Finding and Securing ephi in SharePoint and SharePoint Online

Transcription

1 Finding and Securing ephi in SharePoint and SharePoint Online

2 Executive Summary The healthcare industry and related verticals such as insurance are under pressure to share information and collaborate in an effort to reduce the costs of medical care. Arguably Microsoft SharePoint (either on-premises or in the Cloud) is the market leader for collaboration among teams both inside and outside an organization. The obvious challenge, however, is to properly secure SharePoint and other file sharing and collaboration environments for use cases that involve electronic Protected Healthcare Information (ephi) and other regulated or sensitive data. CipherPoint Software offers products to find, encrypt, control access, and log access to ephi in file sharing and collaboration platforms, both on Premises and in Cloud environments. The purpose of this document is to demonstrate how an organization can use CipherPoint s products to identify locations that contain ephi, secure those locations exactly according to the HIPAA, HITECH, and NIST guidance, and then be able to quickly respond to an incident and report any permitted or denied access to an individual s ephi. CipherPoint s approach not only reduces the Total Cost of Ownership associated with security solutions but also reduces the costs and time it takes to respond to security incidents.

3 Finding ephi in SharePoint and Office 365 Finding ephi in any repository is an extremely complicated effort, especially with file repositories such as SharePoint. Correlating words contained within a document to find the right combinations of the 18 HIPAA identifiers will always require technology and human intervention. A few ways to reduce the effort required to find ephi include: Interview employees to identify how they are using the collaboration application. What business functions and information are they likely to store in SharePoint? Use CipherPoint Eclipse for Healthcare to scan your SharePoint Document Libraries and Lists for HIPAA identifiers. Once you have confirmed whether or not ephi resides in SharePoint, you can decide if there is a business need for that information to be in the platform. Securing ephi in SharePoint and Office 365 SharePoint provides native access controls to ensure that only certain users or groups have access to a particular collaboration site or document library. A common approach is to align the SharePoint permissions model with Active Directory group membership which is, in turn, aligned with corporate Role-Based Access Control (RBAC) policies. Once configured, organizations need to carefully audit and manage access to ephi. Permissions management is a common point of failure as permissions can be changed by multiple users and at different levels of granularity (e.g. Site, Library, or Item). What s needed is an approach that not only secures the confidentiality of ephi but also provides evidence that the necessary security controls are in place. Further, meeting those security objectives while simultaneously enabling operational efficiencies through the adoption of SharePoint is a significant benefit for any organization trying to deploy scarce budget dollars as effectively as possible. The key security controls for ephi include:

4 A RBAC policy that clearly defines those who have a business need to access ephi Access controls that are managed and enforceable per the organization s RBAC policy Activity logging to track permitted and denied access requests to ephi and to provide non-repudiation Data at rest encryption and encryption key management in accordance with the guidelines in NIST Separation of duties among IT operations and the Information Security or Risk and Compliance departments CipherPoint Solution The CipherPoint solution is specifically architected to maintain the confidentiality of information stored in SharePoint environments and other multi-tenant file sharing and collaboration platforms. Customers can use CipherPoint s technology to: Find ephi in SharePoint Transparently encrypt it according to the NIST guidelines Control and audit access to ephi per need to know policies Report and respond to accesses to ephi The approach above allows an organization to not only demonstrate the due diligence required to avoid the fines associated with HIPAA/HITECH breaches or improper disclosures of patient information but also to quickly and cost effectively respond to a potential breach of ephi. CipherPoint s solution includes a centralized management console, which allows organizations to locate and manage the security and transparent encryption of ephi. This architecture provides true separation of duties and enforces need to know policies allowing the SharePoint administrators or third party Cloud providers to manage the platform and the Compliance team to manage security of ephi therein. The Compliance team

5 administers the security controls without requiring elevated access to SharePoint, only the authorized end-users are able to access ephi, and the CipherPoint system tracks permitted and denied requests to documents and changes made to security controls. CipherPoint s technology is transparent to end-users in order to remove any obstacles to adoption of SharePoint or Office 365. Below are a series of screen captures demonstrating the use of CipherPoint s products to find and secure ephi in SharePoint and report on all access requests for an individual s ephi. Using CipherPoint Eclipse for Healthcare to find ephi Figure 1 Example: Scanning Rules below shows an example of scanning rules to identify potential ephi stored in SharePoint. In this example, the assumption is that any SharePoint item that contains a date, ICD code, and a social security number is likely to contain ephi. Further, the SharePoint List or Document Library where that item is stored likely contains many other items containing ephi.

6 Figure 1 Example: Scanning Rules After executing the scan configuration shown in Figure 1 Example: Scanning Rules, the Eclipse Console returns a report including a summary of the number of matches for each individual rule as well as the number of matches for any particular SharePoint item (Figure 2 Example: Scan Results). At this point you can use CipherPoint Eclipse for Healthcare product to secure the ephi according to the HIPAA/HITECH regulations as well as corporate guidelines.

