Securing Microsoft Technologies for HITECH Compliance: Update 2/13/2012 Marie-Michelle Strah, PhD SharePoint Saturday Philadelphia 2/4/2012

Upload: marie-michelle-strah-phd

Post on 05-Dec-2014


DESCRIPTION

Updated presentation 2/13/2012 with references from #spsphilly

TRANSCRIPT

Page 1: Securing Microsoft Technologies for HITECH Compliance

Securing Microsoft Technologies for

HITECH Compliance: Update 2/13/2012

Marie-Michelle Strah, PhD

SharePoint Saturday Philadelphia 2/4/2012

Page 2

http://ideas.appliedis.com

http://lifeincapslock.com

Introductions

Page 3

Objectives

Introduction: Why Microsoft Business Solutions for healthcare?

• Context: ARRA/HITECH: INFOSEC and connected health information

• Reference models: security, enterprise architecture and compliance for healthcare

• Best Practices: privacy and security in Microsoft SharePoint Server 2010, Microsoft Dynamics CRM and Office365

Panel: Q&A

Page 4

What keeps a CMIO up at night?

Excerpted from John D. Halamka, MD, Life as a Healthcare CIO blog…

• Unstructured data

• Compliance

• Security

• Workforce recruitment

http://geekdoctor.blogspot.com/2011/10/what-keeps-me-up-at-night-fy12-edition.html

Page 5

Planning for Security and the “Black Swan”

Page 6

Privacy

• Data (opt in/out)

• PHI

• PII

“Black Swans”

• Consumer Engagement

• Business Associates

2012 = Year of Privacy and ECM

Page 7

Enterprise Security Model

Information Security (Collaborative Model): S = (Px * Ay)

Security (S) equals People (P: all actors and agents) times Architecture (A: technical, physical and administrative safeguards).

Page 8

2012: From HIPAA to HITECH and “Meaningful Use”

• Health Insurance Portability and Accountability Act of 1996 (HIPAA) (Pub L 104–191, 110 Stat 1936)

• The Health Information Technology for Economic and Clinical Health Act (HITECH Act), enacted on February 17, 2009

• American Recovery and Reinvestment Act of 2009 (ARRA) (Pub L 111-5, 123 Stat 115)

Page 9

S = (Px * Ay): do the HITECH math…

“Business Associates” (45 CFR §160.103):

• Legal

• Accounting

• Administrative

• Claims Processing

• Data Analysis

• QA

• Billing

Consumer Engagement

Application of HIPAA Security Standards to Business Associates: 42 USC §17931

New Security Breach Requirements: 42 USC §17932(j)

Electronic Access Mandatory for Patients: 42 USC §17935(e)

Prohibited Sale of PHI without Patient Authorization: 42 USC §17935(d)

Complexity: RM, ECM and eDiscovery

Page 10

You Don’t Believe Me?: In the News

Recent Cryptzone Survey (Gothenburg, 19 January 2012)

Survey finds almost half of SharePoint users disregard the security within SharePoint, and copy sensitive or confidential documents to insecure hard drives, USB keys or even email them to a third party.

Read more: SharePoint Users Develop Insecure Habits - FierceContentManagement

Healthcare IT News (Sacramento, 23 November 2011)

The theft of a computer during a break-in in October has spurred a $1B class action lawsuit against Sutter Health, according to a report published today by the Sacramento Bee. The computer contained data on more than 4 million patients.

See also: Room for improvement on security, HIMSS survey shows

Page 11

Complexity = Higher Risks and Costs

Page 12

“Hub” Model reduces complexity and variability while maintaining collaboration and interoperability

SOA: Service-Oriented Architecture

Page 13

Challenge: connect, collaborate and compartmentalize

Microsoft Connected Health Framework Business and Technical Framework (Joint Architecture)

http://hce.codeplex.com/

Page 14

Microsoft Business Solutions as part of a Connected Health Framework

• Patient Encounters

• CPG

• HIPAA Direct Identifiers

• EEOI

• ePHI

• SharePoint 2010

• Dynamics CRM

• Office365

Unstructured Data

Intake Forms

EHR Integration

R&D

BPM

Clinical Workflow

Page 15

Microsoft Business Solutions as part of a Connected Health Framework

Current example: multi-site resident treatment facility

- Provider emails (nurse/contract doctors)

