Security and Privacy in SharePoint 2010: Healthcare
Transcript of Security and Privacy in SharePoint 2010: Healthcare
Slide 1
Security and Privacy in SharePoint 2010: Healthcare
Marie-Michelle Strah, PhD
Richmond SharePoint User Group
August 31, 2011
Slide 2
http://lifeincapslock.com
http://www.sswug.org/usercenter/profile.aspx?id=563806
www.broadpoint.net
http://www.meetup.com/fedspug-wspdc
Slide 3
Objectives
• ARRA/HITECH: INFOSEC and connected health information
• Reference models: security, enterprise architecture and compliance for healthcare
• Overview of privacy and security in SharePoint Server 2010
Slide 4
Planning for Security and the “Black Swan”
Slide 5
Privacy
• Data (opt in/out)
• PHI
• PII
“Black Swans”
• Consumer Engagement
• Business Associates
Slide 6
$S = P_x \times A_y$: Information Security (Collaborative Model)
Security equals People (all actors and agents) times Architecture (technical, physical and administrative).
Slide 7
From HIPAA to HITECH…
• Health Insurance Portability and Accountability Act of 1996 (HIPAA) (Pub L 104–191, 110 Stat 1936)
• The Health Information Technology for Economic and Clinical Health Act (HITECH Act), enacted on February 17, 2009
• American Recovery and Reinvestment Act of 2009 (ARRA) (Pub L 111-5, 123 Stat 115)
Slide 8
$S = P_x \times A_y$: do the HITECH math…
“Business Associates” (45 CFR §160.103):
• Legal
• Accounting
• Administrative
• Claims Processing
• Data Analysis
• QA
• Billing
Consumer Engagement
• Application of HIPAA Security Standards to Business Associates (42 USC §17931)
• New Security Breach Requirements (42 USC §17932(j))
• Electronic Access Mandatory for Patients (42 USC §17935(e))
• Prohibited Sale of PHI without Patient Authorization (42 USC §17935(d))
Slide 9
ONC (Office of the National Coordinator for Health Information Technology)
• Health Information Exchange (HIE)
• Accountable Care Organizations (ACO)
• “Meaningful Use”
• Interoperability
• Service Oriented Architecture (SOA)
Models for Healthcare Information Technology
• Certification (ANSI), June 2011
• Conformance Testing (NIST)
Slide 10
Microsoft Connected Health Framework: Business and Technical Framework (Joint Architecture)
Slide 11
Electronic Healthcare = Complexity
Complexity increases the opportunity for “Black Swans” (security and privacy risk).
Slide 12
The SOA “Hub” model reduces complexity and variability while maintaining collaboration and interoperability.
Slide 13
Codeplex: Health Connection Engine
http://hce.codeplex.com/
• SOA
• “Plug and Play”
• Messages represent clinical events, not data items
• EHR data federated
• Connection to existing messaging infrastructures
Slide 14
SharePoint 2010 as part of a Connected Health Framework
• NOT a standalone solution
• Technical barriers
• Data barriers
• Staffing barriers
Office Business Applications (Office and SharePoint) as part of healthcare information architecture
Slide 15
Security Architecture – SPS2010
Authorization
• Authentication: Federated ID, Classic/Claims, IIS/STS
• UPM
• Permissions
• Security Groups
Business Connectivity Services
• Data Level Security
• LOB Integration
Hardware
• Endpoint Security
• Mobile
• Remote
$S = P_x \times A_y$
Slide 16
Behavioral Factors: Security Architecture – SPS2010
$S = P_x \times A_y$
• #hcsm
• User population challenges
  - healthcare/providers
  - business associates
• “Prurient interest”
Slide 17
Why data security and privacy should matter to your SharePoint administrator… Unfortunately, security and governance are absent in many cases. Jay Simcox: proactive vs. reactive approach.
• https://www.nothingbutsharepoint.com/sites/eusp/Pages/sharepoint-data-security-and-privacy-information-why-should-it-matter-to-you.aspx
Slide 18
Security Planning and SharePoint 2010
• Encryption
• Data at rest/data in motion
• Perimeter topologies
• Segmentation and compartmentalization of PHI/PII (logical and physical)
• Wireless (RFID/Bluetooth)
• Business Continuity
• Backup and Recovery
Slide 19
Security Planning and SharePoint 2010
• Plan permission levels and groups (least privilege) – providers and business associates
• Plan site permissions
• Fine-grained permissions (item-level)
• Security groups (custom)
• Contribute permissions
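The permission plan on this slide, as an added example in the SharePoint 2010 Management Shell; this is not code from the original deck, from the presenter or from Microsoft. It builds a custom permission level that grants what Contribute grants minus the delete rights, creates a dedicated clinicians group, breaks the PHI library away from the site's inherited permissions and prints the resulting ACL for review. The site URL, library title, group name, role name and owner account are hypothetical.

```powershell
# Added example for the permission-planning slide; not from the original deck.
# Run in the SharePoint 2010 Management Shell on a farm server as a site collection admin.
# Assumptions (hypothetical values): site URL, library title, group/role names, owner login.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$siteUrl      = "https://clinical.contoso.local/sites/behavioralhealth"   # assumption
$libraryTitle = "Treatment Plans"                                          # assumption
$groupName    = "Behavioral Health Clinicians"                             # assumption
$roleName     = "PHI Contributor"                                          # assumption
$ownerLogin   = "CONTOSO\sp-phi-owner"                                     # assumption

$site = Get-SPSite $siteUrl
try {
    # Role definitions are owned by the root web of the site collection, so work there.
    $web = $site.RootWeb

    # 1. Custom permission level: what "Contribute" grants, minus DeleteListItems and
    #    DeleteVersions. Clinicians add and edit treatment plans; they never remove them.
    $role = $web.RoleDefinitions | Where-Object { $_.Name -eq $roleName }
    if ($role -eq $null) {
        $role = New-Object Microsoft.SharePoint.SPRoleDefinition
        $role.Name        = $roleName
        $role.Description = "Add/edit PHI documents; no delete, no version deletion"
        $grants = "ViewListItems, AddListItems, EditListItems, OpenItems, ViewVersions, " +
                  "ViewPages, ViewFormPages, Open, UseClientIntegration"
        $role.BasePermissions = [Microsoft.SharePoint.SPBasePermissions]$grants
        $web.RoleDefinitions.Add($role)
        $role = $web.RoleDefinitions[$roleName]
    }

    # 2. Dedicated SharePoint group; ordinary users cannot enumerate its membership.
    $group = $web.SiteGroups | Where-Object { $_.Name -eq $groupName }
    if ($group -eq $null) {
        $owner = $web.EnsureUser($ownerLogin)
        $web.SiteGroups.Add($groupName, $owner, $null, "Clinicians with a current treatment relationship")
        $group = $web.SiteGroups | Where-Object { $_.Name -eq $groupName }
    }
    $group.OnlyAllowMembersViewMembership = $true
    $group.Update()

    # 3. The PHI library stops inheriting from the site. BreakRoleInheritance($false)
    #    keeps only the current user's assignment, so the ACL is rebuilt explicitly
    #    instead of carrying over every site-level "Members" and "Visitors" grant.
    $list = $web.Lists.TryGetList($libraryTitle)
    if ($list -eq $null) { throw "Library '$libraryTitle' not found in $($web.Url)" }
    if (-not $list.HasUniqueRoleAssignments) { $list.BreakRoleInheritance($false) }

    $assignment = New-Object Microsoft.SharePoint.SPRoleAssignment($group)
    $assignment.RoleDefinitionBindings.Add($role)
    $list.RoleAssignments.Add($assignment)
    $list.Update()

    # 4. Print the resulting ACL so the change can be reviewed before go-live.
    foreach ($ra in $list.RoleAssignments) {
        $levels = @($ra.RoleDefinitionBindings | ForEach-Object { $_.Name }) -join ", "
        "{0,-45} {1}" -f $ra.Member.Name, $levels
    }
}
finally {
    $site.Dispose()
}
```

Item-level (fine-grained) permissions follow the same pattern with `$item.BreakRoleInheritance(...)` and `$item.RoleAssignments.Add(...)`, but every break creates a new security scope and SharePoint enforces a per-list limit on those, so compartmentalize PHI at library or folder level and keep item-level breaks for genuine exceptions.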
Slide 20
Additional Security Planning Considerations (SharePoint 2010)
• Content types (PHI/PII)
• ECM/OCR
• Business Connectivity Services and Visio Services (external data sources)
– Excel, lists, SQL, custom data providers
– Integrated Windows authentication with Kerberos constrained delegation
• Metadata and tagging (PHI/PII)
• Blogs and wikis (PHI)
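The content type and tagging points above, as an added example in the SharePoint 2010 Management Shell; this is not code from the original deck or from Microsoft. It creates a required "Data Classification" site column (PHI/PII/Internal/Public), a "Clinical Document" content type that carries it, binds that content type to the PHI library as the default, and reports documents that predate the column and are therefore untagged. All names and the site URL are hypothetical.

```powershell
# Added example for the content-type and metadata slide; not from the original deck.
# SharePoint 2010 Management Shell, run as a site collection administrator.
# Assumptions (hypothetical values): site URL, library title, column and content type names.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$siteUrl      = "https://clinical.contoso.local/sites/behavioralhealth"   # assumption
$libraryTitle = "Treatment Plans"                                          # assumption
$internalName = "DataClassification"                                       # assumption
$ctName       = "Clinical Document"                                        # assumption

$site = Get-SPSite $siteUrl
try {
    $web = $site.RootWeb

    # 1. Site column: a required choice field, defaulting to the most restrictive
    #    value so an untagged upload is treated as PHI rather than as public.
    if (-not $web.Fields.ContainsField($internalName)) {
        $web.Fields.Add($internalName, [Microsoft.SharePoint.SPFieldType]::Choice, $true) | Out-Null
    }
    $field = [Microsoft.SharePoint.SPFieldChoice]$web.Fields.GetFieldByInternalName($internalName)
    $field.Choices.Clear()
    foreach ($c in "PHI", "PII", "Internal", "Public") { $field.Choices.Add($c) }
    $field.DefaultValue = "PHI"
    $field.Group        = "Compliance Columns"
    $field.Update($true)   # push the definition to lists already using the column

    # 2. Content type derived from Document that makes the column mandatory.
    $ct = $web.ContentTypes[$ctName]
    if ($ct -eq $null) {
        $parent = $web.AvailableContentTypes["Document"]
        $ct = New-Object Microsoft.SharePoint.SPContentType($parent, $web.ContentTypes, $ctName)
        $ct.Group = "Compliance Content Types"
        $web.ContentTypes.Add($ct) | Out-Null
        $ct = $web.ContentTypes[$ctName]
    }
    if ($ct.FieldLinks[$field.Id] -eq $null) {
        $link = New-Object Microsoft.SharePoint.SPFieldLink($field)
        $link.Required = $true
        $ct.FieldLinks.Add($link)
        $ct.Update($true)  # propagate to list content types that inherit from it
    }

    # 3. Bind it to the PHI library and make it the only choice on the New menu,
    #    so plain "Document" uploads without a classification stop happening.
    $list = $web.Lists.TryGetList($libraryTitle)
    if ($list -eq $null) { throw "Library '$libraryTitle' not found in $($web.Url)" }
    $list.ContentTypesEnabled = $true
    if ($list.ContentTypes[$ctName] -eq $null) { $list.ContentTypes.Add($ct) | Out-Null }
    $list.Update()
    $order = New-Object System.Collections.Generic.List[Microsoft.SharePoint.SPContentType]
    $order.Add($list.ContentTypes[$ctName])
    $list.RootFolder.UniqueContentTypeOrder = $order
    $list.RootFolder.Update()

    # 4. Spot-check: documents that existed before the column have no value and
    #    need a manual classification pass before any control keys on the tag.
    $untagged = @($list.Items | Where-Object { [string]::IsNullOrEmpty($_[$internalName]) })
    "{0} of {1} items in '{2}' have no Data Classification" -f $untagged.Count, $list.ItemCount, $list.Title
    $untagged | ForEach-Object { "  " + $_.Url }
}
finally {
    $site.Dispose()
}
```

The tag is only useful if something consumes it: search scopes, retention policies and workflow routing for business associates can all key on the `DataClassification` value, and the untagged count from step 4 is the backlog that has to reach zero before those controls can be trusted.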
Slide 21
SharePoint 2010: Identity and Access Management in Healthcare
• SharePoint as enabler for healthcare:
– Access tracking and audits
– Access controls
• Recommend: third party tools (ControlPoint, AvePoint, etc.)
• Recommend: IAM Solutions – Mobility
– Workstations/Proximity
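Access tracking and audits, as an added example in the SharePoint 2010 Management Shell; this is not code from the original deck, from the presenter or from the third-party tools mentioned above. It turns on site collection auditing for the event types access tracking needs, queries the audit log for one PHI library over a look-back window, and lists, per user, how many distinct documents were opened, flagging counts above a review threshold. The site URL, library title, window and threshold are hypothetical. The log proves that an access happened, not whether it was justified, so the output is a review list for the privacy officer, not a finding.

```powershell
# Added example for the access-tracking slide; not from the original deck.
# SharePoint 2010 Management Shell, run as a site collection administrator.
# Assumptions (hypothetical values): site URL, library title, look-back window, threshold.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$siteUrl      = "https://clinical.contoso.local/sites/behavioralhealth"   # assumption
$libraryTitle = "Treatment Plans"                                          # assumption
$lookbackDays = 7                                                          # assumption
$reviewAbove  = 25   # distinct documents per user per window that triggers review (assumption)

$site = Get-SPSite $siteUrl
try {
    # 1. Audit flags for the site collection: reads, writes, deletes, copy/move and
    #    permission changes. View auditing is the one most often left off and the
    #    one HIPAA access tracking needs most. Trimming is a retention decision for
    #    the privacy officer, so it is switched off here rather than left at default.
    $m = [Microsoft.SharePoint.SPAuditMaskType]
    $site.Audit.AuditFlags = $m::View -bor $m::Update -bor $m::Delete -bor `
                             $m::Copy -bor $m::Move -bor $m::SecurityChange
    $site.Audit.Update()
    $site.TrimAuditLog = $false

    # 2. Query the log for the PHI library only, bounded to the look-back window.
    $web  = $site.RootWeb
    $list = $web.Lists.TryGetList($libraryTitle)
    if ($list -eq $null) { throw "Library '$libraryTitle' not found in $($web.Url)" }

    $query = New-Object Microsoft.SharePoint.SPAuditQuery($site)
    $query.RestrictToList($list)
    $query.SetRangeStart([DateTime]::UtcNow.AddDays(-$lookbackDays))
    $query.SetRangeEnd([DateTime]::UtcNow)
    $entries = $site.Audit.GetEntries($query)

    # 3. One row per entry with the user id resolved to a login. Timestamps are UTC.
    $rows = foreach ($e in $entries) {
        $login = "userid:$($e.UserId)"
        try { $login = $web.SiteUsers.GetByID($e.UserId).LoginName } catch { }
        New-Object PSObject -Property @{
            User = $login; Event = $e.Event; Doc = $e.DocLocation; OccurredUtc = $e.Occurred
        }
    }

    # 4. Per user: distinct documents opened. A count far above a clinician's
    #    caseload is the "prurient interest" pattern to hand to the privacy officer.
    $rows | Where-Object { $_.Event -eq [Microsoft.SharePoint.SPAuditEventType]::View } |
        Group-Object User | ForEach-Object {
            $distinct = @($_.Group | Select-Object -ExpandProperty Doc -Unique).Count
            New-Object PSObject -Property @{
                User = $_.Name; Views = $_.Count; DistinctDocs = $distinct
                Review = ($distinct -gt $reviewAbove)
            }
        } | Sort-Object DistinctDocs -Descending |
        Format-Table User, Views, DistinctDocs, Review -AutoSize
}
finally {
    $site.Dispose()
}
```

Two caveats a practitioner should know before relying on this: audit entries are stored in the content database and grow quickly once View is enabled, so retention and trimming have to be planned with the retention policy rather than discovered at disk-full time; and the user id in an entry is the site user id, so a user who has since been removed from the site collection shows up as `userid:N` and has to be resolved from a retained copy of the user information list.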
Slide 22
Best Practices - Prevention
• Involve HIPAA specialists early in the planning process. (This is NOT an IT problem)
• Consider removing PHI from the equation. (Compartmentalization and segregation)
• Evaluate the outsourcing option. (Example: FPWeb)
• Look to experts to help with existing implementations. (Domain expertise in healthcare and clinical workflow as well as HIPAA/HITECH privacy and security)
• Use connected health framework reference model and other HC specific applications (Dynamics CRM for Patient Relationship Management/Case Management, HealthVault, Amalga, IAM)
Slide 23
Adapting the Joint Commission Continuous Process Improvement Model…
Plan
• Technical, Physical, Administrative Safeguards
Document
• Joint Commission, Policies, Procedures, IT Governance
Train
• Clinical, Administrative and Business Associates
Track
• Training, Compliance, Incidents, Access… everything
Review
• Flexibility, Agility, Architect for Change
Slide 24
Case Studies
• SharePoint 2007 Upgrade – Behavioral Health
• SharePoint 2010 and Clinical Trial Data – Research (Biotech and Pharma)
• Patient Relationship Management (Consumer Engagement) – SharePoint 2010 and CRM
Slide 25
Questions?