Health Cyberinfrastructure Division

San Diego Supercomputer Center at UC San Diego

2015 Larry L. Sautter Award for Innovation in Information Technology

Project Title
Sherlock Cloud: Health Information Portability and Accountability Act (HIPAA)-Compliant Cloud for the University of California (UC)

Project Timeframe
September 2013 – Present

Submitter’s Name
Sandeep Chandra
Director, Health Cyberinfrastructure Division
San Diego Supercomputer Center

858.534.5031

Relevant URLs


Project Leader
Sandeep Chandra, System Architect

Technologies Used
Apache
Aspera
Bro
Cognos
Commvault
DB2
Globalscape
Linux OEL
Oracle
Oracle Enterprise Manager
OSSEC
Puppet
RSA Authentication Manager
Shibboleth
Splunk
Tibco
Tivoli
VMware
Vyatta
Windows Server 2008R2
Windows Server 2012R2
Project Team Members
Winston Armstrong, Information Security Officer
Kyle Barber, IT Systems Lead
David Beitler, Systems Engineer
Brian Hom, Security Analyst
Phillip Lopo, Security Analyst
Claire Mizumoto, Technical Project Manager
Leslie Morsek, Technical Project Manager
Mark Pumphrey, Systems Engineer
Danielle Whitehair, User Support Lead
Hua Uy, Systems Engineer

Introduction and Background

The Health Cyberinfrastructure (CI) Division at the San Diego Supercomputer Center recognized a need to provide secure and compliant data management, application hosting, and computing capabilities to University of California (UC) and academic and government partners. As such, it embarked on a journey to establish the Sherlock Cloud infrastructure. Cloud computing provides a way for projects to scalably store and manage their data in a secure online environment. New projects can be deployed and managed without a large investment of time, cost, or infrastructure, and cloud resources can be tailored to the individual project’s computing needs while leveraging economies of scale and shared expertise.

When the Health CI Division debuted in November 2008, it had developed a cloud infrastructure that complied with the Federal Information System Management Act (FISMA), rendering it the largest FISMA-certified cloud within the UC system. The cloud infrastructure was further developed in accordance with hundreds of National Institute of Standards and Technology (NIST) controls governing system access, information control, and management processes; it also addressed federal Cloud First requirements. The Division subsequently branded its cloud Sherlock Cloud.

After working a few years with data governed by FISMA requirements, the Health CI Division decided to parlay this knowledge and expertise and embark on an innovative journey to expand its cloud offering to include a Health Insurance Portability and Accountability Act (HIPAA)-compliant cloud environment, a niche and unique offering within the UC. This expansion would not only strengthen the Sherlock Cloud infrastructure for UC campuses, divisions, and researchers, but it would also lay the groundwork for the Health CI Division’s designation as an SDSC “Center for Excellence” for secure HIPAA- and FISMA-compliant managed cloud services.

Conceptualization and Creation of the HIPAA-Compliant Cloud Environment

In mid-2013, the UC Office of the President (UCOP) approached the Health CI Division with a need that would help UCOP achieve its mission of strategically managing risk to create greater financial stability for UC through its Enterprise Risk Management (ERMIS) initiative. To accomplish this mission, UCOP requested a HIPAA-compliant cloud environment to host its data, which at the time did not exist in the Sherlock Cloud infrastructure or anywhere else within the UC. Following collaborative discussions with UCOP, which entailed understanding and capturing the compliance requirements of the ERMIS platform and ensuring that the application, data and system access, and usability were maintained, the Health CI Division conceptualized and devised the architecture needed to build the HIPAA-compliant cloud environment, which required scaling the Sherlock Cloud infrastructure, and began the innovative process of building this environment in September 2013.

Building the HIPAA-compliant cloud environment required innovation on the part of the Health CI Division, as HIPAA does not prescribe the exact physical and technical safeguards a cloud service provider must employ to ensure its cloud complies with the Act to protect and secure sensitive Protected Health Information (PHI) data. Indeed, the Health CI Division accepted the challenge and identified those HIPAA safeguards it deemed necessary, and further incorporated its experience with the heightened physical and technical requirements of FISMA to create a HIPAA-compliant cloud environment that fully encapsulated the safeguards and statutory framework of HIPAA. The approach involved identifying and applying a comprehensive subset of security controls, as identified within the NIST guidelines; scaling the cloud infrastructure by identifying a number of operational and management services that could be deployed once and leveraged across the various projects hosted within the HIPAA cloud; and developing policies and processes that comprehensively encompass all elements of HIPAA compliance and auditability. In addition, some management services could not be shared across various projects because of compliance requirements, and this limited set of services was operationalized to be easily instantiated for every project. This approach provided significant economies of scale, both at the services and software/hardware level, within the HIPAA-compliant cloud. The ingenuity of the Health CI Division to capitalize on its FISMA expertise undoubtedly provides a HIPAA-compliant cloud that exceeds the expectations of the Act’s objectives.

