Security and Privacy in SharePoint 2010: Healthcare Best Practices

Agenda 1. Overview – Mr. Jim Hietala, CipherPoint Software 2. Security and Privacy in SharePoint 2010: Healthcare – Dr. Marie-Michelle Strah, Planet Technologies 3. CipherPoint Demo and Case Studies – Mr. Mike Fleck, CipherPoint Software 4. Q&A

Objectives Objectives • Introduction: Why SharePoint for healthcare? • Context: ARRA/HITECH: INFOSEC and connected health information • Reference models: security, enterprise architecture and compliance for healthcare • Best Practices: privacy and security in Microsoft SharePoint Server 2010© 2011 PLANET TECHNOLOGIES, INC.

What keeps a CMIO up at night?Excerpted from John D.Halamka, MD Life as aHealthcare CIO Blog…• Unstructured data• Compliance• Security• Workforce recruitment http://geekdoctor.blogspot.com/2011/10/what-keeps-me-up-at-night-fy12- edition.html © 2011 PLANET TECHNOLOGIES, INC.

Microsoft SharePoint in Healthcare •EHR Integration •Clinical Decision •“Meaningful Use” Support •Data Analytics •Logistics and Asset Management Practice Enterprise Management Content and Hospital Management Administration Patient Research and Engagement Collaboration •Public/Private •Web Content Partnerships Management and Outreach •Collaborative, Cross- •Patient/Veteran disciplinary Relationship care delivery Management© 2011 PLANET TECHNOLOGIES, INC.

Enterprise Security Model �� = (�� ∗ �� ) Information Security (Collaborative Model) Equals People (all actors and agents) Times Architecture (technical, physical and administrative)© 2011 PLANET TECHNOLOGIES, INC.

From HIPAA to HITECH…  Health Insurance Portability and Accountability Act of 1996 (HIPAA) (Pub L 104–191, 110 Stat 1936)  The Health Information Technology for Economic and Clinical Health Act (HITECH Act), enacted on February 17, 2009  American Recovery and Reinvestment Act of 2009 (ARRA) (Pub L 111-5, 123 Stat 115)© 2011 PLANET TECHNOLOGIES, INC.

�� = (�� ∗ �� ) do the HITECH math… �� “Business Associates”: • Application of HIPAA Security• Legal Standards to Business Associates• Accounting • 42 USC §17931• Administrative• Claims Processing • New Security Breach• Data Analysis Requirements• QA • 42 USC §17932(j)• Billing• Contractors • Electronic Access Mandatory for Patients 42 USC 17935(e)45 CFR §160.103 • Prohibited Sale of PHI without Patient Authorization 42 USCConsumer Engagement §17935(d) © 2011 PLANET TECHNOLOGIES, INC.

Security Architecture SharePoint Server 2010 Authentication Permissions Data Level Endpoint Services Hardware UPM Authorization Business Connectivity Federated ID Security Security Security Classic/Claims Groups LOB Mobile Integration Remote IIS/STS �� = (�� ∗ �� ) © 2011 PLANET TECHNOLOGIES, INC.

Behavioral Factors: Security Architecture • #hcsm • User population challenges -clinicians -business associates -domain knowledge • “Prurient interest” • Mobile technologies �� = (�� ∗ �� )© 2011 PLANET TECHNOLOGIES, INC.

Enterprise Security Planning PIA (Privacy Impact Assessment) Encryption Data at rest/data in motion Perimeter topologies Segmentation and compartmentalization of PHI/PII (logical and physical) Wireless (RFID/Bluetooth) Business Continuity Backup and Recovery© 2011 PLANET TECHNOLOGIES, INC.

Security Planning Considerations (SharePoint 2010)  Content types (PHI/PII)  Metadata and tagging (PHI/PII)  ECM/OCR  Blogs and wikis (PHI)  Digital Rights Management (DRM)  Plan permission levels and groups  Business Connectivity Services and (least privileges) – providers and Visio Services (external data business associates sources)  Plan site permissions – Excel, lists, SQL, custom data  Fine-grained permissions (item- providers level) – Integrated Windows with  Security groups (custom) constrained Kerberos  Contribute permissions© 2011 PLANET TECHNOLOGIES, INC.

The Security Lifecycle: SharePoint DeploymentsAdapting the Joint Commission Continuous Process Improvement Model… Plan •Technical, Physical, Administrative Safeguards Document •Joint Commission, Policies, Procedures, IT Governance Train •Clinical, Administrative and Business Associates Track •Training, Compliance, Incidents, Access…. everything Review •Flexibility, Agility, Architect for Change© 2011 PLANET TECHNOLOGIES, INC.

Best Practices – Proactive Security Model  Involve HIPAA/HITECH specialists early in the planning process. (This is NOT an IT problem)  Consider removing PHI from the equation. (Compartmentalization and segregation)  Evaluate the outsourcing option. Trust, but verify.  Look to experts to help with existing implementations. (Domain expertise in healthcare and clinical workflow as well as HIPAA/HITECH privacy and security)  Use connected health framework reference model  Extend SharePoint: ISVs create effective and compliant solution CipherPoint Enterprise Content Management, Administration, Total Disk Encryption, PII/508 Compliance © 2011 PLANET TECHNOLOGIES, INC.

Thank You and Contact Information Microsoft Gold Partner • 5x Federal Partner of the Year • 2x State and Local Government Partner of the Year • 2011 xRM Partner of the Year www.go-planet.com© 2011 PLANET TECHNOLOGIES, INC.

Security and Privacy in SharePoint 2010: Healthcare Best Practices

by Marie-Michelle Strah, PhD

Accessibility

Categories

Upload Details

Usage Rights

1 Embed 3

Statistics

Security and Privacy in SharePoint 2010: Healthcare Best Practices Presentation Transcript