securing microsoft technologies for hitech compliance
Description: Updated presentation 2/13/2012 with references from #spsphilly
Transcript:
Securing Microsoft Technologies for
HITECH Compliance: Update 2/13/2012
Marie-Michelle Strah, PhD
SharePoint Saturday Philadelphia 2/4/2012
http://ideas.appliedis.com
http://lifeincapslock.com
Introductions
Objectives
Introduction: Why Microsoft Business Solutions for healthcare?
• Context: ARRA/HITECH: INFOSEC and connected health information
• Reference models: security, enterprise architecture and compliance for healthcare
• Best Practices: privacy and security in Microsoft SharePoint Server 2010, Microsoft Dynamics CRM and Office365
Panel: Q&A
What keeps a CMIO up at night?
Excerpted from John D. Halamka, MD, Life as a Healthcare CIO Blog…
• Unstructured data
• Compliance
• Security
• Workforce recruitment
http://geekdoctor.blogspot.com/2011/10/what-keeps-me-up-at-night-fy12-edition.html
Planning for Security and the “Black Swan”
Privacy
• Data (opt in/out)
• PHI
• PII
“Black Swans”
• Consumer Engagement
• Business Associates
2012 = Year of Privacy and ECM
S = (Px * Ay): Information Security (Collaborative Model)
Security equals People (all actors and agents) times Architecture (technical, physical and administrative)
Enterprise Security Model
2012: From HIPAA to HITECH and “Meaningful Use”
• Health Insurance Portability and Accountability Act of 1996 (HIPAA) (Pub L 104–191, 110 Stat 1936)
• The Health Information Technology for Economic and Clinical Health Act (HITECH Act), enacted on February 17, 2009
• American Recovery and Reinvestment Act of 2009 (ARRA) (Pub L 111-5, 123 Stat 115)
S = (Px * Ay): do the HITECH math…
“Business Associates”:
• Legal
• Accounting
• Administrative
• Claims Processing
• Data Analysis
• QA
• Billing
45 CFR §160.103
Consumer Engagement
Application of HIPAA Security Standards to Business Associates: 42 USC §17931
New Security Breach Requirements: 42 USC §17932(j)
Electronic Access Mandatory for Patients: 42 USC §17935(e)
Prohibited Sale of PHI without Patient Authorization: 42 USC §17935(d)
Complexity: RM, ECM and eDiscovery
You Don’t Believe Me?: In the News
Recent Cryptzone Survey (Gothenburg, 19 January 2012)
Survey finds almost half of SharePoint users disregard the security within SharePoint, and copy sensitive or confidential documents to insecure hard drives, USB keys or even email it to a third party.
Read more: SharePoint Users Develop Insecure Habits - FierceContentManagement
Healthcare IT News (Sacramento, 23 November 2011)
The theft of a computer during a break-in in October has spurred a $1B class action lawsuit against Sutter Health, according to a report published today by the Sacramento Bee. The computer contained data on more than 4 million patients.
See also: Room for improvement on security, HIMSS survey shows
Complexity = Higher Risks and Costs
“Hub” Model reduces complexity and variability while maintaining collaboration and interoperability
SOA: Service-Oriented Architecture
Challenge: connect, collaborate and compartmentalize
Microsoft Connected Health Framework Business and Technical Framework (Joint Architecture)
http://hce.codeplex.com/
Microsoft Business Solutions as part of a Connected Health Framework
• Patient Encounters
• CPG
• HIPAA Direct Identifiers
• EEOI
• ePHI
• SharePoint 2010
• Dynamics CRM
• Office365
Unstructured Data
Intake Forms
EHR Integration
R&D
BPM
Clinical Workflow
Microsoft Business Solutions as part of a Connected Health Framework
Current example: multi-site resident treatment facility
- Provider emails (nurse/contract doctors)
- Word documents (patient notes) on file servers – unsecured
- PDFs (scanned records/PHI) on file servers – unsecured
- No encryption
- No search
- No IAM beyond Windows authentication
- 2011 EHR adoption
Current example 2: ePHI data with SSN being exported as whatever file type
- No control over what file type
- No way to force encryption
- No way to force a file save location (\\share\phi_encrypted_folder)
Enterprise Security Planning
• PRIVACY IMPACT ASSESSMENT
• 18 direct identifiers (HIPAA)
• “content shielding”
• Data architecture
• Encryption of data at rest/data in motion
• 2 factor authentication
• Perimeter topologies
• Segmentation and compartmentalization of PHI/PII (logical and physical)
• Wireless (RFID/Bluetooth)
• Business Continuity
• Backup and Recovery
• Mobile Device Management/BYOD World
Security Architecture – SPS2010
Authorization: Authentication, Federated ID, Classic/Claims, IIS/STS
UPM: Permissions, Security Groups
Business Connectivity Services: Data Level Security, LOB Integration
Hardware: Endpoint Security, Mobile, Remote
S = (Px * Ay)
Behavioral Factors: Security Architecture
S = (Px * Ay)
• #hcsm
• User population challenges
• clinicians
• business associates
• domain knowledge
• “Prurient interest”
• Mobile technologies
• Native
• 20%
SP2010
• Governance
• UPM/IAM
• 60%
ISV
• Network
• Data at Rest
• 100%
ISV
Cloud 12/14/2011
• Office365 HIPAA/EU compliance
• BAA
On Premise
“Can’t Do it Alone:” Security Ecosystem
Sample: Security Planning Checklist
• Content types (PHI/PII)
• ECM/OCR
• Digital Rights Management (DRM)
• Business Connectivity Services and Visio Services (external data sources)
• Excel, lists, SQL, custom data providers
• Integrated Windows with constrained Kerberos
• Metadata and tagging (PHI/PII)
• Blogs and wikis (PHI)
• Plan permission levels and groups (least privileges) – providers and business associates
• Plan site permissions
• Fine-grained permissions (item-level)
• Security groups (custom)
• Contribute permissions
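A worked version of the “least privileges” items in the checklist above for one SharePoint Server 2010 document library holding PHI, added here as an example and not part of the deck: it breaks permission inheritance, creates custom groups for providers and business associates, grants them Contribute and Read respectively, and reports anyone left with Full Control. The site URL, library title and group names are placeholders.

```powershell
# Added example (not from the deck): least-privilege permissions on a PHI document
# library in SharePoint Server 2010. Run in the SharePoint 2010 Management Shell on a
# farm server. Site URL, library title and group names below are placeholders.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$siteUrl     = "http://intranet.example.local/sites/clinical"   # placeholder
$libraryName = "Patient Notes (PHI)"                             # placeholder
$web  = Get-SPWeb $siteUrl
$list = $web.Lists[$libraryName]

# 1. Stop inheriting from the site, so site-wide Contribute or Full Control does not
#    leak into PHI. $false = do not copy the parent's role assignments.
if (-not $list.HasUniqueRoleAssignments) { $list.BreakRoleInheritance($false) }

# 2. Custom security groups for the deck's two actor classes.
function Ensure-Group([string]$name, [string]$description) {
    $g = $web.SiteGroups | Where-Object { $_.Name -eq $name }
    if ($g -eq $null) {
        $web.SiteGroups.Add($name, $web.Site.Owner, $null, $description)
        $g = $web.SiteGroups | Where-Object { $_.Name -eq $name }
    }
    return $g
}
$providers  = Ensure-Group "PHI Providers"           "Clinicians who author patient notes"
$associates = Ensure-Group "PHI Business Associates" "BAA-covered third parties, read only"

# 3. Bind each group to the least role that lets it work: Contribute for providers
#    (add/edit items, no permission management), Read for business associates.
function Grant-Role($securable, $group, [string]$roleName) {
    $ra = New-Object Microsoft.SharePoint.SPRoleAssignment($group)
    $ra.RoleDefinitionBindings.Add($web.RoleDefinitions[$roleName])
    $securable.RoleAssignments.Add($ra)
}
Grant-Role $list $providers  "Contribute"
Grant-Role $list $associates "Read"
$list.Update()

# 4. Check: list every principal still holding Full Control on the library. Anything
#    other than the site owners group (or the account that ran this script) is a
#    finding to review against the Privacy Impact Assessment.
foreach ($ra in $list.RoleAssignments) {
    $roles = $ra.RoleDefinitionBindings | ForEach-Object { $_.Name }
    if ($roles -contains "Full Control") {
        Write-Warning ("Full Control on '{0}' held by {1}" -f $libraryName, $ra.Member.Name)
    }
}
$web.Dispose()
```

Step 4 is the part worth scheduling: re-running it after each permission change catches item-level grants that quietly re-introduce Full Control on PHI.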
Best Practices: Preventative Model
• Involve HIPAA specialists early in the planning process. (This is NOT an IT problem)
• Privacy Impact Assessment: PHI, ePHI, PII (Compartmentalization and segregation)
• Trust, but verify
• Look to experts to help with existing implementations. (Domain expertise in healthcare and clinical workflow as well as HIPAA/HITECH privacy and security)
• Use connected health framework reference model
• Governance, governance, governance
Governance: Adapting the Joint Commission Continuous Process Improvement Model
Plan
• Technical, Physical, Administrative Safeguards
Document
• Joint Commission, Policies, Procedures, IT Governance
Train
• Clinical, Administrative and Business Associates
Track
• Training, Compliance, Incidents, Access…. everything
Review
• Flexibility, Agility, Architect for Change
• Unstructured Data
– Scan
– Quarantine PII
– Tag
• Compliance and Reporting
– Enhance control of all ePHI and PII
– In line with HIPAA and HITECH Act regulation
© 2011 AvePoint, Inc. All rights reserved. No part of this may be reproduced, stored in a retrieval system, or transmitted in any form or by any means,
without the prior written consent of AvePoint, Inc.
• Security
– Easily set Rules and Permissions in bulk
– Run scheduled reports on all SharePoint Activity
– Safely archive inactive data for compliance
• Workflow Management
– Rearrange taxonomy to meet evolving business needs
– Full fidelity backup and restoration of data
– Improved performance, environment monitoring
References
• AIS Case Study on Records Management and Compliance (SP2007): http://www.appliedis.com/pdfs/Military%20Grade%20Compliance%20for%20SharePoint%20WP.pdf
• Good Data Means Good Government: http://gcn.com/Articles/2012/02/06/Good-metadata-and-good-government.aspx?Page=2
• 2012 Healthcare Data Trends: http://databreachinsurancequote.com/wp-content/uploads/2012/01/2012_trends_healthcare_data.
Thank You! For more information…
http://ideas.appliedis.com
http://lifeincapslock.com