Dan: from our call with Steve and two lawyers on 10/17: GPC Hosted Services = suite of software that exists at all sites.

Not true?

Thanks,
Laurel

From: Dan Connolly [mailto:dconno...@kumc.edu]
Sent: Tuesday, October 21, 2014 10:24 AM
To: Verhagen, Laurel A
Cc: gpc-dev@listserv.kumc.edu
Subject: RE: encryption at rest?

Which direction is that? pointer, please?

--
Dan

________________________________
From: Verhagen, Laurel A [verhagen.lau...@mcrf.mfldclin.edu]
Sent: Tuesday, October 21, 2014 10:21 AM
To: Dan Connolly
Cc: gpc-dev@listserv.kumc.edu
Subject: RE: encryption at rest?

Direction was that gpc hosted services includes local implementations. Does this require additional clarification? I was asked how we plan to cover this requirement.

Thanks,
Laurel

From: Dan Connolly [mailto:dconno...@kumc.edu]
Sent: Tuesday, October 21, 2014 10:11 AM
To: Verhagen, Laurel A
Cc: gpc-dev@listserv.kumc.edu
Subject: RE: encryption at rest?

The agenda asks how sites are handling this, but "GPC Hosted Services" aren't a site responsibility.

At-rest encryption is part of the (emerging) standard operating procedure that we (KUMC Medical Informatics) use for AWS-hosted stuff. We pioneered it in our telehousecalls <https://telehousecalls.org/> project.

--
Dan

________________________________
From: Verhagen, Laurel A [verhagen.lau...@mcrf.mfldclin.edu]
Sent: Tuesday, October 21, 2014 9:52 AM
To: Dan Connolly
Cc: gpc-dev@listserv.kumc.edu
Subject: RE: encryption at rest?

Dan,

The "GREATER PLAINS COLLABORATIVE COOPERATIVE MEDICAL INFORMATICS DATA SHARING AND NETWORK INFRASTRUCTURE AGREEMENT" document (file name: PCORI GPC Data Sharing Agmnt) includes the following passage on page 10:

1. The GPC Infrastructure and Software Development Core will maintain the GPC Hosted Services. Any information transmitted (data in motion) and will be secured in accordance with the Security Rule by the Participant sending the data in motion. Any information stored (data at rest) will be secured in accordance with the Security Rule by the Party receiving and storing the data at rest. Participants will provide information regarding implementation as reasonably requested by the GPC Governing Council. Support for additional services and processes will be determined and approved by the GPC Governing Council.

Our site asked for clarification, such as what does "data stored" mean (data sets for studies, i2b2 database, cdm datamarts, etc.)? What strategies are applied?

After writing the agenda, I received the following from Steve Fennel:

1) How will GPC data in motion be protected?
All data in motion will be encrypted. Specially, data files will be sent via SCP. Alternatively, if the application involves REDCap, it will utilize SSL.

2) Will data at rest be encrypted up to NIST standards?
Yes, data at rest will use a NIST approved encryption algorithm (specifically AES).

As the software dev core is responsible for reporting our strategies to the GPC Governing Council, it seems relevant to discuss, if only briefly. Did you want to handle this offline?

Thanks,
Laurel

From: Dan Connolly [mailto:dconno...@kumc.edu]
Sent: Tuesday, October 21, 2014 9:21 AM
To: Verhagen, Laurel A
Cc: gpc-dev@listserv.kumc.edu
Subject: encryption at rest?

Laurel,

I see "Encryption of data at rest (stipulation of the GPC Agreement) - how are sites handing this?" in today's agenda.

What's the source of that item? Which "GPC Agreement"?

--
Dan

________________________________
The contents of this message may contain private, protected and/or privileged information. If you received this message in error, you should destroy the e-mail message and any attachments or copies, and you are prohibited from retaining, distributing, disclosing or using any information contained within. Please contact the sender and advise of the erroneous delivery by return e-mail or telephone. Thank you for your cooperation.
_______________________________________________ Gpc-dev mailing list Gpc-dev@listserv.kumc.edu http://listserv.kumc.edu/mailman/listinfo/gpc-dev