Security and Privacy in SharePoint 2010: Healthcare Best Practices
DESCRIPTION
Webinar 11/2/2011 presented by M. Strah, Planet Technologies and M. Fleck, CipherPoint Software.
TRANSCRIPT
© 2011 PLANET TECHNOLOGIES, INC.
Security and Privacy in SharePoint 2010: Healthcare
Webinar presented by: Planet Technologies and CipherPoint Software
November 2, 2011
Agenda
1. Overview – Mr. Jim Hietala, CipherPoint Software
2. Security and Privacy in SharePoint 2010: Healthcare – Dr. Marie-Michelle Strah, Planet Technologies
3. CipherPoint Demo and Case Studies – Mr. Mike Fleck, CipherPoint Software
4. Q&A
Presenters
www.go-planet.com
Microsoft Gold Partner
• 5x Federal Partner of the Year
• 2x State and Local Government Partner of the Year
• 2011 xRM Partner of the Year
Objectives
• Introduction: Why SharePoint for healthcare?
• Context: ARRA/HITECH: INFOSEC and connected health information
• Reference models: security, enterprise architecture and compliance for healthcare
• Best Practices: privacy and security in Microsoft SharePoint Server 2010
What keeps a CMIO up at night?
Excerpted from John D. Halamka, MD, Life as a Healthcare CIO blog…
• Unstructured data
• Compliance
• Security
• Workforce recruitment
http://geekdoctor.blogspot.com/2011/10/what-keeps-me-up-at-night-fy12-edition.html
Microsoft SharePoint in Healthcare
• Public/Private Partnerships
• Collaborative, Cross-disciplinary care delivery
• Web Content Management and Outreach
• Patient/Veteran Relationship Management
• Clinical Decision Support
• Data Analytics
• Logistics and Asset Management
• EHR Integration
• “Meaningful Use”
Solution areas (diagram): Enterprise Content Management; Practice Management and Hospital Administration; Research and Collaboration; Patient Engagement
Planning for Security and the “Black Swan”
Privacy
• Data (opt in/out)
• PHI
• PII
“Black Swans”
• Consumer Engagement
• Business Associates
Enterprise Security Model
S = (Px * Ay)
Information Security (Collaborative Model) equals People (all actors and agents) times Architecture (technical, physical and administrative)
From HIPAA to HITECH…
Health Insurance Portability and Accountability Act of 1996 (HIPAA) (Pub L 104–191, 110 Stat 1936)
The Health Information Technology for Economic and Clinical Health Act (HITECH Act), enacted on February 17, 2009
American Recovery and Reinvestment Act of 2009 (ARRA) (Pub L 111-5, 123 Stat 115)
S = (Px * Ay): do the HITECH math…
“Business Associates” (45 CFR §160.103):
• Legal
• Accounting
• Administrative
• Claims Processing
• Data Analysis
• QA
• Billing
• Contractors
Consumer Engagement
• Application of HIPAA Security Standards to Business Associates (42 USC §17931)
• New Security Breach Requirements (42 USC §17932(j))
• Electronic Access Mandatory for Patients (42 USC §17935(e))
• Prohibited Sale of PHI without Patient Authorization (42 USC §17935(d))
Complexity = Higher Risk and Costs
“Hub” Model reduces complexity and variability while maintaining collaboration and interoperability
SOA (Service-Oriented Architecture)
Microsoft Connected Health Framework: Business and Technical Framework (Joint Architecture)
http://hce.codeplex.com/
Security Architecture: SharePoint Server 2010 (diagram labels)
Authorization: Authentication (Federated ID, Classic/Claims, IIS/STS, UPM); Permissions (Security Groups)
Business Connectivity Services: Data Level Security; LOB Integration
Hardware: Endpoint Security; Mobile; Remote
S = (Px * Ay)
Behavioral Factors: Security Architecture
S = (Px * Ay)
• #hcsm
• User population challenges
  - clinicians
  - business associates
  - domain knowledge
• “Prurient interest”
• Mobile technologies
Enterprise Security Planning
PIA (Privacy Impact Assessment)
Encryption
Data at rest/data in motion
Perimeter topologies
Segmentation and compartmentalization of PHI/PII (logical and physical)
Wireless (RFID/Bluetooth)
Business Continuity
Backup and Recovery
Security Planning Considerations (SharePoint 2010)
Content types (PHI/PII)
ECM/OCR
Digital Rights Management (DRM)
Business Connectivity Services and Visio Services (external data sources)
– Excel, lists, SQL, custom data providers
– Integrated Windows with constrained Kerberos
Metadata and tagging (PHI/PII)
Blogs and wikis (PHI)
Plan permission levels and groups (least privileges) – providers and business associates
Plan site permissions
Fine-grained permissions (item-level)
Security groups (custom)
Contribute permissions
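An added example, not from the webinar or either vendor, of the least-privilege permission planning listed above: a PHI library in SharePoint Server 2010 stops inheriting site permissions, a custom group for a business associate gets Contribute only, and the resulting assignments are listed for review. It uses the SharePoint 2010 Management Shell and the server object model; the site URL, library name, group name and account are hypothetical.

```powershell
# Added example: least-privilege scoping of a PHI library in SharePoint 2010.
# Site URL, library, group and account names below are hypothetical.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$web  = Get-SPWeb "http://intranet.contoso.local/sites/clinical"   # hypothetical site
$list = $web.Lists["Patient Records"]                               # hypothetical PHI library

# 1. Stop inheriting the site's permissions so broad site groups no longer
#    reach the PHI library. $false = do not copy the parent's assignments.
if (-not $list.HasUniqueRoleAssignments) {
    $list.BreakRoleInheritance($false)
}

# 2. Custom SharePoint group for the business associate, bound to the
#    Contribute permission level rather than Design or Full Control.
$groupName = "BA - Claims Processing"                               # hypothetical group
$group = $web.SiteGroups | Where-Object { $_.Name -eq $groupName }
if (-not $group) {
    $owner = $web.EnsureUser("CONTOSO\privacyofficer")             # hypothetical account
    $web.SiteGroups.Add($groupName, $owner, $null, "Business associate: claims processing")
    $group = $web.SiteGroups | Where-Object { $_.Name -eq $groupName }
}
$assignment = New-Object Microsoft.SharePoint.SPRoleAssignment($group)
$assignment.RoleDefinitionBindings.Add($web.RoleDefinitions["Contribute"])
$list.RoleAssignments.Add($assignment)
$list.Update()

# 3. Review: list every principal with access to the library and flag any
#    binding above Contribute, which is the access-tracking step in the lifecycle.
foreach ($ra in $list.RoleAssignments) {
    $levels = ($ra.RoleDefinitionBindings | ForEach-Object { $_.Name }) -join ", "
    $flag   = if ($levels -match "Full Control|Design") { "REVIEW" } else { "ok" }
    "{0,-40} {1,-30} {2}" -f $ra.Member.Name, $levels, $flag
}
$web.Dispose()
```

Run it under an account that holds Manage Permissions on the site; the review loop is the part worth scheduling, since inheritance that is later restored by a site owner silently re-exposes the library.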
The Security Lifecycle: SharePoint Deployments
Adapting the Joint Commission Continuous Process Improvement Model…
• Plan: Technical, Physical, Administrative Safeguards
• Document: Joint Commission, Policies, Procedures, IT Governance
• Train: Clinical, Administrative and Business Associates
• Track: Training, Compliance, Incidents, Access… everything
• Review: Flexibility, Agility, Architect for Change
Best Practices – Proactive Security Model
Involve HIPAA/HITECH specialists early in the planning process. (This is NOT an IT problem)
Consider removing PHI from the equation. (Compartmentalization and segregation)
Evaluate the outsourcing option. Trust, but verify.
Look to experts to help with existing implementations. (Domain expertise in healthcare and clinical workflow as well as HIPAA/HITECH privacy and security)
Use the Connected Health Framework reference model.
Extend SharePoint: ISVs create effective and compliant solutions.
CipherPoint: Enterprise Content Management, Administration, Total Disk Encryption, PII/508 Compliance
Comprehensive Security Model
• Case Studies
• SharePoint is an enabler for healthcare transformation
• Introduction to CipherPoint
Thank You and Contact Information
www.go-planet.com