The Health CI Division successfully developed and deployed the HIPAA-compliant cloud in April 2014, approximately 6 months after accepting the challenge. “The Health CI Division was able to seamlessly take our data and application infrastructure from an open environment to a secure HIPAA-compliant environment in approximately 6 months. This aggressive timeline would not have been feasible absent the expertise and necessary skillset possessed by the Health CI Division. The end product, which has now been in production for over a year, has greatly helped secure Risk management data and applications, and we are extremely pleased with the outcome,” said UCOP Director of Risk IT Systems, Nilofeur Samuel.

The Health CI Division’s short-term goal of deploying a high-functioning, secure cloud environment that could be used by UCOP to improve the effectiveness of UC Risk Initiative business processes was a stepping stone to its ultimate goal of establishing a scalable HIPAA-compliant cloud at UC, which could be used by UC campuses, medical centers, departments, and researchers as well as outside academic and non-academic partners seeking secure and compliant managed IT and cloud hosting services for projects involving sensitive PHI and Personally Identifiable Information (PII) data. The Health CI Division successfully attained that goal, and created an environment that is scalable, sharable, interoperable, integrated, and used within UC, as well as nationally, as it currently supports the National Cancer Institute (NCI), National Institutes of Health (NIH), Centers for Medicare and Medicaid Services (CMS), and a number of UC institutions (e.g., UCOP, UCSF Medical Center, Calit2/Qualcomm Institute, etc.).

Maintenance of the HIPAA-Compliant Cloud Environment

To ensure the longevity and utility of the HIPAA-compliant cloud, the Health CI Division meticulously follows stringent guidelines and policies required to maintain its HIPAA-compliant status. Maintaining HIPAA compliance involves managing the entire software and hardware platform and the necessary management processes. Accordingly, the Health CI Division’s management, security, and systems teams continuously monitor, regularly test, and actively maintain the requirements including, but not limited to:

  • Generating and maintaining policy and lifecycle documents (e.g., System Security, Incident Response, and Contingency);
  • System vulnerability scanning, flaw remediation, continuous system monitoring, and log analysis;
  • Conducting yearly security assessments and security testing for all staff with access to HIPAA data;
  • Testing regularly for purposes of backup/archiving;
  • Performing workforce clearances and background checks;
  • Monitoring physical security controls, access controls, and authentication; and
  • Ensuring data transmission security and data at rest security.

The diligence with which the Health CI Division works to maintain its compliance status strongly aids and improves the operational efficiency and usability/accessibility of the UC system to support its various projects and research initiatives that are reliant on the safeguards provided by the HIPAA-compliant cloud. Anyone within the UC system can commence new projects and initiatives with confidence knowing that the Health CI Division has these established protocols in place and it recognizes the important role it plays in the success of current and future projects and initiatives.

Proven Methodology for HIPAA-Compliant Cloud Project Deployment

The Health CI Division is comprised of IT specialists who guide partners through the process of determining and understanding the steps necessary to meet and maintain their HIPAA-compliant cloud needs. The Division has developed a standard four-step framework to gather the requisite information to ensure proper planning, deployment, and maintenance of a project. These four steps make the HIPAA-compliant cloud shareable and readily implementable elsewhere within the UC.

Step 1: Determining Project Background and Scope

Before a project can be initiated, the Health CI Division must understand the project’s background and scope. Moreover, the project’s regulatory requirements (i.e., HIPAA) and security requirements and parameters must be identified. Armed with this information, it can then be determined how the Health CI Division can assist the partner with its project.

Step 2: Understanding Project Compliant Hosting Requirements

The Health CI Division must become familiar with the project’s compliant hosting requirements, which require the partner to detail specific technical requirements of the project (e.g., applications, compute and storage, service-level agreements, etc.).

Step 3: Proposing and Building a Platform

Next, the Health CI Division will jointly work with its partner to propose and architect the platform. This step entails outlining the system architecture for project deployment within Sherlock Cloud, defining and testing a proof-of-concept implementation, discussing costing options, developing a memorandum of understanding that outlines deliverables, roles and responsibilities and service level agreements, and initiating platform deployment upon contract award.

Step 4: Providing Ongoing Operations and Maintenance Support

Finally, as detailed in the previous section, the Health CI Division will work with its partner to maintain compliance requirements and provide ongoing operations and maintenance (e.g., infrastructure support, system administration and maintenance, change management, security/CISO support, and project management and coordination).

