HIPAA and HITECH Compliance for SharePoint - Cipherpoint Software

HIPAA and HITECH
Compliance for
SharePoint

Problem Overview
The United States Congress passed the Health Insurance Portability and
Accountability Act (HIPAA) into law in 1996. Most people in the security industry
remember the inclusion of the HIPAA Privacy rule in 2000, and the Security Rule
a few years later. HIPAA did result in consumers having more authority over their
information and improved security conditions as they were. Over the years,
however, HIPAA has lacked any real enforcement, and has been considered by
many to be “toothless” when it comes to incenting healthcare providers and
other covered entities to implement the programs required to maintain privacy of
patient data.
Several recent developments have changed this, and given HIPAA its “teeth.”
These changes include the Health Information Technology for Economic and
Clinical Health (HITECH) Act of 2009, and a more rigorous enforcement posture
from the Department of Health and Human Services (DHHS) and Centers for
Medicaid and Medicare Services (CMS). HITECH in particular brought a breach
notification requirement which requires healthcare organizations to inform the
public when protected healthcare information is lost or stolen. It also expanded
the definition of organizations that must comply with the provisions of HIPAA to
include business associates such as service providers. The more aggressive
enforcement posture of DHHS and CMS have resulted in many public breach
notifications and in several recent fines levied on large organizations.
The healthcare industry has taken notice of these more stringent requirements,
stiffer penalties, and the public breach disclosure. Security projects to address
HIPAA requirements are getting more attention and funding in many healthcare
organizations, and the use of data encryption to comply with the regulations and
provide safe harbor in the event of a breach is a top initiative.
Overview of HIPAA and HITECH
The HIPAA and HITECH Acts together include specific guidance on privacy,
information security, and breach notification. A summary of the HIPAA and
HITECH provisions that relate to the privacy and security of Protected Health
Information (PHI), and electronic PHI (ePHI) is as follows:
• Privacy Rule: The Privacy Rule in HIPAA specifies requirements for the
appropriate use, disclosure of, and access to Protected Health
Information (PHI) and electronic protected healthcare information.
• Security Rule: The Security Rule specifies the administrative, physical,
and technical controls required to protect ePHI. Note, it does not require
the use of encryption but recommends it where appropriate.
CipherPoint Software | www.cipherpoint.com | 888.657.5355 | 4600 S. Syracuse, 9 th Floor, Denver, CO 80237
2

• Administrative Safeguards – these include requirements to perform
risk assessments, to manage risk, requirements to develop and
review information system activity reports, to manage information
access, to implement security incident response and reporting, and
to implement a security program and train the staff.
• Technical Safeguards – these include common technical security
controls such as user authentication, authorization, access control,
encryption, data integrity, and audit logging. HIPAA describes the use
of encryption as an addressable versus a mandatory requirement for
both data at rest and for data in transmission. Making encryption an
addressable requirement means that organizations can choose to
implement alternate approaches, so long as they afford a similar level
of protection. Because of the new breach notification requirement
described below, organizations increasingly prefer encryption versus
alternative approaches.
• Physical Safeguards – these include controls related to physical
access to information and systems including workstation access
controls, device and media controls, and facility access control. These
controls address physical loss or theft of ePHI from workstations and
removable media.
HITECH Breach Notification Rule: The HITECH breach notification rule requires
that covered entities must promptly notify the affected individuals in the event of
a breach of ePHI. An important aspect of this rule, however, is that it specifies
that the use of encryption can provide safe harbor against breach notification.
See below (emphasis added).
“Entities subject to the HHS and FTC regulations that secure health information
as specified by the guidance through encryption or destruction are relieved from
having to notify in the event of a breach of such information.”i
The guidance from Health and Human Services on implementing encryption
references NIST 800-111 from the National Institute of Standards and
Technology (NIST). That publication includes several recommendations for
encryption and key management. To reduce their guidance to a few bullet
points:
• Give careful thought and planning to encryption key management as it
pertains to operationalizing the generation, use, distribution, storage,
retrieval, rotation, and destruction of encryption keys.
• Secure the access to and storage of the keys.
CipherPoint Software | www.cipherpoint.com | 888.657.5355 | 4600 S. Syracuse, 9 th Floor, Denver, CO 80237
3

