Securing Microsoft Technologies for
HITECH Compliance: Update 2/13/2012
Marie-Michelle Strah, PhD
SharePoint Saturday Philadelphia 2/4/2012
Introductions
http://ideas.appliedis.com
http://lifeincapslock.com
Objectives
Introduction: Why Microsoft Business Solutions
for healthcare?
• Context: ARRA/HITECH: INFOSEC and connected health information
• Reference models: security, enterprise architecture and compliance for healthcare
• Best Practices: privacy and security in Microsoft SharePoint Server 2010, Microsoft Dynamics CRM and Office365
Panel: Q&A
What keeps a CMIO up at night?
Excerpted from John D. Halamka, MD, Life as a Healthcare CIO Blog…
• Unstructured data
• Compliance
• Security
• Workforce recruitment
http://geekdoctor.blogspot.com/2011/10/what-keeps-me-up-at-night-fy12-edition.html
Planning for Security and the “Black Swan”
2012 = Year of Privacy and ECM
Privacy
• Data (opt in/out)
• PHI
• PII
“Black Swans”
• Consumer Engagement
• Business Associates
Enterprise Security Model
Information Security = People × Architecture (Collaborative Model)
• People: all actors and agents
• Architecture: technical, physical and administrative
2012: From HIPAA to HITECH and “Meaningful Use”




• Health Insurance Portability and Accountability
  Act of 1996 (HIPAA) (Pub L 104–191, 110 Stat
  1936)
• The Health Information Technology for
  Economic and Clinical Health Act (HITECH Act),
  enacted on February 17, 2009
• American Recovery and Reinvestment Act of
  2009 (ARRA) (Pub L 111-5, 123 Stat 115)
Complexity: RM, ECM and eDiscovery
Information Security = People × Architecture: do the HITECH math…

“Business Associates” (45 CFR §160.103):
• Legal
• Accounting
• Administrative
• Claims Processing
• Data Analysis
• QA
• Billing
Consumer Engagement

Statutory provisions:
• Application of HIPAA Security Standards to Business Associates: 42 USC §17931
• New Security Breach Requirements: 42 USC §17932(j)
• Electronic Access Mandatory for Patients: 42 USC §17935(e)
• Prohibited Sale of PHI without Patient Authorization: 42 USC §17935(d)
You Don’t Believe Me?: In the News

Recent Cryptzone Survey, Gothenburg, 19 January 2012
Survey finds almost half of SharePoint users disregard the security within SharePoint, and copy sensitive or confidential documents to insecure hard drives, USB keys or even email them to a third party.
Read more: SharePoint Users Develop Insecure Habits - FierceContentManagement

Healthcare IT News, Sacramento, 23 November 2011
The theft of a computer during a break-in in October has spurred a $1B class action lawsuit against Sutter Health, according to a report published today by the Sacramento Bee. The computer contained data on more than 4 million patients.
See also: Room for improvement on security, HIMSS survey shows
Complexity = Higher Risks and Costs
SOA: Service-Oriented Architecture
“Hub” Model reduces complexity and variability while maintaining collaboration and interoperability
Challenge: connect, collaborate and compartmentalize




Microsoft Connected Health Framework Business
and Technical Framework (Joint Architecture)
http://hce.codeplex.com/
Microsoft Business Solutions as part of a Connected Health Framework
(Diagram linking the platforms below with Clinical Workflow, EHR Integration, Intake Forms, Unstructured Data, R&D and BPM)
• Patient Encounters
• CPG
• HIPAA Direct Identifiers
• EEOI
• ePHI
• SharePoint 2010
• Dynamics CRM
• Office365
Microsoft Business Solutions as part of a Connected Health Framework

Current example: multi-site resident treatment facility
- Provider emails (nurse/contract doctors)
- Word documents (patient notes) on file servers - unsecured
- PDFs (scanned records/PHI) on file servers - unsecured
  - no encryption
  - no search
  - no IAM beyond Windows authentication
- 2011 EHR adoption

Current example 2: ePHI data with SSN being exported as whatever file type
- No control over what file type
- No way to force encryption
- No way to force a file save location (sharephi_encrypted_folder)
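A scan of the kind the second example calls for, added here as an illustration rather than code from the deck: it flags SSNs in exported files, tags them ePHI, and quarantines any that land outside the deck's sharephi_encrypted_folder or are not encrypted there. The SSN structural rules, the sample file inventory and the encrypted-at-rest flag are assumptions.

```python
import re
from dataclasses import dataclass

# Save location named in the deck's second example; everything else here is constructed.
ENCRYPTED_FOLDER = "sharephi_encrypted_folder"
# Dashed US SSN form; the structural rules below reject values the SSA never issues.
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")

def is_plausible_ssn(area: str, group: str, serial: str) -> bool:
    """Area 000, 666 or 900-999, group 00 and serial 0000 are never issued;
    rejecting them cuts false positives from invoice and reference numbers."""
    a, g, s = int(area), int(group), int(serial)
    if a == 0 or a == 666 or a >= 900:
        return False
    return g != 0 and s != 0

def find_ssns(text: str) -> list[str]:
    return [m.group(0) for m in SSN_RE.finditer(text)
            if is_plausible_ssn(*m.groups())]

@dataclass
class Finding:
    path: str
    ssn_count: int
    tag: str     # "ePHI" or "none"
    action: str  # "allow" or "quarantine"

def classify_export(path: str, content: str, encrypted: bool) -> Finding:
    """Scan one exported file. `encrypted` is an assumed caller-supplied flag
    meaning the file is encrypted at rest. Files carrying SSNs are tagged ePHI
    and quarantined unless they sit encrypted inside the approved folder."""
    ssns = find_ssns(content)
    if not ssns:
        return Finding(path, 0, "none", "allow")
    folders = path.replace("\\", "/").split("/")[:-1]
    if ENCRYPTED_FOLDER in folders and encrypted:
        return Finding(path, len(ssns), "ePHI", "allow")
    return Finding(path, len(ssns), "ePHI", "quarantine")

def scan_exports(exports) -> list[Finding]:
    """exports: iterable of (path, content, encrypted_at_rest) tuples."""
    return [classify_export(p, c, e) for p, c, e in exports]

# Constructed sample export set: (path, content, encrypted-at-rest flag).
SAMPLE_EXPORTS = [
    ("exports/patient_list.csv", "Doe,Jane,123-45-6789\nRoe,Rick,212-34-5678\n", False),
    ("sharephi_encrypted_folder/weekly.xlsx", "Doe,Jane,123-45-6789\n", True),
    ("sharephi_encrypted_folder/plain.csv", "Roe,Rick,212-34-5678\n", False),
    ("exports/invoice.txt", "ref 000-12-3456 total 12.00", False),
    ("exports/memo.txt", "Staff meeting at 10am", False),
]
```

Run `scan_exports(SAMPLE_EXPORTS)` to see the two quarantine decisions: the unencrypted export outside the folder and the unencrypted file inside it.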
Enterprise Security Planning


• PRIVACY IMPACT ASSESSMENT
   • 18 direct identifiers (HIPAA)
   • “content shielding”
   • Data architecture
• Encryption of data at rest/data in motion
• 2 factor authentication
• Perimeter topologies
• Segmentation and compartmentalization of PHI/PII
  (logical and physical)
• Wireless (RFID/Bluetooth)
• Business Continuity
• Backup and Recovery
• Mobile Device Management/BYOD World
Security Architecture – SPS2010
(Diagram: SharePoint 2010 security layers, labelled Authorization, Business Connectivity Services and Hardware)
• Authentication: Federated ID, Classic/Claims, IIS/STS
• UPM and Permissions: Security Groups
• Data Level Security: LOB Integration
• Endpoint Security: Mobile, Remote
Information Security = People × Architecture
Behavioral Factors: Security Architecture
• #hcsm
• User population challenges
  • clinicians
  • business associates
  • domain knowledge
• “Prurient interest”
• Mobile technologies
Information Security = People × Architecture
“Can’t Do it Alone:” Security Ecosystem
(Diagram: the security ecosystem around SP2010, native vs. ISV, on premise vs. cloud)
• SP2010 Native: 20%
• ISV: Governance, UPM/IAM: 60%
• ISV: Network, Data at Rest: 100%
• On Premise vs. Cloud (12/14/2011): Office365 HIPAA/EU compliance, BAA
Sample: Security Planning Checklist
• Content types (PHI/PII)
• ECM/OCR
• Digital Rights Management (DRM)
• Business Connectivity Services and Visio Services (external data sources)
• Excel, lists, SQL, custom data providers
• Integrated Windows with constrained Kerberos
• Metadata and tagging (PHI/PII)
• Blogs and wikis (PHI)
• Plan permission levels and groups (least privileges) – providers and business associates
• Plan site permissions
• Fine-grained permissions (item-level)
• Security groups (custom)
• Contribute permissions
Best Practices: Preventative Model


• Involve HIPAA specialists early in the planning
  process. (This is NOT an IT problem)
• Privacy Impact Assessment: PHI, ePHI, PII
  (Compartmentalization and segregation)
• Trust, but verify
• Look to experts to help with existing
  implementations. (Domain expertise in
  healthcare and clinical workflow as well as
  HIPAA/HITECH privacy and security)
• Use connected health framework reference
  model
• Governance, governance, governance
Governance: Adapting the Joint Commission Continuous Process Improvement Model
Plan
• Technical, Physical, Administrative Safeguards
Document
• Joint Commission, Policies, Procedures, IT Governance
Train
• Clinical, Administrative and Business Associates
Track
• Training, Compliance, Incidents, Access… everything
Review
• Flexibility, Agility, Architect for Change
Securing Microsoft Technologies for HITECH Compliance
• Unstructured Data
   – Scan
   – Quarantine PII
   – Tag

• Compliance and Reporting
   – Enhance control of all ePHI and PII
   – In line with HIPAA and HITECH Act regulation



     © 2011 AvePoint, Inc. All rights reserved. No part of this may be reproduced, stored in a retrieval system, or transmitted in any form or by any means,
                                                        without the prior written consent of AvePoint, Inc.
• Security
   – Easily set Rules and Permissions in bulk
   – Run scheduled reports on all SharePoint Activity
   – Safely archive inactive data for compliance

• Workflow Management
   – Rearrange taxonomy to meet evolving business needs
   – Full fidelity backup and restoration of data
   – Improved performance, environment monitoring

Thank You! For more information…
http://ideas.appliedis.com
http://lifeincapslock.com