- Word documents (patient notes) on file servers – unsecured

- PDFs (scanned records/PHI) on file servers – unsecured

- no encryption

- no search

- no IAM beyond Windows authentication

- 2011 EHR adoption

Current example 2: ePHI data with SSN being exported as whatever file type

- No control over what file type

- No way to force encryption

- No way to force a file save location (\\share\phi_encrypted_folder)

Page 16

Enterprise Security Planning

• PRIVACY IMPACT ASSESSMENT

• 18 direct identifiers (HIPAA)

• “content shielding”

• Data architecture

• Encryption of data at rest/data in motion

• 2 factor authentication

• Perimeter topologies

• Segmentation and compartmentalization of PHI/PII (logical and physical)

• Wireless (RFID/Bluetooth)

• Business Continuity

• Backup and Recovery

• Mobile Device Management/BYOD World

Page 17

Security Architecture – SPS2010: S = (Px * Ay)

• Authorization: Authentication, Federated ID, Classic/Claims, IIS/STS

• UPM: Permissions, Security Groups

• Business Connectivity Services: Data Level Security, LOB Integration

• Hardware: Endpoint Security, Mobile, Remote

Page 18

Behavioral Factors: Security Architecture

S = (Px * Ay)

• #hcsm

• User population challenges

• clinicians

• business associates

• domain knowledge

•“Prurient interest”

• Mobile technologies

Page 19

“Can’t Do it Alone:” Security Ecosystem

On Premise:

• SP2010 Native (20%): Governance, UPM/IAM

• ISV (60%): Network, Data at Rest

Cloud (ISV 100%):

• Office365 (12/14/2011): HIPAA/EU compliance, BAA

Page 20

Sample: Security Planning Checklist

• Content types (PHI/PII)

• ECM/OCR

• Digital Rights Management (DRM)

• Business Connectivity Services and Visio Services (external data sources)

• Excel, lists, SQL, custom data providers

• Integrated Windows with constrained Kerberos

• Metadata and tagging (PHI/PII)

• Blogs and wikis (PHI)

• Plan permission levels and groups (least privileges) – providers and business associates

• Plan site permissions

• Fine-grained permissions (item-level)

• Security groups (custom)

• Contribute permissions

Page 21

Best Practices: Preventative Model

• Involve HIPAA specialists early in the planning process. (This is NOT an IT problem)

• Privacy Impact Assessment: PHI, ePHI, PII (Compartmentalization and segregation)

• Trust, but verify

• Look to experts to help with existing implementations. (Domain expertise in healthcare and clinical workflow as well as HIPAA/HITECH privacy and security)

• Use connected health framework reference model

• Governance, governance, governance

Page 22

Governance: Adapting the Joint Commission Continuous Process Improvement Model

• Plan: Technical, Physical, Administrative Safeguards

• Document: Joint Commission, Policies, Procedures, IT Governance

• Train: Clinical, Administrative and Business Associates

• Track: Training, Compliance, Incidents, Access… everything

• Review: Flexibility, Agility, Architect for Change

Page 23

Page 24

• Unstructured Data

– Scan

– Quarantine PII

– Tag

• Compliance and Reporting

– Enhance control of all ePHI and PII

– In line with HIPAA and HITECH Act regulation

© 2011 AvePoint, Inc. All rights reserved. No part of this may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, without the prior written consent of AvePoint, Inc.

Page 25

• Security

– Easily set Rules and Permissions in bulk

– Run scheduled reports on all SharePoint Activity

– Safely archive inactive data for compliance

• Workflow Management

– Rearrange taxonomy to meet evolving business needs

– Full fidelity backup and restoration of data

– Improved performance, environment monitoring


Page 26

References

• AIS Case Study on Records Management and Compliance (SP2007): http://www.appliedis.com/pdfs/Military%20Grade%20Compliance%20for%20SharePoint%20WP.pdf

• Good Data Means Good Government: http://gcn.com/Articles/2012/02/06/Good-metadata-and-good-government.aspx?Page=2

• 2012 Healthcare Data Trends: http://databreachinsurancequote.com/wp-content/uploads/2012/01/2012_trends_healthcare_data.pdf

Page 27

http://ideas.appliedis.com

http://lifeincapslock.com

Thank You! For more information…