Security and Privacy in SharePoint 2010: Healthcare
2 likes1,284 views
The document discusses security and privacy considerations for implementing SharePoint 2010 in healthcare organizations. It outlines regulations like HIPAA and HITECH that govern privacy and security of personal health information. It recommends planning permissions, access controls, encryption and other technical, physical and administrative safeguards. The document also recommends using SharePoint as part of a connected health framework and involving privacy experts when implementing SharePoint solutions that handle protected health information.
Security and Privacy in SharePoint 2010: Healthcare
- 1. Security and Privacy in SharePoint 2010: Healthcare Marie-Michelle Strah, PhD Richmond SharePoint User Group August 31, 2011
- 2. http://lifeincapslock.com http://www.sswug.org/usercenter/profile.aspx?id=563806 www.broadpoint.net http://www.meetup.com/fedspug-wspdc
- 3. Objectives • ARRA/HITECH: INFOSEC and connected health information • Reference models: security, enterprise architecture and compliance for healthcare • Overview of privacy and security in SharePoint Server 2010
- 4. Planning for Security and the “Black Swan”
- 5. Privacy • Data (opt in/out) • PHI • PII “Black Swans” • Consumer Engagement • Business Associates
- 6. = ( ∗ ) Information Security (Collaborative Model) Equals People (all actors and agents) Times Architecture (technical, physical and administrative)
- 7. From HIPAA to HITECH… • Health Insurance Portability and Accountability Act of 1996 (HIPAA) (Pub L 104–191, 110 Stat 1936) • The Health Information Technology for Economic and Clinical Health Act (HITECH Act), enacted on February 17, 2009 • American Recovery and Reinvestment Act of 2009 (ARRA) (Pub L 111-5, 123 Stat 115)
- 8. = ( ∗ ) do the HITECH math… Application of HIPAA Security Standards to Business “Business Associates”: Associates • Legal 42 USC §17931 • Accounting • Administrative New Security Breach • Claims Processing Requirements • Data Analysis 42 USC §17932(j) • QA • Billing Electronic Access Mandatory for 45 CFR §160.103 Patients 42 USC 17935(e) Consumer Engagement Prohibited Sale of PHI without Patient Authorization 42 USC §17935(d)
- 9. ONC (Office of the National Coordinator for Healthcare IT) • Health Information Exchange (HIE) • Accountable Care Organizations (ACO) • “Meaningful Use” • Interoperability • Service Oriented Architecture (SOA) Models for Healthcare Information Technology • Certification (ANSI) June 2011 • Conformance Testing (NIST)
- 10. Microsoft Connected Health Framework Business and Technical Framework (Joint Architecture)
- 11. Electronic Healthcare = Complexity Increases Opportunity for “Black Swans” (Security and Privacy Risk)
- 12. SOA “Hub” Model reduces complexity and variability while maintaining collaboration and interoperability
- 13. Codeplex: Health Connection Engine http://hce.codeplex.com/ • SOA • “Plug and Play” • Message represent clinical events, not data items • EHR data federated • Connection to existing messaging infrastructures
- 14. SharePoint 2010 as part of a Connected Health Framework • NOT a standalone solution • Technical barriers • Data barriers • Staffing barriers Office Business Applications (Office and SharePoint) as part of healthcare information architecture
- 15. Security Architecture – SPS2010 UPM Hardware Authorization Services Business Connectivity Authentication Permissions Data Level Endpoint Federated ID Security Security Security Classic/Claims Groups LOB Integration Mobile IIS/STS Remote = ( ∗ )
- 16. Behavioral Factors: Security Architecture – SPS2010 • #hcsm • User population challenges -healthcare/providers -business associates • “Prurient interest” = ( ∗ )
- 17. Why data security and privacy should matter to your SharePoint Administrator… Unfortunately, security and governance are absent in many cases Jay Simcox: Proactive vs. reactive approach • https://www.nothingbutsharepoint.com/sites/eusp/Pages/sharepoint-data- security-and-privacy-information-why-should-it-matter-to-you.aspx
- 18. Security Planning and SharePoint 2010 • Encryption • Data at rest/data in motion • Perimeter topologies • Segmentation and compartmentalization of PHI/PII (logical and physical) • Wireless (RFID/Bluetooth) • Business Continuity • Backup and Recovery
- 19. Security Planning and SharePoint 2010 • Plan permission levels and groups (least privileges) – providers and business associates • Plan site permissions • Fine-grained permissions (item-level) • Security groups (custom) • Contribute permissions
- 20. Additional Security Planning Considerations (SharePoint 2010) • Content types (PHI/PII) • ECM/OCR • Business Connectivity Services and Visio Services (external data sources) – Excel, lists, SQL, custom data providers – Integrated Windows with constrained Kerberos • Metadata and tagging (PHI/PII) • Blogs and wikis (PHI)
- 21. SharePoint 2010: Identity and Access Management in Healthcare • SharePoint as enabler for healthcare: – Access tracking and audits – Access controls • Recommend: third party tools (ControlPoint, AvePoint, etc.) • Recommend: IAM Solutions – Mobility – Workstations/Proximity
- 22. Best Practices - Prevention • Involve HIPAA specialists early in the planning process. (This is NOT an IT problem) • Consider removing PHI from the equation. (Compartmentalization and segregation) • Evaluate the outsourcing option. (Example: FPWeb) • Look to experts to help with existing implementations. (Domain expertise in healthcare and clinical workflow as well as HIPAA/HITECH privacy and security) • Use connected health framework reference model and other HC specific applications (Dynamics CRM for Patient Relationship Management/Case Management, HealthVault, Amalga, IAM)
- 23. Adapting the Joint Commission Continuous Process Improvement Model… Plan • Technical, Physical, Administrative Safeguards Document • Joint Commission, Policies, Procedures, IT Governance Train • Clinical, Administrative and Business Associates Track • Training, Compliance, Incidents, Access…. everything Review • Flexibility, Agility, Architect for Change
- 24. Case Studies • SharePoint 2007 Upgrade – Behavioral Health • SharePoint 2010 and Clinical Trial Data – Research (Biotech and Pharma) • Patient Relationship Management (Consumer Engagement) – SharePoint 2010 and CRM
- 25. Questions?
- 26. http://lifeincapslock.com http://www.sswug.org/usercenter/profile.aspx?id=563806 www.broadpoint.net http://www.meetup.com/fedspug-wspdc