Cloud-Native Security on Digital Health
-Telehealth Use Case-
GVHS 2022 on December 9, 2022
EIJI SASAHARA, PH.D., MBA
HEALTHCARE CLOUD INITIATIVE, NPO
CLOUD SECURITY ALLIANCE
HEALTH INFORMATION MANAGEMENT WG
AGENDA
1. Cybersecurity on Telehealth @NIST
2. Cybersecurity on Telehealth x Smart Home
@NIST
3. Cloud-Native Privacy/Data Protection
on Telehealth @CSA
4. Cloud-Native Security on Telehealth @CSA
5. Conclusions
https://www.linkedin.com/in/esasahara
https://www.facebook.com/esasahara
https://twitter.com/esasahara
1. Cybersecurity on Telehealth @NIST (1)
“NIST SP1800-30 Securing Telehealth Remote Patient
Monitoring Ecosystem”, February 22, 2022
https://csrc.nist.gov/publications/detail/sp/1800-30/final
SP 1800-30A: Executive Summary
SP 1800-30B: Approach, Architecture, and Security
Characteristics
1. Summary
2. How to Use This Guide
3. Approach
4. Architecture
5. Security and Privacy Characteristic Analysis
6. Functional Evaluation
7. Future Build Considerations
SP 1800-30C: How-To Guides
Source: “NIST SP 1800-30: Securing Telehealth Remote Patient Monitoring Ecosystem”, February 22, 2022
1. Cybersecurity on Telehealth @NIST (2)
Remote Patient Monitoring (RPM) Architecture
1. Cybersecurity on Telehealth @NIST (3)
RPM Architecture Layers
1. Cybersecurity on Telehealth @NIST (4)
Final RPM Architecture
1. Cybersecurity on Telehealth @NIST (5)
Security Characteristics and Controls Mapping–
NIST Cybersecurity Framework
•IEC TR 80001-2-2
•HIPAA Security Rule
•ISO/IEC 27001
2. Cybersecurity on Telehealth x Smart Home
@NIST (1)
NIST “Mitigating Cybersecurity Risk in Telehealth Smart Home
Integration: Cybersecurity for the Healthcare Sector”,
August 29, 2022
https://csrc.nist.gov/publications/detail/white-paper/2022/08/29/mitigating-cyber-risk-in-telehealth-smart-home-integration/final
Objective: identify and mitigate cybersecurity and privacy risks based on
patient use of smart home devices interfacing with patient information
systems
•A practice guide that describes a reference architecture for smart
home integration with healthcare systems as part of a telehealth
program.
Reference:
“NIST IR 8259: Foundational Cybersecurity Activities for IoT Device Manufacturers”, May 29, 2020
https://www.nist.gov/publications/foundational-cybersecurity-activities-iot-device-manufacturers
“NIST IR 8259A: IoT Device Cybersecurity Capability Core Baseline”, May 29, 2020
https://www.nist.gov/publications/iot-device-cybersecurity-capability-core-baseline
“NIST IR 8259B:IoT Non-Technical Supporting Capability Core Baseline”, August 25, 2021
https://csrc.nist.gov/publications/detail/nistir/8259b/final
2. Cybersecurity on Telehealth x Smart Home
@NIST (2)
Components of Architecture
Architecture: Components
Patient Home Environment: Smart Home Devices, Personal Firewall, Wireless Access Point Router, Internet Router
Cloud Service Provider Environment: Voice Assist Platform, Cloud Platform
Healthcare Technology Integration Solution Environment: Telehealth Integration Applications
Health Delivery Organization (HDO) Environment: Electronic Health Record (EHR) System, Patient Portal, Network Access Control, Network Firewall, VPN
Telehealth Ecosystem Actors: Patients, HDO Clinicians, Support/Maintenance Staff
2. Cybersecurity on Telehealth x Smart Home
@NIST (3)
High-Level Architecture
Source: National Institute of Standards and Technology (NIST), “[Project Description] Mitigating Cybersecurity Risk in Telehealth Smart Home Integration: Cybersecurity for the Healthcare Sector” (August 29, 2022)
https://csrc.nist.gov/publications/detail/white-paper/2022/08/29/mitigating-cyber-risk-in-telehealth-smart-home-integration/final
2. Cybersecurity on Telehealth x Smart Home
@NIST (4)
Scenario 1: Patient Visit Scheduling
2. Cybersecurity on Telehealth x Smart Home
@NIST (5)
Scenario 2: Patient Prescription Refill
2. Cybersecurity on Telehealth x Smart Home
@NIST (6)
Scenario 3: Patient Regimen Check-In
2. Cybersecurity on Telehealth x Smart Home
@NIST (7)
Security Control Map: NIST SP 800-53 Revision 5
•IEC TR 80001-2-2
•HIPAA Security Rule
•ISO/IEC 27001
3. Cloud-Native Privacy/Data Protection
on Telehealth @CSA(1)
Cloud Security Alliance Health Information Management WG,
“Telehealth Data in the Cloud”, June 16, 2020
