Securing Microsoft Technologies for HITECH Compliance
Presentation at SharePoint Saturday NYC, July 28, 2012. Event information here: http://www.sharepointsaturday.org/ny/Pages/LanyrdSpeakers.aspx

  1. Securing Microsoft Technologies for HITECH Compliance
  2. 2 | SharePoint Saturday New York City 2011
  3. Thanks to Our Sponsors!
  4. Introductions: Systems in Balance, http://lifeincapslock.com
  6. Context: ARRA/HITECH: INFOSEC and connected health information
  7. What keeps a CMIO up at night? Unstructured data. http://geekdoctor.blogspot.com/2011/10/what-keeps-me-up-at-night-fy12-edition.html
  8. Minimum (NIST): Repeat After Me:
  9. Enterprise Security Model: $S = (P_x \ast A_y)$. Information Security (Collaborative Model) equals People (all actors and agents) times Architecture (technical, physical and administrative).
  10. 2012: From HIPAA to HITECH and “Meaningful Use”
  11. Complexity: RM, ECM and eDiscovery. $S = (P_x \ast A_y)$: do the HITECH math…
     - Application of HIPAA Security Standards to Business Associates (42 USC §17931). “Business Associates” (45 CFR §160.103): Legal, Accounting, Administrative, Claims Processing, Data Analysis, QA, Billing
     - New Security Breach Requirements: 42 USC §17932(j)
     - Electronic Access Mandatory for Patients: 42 USC §17935(e)
     - Prohibited Sale of PHI without Patient Authorization: 42 USC §17935(d)
     - Consumer Engagement
  12. Cryptzone Survey, Gothenburg, 19 January 2012: survey finds almost half of SharePoint users disregard the security within SharePoint, and copy sensitive or confidential documents to insecure hard drives, USB keys or even email them to a third party. Read more: SharePoint Users Develop Insecure Habits - FierceContentManagement
  13. Reference models: security, enterprise architecture and compliance for healthcare
  14. Complexity = Higher Risks and Costs
  15. SOA: Service-Oriented Architecture. The “Hub” Model reduces complexity and variability while maintaining collaboration and interoperability.
  16. Challenge: connect, collaborate and compartmentalize. Microsoft Connected Health Framework, Business and Technical Framework (Joint Architecture): http://hce.codeplex.com/
  17. Enterprise Security Planning: Privacy Impact Assessment
     - 18 direct identifiers (HIPAA)
     - “content shielding”
     - data architecture
     - Mobile Device Management / BYOD world
  18. What usually happens…
     - User: Active Directory
     - Device
     - Browser: HTTPS
     - SharePoint: Permissions
     - Database
     - Storage
  19. Security Reference Architecture
     - User: Strong authentication
     - Device: Whole disk encryption
     - Browser: HTTPS
     - SharePoint: Permissions
     - Database: Auditing & alerting
     - Storage: Document & List encryption; Mandatory access controls
  20. Security Architecture – SPS2010. Columns: Authentication, Permissions/Authorization, Data Level Security, Endpoint Security, Services Security. Elements shown: Federated ID, Classic/Claims, IIS/STS, UPM, Groups, Hardware, Business Connectivity, LOB, Mobile, Integration, Remote. $S = (P_x \ast A_y)$
  21. Best Practices: privacy and security in Microsoft SharePoint Server 2010, Azure and Office 365
  22. “Can’t Do it Alone”: On-Premise Security Ecosystem: Native SP2010, ISV (Governance, Data at Rest, UPM/IAM) and Network, with coverage figures of 20%, 60% and 100% shown on the slide.
  23. Sample: Security Planning Checklist
     - Content types (PHI/PII)
     - ECM/OCR
     - Digital Rights Management (DRM)
     - Business Connectivity Services and Visio Services (external data sources): Excel, lists, SQL, custom data providers
     - Integrated Windows with constrained Kerberos
     - Metadata and tagging (PHI/PII)
     - Blogs and wikis (PHI)
     - Plan permission levels and groups (least privilege): providers and business associates
     - Plan site permissions
     - Fine-grained permissions (item-level)
     - Security groups (custom)
     - Contribute permissions
  24. Best Practices: Preventative Model. NIST Guidelines: 2-factor authentication, encryption of data at rest, encryption of data in motion. Trust, but verify… It’s all about the data… 18 HIPAA direct identifiers. Clinical expertise.
  25. Governance: Adapting the Joint Commission Continuous Process Improvement Model
     - Plan: Technical, Physical, Administrative Safeguards
     - Document: Joint Commission, Policies, Procedures, IT Governance
     - Train: Clinical, Administrative and Business Associates
     - Track: Training, Compliance, Incidents, Access… everything
     - Review: Flexibility, Agility, Architect for Change
  30. © 2011 AvePoint, Inc. All rights reserved. No part of this may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, without the prior written consent of AvePoint, Inc.
  32. Thank You! Phydian Systems, http://lifeincapslock.com, Systems in Balance