security and privacy in sharepoint 2010: healthcare best practices


Upload: marie-michelle-strah-phd

Post on 05-Dec-2014


DESCRIPTION

Webinar 11/2/2011 presented by M. Strah, Planet Technologies and M. Fleck, CipherPoint Software.

TRANSCRIPT

Page 1: Security and Privacy in SharePoint 2010: Healthcare Best Practices

© 2011 PLANET TECHNOLOGIES, INC.

Security and Privacy in SharePoint 2010: Healthcare

Webinar presented by: Planet Technologies and CipherPoint Software

NOVEMBER 2, 2011

Page 2: Security and Privacy in SharePoint 2010: Healthcare Best Practices

Agenda

1. Overview – Mr. Jim Hietala, CipherPoint Software
2. Security and Privacy in SharePoint 2010: Healthcare – Dr. Marie-Michelle Strah, Planet Technologies
3. CipherPoint Demo and Case Studies – Mr. Mike Fleck, CipherPoint Software
4. Q&A

Page 3: Security and Privacy in SharePoint 2010: Healthcare Best Practices

Presenters

www.go-planet.com

Microsoft Gold Partner

• 5x Federal Partner of the Year
• 2x State and Local Government Partner of the Year
• 2011 xRM Partner of the Year

Page 4: Security and Privacy in SharePoint 2010: Healthcare Best Practices

Objectives

• Introduction: Why SharePoint for healthcare?
• Context: ARRA/HITECH: INFOSEC and connected health information
• Reference models: security, enterprise architecture and compliance for healthcare
• Best Practices: privacy and security in Microsoft SharePoint Server 2010

Page 5: Security and Privacy in SharePoint 2010: Healthcare Best Practices

What keeps a CMIO up at night?

Excerpted from John D. Halamka, MD, Life as a Healthcare CIO blog…

• Unstructured data
• Compliance
• Security
• Workforce recruitment

http://geekdoctor.blogspot.com/2011/10/what-keeps-me-up-at-night-fy12-edition.html

Page 6: Security and Privacy in SharePoint 2010: Healthcare Best Practices

Microsoft SharePoint in Healthcare

• Public/Private Partnerships
• Collaborative, Cross-disciplinary care delivery
• Web Content Management and Outreach
• Patient/Veteran Relationship Management
• Clinical Decision Support
• Data Analytics
• Logistics and Asset Management
• EHR Integration
• “Meaningful Use”

Enterprise Content Management

Practice Management and Hospital Administration

Research and Collaboration

Patient Engagement

Page 7: Security and Privacy in SharePoint 2010: Healthcare Best Practices


Planning for Security and the “Black Swan”

Page 8: Security and Privacy in SharePoint 2010: Healthcare Best Practices

Privacy

• Data (opt in/out)
• PHI
• PII

“Black Swans”

• Consumer Engagement
• Business Associates

Page 9: Security and Privacy in SharePoint 2010: Healthcare Best Practices

Enterprise Security Model

S = (P_x * A_y)

Information Security (Collaborative Model) equals People (all actors and agents) times Architecture (technical, physical and administrative).

Page 10: Security and Privacy in SharePoint 2010: Healthcare Best Practices

From HIPAA to HITECH…

Health Insurance Portability and Accountability Act of 1996 (HIPAA) (Pub L 104–191, 110 Stat 1936)

The Health Information Technology for Economic and Clinical Health Act (HITECH Act), enacted on February 17, 2009

American Recovery and Reinvestment Act of 2009 (ARRA) (Pub L 111-5, 123 Stat 115)

Page 11: Security and Privacy in SharePoint 2010: Healthcare Best Practices

S = (P_x * A_y): do the HITECH math…

“Business Associates” (45 CFR §160.103):

• Legal
• Accounting
• Administrative
• Claims Processing
• Data Analysis
• QA
• Billing
• Contractors

Consumer Engagement

• Application of HIPAA Security Standards to Business Associates (42 USC §17931)
• New Security Breach Requirements (42 USC §17932(j))
• Electronic Access Mandatory for Patients (42 USC §17935(e))
• Prohibited Sale of PHI without Patient Authorization (42 USC §17935(d))

