Secure Cloud Computing for the Health Enterprise


Published on

Published in: Technology
  • Be the first to comment

  • Be the first to like this

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide

Secure Cloud Computing for the Health Enterprise

  1. 1. Secure Cloud Computing for the Health Enterprise By Joel Amoussou, CEO, Efasoft Inc.
  2. 2. Contents 1 Regulatory Framework 2 Cloud Security Practices 3 Security Management 4 Auditing & Compliance
  3. 3. Healthcare Apps in the Cloud Cloud Services: IaaS, SaaS, PaaS Cloud Services: IaaS, SaaS, PaaS CDSS EMR 5010 Analytics ICD10
  4. 4. Drivers t en ym Pa ed as ity bil -B ala ge Sc sa e U siv Mas ty Elastici e nin g Tim ovisio $ r Q uick P Low Capital Costs
  5. 5. Regulatory Framework HIPAA HITECH Act – HIPAA Security Updates State and Federal Laws Meaningful Use Recommendations on Patient Consent
  6. 6. Impact of Regulations HITECH Act USA Patriot Act •HIPAA applies to Cloud Service Providers (CSPs) and online PHR •British Columbia and Nova vendors as Business Associates??? Scotia have enacted legislations •Breach Notification to address privacy issues related to storing patient data at •Accounting of disclosure providers (including CSPs) located in the US •Marketing and sale of PHI •Patient access and disclosure restrictions •Minimum data set
  7. 7. Tiger Team Recommendations Collection, Use and Disclosure Limitation: Third party service When the decision to disclose or organizations may not collect, use exchange the patient's identifiable or disclose personally identifiable health information from the health information for any provider's record is not in the purpose other than to provide the control of the provider or that services specified in the business provider's organized health care associate or service agreement arrangement ("OHCA"), patients with the data provider, and should be able to exercise necessary administrative meaningful consent to their functions, or as required by law. participation.
  8. 8. Addressing HIPAA in the Cloud Access Disaster Control Audit Backup Recovery •SSH Keys •Snapshot of block storage •Monitoring •No password-based volumes •Event logs to •Availability shell access secured •Encrypt and Zones dedicated Keep backups out (geographic •Strong Encryption of server of the cloud redundancy) data and filesystems •Backup log •Cloud storage is •Clustering •Private decryption files replicated across keys out of the cloud multiple •Replication •Security groups availability zones •Secure Transport
  9. 9. Security Issues in the Cloud 1 2 3 •Reassigned IP •CSP staff access to VM addresses instances and guest OS •Isolation in multitenancy •BGP Prefix Hijacking •Encryption not always possible while •OWASP Top 10 •DNS Attacks processing data in the cloud (as opposed to •Data Lineage •DoS and DDoS Attacks data at rest) •Data Provenance •Security groups not physically separated •Data Remanence (NIST 800-88)
  10. 10. Security Controls in the Cloud 1 1 Image hardening and patching 2 2 Host based IDS/IPS such as OSSEC 3 3 Health Monitoring & Security event logs 4 4 Effective Key Management (NIST 800-57) 5 5 Default deny-all mode, Host Firewall
  11. 11. Identity and Access Management (IAM) SPML Provisioning B SAML 2.0 A C XACML Identity Authorization Federation/SSO IAM WS-I Security E D Oauth Profile (SOA in Authentication the Cloud) across CSPs
  12. 12. Security Management Standards ITIL: IT Service Management ISO 17799: Code of Practice ISO 20000: Security Techniques Overview ISO 27001: Security Techniques Requirements ISO 27002: Code of Practice
  13. 13. Auditing & Compliance COBIT ISO 27001 SAS 70 GRC* ISO 27002 SysTrust WebTrust *Governance, Risk Management, and Compliance
  14. 14. Collaboration Health Enterprise Cloud Service Provider Understand responsibilities (who does Provide transparency into what about security?) security practices and policies.
  15. 15.