Security and Privacy in SharePoint 2010: Healthcare Marie-Michelle Strah, PhD Richmond SharePoint User Group August 31, 2011


Presentation at Richmond SharePoint User Group August 31, 2011.


http://lifeincapslock.com

http://www.sswug.org/usercenter/profile.aspx?id=563806

www.broadpoint.net

http://www.meetup.com/fedspug-wspdc


Objectives

• ARRA/HITECH: INFOSEC and connected health information

• Reference models: security, enterprise architecture and compliance for healthcare

• Overview of privacy and security in SharePoint Server 2010


Planning for Security and the “Black Swan”


Privacy

• Data (opt in/out)

• PHI

• PII

“Black Swans”

• Consumer Engagement

• Business Associates


𝑺 = (𝑷𝒙 ∗ 𝑨𝒚)

Information Security (Collaborative Model) equals People (all actors and agents) times Architecture (technical, physical and administrative)


From HIPAA to HITECH…

• Health Insurance Portability and Accountability Act of 1996 (HIPAA) (Pub L 104–191, 110 Stat 1936)

• The Health Information Technology for Economic and Clinical Health Act (HITECH Act), enacted on February 17, 2009

• American Recovery and Reinvestment Act of 2009 (ARRA) (Pub L 111-5, 123 Stat 115)


𝑺 = (𝑷𝒙 ∗ 𝑨𝒚) do the HITECH math…

“Business Associates”:

• Legal

• Accounting

• Administrative

• Claims Processing

• Data Analysis

• QA

• Billing

45 CFR §160.103

Consumer Engagement

• Application of HIPAA Security Standards to Business Associates: 42 USC §17931

• New Security Breach Requirements: 42 USC §17932(j)

• Electronic Access Mandatory for Patients: 42 USC 17935(e)

• Prohibited Sale of PHI without Patient Authorization: 42 USC §17935(d)


ONC (Office of the National Coordinator for Healthcare IT)

• Health Information Exchange (HIE)

• Accountable Care Organizations (ACO)

• “Meaningful Use”

• Interoperability

• Service Oriented Architecture (SOA)

Models for Healthcare Information Technology

• Certification (ANSI) June 2011

• Conformance Testing (NIST)


Microsoft Connected Health Framework Business and Technical Framework (Joint Architecture)


Electronic Healthcare = Complexity

Increases Opportunity for “Black Swans” (Security and Privacy Risk)


SOA “Hub” Model reduces complexity and variability while maintaining collaboration and interoperability


Codeplex: Health Connection Engine

http://hce.codeplex.com/

• SOA

• “Plug and Play”

• Messages represent clinical events, not data items

• EHR data federated

• Connection to existing messaging infrastructures


SharePoint 2010 as part of a Connected Health Framework

• NOT a standalone solution

• Technical barriers

• Data barriers

• Staffing barriers

Office Business Applications (Office and SharePoint) as part of healthcare information architecture


Security Architecture – SPS2010

Authorization

Authentication

Federated ID

Classic/Claims

IIS/STS

UPM

Permissions

Security Groups

Business Connectivity Services

Data Level Security

LOB Integration

Hardware

Endpoint Security

Mobile

Remote

𝑺 = (𝑷𝒙 ∗ 𝑨𝒚)


Behavioral Factors: Security Architecture – SPS2010

𝑺 = (𝑷𝒙 ∗ 𝑨𝒚)

• #hcsm

• User population challenges

– healthcare/providers

– business associates

• “Prurient interest”


• https://www.nothingbutsharepoint.com/sites/eusp/Pages/sharepoint-data-security-and-privacy-information-why-should-it-matter-to-you.aspx

Why data security and privacy should matter to your SharePoint Administrator…

Unfortunately, security and governance are absent in many cases

Jay Simcox: Proactive vs. reactive approach


Security Planning and SharePoint 2010

• Encryption

• Data at rest/data in motion

• Perimeter topologies

• Segmentation and compartmentalization of PHI/PII (logical and physical)

• Wireless (RFID/Bluetooth)

• Business Continuity

• Backup and Recovery


Security Planning and SharePoint 2010

• Plan permission levels and groups (least privileges) – providers and business associates

• Plan site permissions

• Fine-grained permissions (item-level)

• Security groups (custom)

• Contribute permissions


Additional Security Planning Considerations (SharePoint 2010)

• Content types (PHI/PII)

• ECM/OCR

• Business Connectivity Services and Visio Services (external data sources)

– Excel, lists, SQL, custom data providers

– Integrated Windows with constrained Kerberos

• Metadata and tagging (PHI/PII)

• Blogs and wikis (PHI)


SharePoint 2010: Identity and Access Management in Healthcare

• SharePoint as enabler for healthcare:

– Access tracking and audits

– Access controls

• Recommend: third party tools (ControlPoint, AvePoint, etc.)

• Recommend: IAM Solutions

– Mobility

– Workstations/Proximity


Best Practices - Prevention

• Involve HIPAA specialists early in the planning process. (This is NOT an IT problem)

• Consider removing PHI from the equation. (Compartmentalization and segregation)

• Evaluate the outsourcing option. (Example: FPWeb)

• Look to experts to help with existing implementations. (Domain expertise in healthcare and clinical workflow as well as HIPAA/HITECH privacy and security)

• Use connected health framework reference model and other HC specific applications (Dynamics CRM for Patient Relationship Management/Case Management, HealthVault, Amalga, IAM)


Adapting the Joint Commission Continuous Process Improvement Model…

• Plan: Technical, Physical, Administrative Safeguards

• Document: Joint Commission, Policies, Procedures, IT Governance

• Train: Clinical, Administrative and Business Associates

• Track: Training, Compliance, Incidents, Access… everything

• Review: Flexibility, Agility, Architect for Change


Case Studies

• SharePoint 2007 Upgrade – Behavioral Health

• SharePoint 2010 and Clinical Trial Data – Research (Biotech and Pharma)

• Patient Relationship Management (Consumer Engagement) – SharePoint 2010 and CRM


Questions?
