policy establishes guidance for compliance with HIPAA standards for access control, audit controls, integrity, person or entity authentication and transmission security. II. DEFINITIONS A. Addressable. When a standard adopted in 45 CFR includes addressable implementation specifications, a unit within the UW health care component must (i) Assess whether each implementation specification is a reasonable and appropriate safeguard in its environment, when analyzed with reference to the likely contribution to protecting the entity s electronic protected health information and (ii) As applicable to the entity: (A) Implement the implementation specification if reasonable and appropriate; or (B) If implementing the implementation specification is not reasonable and appropriate: (1) Document why it would not be reasonable and appropriate to implement the implementation specification; and (2) Implement an equivalent alternative measure if reasonable and appropriate. B. Control Layer. The middle layer of the security architecture. Contains and manages all accounts, applications and devices used to process or store electronic PHI. Controls access to the Resource Layer. C. Electronic media. (1) Electronic storage media including memory devices in computers (hard drives) and any removable/transportable digital memory medium, such as magnetic tape or disk, optical disk, or digital memory card; or (2) Transmission media used to exchange information already in electronic

2 Page 2 of 11 storage media. Transmission media include, for example, the Internet (wideopen), extranet (using internet technology to link an external entity with information accessible only to collaborating parties), leased lines, dial-up lines, private networks, and the physical movement of removable/transportable electronic storage media. Certain transmissions, including paper, via facsimile, and of voice, via telephone, are not considered to be transmissions via electronic media, because the information being exchanged did not exist in electronic form before the transmission (45 CFR Definitions). D. HIPAA. Health Insurance Portability and Accountability Act. E. Layered Security Architecture. A logical plan or blueprint for ensuring that security technologies work together properly to protect sensitive information or resources. The layered security architecture provides defense in depth with three layers: the Resource Layer, the Control Layer and the Perimeter Layer. F. Networks. A system that transmits data between devices, including the network operating system, cables and supporting hardware (firewalls, bridges, routers and switches). G. Open Network. A network that routes traffic from the public Internet. H. Perimeter Layer. The outer layer of the security architecture controlled by a unit within the UW HCC. Monitors and enforces network access policies, network access to resources and boundary services. I. Protected Health Information (PHI). Health information or health care payment information, including demographic information collected from an individual, which identifies the individual or can be used to identify the individual. PHI does not include student records held by educational institutions or employment records held by employers. For purposes of this policy, PHI means PHI transmitted or maintained in electronic form. J. Required. When a standard adopted in 45 CFR includes required implementation specifications, a unit within the UW health care component must implement the implementation specifications (45 CFR Definitions). K. Resource Layer. The innermost layer of the security architecture. Contains and manages accounts, applications and devices used to process or store PHI.

3 Page 3 of 11 L. Trusted Networks. Networks that either (1) do not carry public Internet traffic or (2) run on equipment managed by UW-Madison or (3) are behind a firewall or an access control device managed by a unit within the HCC. M. UW-Madison Health Care Component (UW HCC). Those units of the University of Wisconsin-Madison that have been designated by the University as part of its health care component under HIPAA. III. PROCEDURES The procedures below are designed to help each unit in the UW HCC create a security architecture that will support 45 CFR and ensure compliance with HIPAA regulations. Securing sensitive information or resources cannot be achieved by a few technical measures. Security is a process not just a product or a technology. The process needs a plan or a logical structure to ensure that all the technologies work properly together. In this document, the plan or blueprint is called a Layered Security Architecture. Each of the Technical Safeguards in 45 CFR (and other technical safeguards that might be required in the future) can be logically organized into a separate layer of the security architecture. Transmission Security ( (e)(1)) is implemented in the outer or Perimeter Layer. Access Control ( (a)(1)), Audit Controls ( (b)), Integrity ( (c)(1)) and Person or Entity Authentication ( (d)) are implemented in the middle or Control Layer. Finally, PHI is stored in the inner or Resource Layer. Once a unit in the UW HCC has implemented each of the provisions of 45 CFR as described below, they have created a layered security architecture. A properly functioning security architecture must be designed, developed, implemented, tested and maintained over time. Quickly acquiring and deploying technologies will not ensure that electronic PHI is secure. Implementing and maintaining a security architecture requires a one- to twoyear planning horizon that defines the desired state toward which the security infrastructure is evolving based on changing circumstances and requirements.

