3. Objectives
• ARRA/HITECH: INFOSEC and
connected health information
• Reference models: security, enterprise
architecture and compliance for
healthcare
• Overview of privacy and security in
SharePoint Server 2010
5. Privacy
• Data (opt in/out)
• PHI
• PII
“Black Swans”
• Consumer
Engagement
• Business
Associates
6. ������ ������
������ = (������ ∗ ������ )
Information Security (Collaborative Model)
Equals
People (all actors and agents)
Times
Architecture (technical, physical and
administrative)
7. From HIPAA to HITECH…
• Health Insurance Portability and
Accountability Act of 1996 (HIPAA) (Pub L
104–191, 110 Stat 1936)
• The Health Information Technology for
Economic and Clinical Health Act (HITECH
Act), enacted on February 17, 2009
• American Recovery and Reinvestment Act
of 2009 (ARRA) (Pub L 111-5, 123 Stat 115)
8. ������ ������
������ = (������ ∗ ������ ) do the HITECH math…
Application of HIPAA Security
Standards to Business
“Business Associates”: Associates
• Legal 42 USC §17931
• Accounting
• Administrative New Security Breach
• Claims Processing Requirements
• Data Analysis 42 USC §17932(j)
• QA
• Billing Electronic Access Mandatory for
45 CFR §160.103 Patients 42 USC 17935(e)
Consumer Engagement Prohibited Sale of PHI without
Patient Authorization 42 USC
§17935(d)
9. ONC (Office of the
National Coordinator for
Healthcare IT)
• Health Information
Exchange (HIE)
• Accountable Care
Organizations (ACO)
• “Meaningful Use”
• Interoperability
• Service Oriented
Architecture (SOA)
Models for Healthcare
Information Technology
• Certification (ANSI) June
2011
• Conformance Testing
(NIST)
11. Electronic Healthcare = Complexity
Increases Opportunity for “Black Swans” (Security and Privacy
Risk)
12. SOA “Hub” Model reduces complexity and variability while maintaining
collaboration and interoperability
13. Codeplex: Health Connection
Engine
http://hce.codeplex.com/
• SOA
• “Plug and Play”
• Message represent clinical events, not data
items
• EHR data federated
• Connection to existing messaging
infrastructures
14. SharePoint 2010 as part of a
Connected Health Framework
• NOT a standalone solution
• Technical barriers
• Data barriers
• Staffing barriers
Office Business Applications (Office and
SharePoint) as part of healthcare
information architecture
15. Security Architecture – SPS2010
UPM
Hardware
Authorization
Services
Business Connectivity
Authentication Permissions Data Level Endpoint
Federated ID Security Security Security
Classic/Claims Groups LOB Integration Mobile
IIS/STS Remote
������ ������
������ = (������ ∗ ������ )
17. Why data security and privacy should matter to
your SharePoint Administrator…
Unfortunately, security and governance are absent
in many cases
Jay Simcox: Proactive vs. reactive approach
• https://www.nothingbutsharepoint.com/sites/eusp/Pages/sharepoint-data-
security-and-privacy-information-why-should-it-matter-to-you.aspx
18. Security Planning and SharePoint 2010
• Encryption
• Data at rest/data in motion
• Perimeter topologies
• Segmentation and compartmentalization
of PHI/PII (logical and physical)
• Wireless (RFID/Bluetooth)
• Business Continuity
• Backup and Recovery
19. Security Planning and SharePoint 2010
• Plan permission levels and groups (least
privileges) – providers and business
associates
• Plan site permissions
• Fine-grained permissions (item-level)
• Security groups (custom)
• Contribute permissions
20. Additional Security Planning
Considerations (SharePoint 2010)
• Content types (PHI/PII)
• ECM/OCR
• Business Connectivity Services and Visio Services
(external data sources)
– Excel, lists, SQL, custom data providers
– Integrated Windows with constrained
Kerberos
• Metadata and tagging (PHI/PII)
• Blogs and wikis (PHI)
21. SharePoint 2010: Identity and Access
Management in Healthcare
• SharePoint as enabler for healthcare:
– Access tracking and audits
– Access controls
• Recommend: third party tools (ControlPoint, AvePoint,
etc.)
• Recommend: IAM Solutions
– Mobility
– Workstations/Proximity
22. Best Practices - Prevention
• Involve HIPAA specialists early in the planning process.
(This is NOT an IT problem)
• Consider removing PHI from the equation.
(Compartmentalization and segregation)
• Evaluate the outsourcing option. (Example: FPWeb)
• Look to experts to help with existing implementations.
(Domain expertise in healthcare and clinical workflow as
well as HIPAA/HITECH privacy and security)
• Use connected health framework reference model and
other HC specific applications (Dynamics CRM for Patient
Relationship Management/Case Management,
HealthVault, Amalga, IAM)
23. Adapting the Joint Commission
Continuous Process Improvement Model…
Plan
• Technical, Physical, Administrative Safeguards
Document
• Joint Commission, Policies, Procedures, IT Governance
Train
• Clinical, Administrative and Business Associates
Track
• Training, Compliance, Incidents, Access…. everything
Review
• Flexibility, Agility, Architect for Change
24. Case Studies
• SharePoint 2007 Upgrade – Behavioral
Health
• SharePoint 2010 and Clinical Trial Data
– Research (Biotech and Pharma)
• Patient Relationship Management
(Consumer Engagement) – SharePoint
2010 and CRM