This document provides a summary of a presentation on securing Microsoft technologies for HITECH compliance. It discusses how Microsoft business solutions can help with healthcare information security and compliance with privacy laws like HIPAA and HITECH. It outlines challenges around managing unstructured data, compliance, security, and recruitment in healthcare. The presentation addresses privacy, data security, and how technologies like SharePoint can help with managing electronic protected health information and personally identifiable information according to healthcare regulations.
3. Objectives
Introduction: Why Microsoft Business Solutions for healthcare?
• Context: ARRA/HITECH: INFOSEC and connected health information
• Reference models: security, enterprise architecture and compliance for healthcare
• Best Practices: privacy and security in Microsoft SharePoint Server 2010, Microsoft Dynamics CRM and Office365
Panel: Q&A
4. What keeps a CMIO up at night?
Excerpted from John D. Halamka, MD, Life as a Healthcare CIO Blog…
• Unstructured data
• Compliance
• Security
• Workforce recruitment
http://geekdoctor.blogspot.com/2011/10/what-keeps-me-up-at-night-fy12-edition.html
6. 2012 = Year of Privacy and ECM
Privacy
• Data (opt in/out)
• PHI
• PII
“Black Swans”
• Consumer Engagement
• Business Associates
7. Enterprise Security Model
$IS = (P \times A)$
Information Security (Collaborative Model) equals People (all actors and agents) times Architecture (technical, physical and administrative).
8. 2012: From HIPAA to HITECH and “Meaningful Use”
• Health Insurance Portability and Accountability Act of 1996 (HIPAA) (Pub L 104–191, 110 Stat 1936)
• The Health Information Technology for Economic and Clinical Health Act (HITECH Act), enacted on February 17, 2009
• American Recovery and Reinvestment Act of 2009 (ARRA) (Pub L 111-5, 123 Stat 115)
9. Complexity: RM, ECM and eDiscovery
$IS = (P \times A)$ … do the HITECH math…
Application of HIPAA Security Standards to Business Associates (“Business Associates”: 42 USC §17931; 45 CFR §160.103)
• Legal
• Accounting
• Administrative
• Claims Processing
• Data Analysis
• QA
• Billing
New Security Breach Requirements: 42 USC §17932(j)
Electronic Access Mandatory for Patients: 42 USC §17935(e)
Prohibited Sale of PHI without Patient Authorization: 42 USC §17935(d)
Consumer Engagement
10. You Don’t Believe Me?: In the News
Recent Cryptzone Survey (Gothenburg, 19 January 2012): Survey finds almost half of SharePoint users disregard the security within SharePoint, and copy sensitive or confidential documents to insecure hard drives, USB keys or even email it to a third party. Read more: SharePoint Users Develop Insecure Habits - FierceContentManagement
Healthcare IT News (Sacramento, 23 November 2011): The theft of a computer during a break-in in October has spurred a $1B class action lawsuit against Sutter Health, according to a report published today by the Sacramento Bee. The computer contained data on more than 4 million patients. See also: Room for improvement on security, HIMSS survey shows
13. Challenge: connect, collaborate and compartmentalize
Microsoft Connected Health Framework Business and Technical Framework (Joint Architecture)
http://hce.codeplex.com/
14. Microsoft Business Solutions as part of a Connected Health Framework
[Diagram labels]
• Patient Encounters
• CPG
• HIPAA Direct Identifiers
• EEOI
• ePHI
• SharePoint 2010
• Dynamics CRM
• Office365
Clinical Workflow, EHR Integration, Intake Forms, Unstructured Data, R&D, BPM
15. Microsoft Business Solutions as part of a Connected Health Framework
Current example: multi-site resident treatment facility
- Provider emails (nurse/contract doctors)
- Word documents (patient notes) on file servers - unsecured
- PDFs (scanned records/PHI) on file servers - unsecured
- No encryption
- No search
- No IAM beyond Windows authentication
- 2011 EHR adoption
Current example 2:
ePHI data with SSN being exported as whatever file type
- No control over what file type
- No way to force encryption
- No way to force a file save location (sharephi_encrypted_folder)
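The three missing controls in example 2, as an added example that is not part of the presentation: a Python export gate that allow-lists file types, requires anything containing direct identifiers to land under the encrypted folder, and pattern-checks for the SSN, phone and email identifiers. The allowed types, the folder path (modelled on the sharephi_encrypted_folder name) and the sample record are constructed assumptions.

```python
import re
from pathlib import PurePosixPath

# Constructed policy for this example (not values from the presentation):
# ePHI exports may only use these file types and must land in the encrypted share.
ENCRYPTED_FOLDER = PurePosixPath("/shares/sharephi_encrypted_folder")
ALLOWED_TYPES = {".docx", ".pdf", ".xlsx"}

# Pattern-detectable subset of the HIPAA direct identifiers. The SSN pattern
# rejects area/group/serial values that are never issued (000, 666, 9xx; 00; 0000).
IDENTIFIER_PATTERNS = {
    "ssn": re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "phone": re.compile(r"(?<!\d)\(?\d{3}\)?[-. ]\d{3}[-. ]\d{4}\b"),
}

def find_identifiers(text):
    """Return {identifier kind: count} for every direct identifier present."""
    found = {}
    for kind, pattern in IDENTIFIER_PATTERNS.items():
        hits = len(pattern.findall(text))
        if hits:
            found[kind] = hits
    return found

def check_export(dest, text):
    """Decide whether an export may be written to dest.

    Returns (allowed, reasons). Every violated rule is reported, so the user
    and the audit log see the full picture rather than only the first failure.
    """
    path = PurePosixPath(dest)
    reasons = []
    if path.suffix.lower() not in ALLOWED_TYPES:
        reasons.append(f"file type {path.suffix or '(none)'} is not permitted for ePHI export")
    identifiers = find_identifiers(text)
    if identifiers and ENCRYPTED_FOLDER not in path.parents:
        kinds = ", ".join(sorted(identifiers))
        reasons.append(f"content contains direct identifiers ({kinds}) "
                       f"but {path.parent} is outside {ENCRYPTED_FOLDER}")
    return (not reasons, reasons)

# Constructed sample record, not real patient data.
SAMPLE_RECORD = ("Intake note: Jane Sample, SSN 123-45-6789, "
                 "phone (916) 555-0134, contact jane.sample@example.org")

if __name__ == "__main__":
    for dest in ("/home/nurse/Desktop/export.csv",
                 "/shares/sharephi_encrypted_folder/intake/export.docx"):
        allowed, why = check_export(dest, SAMPLE_RECORD)
        print(dest, "ALLOWED" if allowed else "BLOCKED", why)
```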
16. Enterprise Security Planning
• PRIVACY IMPACT ASSESSMENT
• 18 direct identifiers (HIPAA)
• “content shielding”
• Data architecture
• Encryption of data at rest/data in motion
• 2 factor authentication
• Perimeter topologies
• Segmentation and compartmentalization of PHI/PII (logical and physical)
• Wireless (RFID/Bluetooth)
• Business Continuity
• Backup and Recovery
• Mobile Device Management/BYOD World
17. Security Architecture – SPS2010
[Diagram labels]
Authentication: Federated ID, Classic/Claims, IIS/STS
Authorization: Permissions Security, Groups
Business Connectivity Services: Data Level Security, LOB Integration
Hardware: Endpoint Security, Mobile, Remote
UPM
$IS = (P \times A)$
18. Behavioral Factors: Security Architecture
• #hcsm
• User population challenges
• clinicians
• business associates
• domain knowledge
• “Prurient interest”
• Mobile technologies
$IS = (P \times A)$
19. “Can’t Do it Alone:” Security Ecosystem
[Diagram labels]
SP2010 On Premise: Native, ISV, Network, Governance, Data at Rest, UPM/IAM (20%, 60%, 100%)
ISV Cloud (12/14/2011): Office365, HIPAA/EU compliance, BAA
20. Sample: Security Planning Checklist
• Content types (PHI/PII)
• ECM/OCR
• Digital Rights Management (DRM)
• Business Connectivity Services and Visio Services (external data sources)
• Excel, lists, SQL, custom data providers
• Integrated Windows with constrained Kerberos
• Metadata and tagging (PHI/PII)
• Blogs and wikis (PHI)
• Plan permission levels and groups (least privileges) – providers and business associates
• Plan site permissions
• Fine-grained permissions (item-level)
• Security groups (custom)
• Contribute permissions
21. Best Practices: Preventative Model
• Involve HIPAA specialists early in the planning process. (This is NOT an IT problem)
• Privacy Impact Assessment: PHI, ePHI, PII (Compartmentalization and segregation)
• Trust, but verify
• Look to experts to help with existing implementations. (Domain expertise in healthcare and clinical workflow as well as HIPAA/HITECH privacy and security)
• Use connected health framework reference model
• Governance, governance, governance
22. Governance: Adapting the Joint Commission Continuous Process Improvement Model
Plan
• Technical, Physical, Administrative Safeguards
Document
• Joint Commission, Policies, Procedures, IT Governance
Train
• Clinical, Administrative and Business Associates
Track
• Training, Compliance, Incidents, Access… everything
Review
• Flexibility, Agility, Architect for Change
27. Thank You! For more information…
http://ideas.appliedis.com
http://lifeincapslock.com