Securing Microsoft Technologies for HITECH Compliance
Presentation at SharePoint Saturday NYC, July 28, 2012. Event information here: http://www.sharepointsaturday.org/ny/Pages/LanyrdSpeakers.aspx
Presentation Transcript

  • Securing Microsoft Technologies for HITECH Compliance
  • Thanks to Our Sponsors!
  • Introductions: Systems in Balance, http://lifeincapslock.com
  • Context: ARRA/HITECH: INFOSEC and connected health information
  • What keeps a CMIO up at night? Unstructured data. http://geekdoctor.blogspot.com/2011/10/what-keeps-me-up-at-night-fy12-edition.html
  • Minimum (NIST): Repeat After Me:
  • Enterprise Security Model: $S = (P^{x} \ast A^{y})$. Information Security (Collaborative Model) equals People (all actors and agents) times Architecture (technical, physical and administrative).
  • 2012: From HIPAA to HITECH and “Meaningful Use”
  • Complexity: RM, ECM and eDiscovery. $S = (P^{x} \ast A^{y})$: do the HITECH math…
    “Business Associates” (45 CFR §160.103): Legal; Accounting; Administrative; Claims Processing; Data Analysis; QA; Billing.
    Application of HIPAA Security Standards to Business Associates: 42 USC §17931.
    New Security Breach Requirements: 42 USC §17932(j).
    Electronic Access Mandatory for Patients: 42 USC §17935(e).
    Prohibited Sale of PHI without Patient Authorization: 42 USC §17935(d).
    Consumer Engagement.
  • Cryptzone Survey, Gothenburg, 19 January 2012: Survey finds almost half of SharePoint users disregard the security within SharePoint, and copy sensitive or confidential documents to insecure hard drives, USB keys or even email it to a third party. Read more: SharePoint Users Develop Insecure Habits - FierceContentManagement
  • Reference models: security, enterprise architecture and compliance for healthcare
  • Complexity = Higher Risks and Costs
  • SOA: Service-Oriented Architecture. The “Hub” model reduces complexity and variability while maintaining collaboration and interoperability.
  • Challenge: connect, collaborate and compartmentalize. Microsoft Connected Health Framework: Business and Technical Framework (Joint Architecture), http://hce.codeplex.com/
  • Enterprise Security Planning: Privacy Impact Assessment: 18 direct identifiers (HIPAA); “content shielding”; data architecture. Mobile Device Management/BYOD World.
  • What usually happens… (layer: control)
    User: Active Directory
    Device: (none)
    Browser: HTTPS
    SharePoint: Permissions
    Database: (none)
    Storage: (none)
  • Security Reference Architecture (layer: control)
    User: Strong authentication
    Device: Whole disk encryption
    Browser: HTTPS
    SharePoint: Permissions
    Database: Auditing & alerting
    Storage: Document & List encryption; Mandatory access controls
  • Security Architecture – SPS2010 (diagram): Authentication (Classic/Claims, IIS/STS); Permissions (Groups); Data Level (Business Connectivity Security, LOB); Endpoint Services (Mobile Integration, Remote); Authorization/UPM (Federated ID); Hardware Security. $S = (P^{x} \ast A^{y})$
  • Best Practices: privacy and security in Microsoft SharePoint Server 2010, Azure and Office 365
  • “Can’t Do it Alone:” On Premise Security Ecosystem (diagram labels: Native, ISV, Network, Governance, Data at Rest, UPM/IAM, SP2010 ISV; coverage figures 20%, 60%, 100%)
  • Sample: Security Planning Checklist
    Content types (PHI/PII)
    ECM/OCR
    Digital Rights Management (DRM)
    Business Connectivity Services and Visio Services (external data sources): Excel, lists, SQL, custom data providers
    Integrated Windows with constrained Kerberos
    Metadata and tagging (PHI/PII)
    Blogs and wikis (PHI)
    Plan permission levels and groups (least privileges) – providers and business associates
    Plan site permissions
    Fine-grained permissions (item-level)
    Security groups (custom)
    Contribute permissions
  • Best Practices: Preventative Model. NIST Guidelines: 2 Factor Authentication; Encryption of Data at Rest; Encryption of Data in Motion. Trust, but verify… It’s all about the data… 18 HIPAA Direct Identifiers; Clinical Expertise.
  • Governance: Adapting the Joint Commission Continuous Process Improvement Model
    Plan: Technical, Physical, Administrative Safeguards
    Document: Joint Commission, Policies, Procedures, IT Governance
    Train: Clinical, Administrative and Business Associates
    Track: Training, Compliance, Incidents, Access… everything
    Review: Flexibility, Agility, Architect for Change
  • © 2011 AvePoint, Inc. All rights reserved. No part of this may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, without the prior written consent of AvePoint, Inc. 34 | SharePoint Saturday New York City 2011
  • Thank You! Phydian Systems, http://lifeincapslock.com, Systems in Balance