• Government organizations must use FIPS approved algorithms and
validated modules.
• Use AES encryption whenever possible
SharePoint and the Healthcare Industry
Sensitive healthcare data stored in SharePoint is concern. Effectively addressing
the issue requires a mix of strong data governance, access control, and content
encryption. SharePoint use in healthcare is growing. A study from 2009 by
InfoTech Research Group found that 40% of organizations were planning
SharePoint implementations. This figure has undoubtedly grown in the past two
years. The ease of use afforded by SharePoint sites makes it extremely easy to
store sensitive information, including ePHI, in SharePoint repositories.
The downside risk of getting security wrong is increasing as well. Figures from
the most recent Ponemon Data Breach study (2011) put the cost of recovering
from data breaches at $268 per record lost, up 22% from the prior year. For
organizations experiencing data breaches involving large numbers of individuals,
the cost adds up fast. The same study found that the average total cost per
organization was $7.2 million. The healthcare industry is not immune to these
developments, and in fact some of the largest publicly disclosed data breaches
in 2010 and early 2011 were from healthcare payer and provider organizations.
Some of the more egregious data breaches involved insiders (administrators and
clinicians) “taking a peek” at the healthcare information of high profile patients,
and then leaking this information to the press.
CipherPoint solution
CipherPoint software provides transparent encryption, access control, and
activity logging of sensitive content stored in SharePoint. The solution was
specifically architected to provide layered security and to keep platform,
database, and system administrators from viewing sensitive or regulated
information, including ePHI.
Control Feature Description
Authentication Authentication passthrough
CipherPointSP and CipherPointSP Enterprise do
not require their own authentication system.
Organizations continue to authenticate
SharePoint users with their existing solution.
Authorization Access Control CipherPointSP Enterprise provides the ability to
CipherPoint Software | www.cipherpoint.com | 888.657.5355 | 4600 S. Syracuse, 9 th Floor, Denver, CO 80237
4

Policies
enforce an additional layer of access control to
the protected SharePoint lists and libraries. This
capability ensures IT staff cannot maliciously or
mistakenly modify permissions.
Audit Logging Activity Logging The CipherPointKM software includes a central
log database of permitted and denied access
requests to protected information, certain security
configuration changes of your SharePoint
site/farm, and administrative activity on the
CipherPointKM.
AES Encryption Transparent Content
Encryption
The CipherPoint solution uses standard AES
encryption with 256 bit key lengths.
Key Management
FIPS 140-2
Algorithms and
modules
Automated key
management
CipherPointKM uses Key Management policies to
allow organization to easily translate their
compliance requirements into an automated key
management process. Based on these reusable
policies, the CipherPointKM software will manage
the creation, rotation, expiration, distribution, and
storage of cryptographic keys without any
ongoing manual intervention.
The CipherPointKM software uses FIPS 140-2
validated algorithms, random number sources,
and cryptographic modules.
Conclusion
Encryption is an approved method to secure ePHI and relieve an organization
from having to disclose a breach. The use of data at rest encryption is one
important layer in an overall defense in depth security and compliance program.
When it comes to using SharePoint to store and manage ePHI, the CipherPoint
solution delivers the controls healthcare organizations need to secure their
sensitive information, and to meet their compliance requirements. CipherPoint’s
solution for healthcare organizations helps them to meet access control, system
activity reporting, transparent encryption, and automated key management
HIPAA and HITECH requirements, in a single, easy to deploy solution that is
centrally managed and transparent to end-users.
About CipherPoint Software, Inc.
CipherPoint secures sensitive and regulated content in web-based application
environments including cloud, SaaS, and premise-based collaboration platforms
such as Microsoft SharePoint. Headquartered in Denver, Colorado, CipherPoint
was founded by IT security experts with deep experience in building successful
security technology companies. CipherPoint is committed to helping our
CipherPoint Software | www.cipherpoint.com | 888.657.5355 | 4600 S. Syracuse, 9 th Floor, Denver, CO 80237
5

customers meet their security objectives, to building value for our shareholders,
to fostering a stimulating work environment for employees, and to improving our
community through volunteering.
CipherPoint's web tier transparent data encryption technology secures content
and data from the web tier, affording the highest level of threat protection to
sensitive and regulated content. CipherPoint's initial products secure
information in Microsoft SharePoint, which is the market leader in content
management and collaboration. CipherPoint builds and delivers security
technology that is easy to deploy and manage, secure, and scalable to meet the
needs of large enterprises. Threats to sensitive information come from outside
attackers, and from insiders including rogue employees and IT administrators. In
addition, an increasing number of compliance regulations are requiring
encryption for regulated data. Security control strategies are rapidly shifting
away from reliance on perimeter security devices, towards protection of data at
the application layer. With the increased use of collaboration platforms as
repositories for sensitive and regulated data, and with the dramatic growth in
unstructured data in the enterprise, organizations urgently require advanced
content security solutions that secure information from the web-tier.
Copyright 2012, all rights reserved. CipherPoint® is a registered trademark of CipherPoint Software, Inc.. CipherPointSP, CipherPointSP Standard,
CipherPointSP Enterprise, CipherPointKM, CipherPointCS, and the stylized CipherPoint logo are trademarks of CipherPoint Software, Inc. SharePoint is a
trademark of Microsoft.
Doc. ID: CPWP003
i http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/breachnotificationifr.html
CipherPoint Software | www.cipherpoint.com | 888.657.5355 | 4600 S. Syracuse, 9 th Floor, Denver, CO 80237
6