ARCHIVED: Completed project: Private and sensitive data management (EP Action Item 59)

This content has been archived, and is no longer maintained by Indiana University. Information here may no longer be accurate, and links may no longer be available or reliable.

Primary UITS contact: Anurag Shankar

Completed: September 16, 2015

Description: As closer ties are formed between UITS and entities that generate and use sensitive data, there is a need for broader coordination among UITS divisions. Research Technologies led the initial implementation of HIPAA-capable systems that served researchers at the IU School of Medicine working with electronic protected health information, and became one of the first academic high-performance computing centers to do so. Activities that require protection of sensitive data are now expanding to other sensitive data, such as census data, social sciences data, and to other applications such as clinical care and course management.

As NIH-funded organizations are increasingly required to meet stricter FISMA (Federal Information Security Management Act) standards, this program will play a role in ensuring the appropriate controls meet those standards. Other organizations such as ICPSR (Interuniversity Consortium for Political and Social Research) provide guidance and resources to promote data preservation, access, security, and confidentiality.

Outcome: A well-coordinated, collaborative institutional approach to managing the risks of working with any sensitive data, regardless of its source and comprehensive of all governing policies, will better secure private and sensitive data, position UITS as a strong partner in that effort, and lay the groundwork for IU to have a strategic advantage for research, care, and education.

Milestones and status:

  • January 2008: Research Technologies systems and Intelligent Infrastructure approved for management of ePHI as per HIPAA by University Council
  • March 2010: Additional applications (Slashtmp and REDCap) approved for managing ePHI
  • December 2010: Planning for secure data space in Woodburn Hall with Political Science (James Russell) begins
  • May 2011: Chris England and HELPnet establish prototype Windows Server in SPEA to support social sciences research with sensitive data (RADaRS = Restricted Access Data Remote Server, RSR = Remote Server for Research)
  • March 2012: Planning for aligning Oncourse with HIPAA to support the IU School of Medicine begins
  • April 2012: HIPAA training by Leslie Pfeffer Completed; 147 staff attended the sessions.
  • May 30, 2012: IPPS Committee Meeting (Vince Sheehan, Chair)
  • August 29, 2012: IPPS Committee Meeting (Vince Sheehan, Chair)
  • August 2012: Plan to develop Alfresco Share as a HIPAA-capable file sharing application approved by IPPS Committee in August meeting
  • August 2012: IPPS Committee disbanded at August meeting as the process for developing and approving cyberinfrastructure services for HIPAA and other sensitive research data applications
  • December 2012: Barnett presents to Operations Committee
  • March 2013: Barnett becomes Chair, Coalition for Advanced Scientific Computing (CASC) HIPAA Working Group
  • April 2013: OnCore Clinical Trials Management system and Remedy Informatics Biobank system (both managed by Enterprise Infrastructure) recommended to manage ePHI by Compliance Committee (see ARCHIVED: Clinical Research Systems Implementation)
  • Summer 2013: SPEA RADaRS and RSR system capacity expanded through Research Technologies funding (4x increase in cores and RAM, 2x increase in storage)
  • August 2013: Social Science Research Commons (SSRC, Woodburn Hall 200) opens and provides consolidated "front office" support for sensitive social sciences data at IUB
  • October 2013: RT HIPAA Consulting Service approved and funded by OVPIT
  • October 2013: RT HIPAA Consulting Service process and procedure for self-assertion of HIPAA approved by OVPIT and HIPAA Compliance Committee
  • October 2013: Alfresco Share completed as HIPAA-capable application
  • January 2014: Shifted to a FISMA model for documentation and process
  • April 23, 2014: Barnett and Shankar deliver workshop on HIPAA alignment to CASC, Arlington, VA
  • May 2014: Completed 5-year external risk and gap analysis for all UITS aligned services
  • June 24, 2014: Barnett presentation on security high performance computing at Academic Medical Conference, Chapel Hill, NC
  • August 2014: Windows server administrator in RT dedicated to supporting sensitive social sciences data on Windows environments
  • August 26, 2014: Barnett and Shankar deliver workshop on HIPAA alignment to NSF Cybersecurity Summit, Arlington, VA
  • October 2014: Conveyant system approved for ePHI
  • June 2015: To establish an appropriate governance structure, Anurag Shankar and his project responsibilities are transferred to the Center for Applied Cybersecurity Research (CACR), under the direction of Von Welch.

Upcoming events:

  • Alignment of Identity Management services, including CAS, in order to support many applications that depend on IU IDM for authentication
  • Partnership with IU Health (Toya Key) to approve UITS systems to manage clinical data from IU Health
  • Alignment of Coeus Online IRB system (Jim Thomas) with HIPAA for research administration
  • Collaboration with ORA to streamline IRB approval for research data management using UITS systems previously approved for ePHI
  • Collaboration with Internal Audit to align audit and security review categories and strategies
  • Alignment of IU wireless network with HIPAA
  • Spring 2015: Transition management of existing Windows RADaRS server to Research Technologies in conjunction with SPEA and HELPnet (status of RSR server to be determined); continue partnerships with SSRC and provide data stewardship; broaden access to additional schools and departments
  • July 2015: William Barnett becomes Chief Research Information Officer for the Indiana CTSI and Regenstrief Institute, taking on a new role in this project.

Comment process: Email Anurag Shankar.

Benefits:

  • Better protection of sensitive data
  • Ability to scale protected systems to accommodate growing need
  • Ability to extend use of protected information to new applications
  • Improved institutional risk management for sensitive data
  • Improved cyberinfrastructures in support of research, care, and education
  • Improved grant competitiveness for both biomedical and social sciences research with sensitive data

Related information: CITI Training for Human Subjects Protection and Responsible Conduct of Research: http://researchadmin.iu.edu/EO/eo_citi.html

Project leads:

  • Von Welch, lead
  • Anurag Shankar, technical lead

Partners:

  • Kosali Simon, SPEA
  • James Russell, College IT Office
  • Chris England, SPEA
  • Emily Meanwell, Social Science Research Commons
  • Titus Schleyer, Regenstrief
  • Christopher Callahan, Regenstrief
  • Bill Barnett, CRIO, Indiana CTSI
  • Toya Key, IU Health

Governance:

  • HIPAA Compliance Committee: Leslie Pfeffer, Office of Research Administration, chair
  • IUSM Office of the CIO: Vince Sheehan, CIO
  • UISO: Tom Davis, Director
  • Internal Audit: Dennis Gillespie, Asst. IS Director, Internal Audit

This is document bbxa in the Knowledge Base.
Last modified on 2018-01-18 17:13:09.