How Pa. secures data on the Web
When the Office of Mental Retardation in Pennsylvania's Public Welfare Department began work on the Home and Community Services Information System in 1999, the idea of building a Web-based application was 'still very new,' said Gary Rossman, division chief of DPW's Bureau of Information Systems and HCSIS project manager.
Rossman and his team conducted a series of regional forums around the state, trying to acquaint people with the idea. 'Banks were just beginning to use the Internet,' Rossman said. HCSIS borrowed some security tools from online banking.
'We were also one of the early Web-based systems that worked to become ADA-compliant with Bobby certification,' and used screen readers, he said. Bobby is an online tool that analyzes Web pages for their accessibility to people with disabilities. In addition to complying with Americans with Disabilities Act standards, HCSIS also complies with Health Insurance Portability and Accountability Act requirements.
The HCSIS application resides on a Unisys server running Windows 2000 Datacenter SP2 for the Web application servers and database server. It also utilizes Microsoft .Net technology.
Data is stored in an Oracle9i database, and the HCSIS infrastructure is housed at the Bureau of Information Systems in Harrisburg.
Because so much sensitive data runs on HCSIS, the system has some special security features. For example, its technical architecture uses Oracle's Fine Grained Access Controls to limit access to data. FGA ensures that a Cumberland County user can only access data specific to Cumberland County.
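Oracle exposes fine-grained access control through the DBMS_RLS package, which attaches a predicate-generating function to a table so every query is filtered by the database itself. The sketch below is an added example, not HCSIS code; the schema HCSIS_APP, the tables CONSUMER_RECORD and USER_COUNTY, the column COUNTY_CODE, and the context and package names are all hypothetical, and it assumes each database session belongs to one mapped user.

```sql
-- Added illustration. All object names are hypothetical, not taken from HCSIS.
-- The context holds the caller's county; only the named package may write to it.
CREATE OR REPLACE CONTEXT hcsis_ctx USING hcsis_app.county_security;

CREATE OR REPLACE PACKAGE hcsis_app.county_security AS
  PROCEDURE set_county;  -- call once per session, e.g. from a logon trigger
  FUNCTION county_predicate(p_schema IN VARCHAR2, p_object IN VARCHAR2)
    RETURN VARCHAR2;
END county_security;
/

CREATE OR REPLACE PACKAGE BODY hcsis_app.county_security AS
  PROCEDURE set_county IS
    v_county hcsis_app.user_county.county_code%TYPE;
  BEGIN
    -- Look up the county from a server-side mapping, never from client input.
    SELECT county_code INTO v_county
      FROM hcsis_app.user_county
     WHERE username = SYS_CONTEXT('USERENV', 'SESSION_USER');
    DBMS_SESSION.SET_CONTEXT('hcsis_ctx', 'county_code', v_county);
  EXCEPTION
    WHEN NO_DATA_FOUND THEN
      NULL;  -- unmapped user: context stays unset, so the predicate matches no rows
  END set_county;

  FUNCTION county_predicate(p_schema IN VARCHAR2, p_object IN VARCHAR2)
    RETURN VARCHAR2 IS
  BEGIN
    -- Oracle appends this text to the WHERE clause of every covered statement.
    -- With no context value the comparison is against NULL and fails closed.
    RETURN 'county_code = SYS_CONTEXT(''hcsis_ctx'', ''county_code'')';
  END county_predicate;
END county_security;
/

BEGIN
  DBMS_RLS.ADD_POLICY(
    object_schema   => 'HCSIS_APP',
    object_name     => 'CONSUMER_RECORD',
    policy_name     => 'COUNTY_ISOLATION',
    function_schema => 'HCSIS_APP',
    policy_function => 'COUNTY_SECURITY.COUNTY_PREDICATE',
    statement_types => 'SELECT,INSERT,UPDATE,DELETE',
    update_check    => TRUE);  -- reject writes that would place a row in another county
END;
/
```

Because the filter is enforced inside the database, a query that omits a county condition in the application layer still returns only the caller's county.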
HCSIS has performed so well for Pennsylvania that other states are borrowing it. 'We've transferred the code for the quality management module to Massachusetts,' Rossman said. 'Because it's federally funded from the Health and Human Services Department, the code is in the public domain for other states.' As a result, Massachusetts now has a version of HCSIS in operation.
Trudy Walsh is a senior writer for GCN.