Security and Privacy in SharePoint 2010: Healthcare Best Practices
1. Security and Privacy in SharePoint 2010: Healthcare
Webinar presented by: Planet Technologies and
CipherPoint Software
NOVEMBER 2, 2011
© 2011 PLANET TECHNOLOGIES, INC.
2. Agenda
1. Overview – Mr. Jim Hietala, CipherPoint Software
2. Security and Privacy in SharePoint 2010: Healthcare – Dr. Marie-Michelle Strah, Planet Technologies
3. CipherPoint Demo and Case Studies – Mr. Mike Fleck, CipherPoint Software
4. Q&A
3. Presenters
Microsoft Gold Partner
• 5x Federal Partner of the Year
• 2x State and Local Government Partner of the Year
• 2011 xRM Partner of the Year
www.go-planet.com
4. Objectives
• Introduction: Why SharePoint for healthcare?
• Context: ARRA/HITECH: INFOSEC and connected health information
• Reference models: security, enterprise architecture and compliance for healthcare
• Best Practices: privacy and security in Microsoft SharePoint Server 2010
5. What keeps a CMIO up at night?
Excerpted from John D. Halamka, MD, Life as a Healthcare CIO blog:
• Unstructured data
• Compliance
• Security
• Workforce recruitment
http://geekdoctor.blogspot.com/2011/10/what-keeps-me-up-at-night-fy12-edition.html
6. Microsoft SharePoint in Healthcare
Application areas:
• Enterprise Content Management
• Practice and Hospital Management / Administration
• Patient Engagement
• Research and Collaboration
Capabilities:
• EHR Integration
• Clinical Decision Support
• “Meaningful Use”
• Data Analytics
• Logistics and Asset Management
• Public/Private Partnerships
• Web Content Management and Outreach
• Patient/Veteran Relationship Management
• Collaborative, cross-disciplinary care delivery
8. Privacy
• Data (opt in/out)
• PHI
• PII
• “Black Swans”
• Consumer Engagement
• Business Associates
9. Enterprise Security Model
$\mathrm{IS} = (P \times A)$
Information Security (Collaborative Model)
equals
People (all actors and agents)
times
Architecture (technical, physical and administrative)
10. From HIPAA to HITECH…
Health Insurance Portability and Accountability Act of 1996 (HIPAA) (Pub. L. 104–191, 110 Stat. 1936)
The Health Information Technology for Economic and Clinical Health Act (HITECH Act), enacted on February 17, 2009 as Title XIII of the
American Recovery and Reinvestment Act of 2009 (ARRA) (Pub. L. 111-5, 123 Stat. 115)
11. $\mathrm{IS} = (P \times A)$: do the HITECH math…
“Business Associates” (45 CFR §160.103):
• Legal
• Accounting
• Administrative
• Claims Processing
• Data Analysis
• QA
• Billing
• Contractors
Consumer Engagement
HITECH provisions:
• Application of HIPAA Security Standards to Business Associates – 42 USC §17931
• New Security Breach Requirements – 42 USC §17932(j)
• Electronic Access Mandatory for Patients – 42 USC §17935(e)
• Prohibited Sale of PHI without Patient Authorization – 42 USC §17935(d)
14. Microsoft Connected Health Framework: Business and Technical Framework (Joint Architecture)
http://hce.codeplex.com/
15. Security Architecture SharePoint Server 2010
Authentication: Federated ID, Classic/Claims, IIS/STS
Permissions: UPM, Authorization, Security Groups
Data Level Security: Business Connectivity Services, LOB Integration
Endpoint Security: Hardware, Mobile, Remote
$\mathrm{IS} = (P \times A)$
16. Behavioral Factors: Security Architecture
• #hcsm
• User population challenges: clinicians, business associates, domain knowledge
• “Prurient interest”
• Mobile technologies
$\mathrm{IS} = (P \times A)$
17. Enterprise Security Planning
• PIA (Privacy Impact Assessment)
• Encryption: data at rest / data in motion
• Perimeter topologies
• Segmentation and compartmentalization of PHI/PII (logical and physical)
• Wireless (RFID/Bluetooth)
• Business Continuity: backup and recovery
18. Security Planning Considerations (SharePoint 2010)
Content and data:
• Content types (PHI/PII)
• Metadata and tagging (PHI/PII)
• ECM/OCR
• Blogs and wikis (PHI)
• Digital Rights Management (DRM)
• Business Connectivity Services and Visio Services (external data sources)
  – Excel, lists, SQL, custom data providers
  – Integrated Windows authentication with Kerberos constrained delegation
Permissions:
• Plan permission levels and groups (least privilege) – providers and business associates
• Plan site permissions
• Fine-grained permissions (item-level)
• Security groups (custom)
• Contribute permissions
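The permission-planning items above (least-privilege groups, item-level fine-grained permissions, custom security groups, Contribute rights) are only enforceable if you can see what a site collection actually grants. The script below is an added example written for this page, not code from the webinar or from Planet Technologies or CipherPoint. It uses the SharePoint 2010 server object model through the Microsoft.SharePoint.PowerShell snap-in and must be run in the SharePoint 2010 Management Shell on a farm server by an account that can read every web. The site URL, the list of catch-all principals and the choice of which permission levels count as "sensitive" are assumptions for illustration.

```powershell
# Added example (not from the webinar deck): least-privilege audit of a SharePoint 2010
# site collection. Run in the SharePoint 2010 Management Shell on a farm server, as an
# account that can read every web. Site URL, principal names and role list are assumptions.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$SiteUrl = "https://intranet.contoso.local/sites/clinical"   # assumed site collection

# Catch-all principals: if these hold Contribute or higher, PHI is writable by everyone.
# Classic-mode and claims-mode (SharePoint 2010) encodings are both listed.
$BroadPrincipals = @(
    "NT AUTHORITY\authenticated users",   # classic Windows authentication
    "c:0(.s|true",                        # claims: All Authenticated Users
    "c:0!.s|windows",                     # claims: All Windows Users
    "Everyone"
)
# Permission levels that allow creating or changing content (assumed threshold).
$SensitiveRoles = @("Full Control", "Design", "Contribute")

function New-Finding($scope, $url, $principal, $roles, $finding) {
    New-Object PSObject -Property @{
        Scope = $scope; Url = $url; Principal = $principal; Roles = $roles; Finding = $finding }
}

# Inspect one securable object (SPWeb, SPList or SPListItem) and emit findings.
function Test-SecurableObject($object, $scope, $url) {
    foreach ($ra in $object.RoleAssignments) {
        $member = $ra.Member            # SPUser (person or AD group) or SPGroup
        $roles  = ($ra.RoleDefinitionBindings | ForEach-Object { $_.Name }) -join ", "
        $granted = @($ra.RoleDefinitionBindings | Where-Object { $SensitiveRoles -contains $_.Name })
        if ($granted.Count -eq 0) { continue }   # read-only grants are out of scope here

        # Finding 1: write access granted to a catch-all principal.
        if ($BroadPrincipals -contains $member.LoginName) {
            New-Finding $scope $url $member.Name $roles "Contribute-or-higher granted to all users"
            continue
        }
        # Finding 2: write access granted directly to a person instead of through a
        # SharePoint or AD security group (unmanageable and hard to track in audits).
        if ($member -is [Microsoft.SharePoint.SPUser] -and -not $member.IsDomainGroup) {
            New-Finding $scope $url $member.LoginName $roles "Direct user grant (use a group)"
        }
    }
}

# Walk every web, list and item in the site collection. Scanning items is what makes
# fine-grained (item-level) permissions visible; it is slow on large libraries.
function Invoke-PhiPermissionAudit([string]$siteUrl) {
    $site = Get-SPSite $siteUrl
    try {
        foreach ($web in $site.AllWebs) {
            try {
                if ($web.IsRootWeb -or $web.HasUniqueRoleAssignments) {
                    Test-SecurableObject $web "Web" $web.Url
                }
                foreach ($list in $web.Lists) {
                    $listUrl = "$($web.Url)/$($list.RootFolder.Url)"
                    if ($list.HasUniqueRoleAssignments) {
                        Test-SecurableObject $list "List" $listUrl
                    }
                    foreach ($item in $list.Items) {
                        if (-not $item.HasUniqueRoleAssignments) { continue }
                        $itemUrl = "$($web.Url)/$($item.Url)"
                        # Finding 3: each item with broken inheritance is an ACL that the
                        # list and web permissions no longer describe; it must be documented.
                        New-Finding "Item" $itemUrl "" "" "Item-level unique permissions"
                        Test-SecurableObject $item "Item" $itemUrl
                    }
                }
            } finally { $web.Dispose() }     # SPWeb holds unmanaged resources; always dispose
        }
    } finally { $site.Dispose() }
}

$report = @(Invoke-PhiPermissionAudit $SiteUrl)
$report | Select-Object Scope, Url, Principal, Roles, Finding |
    Export-Csv -Path "$env:TEMP\sp2010-phi-permission-audit.csv" -NoTypeInformation
$report | Group-Object Finding | Select-Object Count, Name | Format-Table -AutoSize
```

The CSV is the artifact to keep with the "Track" step of the lifecycle: every direct user grant, every catch-all grant and every item with unique permissions becomes a line that a HIPAA/HITECH reviewer can accept or order fixed. Permission levels are matched by name, so a farm with custom levels (a copy of Contribute renamed for clinicians, for example) should add them to the sensitive list before trusting the report.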
19. The Security Lifecycle: SharePoint Deployments
Adapting the Joint Commission Continuous Process Improvement Model…
Plan
•Technical, Physical, Administrative Safeguards
Document
•Joint Commission, Policies, Procedures, IT Governance
Train
•Clinical, Administrative and Business Associates
Track
•Training, Compliance, Incidents, Access…. everything
Review
•Flexibility, Agility, Architect for Change
20. Best Practices – Proactive Security Model
Involve HIPAA/HITECH specialists early in the planning process.
(This is NOT an IT problem)
Consider removing PHI from the equation.
(Compartmentalization and segregation)
Evaluate the outsourcing option. Trust, but verify.
Look to experts to help with existing implementations. (Domain
expertise in healthcare and clinical workflow as well as
HIPAA/HITECH privacy and security)
Use connected health framework reference model
Extend SharePoint: ISVs create effective and compliant solutions
• CipherPoint
• Enterprise Content Management, Administration, Total Disk Encryption, PII/508 Compliance
21. Comprehensive Security Model
• Case Studies
• SharePoint is an enabler for healthcare transformation
• Introduction to CipherPoint
22. Thank You and Contact Information
www.go-planet.com