4 Page 4 of 11 Finally, a security architecture requires the support of locally developed policies. 45 CFR distinguishes between required and addressable specifications. Each unit in the UW HCC must implement the required implementation specifications. For addressable implementation specifications, each unit in the UW HCC must decide whether and how to implement the specification based on risk assessment and an assessment of whether the implementation specification is reasonable and appropriate. The implementation details or decision not to implement must be documented in local policy. Therefore, each unit in the UW HCC will (a) develop a phased Migration Plan, (b) write local policies and procedures to support the implementation and (c) implement a Layered Security Architecture to secure electronic PHI. The preliminary migration plan must be written by April 14, The final migration plan must be written by October 14, 2003 and completed by April 20, The migration plan will be maintained by the HIPAA Security coordinator within each UW HCC unit. After April 20, 2005, each unit will review policies and procedures as needed. A. Migration Plans The Layered Security Architecture will be implemented using a phased Migration plan: The Preparatory phase prior to April 14, 2003 and the Implementation Phase (April 14, 2003 April 20, 2005). i. Preparatory Phase. Prior to April 14, 2003 each unit in the UW HCC will conduct an inventory and risk assessment of all computer systems and networks on which electronic PHI is stored, processed or transferred. An Access Control Profile will be completed for all users who have access to electronic PHI. On the basis of risk assessment, all reasonable technical efforts will be made to protect the privacy and confidentiality of electronic PHI until the migration plan is fully implemented. The Risk

5 Page 5 of 11 Assessment will be updated and remain current as new computer systems and new networks are added. The Access Control Profile will be updated and remain current as users are added and deleted. Also, by April 14, 2003, each unit in the UW HCC will produce a preliminary Migration Plan to implement the Layered Security Architecture (Section III.C). ii. Implementation Phase. By October 14, 2003 each unit in the UW HCC will produce a final Migration Plan. Each unit in the UW HCC has until April 20, 2005 to complete the Migration Plan. B. Local Policies Each unit in the UW HCC will develop local policies to support implementation of the Layered Security Architecture. The list of policies will include, at a minimum, those listed in section IV.A.iv. C. Layered Security Architecture Each unit in the UW HCC will create a Layered Security Architecture that will contain three layers: The Resource Layer where electronic PHI is stored, the Control Layer where Access Control, Audit Controls, Integrity and Person or Entity Authentication standards are implemented and the Perimeter Layer where Transmission Security is implemented. i. Control Layer To establish the Control Layer of the security architecture, each unit in the UW HCC will implement the following standards: 1. Access Control ( (a)(1)). An Access Control Profiles based on role, user or context will be maintained defining access to systems on which electronic PHI is stored. Unique user identification will be used to access electronic PHI (required). Break-the-Glass emergency procedures for system access based on alternative or manual methods will also be maintained (required). Where indicated by risk assessment (addressable) (1) electronic

6 Page 6 of 11 procedures that terminate an electronic session after a predetermined period will be implemented and (2) mechanisms to encrypt and decrypt electronic PHI will be implemented. 2. Audit Controls ( (b)). Event logging for systems that process or store electronic PHI will be maintained (required). System logs should be maintained showing logons and logoffs. Logs must be retained for six years ( (c)(2)). 3. Integrity ( (c)(1)). Where indicated by risk assessment (addressable), electronic mechanisms to corroborate that electronic PHI has not been altered or destroyed in an unauthorized manner will be implemented. 4. Person or Entity Authentication ( (d)). When accessing electronic PHI, unique user ID and password must be implemented (required). User IDs will be maintained in the Access Control Profile. ii. Perimeter Layer Transmission Security ( (e)(1)). To establish the Perimeter Layer of the security architecture, each unit in the UW HCC will document the physical network boundary that separates the Resource and Control Layers from open networks. Additionally, each unit in the UW HCC should implement integrity control and encryption standards by (addressable): 1. Installing and configuring network devices that will limit the risk of unauthorized access and data being sent to an unintended address. 2. Installing and configuring network traffic control and monitoring devices, such as a firewall, establishing the

7 Page 7 of 11 border of the internal network to protect the Resource Layer. Logs should be kept for the purpose of event reporting and auditing. If logs are kept, they must be maintained for six years ( (c)(2)). 3. Use encryption to send electronic PHI beyond the perimeter layer over devices that are not on a trusted network.

