Security and Privacy in SharePoint 2010: Healthcare Best Practices
Transcript of Security and Privacy in SharePoint 2010: Healthcare Best Practices
Page 1
© 2011 PLANET TECHNOLOGIES, INC.
Security and Privacy in SharePoint 2010: Healthcare
Webinar presented by: Planet Technologies and CipherPoint Software
November 2, 2011
Page 2
Agenda
1. Overview – Mr. Jim Hietala, CipherPoint Software
2. Security and Privacy in SharePoint 2010: Healthcare – Dr. Marie-Michelle Strah, Planet Technologies
3. CipherPoint Demo and Case Studies – Mr. Mike Fleck, CipherPoint Software
4. Q&A
Page 3
Presenters
www.go-planet.com
Microsoft Gold Partner
• 5x Federal Partner of the Year
• 2x State and Local Government Partner of the Year
• 2011 xRM Partner of the Year
Page 4
Objectives
• Introduction: Why SharePoint for healthcare?
• Context: ARRA/HITECH: INFOSEC and connected health information
• Reference models: security, enterprise architecture and compliance for healthcare
• Best Practices: privacy and security in Microsoft SharePoint Server 2010
Page 5
What keeps a CMIO up at night?
Excerpted from John D. Halamka, MD, Life as a Healthcare CIO blog…
• Unstructured data
• Compliance
• Security
• Workforce recruitment
http://geekdoctor.blogspot.com/2011/10/what-keeps-me-up-at-night-fy12-edition.html
Page 6
Microsoft SharePoint in Healthcare
• Public/Private Partnerships
• Collaborative, Cross-disciplinary care delivery
• Web Content Management and Outreach
• Patient/Veteran Relationship Management
• Clinical Decision Support
• Data Analytics
• Logistics and Asset Management
• EHR Integration
• “Meaningful Use”
Solution areas: Enterprise Content Management; Practice Management and Hospital Administration; Research and Collaboration; Patient Engagement
Page 7
Planning for Security and the “Black Swan”
Page 8
Privacy
• Data (opt in/out)
• PHI
• PII
“Black Swans”
• Consumer Engagement
• Business Associates
Page 9
Enterprise Security Model
Information Security (Collaborative Model): S = (P_x * A_y)
Security equals People (all actors and agents) times Architecture (technical, physical and administrative).
Page 10
From HIPAA to HITECH…
• Health Insurance Portability and Accountability Act of 1996 (HIPAA) (Pub L 104–191, 110 Stat 1936)
• The Health Information Technology for Economic and Clinical Health Act (HITECH Act), enacted on February 17, 2009
• American Recovery and Reinvestment Act of 2009 (ARRA) (Pub L 111-5, 123 Stat 115)
Page 11
S = (P_x * A_y): do the HITECH math…
“Business Associates” (45 CFR §160.103):
• Legal
• Accounting
• Administrative
• Claims Processing
• Data Analysis
• QA
• Billing
• Contractors
Consumer Engagement
• Application of HIPAA Security Standards to Business Associates (42 USC §17931)
• New Security Breach Requirements (42 USC §17932(j))
• Electronic Access Mandatory for Patients (42 USC §17935(e))
• Prohibited Sale of PHI without Patient Authorization (42 USC §17935(d))
Page 12
Complexity = Higher Risk and Costs
Page 13
“Hub” Model reduces complexity and variability while maintaining collaboration and interoperability
SOA (Service-Oriented Architecture)
Page 14
Microsoft Connected Health Framework: Business and Technical Framework (Joint Architecture)
http://hce.codeplex.com/
Page 15
Security Architecture: SharePoint Server 2010
S = (P_x * A_y)
Authentication
• Federated ID
• Classic/Claims
• IIS/STS
Authorization
• UPM
• Permissions
• Security Groups
Business Connectivity Services
• Data Level Security
• LOB Integration
Hardware
• Endpoint Security
• Mobile
• Remote
Page 16
Behavioral Factors: Security Architecture
S = (P_x * A_y)
• #hcsm
• User population challenges
  - clinicians
  - business associates
  - domain knowledge
• “Prurient interest”
• Mobile technologies
Page 17
Enterprise Security Planning
• PIA (Privacy Impact Assessment)
• Encryption: data at rest/data in motion
• Perimeter topologies
• Segmentation and compartmentalization of PHI/PII (logical and physical)
• Wireless (RFID/Bluetooth)
• Business Continuity
• Backup and Recovery
Page 18
Security Planning Considerations (SharePoint 2010)
• Content types (PHI/PII)
• ECM/OCR
• Digital Rights Management (DRM)
• Business Connectivity Services and Visio Services (external data sources)
  – Excel, lists, SQL, custom data providers
  – Integrated Windows with constrained Kerberos
• Metadata and tagging (PHI/PII)
• Blogs and wikis (PHI)
• Plan permission levels and groups (least privileges) – providers and business associates
• Plan site permissions
• Fine-grained permissions (item-level)
• Security groups (custom)
• Contribute permissions
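Slide 18 asks deployers to plan least-privilege permission levels and to watch fine-grained (item-level) permissions on PHI content. The following script is an added example, not code from the webinar or from Planet Technologies or CipherPoint: it walks a SharePoint 2010 site, finds items of a PHI content type whose permission inheritance has been broken, and flags any principal holding more than read access so the assignments can be reviewed. The site URL and the content type name "PHI Document" are placeholders.

```powershell
# Added example (not from the deck): audit item-level permissions on PHI
# content in a SharePoint 2010 site against a least-privilege baseline.
# Assumptions: run in the SharePoint 2010 Management Shell on a farm server;
# $siteUrl and $phiContentType are placeholders for the real values.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$siteUrl        = "http://sharepoint.example.local/sites/clinical"   # placeholder
$phiContentType = "PHI Document"                                      # placeholder
# Role definitions broader than read access; any of these on a PHI item
# gets flagged for the reviewer.
$broadRoles     = @("Full Control", "Design", "Contribute")

$web = Get-SPWeb $siteUrl
try {
    foreach ($list in $web.Lists) {
        if ($list.Hidden) { continue }
        foreach ($item in $list.Items) {
            # Only PHI-typed items that broke permission inheritance are of interest
            if ($item.ContentType -eq $null) { continue }
            if ($item.ContentType.Name -ne $phiContentType) { continue }
            if (-not $item.HasUniqueRoleAssignments) { continue }
            foreach ($ra in $item.RoleAssignments) {
                $roles = @($ra.RoleDefinitionBindings | ForEach-Object { $_.Name })
                $flag  = ""
                foreach ($r in $roles) {
                    if ($broadRoles -contains $r) { $flag = "REVIEW" }
                }
                # One record per (item, principal); pipe the script to Export-Csv
                New-Object PSObject -Property @{
                    List      = $list.Title
                    Item      = $item.Url
                    Principal = $ra.Member.Name
                    Roles     = ($roles -join ", ")
                    Flag      = $flag
                }
            }
        }
    }
} finally {
    $web.Dispose()   # always release the SPWeb handle
}
```

Exporting the records to CSV on a schedule gives the "Track" step of the lifecycle on the next slide a concrete access record to review.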
Page 19
The Security Lifecycle: SharePoint Deployments
Adapting the Joint Commission Continuous Process Improvement Model…
• Plan: Technical, Physical, Administrative Safeguards
• Document: Joint Commission, Policies, Procedures, IT Governance
• Train: Clinical, Administrative and Business Associates
• Track: Training, Compliance, Incidents, Access… everything
• Review: Flexibility, Agility, Architect for Change
Page 20
Best Practices – Proactive Security Model
• Involve HIPAA/HITECH specialists early in the planning process. (This is NOT an IT problem)
• Consider removing PHI from the equation. (Compartmentalization and segregation)
• Evaluate the outsourcing option. Trust, but verify.
• Look to experts to help with existing implementations. (Domain expertise in healthcare and clinical workflow as well as HIPAA/HITECH privacy and security)
• Use the Connected Health Framework reference model.
• Extend SharePoint: ISVs create effective and compliant solutions, e.g. CipherPoint (Enterprise Content Management, Administration, Total Disk Encryption, PII/508 Compliance).
Page 21
Comprehensive Security Model
• Case Studies
• SharePoint is an enabler for healthcare transformation
• Introduction to CipherPoint
Page 22
Thank You and Contact Information
www.go-planet.com