Specific Impacts of the HIPAA-Compliant Cloud Environment

The HIPAA-compliant cloud has been extremely successful, and the extent of its impact on multiple areas across campuses continues to grow. This enables the Health CI Division to add functionalities and capabilities that strengthen its cloud offering. Moreover, the flexibility and scalability of the compute, storage, software and services platform supports a variety of research and data projects requiring a secure, access-controlled environment. The Health CI Division partners with various departments, medical centers, and researchers to engage in projects that have yielded significant benefits in areas such as patient care, business continuity, and medical research.

Research & Collaboration

A driving factor behind the development of the HIPAA-compliant cloud was to support researchers and their projects. The Health CI Division team understands the requirements of research computing, and how the needs of professors and investigators may differ from those of the typical end user of commercial cloud platforms. Coupling the expertise of the Division with the availability of the HIPAA-compliant cloud enhances the quality of research and competitiveness, as researchers (1) are now able to pursue initiatives that were previously unavailable due to the lack of a cost-effective and secure cloud environment, (2) have access to highly technical and experienced Health CI staff who are intimately familiar with HIPAA requirements and can assist where and when needed, and (3) can reach back to the entire SDSC network of cyberinfrastructure specialists for support, which spans numerous fields of expertise.

Some of the research initiatives it supports include:

  • Be There San Diego: The Health CI Division partnered with various healthcare organizations to build and deploy a system to support a research project that focuses on helping reduce heart attacks and strokes in the San Diego area, with the goal that San Diego be the first “heart attack and stroke free zone” in the nation. The system was deployed in January 2015. This project received funding through the Health Care Innovation grant that was funded by CMS.
  • GeoDatabase (GeoDB): The GeoDB project is funded by an NCI grant to develop a geo-database that facilitates the matching of geographic information system (GIS) data to GPS data, compares different spatial techniques for creating exposure variables, and assesses relationships across several data sets. In collaboration with the Qualcomm Institute, the Health CI Division created a HIPAA environment for related GIS projects. The Health CI Division built and deployed the geo-database in June 2014.

Another essential factor underlying the development of the HIPAA-compliant cloud was the ability to partner and collaborate with IT organizations in need of this service. The Health CI Division now partners with various IT organizations to collaborate and develop custom frameworks that support their projects. To do so, a comprehensive joint service model that defines roles, responsibilities, and processes to be used is cooperatively developed by the parties. The availability of the HIPAA-compliant cloud to IT organizations has additionally broadened the spectrum of available resources, as the Division now works with UC Medical Centers IT departments to provide disaster recovery and business continuity services.

Health Care

The Health CI Division provides the UCSF Medical Center with a fully managed replication and disaster recovery service for its clinical applications as well as a business continuity service. As such, to improve the quality and preserve the integrity of patient care, the Health CI Division, in conjunction with the UCSF Medical Center, has developed stringent procedures to follow during a disaster and has implemented stringent RPO and RTO parameters to minimize data loss. With this service, patients can rest assured knowing that should a disaster occur, UCSF Medical Center has the ability to recover vital technology infrastructure, systems, and information needed to support each patient’s care.

Technology Infrastructure Innovation

With the addition of the HIPAA-compliant cloud, the UC system now has an environment to host sensitive PHI and PII data and support projects that must meet HIPAA regulations. This improvement to UC’s IT environment enhances multiple services, as it provides a mechanism within the university to achieve various goals and missions (i.e., strategically managing risk to create greater financial stability for UC and promoting patient care during times of disaster). The Health CI Division’s technological infrastructure innovation allows it to further provide its services at a reasonable cost, thereby reducing the cost for UC campuses, departments, and researchers. Specifically, Sherlock Cloud consists of three main environments (i.e., HIPAA, FISMA, and Agile). While each environment has a set of management services specific to that environment, all three environments leverage a set of shared management services and share the same physical hardware resource pool. Sherlock Cloud uses virtualization technologies to achieve hardware economies of scale and increased system utilization through the secure sharing of hardware and storage devices. This provides economies of scale by lowering project costs and increasing resource reliability and uptime.

Figure 1: Sherlock Cloud Platform

Conclusion

The Health CI Division has greatly contributed to UC’s information technology innovation landscape through its deployment of the HIPAA-compliant cloud. Despite being fairly new to this landscape, the Health CI Division has already received various accolades – demonstrating assessable success criteria – and it intends to continually develop and expand its HIPAA-compliant cloud offerings and expertise. The journey did not end with the deployment of this cloud environment; rather, another leg of the journey commenced. The Health CI Division looks forward to continually working with the various UC campuses, medical centers, and researchers as well as those partners outside the UC framework to deliver top-notch HIPAA-compliant cloud offerings and services that continue to meet and exceed their systems and security expectations.
