NCSA wiki will be offline Friday, Apr 19, 2024, from 1600 hours until Sun, Apr 21, 2024 in order to upgrade Confluence.
| Panel |
|---|
Document Name: NCSA HIPAA Facility ACHE Facility Security Procedures Approved: June 29, 2016 |
| Table of Contents |
|---|
Purpose
This document specifies the procedures for bringing people and equipment in and out of a secured facility for processing or storing sensitive data, such as ePHI (electronic Personal Health Information) and CUI (Controlled Unclassified Information), covered by regulations like HIPAA.
Scope
This applies to facilities operated by the NCSA Health Care Componentfor handling sensitive data, such as , the Advanced Computational Health Enclave.
Procedures
NCSA will track approvals and changes made to the applicable environment, keeping records for 6 years or from the inception of the program. Each step of the following workflows is approved by a member of the NCSA Health Care Component the NCSA Staff with ACHE Access (for ePHI, this is the NCSA Covered Entity) while logged in with their personal credentials, and each approval sends emails to the approver and other relevant parties.
Please note that in the following procedures, the NCSA CISO is assumed to also be the NCSA HIPAA Liaison.
Adding/Removing Personnel with Physical Access
The building manager has the only physical key and can use it to allow access for emergency personnel or if the electronic access control mechanism is broken. In these cases, they log access afterwards with a ticket assigned to the HIPAA Liaison CISO subject "Emergency Access for HIPAA Enclavethe ACHE". This tells who was let in, when, and why. No one is left unescorted if they are not part of the covered entityNCSA Staff with ACHE Access.
All other access is made with an electronic control that identifies each person individually. People given electronic access must be a part of the covered entityNCSA Staff with ACHE Access. The workflow for granting access is as follows.
- Request is submitted by the building manager to the HIPAA Liaison CISO on behalf of a staff member with the reason for the request.
- The HIPAA Liaison CISO checks that they are in the covered entity and NCSA Staff with ACHE Access and approves or rejects the request.
- If approved, the building manager adds the person to the access control list.
- The workflow is closed by the building manager. This sends an email to the building manager, HIPAA LiaisonCISO, the new staff member with access, and their manager.
The process for removing access can be triggered either via a role change from staff to non-staff (e.g., during the employee exit process) , or at the request of the HIPAA LiaisonCISO.
- Request is submitted and goes to the HIPAA Liaison CISO for approval.
- Building manager receives approved request and removes access.
- Building manager closes the ticket. (If not closed within 24 hours or creation, Security Office is alerted). An email is sent to the person who lost access, their manager, the building manager, and the HIPAA LiaisonCISO.
Providing Access for non-Emergency Maintenance
Maintenance requests start with the building manager who works with Facilities & Services. The process for non-emergency maintenance is as follows.
- The building manager submits a request with a description of the maintenance request.
- The HIPAA Liaison CISO approves or rejects the request.
- If approved, the building manager submits a work order to F&S.
- The building manager provides an escort(s) who is a part of the covered entity and NCSA Staff with ACHE Access and who stays with the maintenance person while in the secured area.
- After the work is completed, the building manager records when it was completed and by whom along with the identity of the escort.
- The workflow is closed by the building manager. An email is sent to the HIPAA Liaison CISO and building manager.
Physical Security in a Disaster
If there is a disaster that causes the access control mechanisms to fail open, University staff may or may not be allowed near the facility for some time. When they are allowed back, the building manager is responsible for providing physical security to any remaining systems until controls are restored. This may mean that a person within the covered entity NCSA Staff with ACHE Access is physically watching the area or that equipment is moved to secure, offline storage.
The response must be documented and given to the HIPAA LiaisonCISO. This documentation must include:
- Any potential exposure period during which staff were not allowed near the enclave
- Any missing equipment or equipment that has been clearly tampered with
- Who was responsible for watching the equipment and during what time periods
- How, who and when systems were moved to a secure, offline storage facility
- Who has access to the offline storage facility
Modifying Physical Security Controls
A request to modify physical security controls can start with the building manager, Security Office or HIPAA LiaisonCISO. The workflow is as follows.
- The building manager makes sure the request has sufficient detail and forwards it to the Security Office for approval.
- The Security Office reviews the changes and evaluates the impact of the change. The request is then rejected or approved and forwards approved requests to the HIPAA Liaison CISO for approval.
- The HIPAA Liaison CISO approves or rejects the request.
- If approved, the building manager submits a work order to F&S.
- The building manager provides an escort(s) who is a part of the covered entity and of the NCSA Staff with ACHE Access and who stays with the maintenance person or vendor while in the secured area doing the work.
- After the work is completed, the building manager records when it was completed and by whom along with the identity of the escort.
- The workflow is closed by the building manager. An email is sent to the HIPAA LiaisonCISO, Security Office, and building manager.
Moving Equipment with
...
Sensitive Data
If equipment with sensitive data (ePHI, CUI, etc.) is moved, it must stay within the secured facility or be moved to another secured facility. The following process is followed.
- A request to move equipment with dates and customer impacts is submitted to the HIPAA LiaisonCISO.
- The HIPAA Liaison CISO works with the appropriate offices to ensure the schedule works for the customers impacted.
- If applicable, data is backed up using a unique encryption key known to the person making the backup and the HIPAA LiaisonCISO.
- If leaving the secured facility, ePHI sensitive data will be securely wiped and verified by the Security Office.
- The system will be powered-off and moved.
- The system will be restored and verified by system administrators.
- The ticket is closed by system administrators and an email is sent to the building manager, HIPAA LiaisonCISO, and others involved in the ticket or workflow.
Sanitizing Media for Removal
Media must be sanitized before disposal outside of the secure facility. This includes returning disks to vendors or repurposing equipment.
Wiping is done on a dedicated workstation by a method approved by the Security Office.
Anyone in the covered entity NCSA Staff with ACHE Access may initiate the process to remove media from the facility, but it follows the following process.
- A request with the reason for removal is sent to the HIPAA Liaison CISO who approves or rejects.
The requestor will place the media in the provided secure container.
Container shall be locked with a key kept in the secure area.
Security team will transport secure container for wiping / destruction.
The security team will unlock with second key kept at wiping / destruction station.
Each device will be wiped or destroyed per Security Office policy
The person wiping the media will electronically record the details of the wiped media and when it was sanitized. Then they will return the secure container to the secure area area.
The media is given to the building manager who closes the workflow and sends the drive on. If necessary, they have the original requestor fill out the RMA paperwork.
...