Securing Microsoft Technologies for HITECH Compliance
- 2. Introductions
http://ideas.appliedis.com
http://lifeincapslock.com
- 3. Objectives
Introduction: Why Microsoft Business Solutions for healthcare?
• Context: ARRA/HITECH: INFOSEC and connected health information
• Reference models: security, enterprise architecture and compliance for healthcare
• Best Practices: privacy and security in Microsoft SharePoint Server 2010, Microsoft Dynamics CRM and Office365
Panel: Q&A
- 4. What keeps a CMIO up at night?
Excerpted from John D. Halamka, MD, Life as a Healthcare CIO Blog…
• Unstructured data
• Compliance
• Security
• Workforce recruitment
http://geekdoctor.blogspot.com/2011/10/what-keeps-me-up-at-night-fy12-edition.html
- 6. 2012 = Year of Privacy and ECM
Privacy
• Data (opt in/out)
• PHI
• PII
“Black Swans”
• Consumer Engagement
• Business Associates
- 7. Enterprise Security Model
Security = (People × Architecture)
Information Security (Collaborative Model)
Equals
People (all actors and agents)
Times
Architecture (technical, physical and administrative)
- 8. 2012: From HIPAA to HITECH and “Meaningful Use”
• Health Insurance Portability and Accountability Act of 1996 (HIPAA) (Pub L 104–191, 110 Stat 1936)
• The Health Information Technology for Economic and Clinical Health Act (HITECH Act), enacted on February 17, 2009
• American Recovery and Reinvestment Act of 2009 (ARRA) (Pub L 111-5, 123 Stat 115)
- 9. Complexity: RM, ECM and eDiscovery
Security = (People × Architecture) … do the HITECH math…
Application of HIPAA Security Standards to Business Associates
“Business Associates”: 42 USC §17931; 45 CFR §160.103
• Legal
• Accounting
• Administrative
• Claims Processing
• Data Analysis
• QA
• Billing
New Security Breach Requirements: 42 USC §17932(j)
Electronic Access Mandatory for Patients: 42 USC §17935(e)
Prohibited Sale of PHI without Patient Authorization: 42 USC §17935(d)
Consumer Engagement
- 10. You Don’t Believe Me?: In the News
Recent Cryptzone Survey, Gothenburg, 19 January 2012: Survey finds almost half of SharePoint users disregard the security within SharePoint, and copy sensitive or confidential documents to insecure hard drives, USB keys or even email it to a third party.
Read more: SharePoint Users Develop Insecure Habits - FierceContentManagement
Healthcare IT News, Sacramento, 23 November 2011: The theft of a computer during a break-in in October has spurred a $1B class action lawsuit against Sutter Health, according to a report published today by the Sacramento Bee. The computer contained data on more than 4 million patients.
See also: Room for improvement on security, HIMSS survey shows
- 13. Challenge: connect, collaborate and compartmentalize
Microsoft Connected Health Framework Business and Technical Framework (Joint Architecture)
http://hce.codeplex.com/
- 14. Microsoft Business Solutions as part of a Connected Health Framework
Framework diagram (text recovered from the slide):
• Patient Encounters
• CPG
• HIPAA Direct Identifiers
• EEOI
• ePHI
Clinical Workflow, EHR Integration, Intake Forms, Unstructured Data, R&D, BPM
• SharePoint 2010
• Dynamics CRM
• Office365
- 15. Microsoft Business Solutions as part of a Connected Health Framework
Current example: multi-site resident treatment facility
- Provider emails (nurse/contract doctors)
- Word documents (patient notes) on file servers, unsecured
- PDFs (scanned records/PHI) on file servers, unsecured
- No encryption
- No search
- No IAM beyond Windows authentication
- 2011 EHR adoption
Current example 2: ePHI data with SSN being exported as whatever file type
- No control over what file type
- No way to force encryption
- No way to force a file save location (sharephi_encrypted_folder)
- 16. Enterprise Security Planning
• Privacy Impact Assessment
• 18 direct identifiers (HIPAA)
• “content shielding”
• Data architecture
• Encryption of data at rest/data in motion
• 2-factor authentication
• Perimeter topologies
• Segmentation and compartmentalization of PHI/PII (logical and physical)
• Wireless (RFID/Bluetooth)
• Business Continuity
• Backup and Recovery
• Mobile Device Management/BYOD World
- 17. Security Architecture – SPS2010
Architecture diagram (text recovered from the slide):
Business Connectivity Services; Authorization; Hardware; UPM
Authentication: Federated ID, Classic/Claims, IIS/STS
Permissions: Security Groups
Data Level Security: LOB Integration
Endpoint Security: Mobile, Remote
Security = (People × Architecture)
- 18. Behavioral Factors: Security Architecture
• #hcsm
• User population challenges
• clinicians
• business associates
• domain knowledge
• “Prurient interest”
• Mobile technologies
Security = (People × Architecture)
- 19. “Can’t Do it Alone:” Security Ecosystem
Ecosystem diagram (text recovered from the slide):
SP2010 On Premise:
• Native (20%), ISV (60%)
• Governance, UPM/IAM
• Network, Data at Rest (100%)
Cloud (Office365, 12/14/2011):
• ISV
• HIPAA/EU compliance
• BAA
- 20. Sample: Security Planning Checklist
• Content types (PHI/PII)
• ECM/OCR
• Digital Rights Management (DRM)
• Business Connectivity Services and Visio Services (external data sources)
• Excel, lists, SQL, custom data providers
• Integrated Windows with constrained Kerberos
• Metadata and tagging (PHI/PII)
• Blogs and wikis (PHI)
• Plan permission levels and groups (least privileges) – providers and business associates
• Plan site permissions
• Fine-grained permissions (item-level)
• Security groups (custom)
• Contribute permissions
- 21. Best Practices: Preventative Model
• Involve HIPAA specialists early in the planning process. (This is NOT an IT problem)
• Privacy Impact Assessment: PHI, ePHI, PII (Compartmentalization and segregation)
• Trust, but verify
• Look to experts to help with existing implementations. (Domain expertise in healthcare and clinical workflow as well as HIPAA/HITECH privacy and security)
• Use connected health framework reference model
• Governance, governance, governance
- 22. Governance: Adapting the Joint Commission Continuous Process Improvement Model
Plan
• Technical, Physical, Administrative Safeguards
Document
• Joint Commission, Policies, Procedures, IT Governance
Train
• Clinical, Administrative and Business Associates
Track
• Training, Compliance, Incidents, Access… everything
Review
• Flexibility, Agility, Architect for Change
- 24. • Unstructured Data
– Scan
– Quarantine PII
– Tag
• Compliance and Reporting
– Enhance control of all ePHI and PII
– In line with HIPAA and HITECH Act regulation
© 2011 AvePoint, Inc. All rights reserved. No part of this may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, without the prior written consent of AvePoint, Inc.
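The scan / quarantine PII / tag step above, applied to the slide 15 case of ePHI with SSNs being exported as arbitrary file types outside the encrypted folder, as an added Python example (not the deck's or AvePoint's code). The quarantine folder name, the SSN pattern rules and the sample files are assumptions constructed for the demo; the encrypted folder name is the one the deck gives.

```python
import re
import shutil
import tempfile
from pathlib import Path

# SSN shape with structurally invalid ranges excluded (area 000/666/9xx, group 00,
# serial 0000) to cut false positives; an assumed rule, not the deck's.
SSN_RE = re.compile(r"\b(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
ENCRYPTED_FOLDER = "sharephi_encrypted_folder"  # save location named on slide 15
QUARANTINE_FOLDER = "phi_quarantine"            # assumed name


def find_ssns(text: str) -> list:
    """Return the distinct SSN-shaped strings in text, in first-seen order."""
    return list(dict.fromkeys(SSN_RE.findall(text)))


def tag_file(path: Path, export_root: Path) -> dict:
    """Tag one exported file, whatever its type: does it hold SSNs, and is it
    inside the encrypted folder? Policy acts on the combination."""
    hits = find_ssns(path.read_text(encoding="utf-8", errors="ignore"))
    in_encrypted = ENCRYPTED_FOLDER in path.relative_to(export_root).parts
    return {"file": str(path), "ssn_count": len(hits),
            "classification": "ePHI" if hits else "none",
            "in_encrypted_folder": in_encrypted,
            "quarantine": bool(hits) and not in_encrypted}


def scan_exports(export_root: Path) -> list:
    """Walk the export tree, tag every file, and move ePHI found outside the
    encrypted folder into quarantine so it is not left unprotected."""
    quarantine = export_root / QUARANTINE_FOLDER
    records = []
    for path in sorted(export_root.rglob("*")):
        if not path.is_file() or quarantine in path.parents:
            continue
        rec = tag_file(path, export_root)
        if rec["quarantine"]:
            quarantine.mkdir(exist_ok=True)
            shutil.move(str(path), str(quarantine / path.name))
            rec["moved_to"] = str(quarantine / path.name)
        records.append(rec)
    return records


def run_demo() -> list:
    """Scan a constructed sample export tree built in a temp dir."""
    root = Path(tempfile.mkdtemp(prefix="phi_export_"))
    (root / "notes.txt").write_text("Pt J. Doe SSN 123-45-6789 adm 2011-10-03")
    (root / "claims.csv").write_text("claim,amount\n77,120.00\n")
    (root / ENCRYPTED_FOLDER).mkdir()
    (root / ENCRYPTED_FOLDER / "intake.csv").write_text("id,ssn\n1,234-56-7890\n")
    return scan_exports(root)
```

The tag records are what a compliance report would consume: a file is quarantined only when it both carries an SSN and sits outside the encrypted folder, so the same scan covers the "no way to force a save location" gap without touching files already in the right place.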
- 25. • Security
– Easily set Rules and Permissions in bulk
– Run scheduled reports on all SharePoint Activity
– Safely archive inactive data for compliance
• Workflow Management
– Rearrange taxonomy to meet evolving business needs
– Full fidelity backup and restoration of data
– Improved performance, environment monitoring
- 26. References
• AIS Case Study on Records Management and Compliance (SP2007): http://www.appliedis.com/pdfs/Military%20Grade%20Compliance%20for%20SharePoint%20WP.pdf
• Good Data Means Good Government: http://gcn.com/Articles/2012/02/06/Good-metadata-and-good-government.aspx?Page=2
• 2012 Healthcare Data Trends: http://databreachinsurancequote.com/wp-content/uploads/2012/01/2012_trends_healthcare_data.pdf
- 27. Thank You! For more information…
http://ideas.appliedis.com
http://lifeincapslock.com