https://cloudsecurityalliance.org/artifacts/telehealth-data-in-the-cloud/
[Contents]
Introduction
Privacy Concerns
Security Concerns
Governance
Compliance
Confidentiality
Integrity
Availability
Incident Response and Management
Maintaining a Continuous Monitoring Program
Conclusion
References
Source: CSA Health Information Management WG, “Telehealth Data in the Cloud”, June 16, 2020
3. Cloud-Native Privacy/Data Protection
on Telehealth @CSA(2)
Considerations for Health Delivery Organizations
(HDOs) regarding a Telehealth Agreement with a
Cloud Provider:
# Key Questions
1 Does the telehealth provider (TP) describe the purpose(s) for which PHI is collected, used,
maintained, and shared in its privacy notices?
2 Does the TP have, disseminate, and implement operational privacy policies and procedures
that govern the appropriate privacy and security controls for programs, information systems,
or technologies involving PHI?
3 Has the TP conducted a privacy impact assessment, and are they willing to share it?
4 Does the HDO have privacy roles, responsibilities, and access requirements for contractors
and service providers?
5 Does the TP monitor and audit privacy controls and internal privacy policies to ensure
effective implementation?
6 Does the TP design information systems to support privacy by automating privacy controls?
3. Cloud-Native Privacy/Data Protection
on Telehealth @CSA(3)
(Continued)
# Key Questions
7 Does the TP maintain an accurate accounting of disclosures of information held in each system
of records under its control, including:
a. Date, nature, and purpose of each disclosure of a record.
b. Name and address of the person or organization to which the disclosure was made.
c. The identity of who authorized the disclosure.
8 Does the TP document processes to ensure the integrity of PHI through existing security
controls?
9 Does the TP identify the minimum PHI elements relevant and necessary to accomplish the legally
authorized purpose of collection?
10 Does the TP provide means for individuals to authorize the collection, use, maintenance, and
sharing of PHI before its collection?
11 Does the TP have a process for receiving and responding to complaints, concerns, or questions
from individuals about organizational privacy practices?
12 Does the TP provide sufficient notice to the public and to individuals regarding its activities that
impact privacy? (e.g. collection, use, sharing, safeguarding, maintenance, and disposal of PHI)
13 Does the TP share PHI externally?
3. Cloud-Native Privacy/Data Protection
on Telehealth @CSA(4)
Governance
# Key Questions
1 Does the service provider’s service-level agreement (SLA) clearly define how the service
provider protects the confidentiality, integrity, and availability of all customer information?
2 Does the service provider’s SLA specify that the HDO will retain ownership of its data?
3 Will the service provider use the data for any purpose other than service delivery?
4 Is the service provider’s service dependent on any third-party stakeholders?
Compliance
# Key Questions
1 Does the cloud service provider allow the HDO to directly audit the implementation and
management of the security measures in place to protect the service and the data it holds?
2 Will the service provider allow the HDO to review recent audit reports thoroughly?
3 Is the service provider HIPAA compliant?
4 Does the service provider comply with the GDPR?
3. Cloud-Native Privacy/Data Protection
on Telehealth @CSA(5)
Confidentiality
Protecting data from improper disclosure
# Key Questions
1 Authentication and Access Control
a. Does the HDO have an identity management strategy that supports the adoption of cloud
services?
b. Is there an effective internal process that ensures that identities are managed and protected
throughout their lifecycles?
c. Is there an effective audit process to ensure that user accounts are appropriately managed
and protected? Does the service provider meet those control requirements?
d. Are all passwords encrypted, especially those of system/service administrators?
e. Is multi-factor authentication required, and, if so, is it available?
f. Does authentication and access control extend to devices?
