Security and Privacy in SharePoint 2010: Healthcare Best Practices

Security and Privacy in SharePoint 2010: Healthcare

Webinar presented by: Planet Technologies and
CipherPoint Software

NOVEMBER 2, 2011

© 2011 PLANET TECHNOLOGIES, INC.

Agenda
1. Overview – Mr. Jim Hietala, CipherPoint Software

2. Security and Privacy in SharePoint 2010: Healthcare – Dr.
Marie-Michelle Strah, Planet Technologies

3. CipherPoint Demo and Case Studies – Mr. Mike Fleck,
CipherPoint Software

4. Q&A

Presenters

Microsoft Gold Partner

• 5x Federal Partner of
the Year
• 2x State and Local
Government Partner
of the Year
• 2011 xRM Partner of
the Year

www.go-planet.com


Objectives

Objectives
• Introduction: Why SharePoint for
healthcare?
• Context: ARRA/HITECH: INFOSEC and
connected health information
• Reference models: security, enterprise
architecture and compliance for
healthcare
• Best Practices: privacy and security in
Microsoft SharePoint Server 2010


What keeps a CMIO up at night?

Excerpted from John D.
Halamka, MD Life as a
Healthcare CIO Blog…

• Unstructured data
• Compliance
• Security
• Workforce recruitment

http://geekdoctor.blogspot.com/2011/10/what-keeps-me-up-at-night-fy12-
edition.html

Microsoft SharePoint in Healthcare

•EHR Integration •Clinical Decision
•“Meaningful Use” Support
•Data Analytics
•Logistics and Asset
Management

Practice
Enterprise
Management
Content
and Hospital
Management
Administration

Patient Research and
Engagement Collaboration
•Public/Private
•Web Content Partnerships
Management and
Outreach •Collaborative,
Cross-
•Patient/Veteran disciplinary
Relationship care delivery
Management


Planning for Security and the “Black Swan”


Privacy
• Data (opt in/out)
• PHI
• PII

“Black Swans”

• Consumer
Engagement
• Business Associates

Enterprise Security Model

��
�� = (�� ∗ �� )
Information Security (Collaborative Model)
Equals
People (all actors and agents)
Times
Architecture (technical, physical and
administrative)


From HIPAA to HITECH…

 Health Insurance Portability and Accountability
Act of 1996 (HIPAA) (Pub L 104–191, 110 Stat
1936)
 The Health Information Technology for
Economic and Clinical Health Act (HITECH Act),
enacted on February 17, 2009
 American Recovery and Reinvestment Act of
2009 (ARRA) (Pub L 111-5, 123 Stat 115)


�� = (�� ∗ �� ) do the HITECH math… ��

“Business Associates”: • Application of HIPAA Security
• Legal Standards to Business
Associates
• Accounting
• 42 USC §17931
• Administrative
• Claims Processing • New Security Breach
• Data Analysis Requirements
• QA • 42 USC §17932(j)
• Billing
• Contractors • Electronic Access Mandatory
for Patients 42 USC 17935(e)
45 CFR §160.103
• Prohibited Sale of PHI without
Patient Authorization 42 USC
Consumer Engagement §17935(d)


Complexity = Higher Risk and Costs


SOA (Service-Oriented Architecture)

“Hub” Model reduces complexity and variability
while maintaining collaboration and interoperability


Microsoft Connected Health Framework Business and Technical Framework
(Joint Architecture)
http://hce.codeplex.com/

Security Architecture SharePoint Server 2010

Authentication Permissions Data Level Endpoint

Services

Hardware
UPM
Authorization

Business Connectivity
Federated ID Security Security Security
Classic/Claims Groups LOB Mobile
Integration Remote
IIS/STS

��
�� = (�� ∗ �� )

Behavioral Factors: Security Architecture

• #hcsm
• User population challenges
-clinicians
-business associates
-domain knowledge
• “Prurient interest”
• Mobile technologies

��
�� = (�� ∗ �� )

Enterprise Security Planning

 PIA (Privacy Impact Assessment)
 Encryption
 Data at rest/data in motion
 Perimeter topologies
 Segmentation and compartmentalization of PHI/PII
(logical and physical)
 Wireless (RFID/Bluetooth)
 Business Continuity
 Backup and Recovery


Security Planning Considerations (SharePoint 2010)

 Content types (PHI/PII)  Metadata and tagging (PHI/PII)
 ECM/OCR  Blogs and wikis (PHI)
 Digital Rights Management (DRM)  Plan permission levels and groups
 Business Connectivity Services and (least privileges) – providers and
Visio Services (external data business associates
sources)  Plan site permissions
– Excel, lists, SQL, custom data  Fine-grained permissions (item-
providers level)
– Integrated Windows with  Security groups (custom)
constrained Kerberos  Contribute permissions


The Security Lifecycle: SharePoint Deployments

Adapting the Joint Commission Continuous Process Improvement Model…
Plan

•Technical, Physical, Administrative Safeguards

Document

•Joint Commission, Policies, Procedures, IT Governance

Train

•Clinical, Administrative and Business Associates

Track

•Training, Compliance, Incidents, Access…. everything

Review

•Flexibility, Agility, Architect for Change


Best Practices – Proactive Security Model

 Involve HIPAA/HITECH specialists early in the planning process.
(This is NOT an IT problem)
 Consider removing PHI from the equation.
(Compartmentalization and segregation)
 Evaluate the outsourcing option. Trust, but verify.
 Look to experts to help with existing implementations. (Domain
expertise in healthcare and clinical workflow as well as
HIPAA/HITECH privacy and security)
 Use connected health framework reference model

 Extend SharePoint: ISVs create effective and compliant solution
CipherPoint
Enterprise Content Management, Administration, Total Disk
Encryption, PII/508 Compliance

Comprehensive Security Model

• Case Studies
• SharePoint is an enabler
for healthcare
transformation
• Introduction to
CipherPoint


Thank You and Contact Information

Microsoft Gold Partner

• 5x Federal Partner of
the Year
• 2x State and Local
Government Partner
of the Year
• 2011 xRM Partner of
the Year

www.go-planet.com


Security and Privacy in SharePoint 2010: Healthcare Best Practices

Recommandé

Recommandé

Contenu connexe

Plus de Marie-Michelle Strah, PhD

Plus de Marie-Michelle Strah, PhD (12)

Dernier

Dernier (20)

Security and Privacy in SharePoint 2010: Healthcare Best Practices