SharePoint Saturday Philadelphia presentation 2/4/2012. Special thanks to CipherPoint Software and AvePoint for preparation and sharing panel time.
Best practices in planning and design of enterprise security and master data management strategies for HITECH compliance of both SharePoint 2010 on premise and Office 365 instances for use in covered healthcare entities.
6. Objectives
Introduction: Why Microsoft Business Solutions
for healthcare?
•Context: ARRA/HITECH: INFOSEC and
connected health information
•Reference models: security, enterprise
architecture and compliance for
healthcare
•Best Practices: privacy and security in
Microsoft SharePoint Server 2010, Microsoft
Dynamics CRM and Office365
Panel: Q&A
7. What keeps a CMIO up at night?
Excerpted from John D.
Halamka, MD Life as a
Healthcare CIO Blog…
• Unstructured data
• Compliance
• Security
• Workforce recruitment
http://geekdoctor.blogspot.com/2011/10/w
hat-keeps-me-up-at-night-fy12-edition.html
9. 2012 = Year of Privacy and ECM
Privacy
• Data (opt in/out)
• PHI
• PII
“Black Swans”
• Consumer
Engagement
• Business Associates
10. Enterprise Security Model
������ ������
������ = (������ ∗ ������ )
Information Security (Collaborative Model)
Equals
People (all actors and agents)
Times
Architecture (technical, physical and
administrative)
11. 2012: From HIPAA to HITECH and “Meaningful Use”
• Health Insurance Portability and Accountability
Act of 1996 (HIPAA) (Pub L 104–191, 110 Stat
1936)
• The Health Information Technology for
Economic and Clinical Health Act (HITECH Act),
enacted on February 17, 2009
• American Recovery and Reinvestment Act of
2009 (ARRA) (Pub L 111-5, 123 Stat 115)
12. Complexity: RM, ECM and eDiscovery
������ ������
������ = (������ ∗ ������ ) do the HITECH math…
Application of HIPAA Security
Standards to Business Associates
“Business Associates”: 42 USC §17931
• Legal
• Accounting New Security Breach
• Administrative Requirements
• Claims Processing 42 USC §17932(j)
• Data Analysis
• QA Electronic Access Mandatory for
• Billing Patients 42 USC 17935(e)
45 CFR §160.103
Prohibited Sale of PHI without
Consumer Engagement Patient Authorization 42 USC
§17935(d)
13. You Don’t Believe Me?: In the News
Recent Cryptzone Survey Healthcare IT News
Gothenburg, 19 January 2012 Sacramento, 23 November 2011
Survey finds almost half of The theft of a computer during a
SharePoint users disregard the break-in in October has spurred a
security within SharePoint, and $1B class action lawsuit against
copy sensitive or confidential Sutter Health, according to a
documents to insecure hard report published today by the
drives, USB keys or even email it to Sacramento Bee. The computer
a third party. contained data on more than 4
million patients.
Read more: SharePoint Users
Develop Insecure Habits - See also: Room for improvement
FierceContentManagement on security, HIMSS survey shows
16. Challenge: connect, collaborate and compartmentalize
Microsoft Connected Health Framework Business
and Technical Framework (Joint Architecture)
http://hce.codeplex.com/
17. Microsoft Business Solutions as part of a Connected Health
Framework
• Patient Encounters
• CPG
• HIPAA Direct Identifiers Clinical
Workflow
• EEOI
• ePHI
EHR
Integration
Intake
Forms
Unstructured Data
• SharePoint 2010
• Dynamics CRM
• Office365
R&D
BPM
18. Microsoft Business Solutions as part of a Connected Health
Framework
Current example: multi-site resident treatment facility
-Provider emails (nurse/contract doctors)
-Word documents (patient notes) on file servers - unsecured
-PDFs (scanned records/PHI) on file servers – unsecured
-no encryption
-no search
-no IAM beyond Windows authentication
-2011 EHR adoption
Current example 2:
ePHI data with SSN being exported as whatever file type
-No control over what file type
-No way to force encryption
-No way to force a file save location (sharephi_encrypted_folder)
19. Enterprise Security Planning
• PRIVACY IMPACT ASSESSMENT
• 18 direct identifiers (HIPAA)
• “content shielding”
• Data architecture
• Encryption of data at rest/data in motion
• 2 factor authentication
• Perimeter topologies
• Segmentation and compartmentalization of PHI/PII
(logical and physical)
• Wireless (RFID/Bluetooth)
• Business Continuity
• Backup and Recovery
• Mobile Device Management/BYOD World
20. Security Architecture – SPS2010
Business Connectivity
Authorization
Services
Hardware
UPM
Authentication Permissions Data Level Endpoint
Federated ID Security Security Security
Classic/Claims Groups LOB Mobile
Integration Remote
IIS/STS
������ ������
������ = (������ ∗ ������ )
21. Behavioral Factors: Security Architecture
• #hcsm
• User population
challenges
• clinicians
• business associates
• domain knowledge
•“Prurient interest”
• Mobile technologies
������ ������
������ = (������ ∗ ������ )
22. “Can’t Do it Alone:” Security Ecosystem
• Native
ISV • Network
• 20% • Governance • Data at Rest
• UPM/IAM • 100%
• 60%
SP2010 ISV
On Premise Cloud 12/14/2011
• Office365
HIPAA/EU
compliance
• BAA
23. Sample: Security Planning Checklist
• Content types (PHI/PII)
• ECM/OCR
• Digital Rights Management (DRM)
• Business Connectivity Services and Visio Services (external data sources)
• Excel, lists, SQL, custom data providers
• Integrated Windows with constrained Kerberos
• Metadata and tagging (PHI/PII)
• Blogs and wikis (PHI)
• Plan permission levels and groups (least privileges) – providers and
business associates
• Plan site permissions
• Fine-grained permissions (item-level)
• Security groups (custom)
• Contribute permissions
24. Best Practices: Preventative Model
• Involve HIPAA specialists early in the planning
process. (This is NOT an IT problem)
• Privacy Impact Assessment: PHI, ePHI, PII
(Compartmentalization and segregation)
• Trust, but verify
• Look to experts to help with existing
implementations. (Domain expertise in
healthcare and clinical workflow as well as
HIPAA/HITECH privacy and security)
• Use connected health framework reference
model
• Governance, governance, governance
25. Governance: Adapting the Joint Commission Continuous
Process Improvement Model
Plan
• Technical, Physical, Administrative Safeguards
Document
• Joint Commission, Policies, Procedures, IT Governance
Train
• Clinical, Administrative and Business Associates
Track
• Training, Compliance, Incidents, Access…. everything
Review
• Flexibility, Agility, Architect for Change
26.
27. The Ideal
Employees Contractors Partners
Need to know
Need to manage
InfoSec IT Ops Legal
28. The Reality
Employees IT Ops Contractors Partners
Manage
Know
InfoSec Legal
29. The Challenge
• There is no endpoint
• There is no perimeter
• Users own the data
Employees Contractors Partners
• No one owns the risk
• Security doesn’t have control
• IT Ops own the databases
• IT Ops own the servers
• IT Ops own the apps (SharePoint)
InfoSec IT Ops Legal