Regulated Data: HIPAA and FISMA Compliance
Regulatory compliance is rapidly emerging as a major challenge for IT organizations with little or no prior experience with regulated data. Environments such as
Unique Expertise
CACR's expertise is derived from nearly a decade of experience tackling cyber compliance for the University Information Technology Services (UITS), IU's central IT organization. UITS began facing regulated data in 2007 as rising storage, analysis, and management needs began to force biomedical researchers toward central systems. Anticipating this appetite for capacity to escalate, IU made a decision to launch a significant effort to make its centrally provisioned research cyberinfrastructure HIPAA compliant. This early and unique exposure to regulatory issues outside healthcare IT played a key role in the development and implementation of a standards-based cybersecurity Risk Management Framework (RMF). CACR leverages this comprehensive, flexible, and reusable framework to tackle HIPAA and FISMA at IU.
Supporting Indiana University
IU has a substantial clinical footprint. Its Schools of Medicine, Optometry, Nursing, Public Health, and Speech and Hearing comprise over 5000
National Presence
CACR provides HIPAA and FISMA resources nationally and has assisted numerous research and academic institutions such as the University of Kentucky, University of Chicago, Ball State University, NCSA, NCAR, and more. Other organizations that have leveraged CACR's HIPAA and FISMA expertise include the Coalition for Advanced Scientific Computation (CASC), where CACR played a key role in the formation of a Regulated Data Working Group to address the growing need for compliance, and the Center for Trustworthy Scientific Computing (CTSC), where CACR provides regulated data training to NSF-funded large research facilities. CACR is also a regular presence at conferences such as the Internet2 Technology Exchange and the American Medical Center Conference on Privacy and Security, where it covers HIPAA and FISMA compliance.
CACR's Regulated Data Resources
CACR provides the following HIPAA and FISMA resources.
- Documentation Templates and Instructions
- To help document compliance (system, software, controls, and risk), CACR provides a collection of NIST/FISMA derived templates with in-line instructions and example text that can be used to address both HIPAA and FISMA simultaneously.
- Building a NIST Risk Management Framework for HIPAA and FISMA Compliance
- A PowerPoint presentation from a half-day tutorial at the 2016 NSF Cybersecurity Summit that covers the regulations, risk management, the NIST RMF, and how to leverage it for compliance.
Compliance Links
External
- HHS HIPAA Site - The main HIPAA site managed by the Dept. of Health and Human Services.
- DHS FISMA Site - The main FISMA site managed by the Dept. of Homeland Security.
- NIST Special Publications 800 Site - Including SP 800-53, 800-66, etc.
- NIST HIPAA Security Rule Toolkit - Java-based tool which asks a thousand questions and exports a document with answers.
- HIPAA Security Risk Assessment Tool - Spreadsheets with questions pertaining to each HIPAA Security Rule that document risk and remediation, from the Office of the National Coordinator for Health IT.
IU
Contact
Please email uitshipa@iu.edu.