7 Figure 2 Example: Scan Results Using CipherPoint Eclipse for Healthcare to secure ephi CipherPoint Eclipse for Healthcare includes transparent at rest encryption, access controls, and activity logging. The software is unique in that it automatically manages encryption keys in accordance with NIST which is the standard referenced by the Health and Human Services guidance on implementing encryption. 1 A key provision of that standard, and one of the most difficult guidelines in which to comply, is refreshing the data encryption keys every two years. As you can see in Figure 3 Change Key Rotationbelow, a security administrator can easily configure the CipherPoint product to automatically generate, change, and (optionally) expire encryption keys not only to achieve compliance with HIPAA/HITECH but also to maintain compliance over time. 1

8 Figure 3 Change Key Rotation There is no need to configure auditing in the CipherPoint product; the system will automatically log all permitted and denied requests to documents containing ephi, as well as any changes to the security configuration. You may optionally apply access control lists to the locations containing ephi if the existing SharePoint permissions and the management of those permissions are not sufficient for your compliance requirements. The access control lists can contain Active Directory users and groups or whatever identities SharePoint is using, such as a custom claims provider. Reporting Access to ephi The CipherPoint solution includes a reporting capability to provide a history of not only access requests to ephi but also the security controls applied to that information. The HIPAA Object Access Report allows customers to generate a report of all permitted and

9 denied access requests to ephi during a configurable time interval. The Security Manifest Report allows customers to automatically document the security controls in place at a point in time. Together these reports allow organizations to not only document successful and denied access attempts to ephi, but also prove they have the proper security controls in place. Responding to an incident Figure 4 HIPAA Object Access Report Fortunately, an incident does not necessarily mean that there has been a breach of ephi. When a security incident occurs it is critical to not only prove that your organization was exercising due diligence in regards to securing ephi, but also to quickly confirm whether an individual s ephi was improperly disclosed. CipherPoint Eclipse for Healthcare can be used to locate all the SharePoint items that contain the ephi of a specific individual and then correlate that information with the audit records to report all access requests to that ephi. For example, the specific individual whose ephi we need to identify is Vinny Boombatz. CipherPoint Eclipse for Healthcare allows you to easily build scanning rules to search for Mr. Boombatz s first name, last name, admittance date, and the last four digits of his Social Security Number.

10 Figure 5: Scan for Specific ephi Executing the scan using the rules shown in Figure 5: Scan for Specific ephi will quickly identify the SharePoint items that contain Mr. Boombatz s ephi. The CipherPoint Eclipse Console audit logs can then be searched to report on all accesses to those items containing the ephi in question including the ability to export the results in Comma Separate Value (CSV) format. The audit logs include exactly what access requests occurred, which user made those request, the network location of that user, and whether the request resulted in access to ephi.

11 Figure 6 Reporting access to ephi Conclusion The healthcare industry has been provided with numerous incentives to collaborate in order to reduce costs but those incentives are coupled with requirements to strictly enforce security of ephi. The leader in the collaboration market is Microsoft SharePoint, and the CipherPoint suite provides organizations with a simple and cost effective solution to find, secure, and audit access to ephi in this environment. The combination of SharePoint and CipherPoint allows organizations not only to achieve the business efficiencies associated with collaboration, but also reduce the costs and risks associated with HIPAA/HITECH compliance and other patient privacy mandates. About CipherPoint Software, Inc. CipherPoint identifies, secures, and audits access to sensitive and regulated data onpremises and in cloud file sharing and collaboration systems with a single data security

12 management console. CipherPoint s solution is unique in keeping privileged IT administrators and outside attackers that target IT level access from being able to view sensitive information. CipherPoint is uniquely capable of securing data across file servers, on-premises SharePoint, Office365, SharePoint Online, and other cloud collaboration systems. CipherPoint s products are easy to deploy and manage, and scalable to meet the needs of large enterprises. A winner of the SINET 16 award as a top security company in 2012, CipherPoint is headquartered in Denver, Colorado, and was founded by IT security experts with deep experience in building successful security technology companies. Customers in healthcare, financial services, manufacturing, government, and other industries, in Europe, North America, and Asia rely on CipherPoint to protect access to sensitive and regulated information. CipherPoint is proud to be a member of the Microsoft Business Critical SharePoint Program. Copyright 2015, all rights reserved. CipherPoint is a registered trademark of CipherPoint Software, Inc. CipherPoint Eclipse,CipherPoint Eclipse for SharePoint, CipherPoint Eclipse for SharePoint Online/Office 365, CipherPoint Eclipse for Healthcare, CipherPoint Eclipse for File Servers, CipherPoint Eclipse Data Security Console and the stylized CipherPoint logo are trademarks of CipherPoint Software, Inc.. SharePoint, SharePoint Online, and Office 365 are trademarks of Microsoft. Doc. ID: CPWP008