Securing Microsoft Technologies for HITECH Compliance

Updated presentation 2/13/2012 with references from #spsphilly

Securing Microsoft Technologies for HITECH Compliance: Update 2/13/2012

Marie-Michelle Strah, PhD

SharePoint Saturday Philadelphia 2/4/2012

http://ideas.appliedis.com

http://lifeincapslock.com

Introductions

Objectives

• Introduction: Why Microsoft Business Solutions for healthcare?
• Context: ARRA/HITECH: INFOSEC and connected health information
• Reference models: security, enterprise architecture and compliance for healthcare
• Best Practices: privacy and security in Microsoft SharePoint Server 2010, Microsoft Dynamics CRM and Office365
• Panel: Q&A

What keeps a CMIO up at night?

Excerpted from John D. Halamka, MD, Life as a Healthcare CIO blog:

• Unstructured data
• Compliance
• Security
• Workforce recruitment

http://geekdoctor.blogspot.com/2011/10/what-keeps-me-up-at-night-fy12-edition.html

Planning for Security and the “Black Swan”

Privacy

• Data (opt in/out)

• PHI

• PII

“Black Swans”

• Consumer Engagement

• Business Associates

2012 = Year of Privacy and ECM

𝑺 = (𝑷𝒙 ∗ 𝑨𝒚): Information Security (Collaborative Model) equals People (all actors and agents) times Architecture (technical, physical and administrative)

Enterprise Security Model

2012: From HIPAA to HITECH and “Meaningful Use”

• Health Insurance Portability and Accountability Act of 1996 (HIPAA) (Pub L 104–191, 110 Stat 1936)
• The Health Information Technology for Economic and Clinical Health Act (HITECH Act), enacted on February 17, 2009
• American Recovery and Reinvestment Act of 2009 (ARRA) (Pub L 111-5, 123 Stat 115)

𝑺 = (𝑷𝒙 ∗ 𝑨𝒚) do the HITECH math…

“Business Associates” (45 CFR §160.103):

• Legal
• Accounting
• Administrative
• Claims Processing
• Data Analysis
• QA
• Billing

Consumer Engagement:

• Application of HIPAA Security Standards to Business Associates: 42 USC §17931
• New Security Breach Requirements: 42 USC §17932(j)
• Electronic Access Mandatory for Patients: 42 USC §17935(e)
• Prohibited Sale of PHI without Patient Authorization: 42 USC §17935(d)

Complexity: RM, ECM and eDiscovery

You Don’t Believe Me?: In the News

Recent Cryptzone Survey, Gothenburg, 19 January 2012

Survey finds almost half of SharePoint users disregard the security within SharePoint, and copy sensitive or confidential documents to insecure hard drives, USB keys or even email them to a third party.

Read more: SharePoint Users Develop Insecure Habits - FierceContentManagement

Healthcare IT News, Sacramento, 23 November 2011

The theft of a computer during a break-in in October has spurred a $1B class action lawsuit against Sutter Health, according to a report published today by the Sacramento Bee. The computer contained data on more than 4 million patients.

See also: Room for improvement on security, HIMSS survey shows

Complexity = Higher Risks and Costs

“Hub” Model reduces complexity and variability while maintaining collaboration and interoperability

SOA: Service-Oriented Architecture

Challenge: connect, collaborate and compartmentalize

Microsoft Connected Health Framework Business and Technical Framework (Joint Architecture)

http://hce.codeplex.com/

Microsoft Business Solutions as part of a Connected Health Framework

• Patient Encounters, CPG, HIPAA Direct Identifiers, EEOI, ePHI
• SharePoint 2010, Dynamics CRM, Office365
• Unstructured Data, Intake Forms, EHR Integration, R&D, BPM, Clinical Workflow

Microsoft Business Solutions as part of a Connected Health Framework

Current example: multi-site resident treatment facility

• Provider emails (nurse/contract doctors)
• Word documents (patient notes) on file servers – unsecured
• PDFs (scanned records/PHI) on file servers – unsecured
• No encryption
• No search
• No IAM beyond Windows authentication
• 2011 EHR adoption

Current example 2: ePHI data with SSN being exported as whatever file type

• No control over what file type
• No way to force encryption
• No way to force a file save location (\\share\phi_encrypted_folder)

Enterprise Security Planning

• PRIVACY IMPACT ASSESSMENT

• 18 direct identifiers (HIPAA)

• “content shielding”

• Data architecture

• Encryption of data at rest/data in motion

• Two-factor authentication

• Perimeter topologies

• Segmentation and compartmentalization of PHI/PII (logical and physical)

• Wireless (RFID/Bluetooth)

• Business Continuity

• Backup and Recovery

• Mobile Device Management/BYOD World

Security Architecture – SPS2010

• Authorization: Authentication, Federated ID, Classic/Claims, IIS/STS
• UPM: Permissions, Security Groups
• Business Connectivity Services: Data Level Security, LOB Integration
• Hardware: Endpoint Security, Mobile, Remote

𝑺 = (𝑷𝒙 ∗ 𝑨𝒚)

Behavioral Factors: Security Architecture 𝑺 = (𝑷𝒙 ∗ 𝑨𝒚)

• #hcsm
• User population challenges: clinicians, business associates, domain knowledge, “prurient interest”
• Mobile technologies

On Premise:

• Native: 20% (SP2010)
• Governance, UPM/IAM: 60% (ISV)
• Network, Data at Rest: 100% (ISV)

Cloud (12/14/2011):

• Office365 HIPAA/EU compliance
• BAA

“Can’t Do it Alone:” Security Ecosystem (Sample: Security Planning Checklist)

• Content types (PHI/PII)
• ECM/OCR
• Digital Rights Management (DRM)
• Business Connectivity Services and Visio Services (external data sources): Excel, lists, SQL, custom data providers
• Integrated Windows authentication with constrained Kerberos delegation
• Metadata and tagging (PHI/PII)
• Blogs and wikis (PHI)
• Plan permission levels and groups (least privilege) – providers and business associates
• Plan site permissions
• Fine-grained permissions (item-level)
• Security groups (custom)
• Contribute permissions

Best Practices: Preventative Model

• Involve HIPAA specialists early in the planning process. (This is NOT an IT problem)
• Privacy Impact Assessment: PHI, ePHI, PII (compartmentalization and segregation)
• Trust, but verify
• Look to experts to help with existing implementations. (Domain expertise in healthcare and clinical workflow as well as HIPAA/HITECH privacy and security)
• Use connected health framework reference model
• Governance, governance, governance
• Technical, Physical, Administrative Safeguards

Governance: Adapting the Joint Commission Continuous Process Improvement Model

• Plan
• Document: Joint Commission, Policies, Procedures, IT Governance
• Train: Clinical, Administrative and Business Associates
• Track: Training, Compliance, Incidents, Access… everything
• Review: Flexibility, Agility, Architect for Change

• Unstructured Data

– Scan

– Quarantine PII

– Tag

• Compliance and Reporting

– Enhance control of all ePHI and PII

– In line with HIPAA and HITECH Act regulation

© 2011 AvePoint, Inc. All rights reserved. No part of this may be reproduced, stored in a retrieval system, or transmitted in any form or by any means,

without the prior written consent of AvePoint, Inc.

• Security

– Easily set Rules and Permissions in bulk

– Run scheduled reports on all SharePoint Activity

– Safely archive inactive data for compliance

• Workflow Management

– Rearrange taxonomy to meet evolving business needs

– Full fidelity backup and restoration of data

– Improved performance, environment monitoring
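The “Scan, Quarantine PII, Tag” step for unstructured data above, applied to the export problem from “Current example 2” (ePHI with SSNs written out as whatever file type to an uncontrolled location), can be prototyped with a small scanner. The following is an added example written for this page; it is not code from the presentation or from AvePoint. It assumes exports land in one directory regardless of file type, uses a quarantine directory standing in for \\share\phi_encrypted_folder, uses a “.tag” sidecar file standing in for SharePoint metadata tagging, and runs over constructed sample files. The validity rules (SSA never issues area 000, 666 or 900-999, group 00, or serial 0000) are real and cut the false positives that a bare regex produces on test fixtures.

```python
"""Scan an export directory for SSN-shaped data, quarantine hits, tag them.

Added example for the "scan / quarantine PII / tag" governance step; not
code from the presentation or from any vendor. Assumptions:
  * exports land in one directory regardless of file type, so every
    regular file is inspected (the "current example 2" failure mode);
  * a quarantine directory outside the export tree stands in for
    \\share\phi_encrypted_folder;
  * a ".tag" sidecar file stands in for SharePoint metadata tagging.
SAMPLE_FILES below are constructed for the demonstration.
"""
import re
import shutil
import tempfile
from pathlib import Path

# AAA-GG-SSSS with "-" or " " separators. Bare 9-digit runs are deliberately
# not matched: on clinical data they collide with MRNs and phone numbers.
SSN_RE = re.compile(r"\b(\d{3})[- ](\d{2})[- ](\d{4})\b")


def is_plausible_ssn(area: str, group: str, serial: str) -> bool:
    """SSA never issues area 000, 666 or 900-999, group 00, or serial 0000."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return int(group) != 0 and int(serial) != 0


def find_ssns(text: str) -> list:
    """Return the plausible SSN strings found in text, in order of appearance."""
    return [m.group(0) for m in SSN_RE.finditer(text)
            if is_plausible_ssn(*m.groups())]


def scan_export_dir(export_dir: Path, quarantine_dir: Path) -> dict:
    """Scan every file under export_dir; move hits to quarantine_dir and tag them.

    Returns {file name: ssn count}. Only counts are recorded, never the SSN
    values, so the scan result does not become one more copy of the PHI.
    """
    quarantine_dir.mkdir(parents=True, exist_ok=True)
    results = {}
    for path in sorted(p for p in export_dir.rglob("*") if p.is_file()):
        # Decode leniently: scanned PDFs and Word binaries still yield any
        # plain-text SSN strings they contain; non-UTF-8 bytes are dropped.
        text = path.read_bytes().decode("utf-8", errors="ignore")
        hits = find_ssns(text)
        if not hits:
            continue
        dest = quarantine_dir / path.name
        shutil.move(str(path), str(dest))
        Path(str(dest) + ".tag").write_text(
            "classification=ePHI\nreason=ssn_pattern\nssn_count=%d\n" % len(hits))
        results[path.name] = len(hits)
    return results


# Constructed sample exports: one real hit, one near-miss (phone number and
# dates), and one set of fixture values the SSA would never issue.
SAMPLE_FILES = {
    "patients_export.csv": "id,name,ssn\n1,J. Doe,123-45-6789\n2,A. Roe,321-54-9876\n",
    "schedule.txt": "Clinic call 555-123-4567, room 210-11 on 2012-02-13\n",
    "test_fixtures.txt": "fixture ssn 000-12-3456 and 666-01-0001 (never issued)\n",
}


def demo() -> tuple:
    """Run the scanner over SAMPLE_FILES in a temp tree.

    Returns (results, names left in quarantine, names left in the export dir).
    """
    with tempfile.TemporaryDirectory() as tmp:
        export_dir = Path(tmp) / "exports"
        quarantine_dir = Path(tmp) / "phi_encrypted_folder"
        export_dir.mkdir()
        for name, body in SAMPLE_FILES.items():
            (export_dir / name).write_text(body)
        results = scan_export_dir(export_dir, quarantine_dir)
        quarantined = sorted(p.name for p in quarantine_dir.iterdir())
        remaining = sorted(p.name for p in export_dir.iterdir())
    return results, quarantined, remaining


if __name__ == "__main__":
    print(demo())
```

Running `demo()` moves only `patients_export.csv` (two hits) into the quarantine folder next to its `.tag` sidecar; the schedule file and the never-issued fixture values stay put. Pattern matching alone would have flagged the fixtures, which is why the SSA validity check belongs in any scanner that feeds a quarantine or breach-notification workflow.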


References

• AIS Case Study on Records Management and Compliance (SP2007): http://www.appliedis.com/pdfs/Military%20Grade%20Compliance%20for%20SharePoint%20WP.pdf
• Good Data Means Good Government: http://gcn.com/Articles/2012/02/06/Good-metadata-and-good-government.aspx?Page=2
• 2012 Healthcare Data Trends: http://databreachinsurancequote.com/wp-content/uploads/2012/01/2012_trends_healthcare_data.pdf

Thank You! For more information…

http://ideas.appliedis.com

http://lifeincapslock.com
