information security: PHI Standards - Tier III Controls

III-1f PHI Standards to Augment Tier III Controls: Clinical Research Data

Overview

Version 1.0
Last Revision Date: Nov 18, 2011
Approval Date: June 11, 2012
Approval Authority: Case Chief Information Security Officer

Purpose

As a risk mitigation action for enterprise-wide information protection, the Case Western Reserve University information security standards are defined for the handling of clinical research data involving patient data, often referred to as electronic personal health information (ePHI). Case Western Reserve is a Hybrid Entity and not a standard Covered Entity, and thus portions of the university are not subject to the full Health Insurance Portability and Accountability Act (HIPAA) regulatory provisions. However, Case Western Reserve recognizes the need for privacy protections of patient data collected for research purposes. These security controls are defined to protect the current state of clinical research systems, with the acknowledgement that the university will be moving clinical research data to a FISMA-controlled research environment.

Scope

This procedure for protection of information applies to clinical research related information and information technology systems where identified patient data or ePHI are stored or processed. The governing Institutional Review Board (IRB) has oversight of the human-subjects research, and these controls are designed to address any privacy requirements imposed by IRBs and to mitigate risk of data loss or disclosure. These controls are designed to supplement the Tier III Information Security Controls.

University operations where Covered Entity status is applicable will also be subject to HIPAA regulations, which further augment these standards.

Cancellation

This interim policy will be incorporated in a new set of FISMA-based information security controls, and this document will be canceled when the broader effort is completed.

Procedure Statement

General

This procedure outlines basic controls necessary for all registered hosts which process, store, or transmit Restricted Information on Case Western Reserve IT systems. Because ePHI is considered high impact for confidentiality, such data are categorized as Restricted.

Procedure

These controls are to be applied in addition to the listed Case Western Reserve University Tier I and Tier III Controls. They are not comprehensive of all security controls applicable in the university environment.

Administrative Controls

  1. HIPAA Privacy/Security Training. All staff involved with clinical research involving human subjects must complete training in the following areas:
    1. Mandatory training
      1. Annual survey of HIPAA Privacy and Security standards applicable from the IRB sponsoring hospital (e.g. University Hospitals, Cleveland Clinic, Metro Health, or Veterans Administration)
      2. One-time security awareness training under the CITI Training Program for Health Information Privacy and Security (HIPS).
      3. Systems administrators are to be certified in accordance with Tier III Controls.
      4. CWRU-supplied security awareness training. This is accomplished through the CWRU Securing The Human portal (see faculty training request form)
    2. Optional training
      1. Annual refresher training from the CITI program, as mandated by the particular research contract.
      2. For NIH-funded research contracts, the NIH "Protecting Human Research Participants" Web-based training course may also be required.
  2. Background Checks. Some research programs may require extensive background checks for all personnel with access to ePHI. These are obtained through Employee Relations at the CWRU Department of Human Resources.
  3. Audit of Information Systems. To ensure information is not stored in unauthorized systems, research groups shall use the university-provided Identity Finder product to find identified data on mobile, desktop, and server-based resources.
    1. Once identified data are found, they are to be either protected, removed, or properly de-identified.
    2. Identity Finder will be used to manage inventory of university computing systems supporting clinical research.
      1. Any lost device or data must be reported to the CWRU Help Desk (help.case.edu) within 24 hours of loss to ensure timely incident response.
  4. IRB Approval. Management of data obtained from hospital clinical systems for research purposes must be performed under an approved Institutional Review Board (IRB) protocol.
    1. An Information Systems Security Plan (ISSP) addressing security risks may be required by the IRB. The ISSP requirement is outlined in the university's Tier III Controls.
    2. A privacy impact assessment may also be required.
    3. When all necessary controls are adequately addressed, approval to operate may be granted by the IRB upon the recommendation of the Information Security Office.
    4. When an IRB Protocol ceases, all ePHI associated with the study shall be archived and then purged from working systems according to standard procedures and protected from disclosure. Additional provisions must be made to move the archived research data to an appropriately protected and managed environment.

