Next webcast:
"Securing Your SharePoint Documents, End to End"
Date: Thursday, March 22, 2012, 10am Pacific
CipherPoint conducts webcasts on SharePoint security and compliance topics, including HITECH compliance and SharePoint, SharePoint Defense in Depth, content security, and others. For links to replays of recent webcasts, please visit our webcasts page.
The CipherPoint team and our partners at Planet Technologies put on a nice educational webcast today on this topic. If your responsibilities involve SharePoint in a healthcare environment, I would encourage you to check the webcast recording out here:
http://www.cipherpointsoftware.com/Linked_files/2011_11_02_SharePoint_Security_in_Healthcare.wmv
In addition, if you are looking for a SharePoint integrator or consultant with a deep understanding of healthcare compliance and security issues, and how they affect SharePoint site architecture and implementation, I highly recommend that you talk to Planet. Their new healthcare practice, led by Marie-Michelle Strah, has deep experience in this area.
Also in the news today, a significant healthcare data breach involving Tricare Health Management and their business associate, SAIC, has resulted in a class action lawsuit being filed, to the tune of $4.9 billion, or $1,000 for each of the 4.9 million records lost. This particular breach involved PII including Social Security numbers, and presumably ePHI as well, given that some personal health information on each individual was lost. The data breach vector was the ever-popular "lost backup tape", and the information was of course unencrypted.
More details on the breach and the resulting class action lawsuit can be found here:
http://www.govinfosecurity.com/articles.php?art_id=4158
A few thoughts on this.
First, as this example demonstrates, outsourcing business functions does not mean that you've outsourced the risk. Assessing and understanding the risk that you have from your outsourcing partners is important. With the HITECH Act expanding the scope of HIPAA to directly cover business associates, the importance of really understanding and managing risk from your outsourcing partners is increased.
Second, healthcare organizations have more to worry about than HIPAA/HITECH penalties and fines, in the event of security breaches. The brand damage consequences from security breaches are real. In addition, the possibilities of class action lawsuits in the event of serious, egregious breaches are also real, and potentially very costly.
Last but not least, encrypting PII and ePHI is a best practice for this sensitive and regulated data, whether it is at rest in platforms such as SharePoint, in transit, or stored on backup tapes. Encryption technologies are readily available that can simply and cost-effectively provide this functionality. In addition, the encryption solutions of today are a far cry from products ten years ago that required PhDs in encryption key management. Encryption need not be intimidating or expensive. Products like CipherPointSP and CipherPointKM make encryption controls simple to deploy, and affordable for small businesses and large enterprises alike.
JD
