2019-07a dom it servicesforresearchintrocourse final 11.12.19 · 2020-01-23 · helpdesk •...


Page 1: 2019-07a DOM IT ServicesforResearchIntroCourse Final 11.12.19 · 2020-01-23 · Helpdesk • Available 7:00AM to 4:30PM weekdays • Phone: 608.265.4466 (phone tree –options 3 answering

Jennifer Bonifas, Director, Computer Services

Mike Masse, Asst. Director & Lead Network Administrator

Adam Halstead, Director, Software Development and Informatics

Data Security

• What data storage is available and provided by DOM?

• How secure is the storage service?

• Will my research involve PHI?

• Who can ensure the PHI will meet HIPAA compliance or other agency compliance?

• What can I do to protect research data?

• Who is responsible for access controls?

Helpdesk Network

Security & Compliance

Software Development & Informatics

Website Development

Helpdesk

• Available 7:00AM to 4:30PM weekdays 

• Phone:  608.265.4466    (phone tree – options 3 answering service)

• Email:  [email protected]

• Walk‐ins: 5273 UW Medical Foundation Centennial Building

• Answering service available for global issues (server or multiple computers down)

IT Responsibilities – Protect your data

• Know how to handle data properly

• Know the kind of data it is and what laws or standards might govern its use ‐ for example, HIPAA, FERPA, or UW‐Madison restricted data 

• Consult with DOM Helpdesk 

• Department of Medicine helpdesk must review, approve, order and implement computers, software and peripherals

• Department IT requires technical controls and security procedures to support your computing needs

IT Responsibilities – Protect your identity and the University

• Use strong passwords

• Do not share your passwords

• Never share equipment with people outside of work, including family members

• Don’t disclose identity information (SSN, birthdate, address) on the phone, through mail, or on the internet unless you have initiated the contact and you know the other party involved

• Avoid email scams

• Never click on unsolicited links included in emails

Healthcare Data Breaches by Year

Between 2009 and 2017 there have been 2,181 healthcare data breaches involving more than 500 records. Those breaches have resulted in the theft/exposure of 176,709,305 healthcare records. That equates to more than 50% of the population of the United States (54.25%). Healthcare data breaches are now being reported at a rate of more than one per day.

OCR Breach Portal Cases Currently Under Investigation

417 reported breaches for the last 24 months are currently under investigation by the Office for Civil Rights (OCR).

Source: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf

1.4 million patient records breached in UnityPoint Health phishing attack

This is the second breach for the health system this year, and the biggest health data breach of 2018 in the U.S.

Source: https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/mdanderson/index.html

Judge rules in favor of OCR and requires a Texas cancer center to pay $4.3 million in penalties for HIPAA violations

MD Anderson argued that it was not obligated to encrypt its devices and asserted that the ePHI at issue was for “research” and thus was not subject to HIPAA’s nondisclosure requirements. MD Anderson further argued that HIPAA’s penalties were unreasonable. The ALJ rejected these arguments.

Helpdesk, Network and Security

• All computing devices used for work or on the DOM network must be approved, obtained, and supported by DOM IT. 

• All software used for work purposes must be approved, obtained, and supported by DOM IT. 

• Personally owned computers and laptops are prohibited on wired SMPH network

• All laptops and desktops going offsite must be encrypted

• Computers must be returned when employees leave and properly disposed of for HIPAA compliance

DOM Server Infrastructure

700+ CPU Cores

20,000+ GPU Cores

3+ Petabytes Data Storage

6+ Terabytes RAM

Standard Desktop Applications

Adobe Creative Suite

Scientific Desktop Applications

Locally Hosted Secure Applications

Custom Built Applications

Examples:

UWAIRP – UW Atherosclerosis Imaging Research Program manages imaging data and metadata for various cardiology research programs

Seahorse – Laboratory Information Management System (LIMS) for biological samples

CoRRIE – Research Study recruitment registry and contact management

Consulting

Consulting services are available to assist in needs analysis and budget for inclusion in research grant applications.

Contact Adam Halstead:

[email protected]

RedCap

Vanderbilt software approved for UW‐Madison use

Managed at DOM

Longitudinal studies 

Smaller research projects

Store PHI data

Custom apps

New project requests are reviewed by Research Committee

Custom applications can be written when 3rd party software cannot meet the research needs

Research data management

Data mining

Software Development and Informatics

The Software Development and Informatics (SDI) group provides technical applications to advance the administrative, educational, and research missions of the Department of Medicine. Our team is made up of experts in the fields of software development, bioinformatics, and database administration.

Email: [email protected]

Data Sets and Security

• Involve DOM IT at the IRB application phase so that we can help provide you with appropriate data security and storage language

• Feasibility Requirement ‐ Projects involving PHI and non‐exempt human subjects research include a feasibility review by the DOM Compliance Officer

• Compliance Officer and DOM IT will

  • Assist with data storage, data transfers, and security services

  • Ensure contracts and data security plans are congruent with the contracts in WISPER (DUAs).

  • Ensure that data received for studies is protected and compliant with regulations.

HIPAA Risk Analysis of DOM

• Vulnerability: Agreements (DUAs, BAAs, MOUs) that are signed by campus that are not reviewed by our IT department

• IT and Compliance need to review all agreements that involve research data in order to ensure there are data security plans in place to address control and technical safeguards 

• All DUAs and BAAs received by Betty via WISPER will be forwarded to the Compliance Officer and IT in order to ensure they are reviewed for data security compliance

Takeaways

Plan

As you start your research and/or start up a lab, involve DOM IT

[email protected]

Consider your IT needs in your grants.  Contact DOM IT to plan

Support

All computers and networking devices must be ordered by DOM IT and authorized to be on the DOM network

Security

The DOM network is managed as if all data is PHI