HEALTHCARE, THE CLOUD, AND ITS SECURITY
Post on 27-Jan-2015
Transcript
© 2014 Silverline – Confidential Do Not Distribute
The Michigan Health Information Network (MiHIN) is Michigan's initiative to improve health care quality, efficiency, and patient safety through the sharing of electronic health information, while reducing costs.
• Official state-designated entity for health information exchange across Michigan and through integration with the eHealth Exchange.
• Nonprofit entity, functioning as a public and private collaboration between the State of Michigan, sub-state Health Information Exchanges, payers, providers, and patients.
• Who is Silverline?
• What can the Cloud do?
• Deploying the Cloud
• Security in the Cloud
• An example of the Cloud
• HIPAA and the Cloud
• Serial Consultant
• Startups
• Cloud
Headquartered in NYC with resources around the US.
110
9.8/10
700+ Salesforce Deployments
Healthcare, Financial Services, and Force.com
Provider, Health Plans, Medical Devices, Wellness Tools, Care Management Services, Staffing/Recruiting Firms
CalendarAnything, VisualRelationship Mapping, and The Watercooler: An Intranet Platform
Not Using the Cloud: 70%
Using the Cloud: 30%
• Device Agnostic
• Predictable costs
• Reduced complexity due to coordination of hardware and software
• Faster and rapid deployment
• Universal access
• Proven management tools
• Streamlined M&A integration
• Realignment of IT resources to business imperatives
• Enhanced collaboration
• Improved analytics across applications
• Lack of tangible asset storage
…among others
Health Plans: Improve visibility, collaboration, management, and control over ongoing insurance policy approvals, renewals, and changes with sophisticated workflow and data validation rules.
Medical Devices: Consolidate, coordinate, and automate marketing/sales activities and streamline M&A activity.
Medical Supply: Replace ERPs. Consolidation of sales, inventory management, and customer service into one application; manage marketing efforts; track and manage customer rewards; management and executive dashboards.
Healthcare Services: Automate and coordinate patient lifecycle management and serve as a lynchpin between multiple systems (inquiry, clinical, scheduling & billing).
Health Information Network: Relationships between providers, patient care coordination, promote care teams, connect patients, doctors, and healthcare facilities. TOC Notifications.
• Poor Information
o Messaging around cloud technology is often inaccurate, complex, and not tailored to the audience, leading to hesitancy and confusion rather than excitement and adoption.
• Ambivalence
o “Cloud” represents leading-edge technology; the problem is that the word “cloud” has become associated with so many different solutions, products, apps, and offerings that people tend to disregard the value.
• Lack of Trust
o Security is not the issue with cloud; trust is.
Software as a Service (SaaS) – “Consume the Cloud”
• Applications designed for end-users delivered over the web
• Examples – Salesforce, Workday, Concur
Platform as a Service (PaaS) – “Leverage the Cloud”
• A set of tools and services designed to make coding and deploying those applications quick and efficient
• Examples – Force.com, Google App Engine
Infrastructure as a Service (IaaS) – “Be a Cloud”
• The hardware and software that powers it all – servers, storage, networks, operating systems
• Examples – Amazon Web Services, Azure, Rackspace
*Rackspace.com – “Whitepaper: Understanding the Cloud Computing Stack: SaaS, PaaS, IaaS”
*Blogs.technet.com – “Cho’s Theories of Cloud Computing”
Public (40%): Multi-tenant; shared infrastructure and costs; utility model; service provider hosted
Private (22%): Single-tenant; no shared infrastructure; higher, yet fixed cost; greater flexibility; highest level of security; hosted at provider or enterprise
Hybrid (38%): Composition of multiple cloud environments (public/private)
*TechTarget's fall 2013 Cloud Pulse survey
• Defining secure infrastructure models
• Lack of trust between participants in cloud ecosystems
• Bridging the gap between existing internal security standards and those governing off-premise services.
• Loss of governance
• Responsibility ambiguity – deployment model plays a role
• Isolation failure – mechanisms separating storage/memory/ routing
• Vendor lock-in
• Compounded malicious behavior
• Service unavailability
*Symantec – “The Secure Cloud: Best Practices for Cloud Adoption”
*Cloud Standards Customer Council – Security for Cloud Computing – 10 Steps to Ensure Success
*2014 Microsoft – Security Trends in Healthcare
• Conduct system-wide data backups that are regularly tested
• Do not use standardized data classification
• Have a disaster recovery program
• Do not have asset management policies and conduct asset discovery manually
• Have ineffective controls for removing access when employees leave or are reassigned
• Have immature security policies
*Eran Feigenbaum – Director of Security for Google Apps
30% Using the Cloud
*Computerworld.com – “Cloud security concerns are overblown, experts say”, Intermap Survey
Cloud-wary = 40%
Cloud-wise = 15%
*Symantec – “The Secure Cloud: Best Practices for Cloud Adoption”
Infrastructure: How can you ensure that your infrastructure providers have appropriate security and disaster recovery policies and stick to them?
Identity: How can you enforce rigorous authentication across multiple interconnected systems without adversely affecting flexibility and productivity?
Information: How can you classify and protect sensitive information, and ensure compliance with policies and regulations?
Deterrent: Set in place to prevent any purposeful attack on a cloud system. Much like a warning sign on a fence or property, these controls do not reduce the vulnerability of the system.
Preventative: Upgrade the strength of the system by managing and safeguarding vulnerabilities. They cover the attack and reduce the damage and violation when an attack occurs.
Corrective: Used to reduce the effect of an attack. Take action as an attack is occurring.
Detective: Used to detect any attacks that may be occurring in the system. In the event of an attack, the detective control will signal the preventative or corrective controls.
*Wikipedia
• Conduct a full risk and compliance assessment, including processes
o Interoperability and portability
o Compliance – business continuity, data recovery, logs/audit trails
o Vendor risk
o Supply chain and ecosystem
o Infrastructure and operations quality
• Secure your own information, people, identities, and roles
o User privileges
o Authentication
o Endpoint security (where applicable)
o Encryption (where applicable)
• Implement a strong governance framework
• Embrace a security-by-design approach
• Implement an active monitoring solution
• Evaluate security controls on physical infrastructure and facilities
*Symantec – “The Secure Cloud: Best Practices for Cloud Adoption”
*Cloud Standards Customer Council – Security for Cloud Computing – 10 Steps to Ensure Success
• SMS Identity Confirmation
• IP Range Restrictions
• Two-factor authentication options (outside of username/pw)
• Secure employee systems
o Updated browsers
o Email filters
o Device protection
• SAS 70 Type II, SysTrust, and ISO 27001
• Enhanced password policies
• Secure sessions
• Session timeout thresholds
• Transparency of instances
• Governance (employees, security staff, counsel, assessments, policies)
• Incorporation into development process
*Salesforce.com
Data
Database Security
Host Security
Network Security
Physical Security
Operational Security
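As an added illustration (not from the deck and not Salesforce's own code), the policy below applies three of the controls listed above, IP range restrictions, a second factor required outside trusted ranges, and a session timeout threshold, to constructed session events; the trusted ranges, the 30-minute threshold, and the event data are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network
from typing import Dict, List, Tuple

# Assumed policy values (not from the deck): trusted corporate ranges and idle threshold.
TRUSTED_RANGES = [ip_network("10.20.0.0/16"), ip_network("203.0.113.0/24")]
IDLE_TIMEOUT = timedelta(minutes=30)


@dataclass
class SessionEvent:
    user: str
    source_ip: str
    mfa_verified: bool       # second factor already satisfied for this session
    last_activity: datetime  # previous request seen on this session
    now: datetime            # time of the current request


def evaluate(ev: SessionEvent) -> Tuple[str, str]:
    """Apply the controls in order and return (decision, reason)."""
    # Session timeout threshold: an idle session is expired before anything else is checked.
    if ev.now - ev.last_activity > IDLE_TIMEOUT:
        return "expire", "idle longer than %d minutes" % (IDLE_TIMEOUT.seconds // 60)
    # IP range restriction: requests from outside trusted ranges must carry a second factor.
    ip = ip_address(ev.source_ip)
    in_trusted = any(ip in net for net in TRUSTED_RANGES)
    if not in_trusted and not ev.mfa_verified:
        return "challenge", "source %s outside trusted ranges and no second factor" % ip
    return "allow", "trusted range" if in_trusted else "second factor verified"


def evaluate_all(events: List[SessionEvent]) -> Dict[str, List[str]]:
    """Group decisions per user so a reviewer can spot users who are repeatedly challenged."""
    summary: Dict[str, List[str]] = {}
    for ev in events:
        summary.setdefault(ev.user, []).append(evaluate(ev)[0])
    return summary


# Constructed sample events (not real traffic); 198.51.100.9 is a documentation address.
T0 = datetime(2014, 11, 3, 9, 0, 0)
SAMPLE_EVENTS = [
    SessionEvent("nurse01", "10.20.4.7", False, T0, T0 + timedelta(minutes=5)),
    SessionEvent("nurse01", "10.20.4.7", False, T0, T0 + timedelta(minutes=45)),
    SessionEvent("biller02", "198.51.100.9", False, T0, T0 + timedelta(minutes=2)),
    SessionEvent("biller02", "198.51.100.9", True, T0, T0 + timedelta(minutes=3)),
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev.user, ev.source_ip, *evaluate(ev))
```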
• “Final Rule” – BAAs and SLAs are critical!
• Security and privacy controls
• Define an exit strategy
• HIPAA ready/certified vs. HIPAA compliant/audited
• Industry background of vendor – regulatory environment
• Understand encryption of health information – LCD for encryption
• Ensure data segregation, especially PHI – physical/electronic proximity
• Understand the cloud delivery model – public/private/hybrid
• Evaluate breach monitoring
• MU informing HIPAA – CMS vs. Office for Civil Rights (OCR)
*HealthITSecurity – How HIPAA affects Healthcare cloud computing decisions
*HIPAA Considerations in Evaluating Cloud Computing – Ober | Kaler