8 Page 8 of 11 IV. DOCUMENTATION REQUIREMENTS A. Each unit in the UW HCC must maintain the following documentation: i. Information Technology Asset Inventory ii. Access Control Profile iii. Migration Plan iv. Required Policies 1. Encryption Policy 2. Account Creation and Access Control Policy 3. Audit Policy 4. Authentication Policy 5. Network Device Security Policy 6. Password Policy 7. Remote Access Policy 8. Server Security Policy 9. Wireless Communication Policy v. Optional Policies 1. Information Sensitivity Policy 2. Internet DMZ Equipment Policy 3. Third-Party Connection Policy 4. Virtual Private Network Policy B. Documentation must be retained for six years ( (c)(2)). V. FORMS The following forms provide guidance for the documentation requirements in Section IV. The Information Technology Asset Inventory, Migration Plan and Access Control Profile forms are the basic documentation needed prior to the Implementation Phase. The policy forms provide guidelines for writing local policies during the Implementation Phase. Each unit in the UW HCC must adapt the suggested policies based on local needs and the requirements of risk assessment. Documents can be formatted in any manner, to include electronic

9 Page 9 of 11 formatting. A. Encryption Policy. A policy template for the use of Encryption Technology. B. Access Control Profile. A list of all users, their unique user ID, all systems and applications containing electronic PHI to which they have access and a risk categorization from high to low. C. Account Creation and Access Control Policy. A policy template for account creation, access and authorization control. D. Audit Policy. A policy template for conducting local audits. E. Authentication Policy. A policy template for entity and data authentication. F. Information Sensitivity Policy. A policy template for disclosure of sensitive information. G. Internet DMZ Policy. A policy template for operation of computer equipment outside the organization s firewall. H. IT Asset Inventory. A worksheet for maintaining an inventory of computer devices. I. Network Device Security Policy. A policy template for the configuration of network devices connecting to a production network. J. Migration Plan. A plan outline for implementing a Layered Security Architecture to secure electronic PHI to include activities and completion dates. K. Password Policy. A policy template for the establishment and maintenance of password criteria. L. Remote Access Policy. A policy template for allowing remote access to computer systems. M. Server Security Policy. A policy template for configuring internal servers. N. Third-Party Connection Agreement. A policy template for allowing general-purpose access to the organization s network. O. Third-Party Connection Policy. A policy template for allowing third parties to connect to the organization s network for limited purposes. P. Virtual Private Network Policy. A policy template for the possible use of remote access using Virtual Private Network Connections.

10 Page 10 of 11 Q. Wireless Communication Policy. A policy template for the possible use of wireless connection to the organization s network. VI. REFERENCES A. Department of Health and Human Services, Office of the Secretary, 45 CFR Parts 160, 162, and 164 Health Insurance Reform: Security Standards; Final Rule Federal Register, Vol. 68, No. 34, Thursday February 20, 2003, U.S. GPO. B. Willson, N. and D. Blum, Security Project Cookbook, The Burton Group: Network Strategy Methodologies & Best Practices, v1, 14 August, C. SANS, The SANS Security Policy Project VII. RELATED POLICIES This policy does not cover Administrative and Physical Safeguards. It does, however, rely on the existence of these policies for its implementation. VIII. FURTHER INFORMATION Timeline summary: A. April 14, 2003 i. Risk Assessment and Inventory completed

11 Page 11 of 11 ii. Access Control Profile completed iii. Preliminary Migration Plan written B. October 14, 2003 i. Final Migration Plan written C. April 20, 2005 i. Migration Plan completed Approvals(Date): Chancellor: 03/24/03 Chancellor s Task Force on HIPAA Privacy 03/05/03 UW-Madison Privacy Officer 03/05/03 UW Office of Administrative Legal Services 03/05/03