Working With NIST 800-171, HIPAA, and Other Controlled Data Sets

As Binghamton University matures as a research institution, the need to collect, store, and provide access to HIPAA, FERPA, PII, CUI, and similarly controlled data sets increases as well.  This is no easy task given the high degree of security and isolation required by the policies which govern these various data classification types.  While it is theoretically possible to bring the entirety of Binghamton University’s campus-wide infrastructure up to the strictest standards set forth by NIST 800-171 and other frameworks, doing so would be prohibitively expensive, time consuming, and be overly constraining for the vast majority of use cases the campus infrastructure is designed to support.

Given the need and the constraints outlined above, Binghamton University ITS in collaboration with the Binghamton Research Foundation, has opted to build out an entirely new “Bubble” infrastructure, up to the standards set forth in by the NIST 800-171 Framework.  This infrastructure is virtually isolated from the rest of the campus network (VPN required for access), utilizes its own IAM / Active Directory for access controls, and makes use of VMWare’s NSX to provide project isolation within the “Bubble” environment.  It is the expectation of the ITS Research Support group that any data for which the existing campus infrastructure is insufficient would, going forward, end up in this environment.

As Binghamton University continues to grow (new health care campus in Johnson City), this “bubble” environment will expand to virtually encapsulate entire data centers which will store HIPAA, Medicare, and other controlled medical data.  As a result, the foundations and standards established by this new environment will serve as the technical blueprint for any relevant data in the future.  

Last Updated: 6/6/18