© 2014 Silverline – Confidential Do Not Distribute

HEALTHCARE, THE CLOUD, AND ITS SECURITY

Jan 27, 2015


Healthcare

SilverlineCRM

Originally presented at the Connecting Michigan for Health conference organized by the Michigan Health Information Network (MiHIN), this presentation talked through the benefits and use cases of leveraging cloud in Healthcare, as well as the realities of cloud security.
Transcript
Page 1: HEALTHCARE, THE CLOUD, AND ITS SECURITY


Page 2: HEALTHCARE, THE CLOUD, AND ITS SECURITY


Page 3: HEALTHCARE, THE CLOUD, AND ITS SECURITY


The Michigan Health Information Network (MiHIN) is Michigan's initiative to improve health care quality, efficiency, and patient safety through the sharing of electronic health information, while reducing costs.

• Official state-designated entity for health information exchange across Michigan and through integration with the eHealth Exchange.

• Nonprofit entity, functioning as a public and private collaboration between the State of Michigan, sub-state Health Information Exchanges, payers, providers, and patients.

Page 4: HEALTHCARE, THE CLOUD, AND ITS SECURITY


• Who is Silverline?

• What can the Cloud do?

• Deploying the Cloud

• Security in the Cloud

• An example of the Cloud

• HIPAA and the Cloud

Page 5: HEALTHCARE, THE CLOUD, AND ITS SECURITY


• Serial Consultant

• Startups

• Cloud

Page 6: HEALTHCARE, THE CLOUD, AND ITS SECURITY


Headquartered in NYC with resources around the US.

110

9.8/10

700+ Salesforce Deployments

Healthcare, Financial Services, and Force.com

Provider, Health Plans, Medical Devices, Wellness Tools, Care Management Services, Staffing/Recruiting Firms

CalendarAnything, VisualRelationship Mapping, and The Watercooler: An Intranet Platform

Page 7: HEALTHCARE, THE CLOUD, AND ITS SECURITY


Not Using the Cloud: 70%

Using the Cloud: 30%

Page 8: HEALTHCARE, THE CLOUD, AND ITS SECURITY


• Device Agnostic

• Predictable costs

• Reduced complexity due to coordination of hardware and software

• Faster and rapid deployment

• Universal access

• Proven management tools

• Streamlined M&A integration

• Realignment of IT resources to business imperatives

• Enhanced collaboration

• Improved analytics across applications

• Lack of tangible asset storage

…among others

Page 9: HEALTHCARE, THE CLOUD, AND ITS SECURITY


Health Plans

Improve visibility, collaboration, management, and control over ongoing insurance policy approvals, renewals, and changes with sophisticated workflow and data validation rules.

Medical Devices

Consolidate, coordinate, and automate marketing/sales activities and streamline M&A activity.

Medical Supply

Replace ERPs. Consolidation of sales, inventory management, and customer service into one application; manage marketing efforts; track and manage customer rewards; management and executive dashboards.

Healthcare Services

Automate and coordinate patient lifecycle management and serve as a lynchpin between multiple systems (inquiry, clinical, scheduling & billing).

Health Information Network

Relationships between providers, patient care coordination, promote care teams, connect patients, doctors, and healthcare facilities. TOC Notifications.

Page 10: HEALTHCARE, THE CLOUD, AND ITS SECURITY


• Poor Information
  o Messaging around cloud technology is often inaccurate, complex, and not tailored to the audience, leading to hesitancy and confusion rather than excitement and adoption

• Ambivalence
  o “Cloud” represents leading-edge technology; the problem is that the word “cloud” has become associated with so many different solutions, products, apps, and offerings that people tend to disregard the value

• Lack of Trust
  o Security is not the issue with cloud; trust is.

Page 11: HEALTHCARE, THE CLOUD, AND ITS SECURITY


Software as a Service (SaaS)

“Consume the Cloud”

• Applications designed for end-users delivered over the web

• Examples – Salesforce, Workday, Concur

Platform as a Service (PaaS)

“Leverage the Cloud”

• A set of tools and services designed to make coding and deploying those applications quick and efficient

• Examples – Force.com, Google App Engine

Infrastructure as a Service (IaaS)

“Be a Cloud”

• The hardware and software that powers it all – servers, storage, networks, operating systems

• Examples – Amazon Web Services, Azure, Rackspace

*Rackspace.com – “Whitepaper: Understanding the Cloud Computing Stack: SaaS, PaaS, IaaS”

*Blogs.technet.com – “Cho’s Theories of Cloud Computing”

Page 12: HEALTHCARE, THE CLOUD, AND ITS SECURITY


Public

• Multi-tenant

• Shared infrastructure and costs

• Utility model

• Service provider hosted

Private

• Single-tenant

• No shared infrastructure

• Higher, yet fixed cost

• Greater flexibility

• Highest level of security

• Hosted at provider or enterprise

Hybrid

• Composition of multiple cloud environments (public/private)

