Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Security and Privacy in SharePoint 2010: Healthcare Best Practices


Published on

Webinar 11/2/2011 presented by M. Strah, Planet Technologies and M. Fleck, CipherPoint Software.

Published in: Technology, Business
  • Be the first to like this

Security and Privacy in SharePoint 2010: Healthcare Best Practices

  1. 1. Security and Privacy in SharePoint 2010: Healthcare Webinar presented by: Planet Technologies and CipherPoint Software NOVEMBER 2, 2011 © 2011 PLANET TECHNOLOGIES, INC.
  2. 2. Agenda 1. Overview – Mr. Jim Hietala, CipherPoint Software 2. Security and Privacy in SharePoint 2010: Healthcare – Dr. Marie-Michelle Strah, Planet Technologies 3. CipherPoint Demo and Case Studies – Mr. Mike Fleck, CipherPoint Software 4. Q&A
  3. 3. Presenters Microsoft Gold Partner • 5x Federal Partner of the Year • 2x State and Local Government Partner of the Year • 2011 xRM Partner of the Year© 2011 PLANET TECHNOLOGIES, INC.
  4. 4. Objectives Objectives • Introduction: Why SharePoint for healthcare? • Context: ARRA/HITECH: INFOSEC and connected health information • Reference models: security, enterprise architecture and compliance for healthcare • Best Practices: privacy and security in Microsoft SharePoint Server 2010© 2011 PLANET TECHNOLOGIES, INC.
  5. 5. What keeps a CMIO up at night?Excerpted from John D.Halamka, MD Life as aHealthcare CIO Blog…• Unstructured data• Compliance• Security• Workforce recruitment edition.html © 2011 PLANET TECHNOLOGIES, INC.
  6. 6. Microsoft SharePoint in Healthcare •EHR Integration •Clinical Decision •“Meaningful Use” Support •Data Analytics •Logistics and Asset Management Practice Enterprise Management Content and Hospital Management Administration Patient Research and Engagement Collaboration •Public/Private •Web Content Partnerships Management and Outreach •Collaborative, Cross- •Patient/Veteran disciplinary Relationship care delivery Management© 2011 PLANET TECHNOLOGIES, INC.
  7. 7. Planning for Security and the “Black Swan”© 2011 PLANET TECHNOLOGIES, INC.
  8. 8. Privacy • Data (opt in/out) • PHI • PII “Black Swans” • Consumer Engagement • Business Associates© 2011 PLANET TECHNOLOGIES, INC.
  9. 9. Enterprise Security Model ������ ������ ������ = (������ ∗ ������ ) Information Security (Collaborative Model) Equals People (all actors and agents) Times Architecture (technical, physical and administrative)© 2011 PLANET TECHNOLOGIES, INC.
  10. 10. From HIPAA to HITECH…  Health Insurance Portability and Accountability Act of 1996 (HIPAA) (Pub L 104–191, 110 Stat 1936)  The Health Information Technology for Economic and Clinical Health Act (HITECH Act), enacted on February 17, 2009  American Recovery and Reinvestment Act of 2009 (ARRA) (Pub L 111-5, 123 Stat 115)© 2011 PLANET TECHNOLOGIES, INC.
  11. 11. ������ = (������ ∗ ������ ) do the HITECH math… ������ ������“Business Associates”: • Application of HIPAA Security• Legal Standards to Business Associates• Accounting • 42 USC §17931• Administrative• Claims Processing • New Security Breach• Data Analysis Requirements• QA • 42 USC §17932(j)• Billing• Contractors • Electronic Access Mandatory for Patients 42 USC 17935(e)45 CFR §160.103 • Prohibited Sale of PHI without Patient Authorization 42 USCConsumer Engagement §17935(d) © 2011 PLANET TECHNOLOGIES, INC.
  12. 12. Complexity = Higher Risk and Costs© 2011 PLANET TECHNOLOGIES, INC.
  13. 13. SOA (Service-Oriented Architecture)“Hub” Model reduces complexity and variabilitywhile maintaining collaboration and interoperability© 2011 PLANET TECHNOLOGIES, INC.
  14. 14. Microsoft Connected Health Framework Business and Technical Framework (Joint Architecture)© 2011 PLANET TECHNOLOGIES, INC.
  15. 15. Security Architecture SharePoint Server 2010 Authentication Permissions Data Level Endpoint Services Hardware UPM Authorization Business Connectivity Federated ID Security Security Security Classic/Claims Groups LOB Mobile Integration Remote IIS/STS ������ ������ ������ = (������ ∗ ������ ) © 2011 PLANET TECHNOLOGIES, INC.
  16. 16. Behavioral Factors: Security Architecture • #hcsm • User population challenges -clinicians -business associates -domain knowledge • “Prurient interest” • Mobile technologies ������ ������ ������ = (������ ∗ ������ )© 2011 PLANET TECHNOLOGIES, INC.
  17. 17. Enterprise Security Planning PIA (Privacy Impact Assessment) Encryption Data at rest/data in motion Perimeter topologies Segmentation and compartmentalization of PHI/PII (logical and physical) Wireless (RFID/Bluetooth) Business Continuity Backup and Recovery© 2011 PLANET TECHNOLOGIES, INC.
  18. 18. Security Planning Considerations (SharePoint 2010)  Content types (PHI/PII)  Metadata and tagging (PHI/PII)  ECM/OCR  Blogs and wikis (PHI)  Digital Rights Management (DRM)  Plan permission levels and groups  Business Connectivity Services and (least privileges) – providers and Visio Services (external data business associates sources)  Plan site permissions – Excel, lists, SQL, custom data  Fine-grained permissions (item- providers level) – Integrated Windows with  Security groups (custom) constrained Kerberos  Contribute permissions© 2011 PLANET TECHNOLOGIES, INC.
  19. 19. The Security Lifecycle: SharePoint DeploymentsAdapting the Joint Commission Continuous Process Improvement Model… Plan •Technical, Physical, Administrative Safeguards Document •Joint Commission, Policies, Procedures, IT Governance Train •Clinical, Administrative and Business Associates Track •Training, Compliance, Incidents, Access…. everything Review •Flexibility, Agility, Architect for Change© 2011 PLANET TECHNOLOGIES, INC.
  20. 20. Best Practices – Proactive Security Model  Involve HIPAA/HITECH specialists early in the planning process. (This is NOT an IT problem)  Consider removing PHI from the equation. (Compartmentalization and segregation)  Evaluate the outsourcing option. Trust, but verify.  Look to experts to help with existing implementations. (Domain expertise in healthcare and clinical workflow as well as HIPAA/HITECH privacy and security)  Use connected health framework reference model  Extend SharePoint: ISVs create effective and compliant solution CipherPoint Enterprise Content Management, Administration, Total Disk Encryption, PII/508 Compliance © 2011 PLANET TECHNOLOGIES, INC.
  21. 21. Comprehensive Security Model• Case Studies• SharePoint is an enabler for healthcare transformation• Introduction to CipherPoint© 2011 PLANET TECHNOLOGIES, INC.
  22. 22. Thank You and Contact Information Microsoft Gold Partner • 5x Federal Partner of the Year • 2x State and Local Government Partner of the Year • 2011 xRM Partner of the Year© 2011 PLANET TECHNOLOGIES, INC.