Challenges of Integrating Data
• Driving Factors
• A Systems Development Lifecycle Primer
• Data Security Considerations
• Integration Approach
Driving Factors
• Integration of significant disparate data
• Security and anonymity of data
Integration Approach
A Common Platform for All Communities
(Diagram) Data sources: Recruiting Agencies, Sperm Bank Data, Physician Data, Health Professionals, Existing Registries
Web Access via Common User Interface
Central non-indicative data
Need Similar:
– Planning
– Interface
– Requirements Gathering
– Development
– Implementation
– Testing
SDLC Overview
(Diagram) Requirements Analysis (SRS) → System Design (HLD) → Software Design (LLD) → Software Development → System Int. & Test → Installation & Transition → Maintenance & Operations
Legend: SRS = Software Requirements Specification; HLD = High Level Design; LLD = Low Level Design
Development Model Considerations
• Are all system requirements known, or definable, up-front?
• Are there no or few hierarchical dependencies?
• Sequential phases; no overlap planned
• Is the entire system needed at one time (no early capability required)?
Data Security Requirements
I. Administrative Requirements
II. Physical Security Requirements
III. Technical Security Services
IV. Technical Security Mechanisms
V. Electronic Signature Standards
I. Administrative Requirements
Requirement: Implementation
Certification: Certification by internal process or external accrediting agency
Chain of Trust Agreement: Written agreements in place with all third parties handling data
Contingency Plan: Plan covering criticality analysis, data backup, disaster recovery, emergency operation, and testing and revision
Mechanism for Processing Record: Policy for routine and exceptional processing
Information Access Control: Policy for access authorization, establishment, and modification
Internal Audit: Regular auditing procedures and process
Personnel Security: Assure supervision of maintenance personnel by a knowledgeable and authorized person, record of access authorizations, assure proper authorizations for operations (and as necessary, maintenance) personnel, personnel clearance procedure, personnel security policy/procedure, system users and maintainers trained in security
Security Configuration Management: Must cover documentation, hardware/software installation and maintenance, inventory procedures, security testing, virus checking
Security Incident Procedures: Must cover risk analysis, risk management, sanction policy, security policy
Security Management Process: Must cover risk analysis, risk management, sanction policy, security policy
Termination Procedures: Must mandate change of locks and passwords, removal from access lists, removal of user accounts, turn-in of physical access materials
Training: Awareness training for all personnel, periodic security reminders, virus protection education, education in monitoring access attempts and reporting access discrepancies, education in password management
II. Physical Security Requirements
Requirement: Implementation
Assigned Security Responsibility: Documented responsible organization or individual
Media Controls: Access control, tracking mechanism, backup, storage, disposal
Physical Access Controls: Disaster recovery, emergency operation, equipment movement controls, facility security plan, physical access authorization validation procedure, maintenance records, need-to-know policy, visitor sign-in and escort policy, testing and revision
Policy on Workstation Use: Standard security functions and process
Secure Workstation Location: Removal from unsecured areas, physically and visually
Security Awareness Training: Training and refreshing of security awareness
III. Technical Security Requirements
Requirement: Implementation
Access Control: Must – procedure for emergency access; one of – role/user/context based access; optional – encryption
Audit Control: Mechanisms to record system activity and identify suspect access
Authorization Control: Role or user based access
Data Authentication: Data integrity confirmation by checksum, double keying, MAC or digital signature
Entity Authentication: Must – automatic log off, unique user id; one of – biometric, password, PIN, telephone callback, token
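The Data Authentication row lists checksum and MAC as alternative integrity confirmations, but they protect against different things. The following added example (not from the slides) shows the difference: a checksum confirms a record was not corrupted, while a keyed MAC also confirms it was not rewritten by anyone who lacks the key. The record fields and the key are constructed for illustration.

```python
"""Integrity confirmation of a stored registry record: CRC32 checksum versus
HMAC-SHA256.  Added example; record layout and key are constructed."""
import hashlib
import hmac
import json
import zlib

# Constructed sample record (no real data).
RECORD = {"registry_id": "R-0001", "donor_code": "D-4821", "blood_type": "O+"}

# Constructed integrity key. In a real system it lives in a key store,
# never in the code or in the database that holds the records.
INTEGRITY_KEY = b"example-key-for-demo-only"


def canonical(record: dict) -> bytes:
    """Serialise deterministically so writer and verifier hash identical bytes."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def checksum(record: dict) -> int:
    """CRC32: detects accidental corruption; involves no secret."""
    return zlib.crc32(canonical(record)) & 0xFFFFFFFF


def mac(record: dict, key: bytes = INTEGRITY_KEY) -> str:
    """HMAC-SHA256 over the canonical record; cannot be recomputed without the key."""
    return hmac.new(key, canonical(record), hashlib.sha256).hexdigest()


def verify_checksum(record: dict, stored: int) -> bool:
    return checksum(record) == stored


def verify_mac(record: dict, stored: str, key: bytes = INTEGRITY_KEY) -> bool:
    # compare_digest avoids leaking the tag through timing differences.
    return hmac.compare_digest(mac(record, key), stored)


def tamper_demo() -> dict:
    """Store a record with both protections, alter a field while also
    refreshing the checksum (anyone with write access to the row can do
    that), then run both verifications."""
    stored_crc, stored_mac = checksum(RECORD), mac(RECORD)
    altered = dict(RECORD, blood_type="AB-")
    return {
        "change_caught_by_checksum": not verify_checksum(altered, stored_crc),
        "rewritten_checksum_passes": verify_checksum(altered, checksum(altered)),
        "rewritten_record_fails_mac": not verify_mac(altered, stored_mac),
        "original_record_passes_mac": verify_mac(RECORD, stored_mac),
    }
```

The audit control row pairs naturally with this: a failed MAC check is the event worth recording and alerting on, because it indicates modification outside the authorized write path.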
IV. Technical Security Mechanisms
Required: Integrity Controls, Message Authentication
One of: Access Control, Encryption
Required if using a network: Alarm, Audit Trail, Entity Authentication
V. Electronic Signature Standards
(Not required for any proposed standard transactions; must be digital signatures if required)
Required: Message Integrity, Non-repudiation, Entity Authentication
Optional: Attributes, Continuity, Countersigning, Independent verification, Interoperability, Multiple Signatures, Transportability
Compliance Issues Examples
• Sarbanes-Oxley
• Gramm-Leach-Bliley
• Health Insurance Portability and Accountability Act (HIPAA)
Data Gathering/Integrity
• Voluntary vs. Required
• Source Verification
• Duplicate Data Remediation
Next Steps to be Considered
(Diagram) For each participating organization: I.P., Information Technology Department, Budgeting, Scheduling
Interface Development
Web Access via Common User Interface
Central Data
1. Study/Scope
2. Budget
3. Plan/Schedule
4. Develop
5. Test
6. Implement