Adoption by model: Public 40%, Private 22%, Hybrid 38%

*TechTarget's fall 2013 Cloud Pulse survey

Page 13: HEALTHCARE, THE CLOUD, AND ITS SECURITY


• Defining secure infrastructure models

• Lack of trust between participants in cloud ecosystems

• Bridging the gap between existing internal security standards and those governing off-premise services

• Loss of governance

• Responsibility ambiguity – deployment model plays a role

• Isolation failure – mechanisms separating storage/memory/ routing

• Vendor lock-in

• Compounded malicious behavior

• Service unavailability

*Symantec – “The Secure Cloud: Best Practices for Cloud Adoption”

*Cloud Standards Customer Council – Security for Cloud Computing – 10 Steps to Ensure Success

Page 14: HEALTHCARE, THE CLOUD, AND ITS SECURITY


*2014 Microsoft – Security Trends in Healthcare

• Conduct system-wide data backups that are regularly tested

• Do not use standardized data classification

• Have a disaster recovery program

• Do not have asset management policies and conduct asset discovery manually

• Have ineffective controls for removing access when employees leave or are reassigned

• Have immature security policies

Page 15: HEALTHCARE, THE CLOUD, AND ITS SECURITY


*Eran Feigenbaum – Director of Security for Google Apps

30% Using the Cloud

*Computerworld.com – “Cloud security concerns are overblown, experts say”, Intermap Survey

Cloud-wary = 40%

Cloud-wise = 15%

Page 16: HEALTHCARE, THE CLOUD, AND ITS SECURITY


*Symantec – “The Secure Cloud: Best Practices for Cloud Adoption”

Infrastructure: How can you ensure that your infrastructure providers have appropriate security and disaster recovery policies and stick to them?

Identity: How can you enforce rigorous authentication across multiple interconnected systems without adversely affecting flexibility and productivity?

Information: How can you classify and protect sensitive information, and ensure compliance with policies and regulations?

Page 17: HEALTHCARE, THE CLOUD, AND ITS SECURITY


Deterrent

Set in place to prevent any purposeful attack on a cloud system. Much like a warning sign on a fence or property, these controls do not reduce the vulnerability of the system.

Preventative

Upgrade the strength of the system by managing and safeguarding vulnerabilities. They cover the attack and reduce the damage and violation when an attack occurs.

Corrective

Used to reduce the effect of an attack. Take action as an attack is occurring.

Detective

Used to detect any attacks that may be occurring in the system. In the event of an attack, the detective control will signal the preventative or corrective controls.

*Wikipedia

Page 18: HEALTHCARE, THE CLOUD, AND ITS SECURITY


• Conduct a full risk and compliance assessment, including processes
  o Interoperability and portability
  o Compliance – business continuity, data recovery, logs/audit trails
  o Vendor risk
  o Supply chain and ecosystem
  o Infrastructure and operations quality

• Secure your own information, people, identities, and roles
  o User privileges
  o Authentication
  o Endpoint security (where applicable)
  o Encryption (where applicable)

• Implement a strong governance framework

• Embrace a security-by-design approach

• Implement an active monitoring solution

• Evaluate security controls on physical infrastructure and facilities

*Symantec – “The Secure Cloud: Best Practices for Cloud Adoption”

*Cloud Standards Customer Council – Security for Cloud Computing – 10 Steps to Ensure Success

Page 19: HEALTHCARE, THE CLOUD, AND ITS SECURITY


• SMS Identity Confirmation

• IP Range Restrictions

• Two-factor authentication options (outside of username/pw)

• Secure employee systems

o Updated browsers

o Email filters

o Device protection

• SAS 70 Type II, SysTrust, and ISO 27001

• Enhanced password policies

• Secure sessions

• Session timeout thresholds

• Transparency of instances

• Governance (employees, security staff, counsel, assessments, policies)

• Incorporation into development process

*Salesforce.com

Data

Database Security

Host Security

Network Security

Physical Security

Operational Security

Page 20: HEALTHCARE, THE CLOUD, AND ITS SECURITY


*Salesforce.com

Page 21: HEALTHCARE, THE CLOUD, AND ITS SECURITY


• “Final Rule” – BAAs and SLAs are critical!

• Security and privacy controls

• Define an exit strategy

• HIPAA ready/certified vs. HIPAA compliant/audited

• Industry background of vendor – regulatory environment

• Understand encryption of health information – LCD for encryption

• Ensure data segregation, especially PHI – physical/electronic proximity

• Understand the cloud delivery model – public/private/hybrid

• Evaluate breach monitoring

• MU informing HIPAA - CMS vs. Office of Civil Rights (OCR)

*HealthITSecurity – How HIPAA affects Healthcare cloud computing decisions

*HIPAA Considerations in Evaluating Cloud Computing – Ober | Kaler

Page 22: HEALTHCARE, THE CLOUD, AND ITS SECURITY