Page 12: Security and Privacy in SharePoint 2010: Healthcare Best Practices


Complexity = Higher Risk and Costs

Page 13: Security and Privacy in SharePoint 2010: Healthcare Best Practices

“Hub” Model reduces complexity and variability while maintaining collaboration and interoperability

SOA (Service-Oriented Architecture)

Page 14: Security and Privacy in SharePoint 2010: Healthcare Best Practices

Microsoft Connected Health Framework: Business and Technical Framework (Joint Architecture)

http://hce.codeplex.com/

Page 15: Security and Privacy in SharePoint 2010: Healthcare Best Practices

Security Architecture: SharePoint Server 2010

(Diagram; row labels and items recovered from the slide)

Authorization: Authentication, Federated ID, Classic/Claims, IIS/STS, UPM, Permissions, Security Groups

Business Connectivity Services: Data Level Security, LOB Integration

Hardware: Endpoint Security, Mobile, Remote

S = (P_x * A_y)

Page 16: Security and Privacy in SharePoint 2010: Healthcare Best Practices

Behavioral Factors: Security Architecture

S = (P_x * A_y)

• #hcsm
• User population challenges
  - clinicians
  - business associates
  - domain knowledge
• “Prurient interest”
• Mobile technologies

Page 17: Security and Privacy in SharePoint 2010: Healthcare Best Practices

Enterprise Security Planning

• PIA (Privacy Impact Assessment)
• Encryption: data at rest/data in motion
• Perimeter topologies
• Segmentation and compartmentalization of PHI/PII (logical and physical)
• Wireless (RFID/Bluetooth)
• Business Continuity
• Backup and Recovery

Page 18: Security and Privacy in SharePoint 2010: Healthcare Best Practices

Security Planning Considerations (SharePoint 2010)

• Content types (PHI/PII)
• ECM/OCR
• Digital Rights Management (DRM)
• Business Connectivity Services and Visio Services (external data sources)
  – Excel, lists, SQL, custom data providers
  – Integrated Windows with constrained Kerberos
• Metadata and tagging (PHI/PII)
• Blogs and wikis (PHI)
• Plan permission levels and groups (least privileges) – providers and business associates
• Plan site permissions
• Fine-grained permissions (item-level)
• Security groups (custom)
• Contribute permissions

Page 19: Security and Privacy in SharePoint 2010: Healthcare Best Practices

The Security Lifecycle: SharePoint Deployments

Adapting the Joint Commission Continuous Process Improvement Model…

• Plan: Technical, Physical, Administrative Safeguards
• Document: Joint Commission, Policies, Procedures, IT Governance
• Train: Clinical, Administrative and Business Associates
• Track: Training, Compliance, Incidents, Access… everything
• Review: Flexibility, Agility, Architect for Change

Page 20: Security and Privacy in SharePoint 2010: Healthcare Best Practices

Best Practices – Proactive Security Model

• Involve HIPAA/HITECH specialists early in the planning process. (This is NOT an IT problem.)
• Consider removing PHI from the equation. (Compartmentalization and segregation.)
• Evaluate the outsourcing option. Trust, but verify.
• Look to experts to help with existing implementations. (Domain expertise in healthcare and clinical workflow as well as HIPAA/HITECH privacy and security.)
• Use the Connected Health Framework reference model.
• Extend SharePoint: ISVs create effective and compliant solutions.

CipherPoint: Enterprise Content Management, Administration, Total Disk Encryption, PII/508 Compliance

Page 21: Security and Privacy in SharePoint 2010: Healthcare Best Practices

Comprehensive Security Model

• Case Studies
• SharePoint is an enabler for healthcare transformation
• Introduction to CipherPoint

Page 22: Security and Privacy in SharePoint 2010: Healthcare Best Practices

Thank You and Contact Information

www.go-planet.com

Microsoft Gold Partner

• 5x Federal Partner of the Year
• 2x State and Local Government Partner of the Year
• 2011 xRM Partner of the Year