Technical Controls

  1. Use of Personally Owned Equipment. All ePHI used in research settings shall only be stored or maintained in university-owned or licensed systems. No personally owned devices (e.g. personal laptops, tablets, smart phones, etc.) shall be used to store, manage, or transmit ePHI.
  2. Encryption. All non-server systems authorized for management of ePHI shall have standard university encryption utilities implemented for protection of Restricted data from inadvertent disclosure.
    1. Desktops and mobile computers (standard laptops) running Windows or MacOS shall use the university’s managed PGP Whole Disk Encryption utility to protect local data.
    2. Linux desktop operating systems shall use standard on-disk encryption methods. The standard includes the use of Seagate Momentus FDE hard drives (available for both laptop and desktop computers with a BIOS).
      1. Options for full disk encryption using software will be addressed on a case-by-case basis.
      2. In all cases, the university shall retain institutional control of all logical keys, passphrases, and access to encrypted data through the Case Western Reserve University Information Security Office.
    3. Mobile data (USB key drives) shall use the university standard encrypted USB drives.
      1. For the storage and use of ePHI, the managed IronKey Enterprise devices shall be used exclusively.
      2. Where warranted by the Institutional Review Board, managed IronKey drives may be obtained from University Hospitals under their management process.
    4. Communication of Restricted data, including ePHI, via email in clear text is prohibited. Communication utilizing end-to-end encryption methods shall be used for Restricted data.
    5. Users are discouraged from using mobile systems (e.g. smart phones, tablet computers) to store and process Restricted data. If needed, mobile systems shall employ appropriate encryption techniques to protect stored Restricted data from loss or disclosure.
  3. Email. In accordance with CWRU Tier I Controls, email systems are prohibited from transferring identified patient data without an adequate implementation of one of these protections:
      1. File encryption (e.g. using PGP) implemented in a full end-to-end encryption method (asymmetric key encryption).
      2. Digital certificate encryption (e.g. S/MIME) of message body and attachments.
      3. CWRU personnel located in partner hospitals will be encouraged to use the local (non-CWRU) email systems for clinical support.

Physical Controls

  1. Research Data Repositories. Research data repositories for identified patient data shall be hosted in one of the two centrally-managed Case Western Reserve University data centers.
      1. Appropriate migration plans to data centers must be included in the Tier III ISSP (security plan).
      2. Cloud-based options that meet strong access controls may be permitted on a case-by-case basis.
  2. Facility Access. All server resources that process, store, and manage Restricted information shall be hosted in a facility that permits auditable physical access controls, which will protect the Restricted information through:
      1. Physical access controls which restrict access to minimum essential personnel.
      2. Data Center specific firewall network filtering.
      3. Intrusion prevention systems.
      4. Host vulnerability management.
      5. Appropriate environmental controls such as cooling and humidity controls.
      6. Electrical power requirements and emergency uninterruptible power supplies.

Responsibility
Case End Users: Assure controls based on Case information categories are implemented.

Case ITS Information Security Staff: Monitor security risks on a continual basis and regularly update the procedural controls based on changing security threat scenarios.

Case Registered System Owners: Assure that Tier I controls are applied where applicable. Take reasonable steps to remove Tier II and Tier III data from Tier I systems.

Principal Investigators: Ensure appropriate security controls are in place.

Definitions

Host: Any network-capable device utilizing network services. A host may be a personal computer, a network appliance, a server resource, a printer, a scanner, or a copier.
Covered Entity: A health plan, health care clearinghouse, or a health care provider who transmits any health information in electronic form in connection with a transaction covered by this sub-chapter [e.g., HIPAA Administrative Simplification transaction standards].
ePHI: electronic personal health information
FISMA: Federal Information Security Management Act, a framework of security controls for information used by the US Federal Government for its agencies and contractors.
HIPAA: Health Insurance Portability and Accountability Act
HITECH Act: Health Information Technology for Economic and Clinical Health Act
IRB: Institutional Review Board
NIH: National Institutes of Health
PGP: Pretty Good Privacy, an encryption product licensed by the university from Symantec Corporation.
System: a single or group of computers, laptops, tablets, data storage media, or server resources, consisting of hardware, operating system software, and application software, which contain research data.

Standards Review Cycle

This procedure will be reviewed every year until cancellation.