2 Multi-Tenancy
g. Will the service provider allow the HDO to review a recent third-party audit report that
includes an assessment of the security controls and practices related to virtualization and
separation of customer data?
h. Do the service provider’s customer registration processes provide an appropriate level of
assurance based on the criticality and sensitivity of the information in the cloud service?
3. Cloud-Native Privacy/Data Protection
on Telehealth @CSA(6)
(Continued)
# Key Questions
3 Patch and Vulnerability Management
i. Is the service provider responsible for patching all components that make up the cloud
service?
j. Does the service provider’s SLA include service levels for patch and vulnerability
management that comprise a defined maximum exposure window?
k. Does the HDO currently have an effective patch and vulnerability management process?
l. Will the service provider allow the HDO to perform regular vulnerability assessments?
4 Encryption
m. Does the service provider encrypt the information placed in the cloud service for both data
at rest and in transit?
n. Does the cloud service use only approved encryption protocols and algorithms (as defined in
Federal Information Processing Standards 140-2)?
o. Which party is responsible for managing the cryptographic keys?
p. Are there separate keys for each customer?
5 Data Persistence
q. Does the service provider have an auditable process for the secure sanitization of storage
media before it is made available to another customer?
r. Does the service provider have an auditable process for safe disposal or destruction of
equipment and storage media containing customer data?
3. Cloud-Native Privacy/Data Protection
on Telehealth @CSA(7)
Integrity
Maintenance of data over its full lifecycle with the assurance it is
accurate and consistent.
# Key Questions
1 Does the service provider provide data backup or archiving services as part of their standard
service offering to protect against data loss or corruption?
2 How are data backup and archiving services provided?
3 Does the data backup or archiving service adhere to business requirements related to protection
against data loss?
4 What level of granularity does the service provider offer for data restoration?
5 Does the service provider regularly perform test restores to ensure that data is recoverable from
backup media?
3. Cloud-Native Privacy/Data Protection
on Telehealth @CSA(8)
Availability
Ability to ensure that required data is always accessible when and where needed.
# Key Questions
1 Does the SLA include an expected and minimum availability performance percentage over a clearly
defined period?
2 Does the SLA include defined, scheduled outage windows?
3 Does the service provider utilize protocols and technologies that can protect against distributed
denial-of-service (DDoS) attacks?
4 Do the network services directly managed or subscribed to by the HDO provide sufficient levels of
availability?
5 Do the network services directly managed, or subscribed to by the HDO provide an adequate level
of redundancy/fault tolerance?
6 Do the network services directly managed, or subscribed to by the HDO provide an adequate level
of bandwidth?
7 Is the latency between the HDO network(s) and the service provider’s service at levels acceptable
to achieve the desired user experience?
4. Cloud-Native Security on Telehealth @CSA(1)
Cloud Security Alliance Health Information Management WG,
“Telehealth Data in the Cloud”, June 10, 2021
https://csrc.nist.gov/publications/detail/white-paper/2022/08/29/mitigating-cyber-risk-in-telehealth-smart-home-integration/final
[Contents]
Introduction
Governance
Privacy
Security
Conclusion
Reference
Source:CSA Health Information Management WG, “Telehealth Risk management”, June 10, 2021
4. Cloud-Native Security on Telehealth @CSA(2)
Information Governance: Establish the system, strategy, policies, procedures, guidelines, laws, and regulations that HDOs must adhere to.
4. Cloud-Native Security on Telehealth @CSA(3)
Data Lifecycle:
Phase Definition
1. Create: Data is generated, acquired, or modified.
2. Store: Data is committed to a storage repository.
3. Use: Data is processed, viewed, or used in any other sort of
activity.
4. Share: Data or information is made accessible to others.
5. Archive: Data is placed in long-term storage, per data retention
guidelines and legal obligations.
6. Destroy: Data is no longer required and made inaccessible.
4. Cloud-Native Security on Telehealth @CSA(4)
Cybersecurity and Privacy Risk Relationship
4. Cloud-Native Security on Telehealth @CSA(5)
Data Lifecycle and Cybersecurity(1)
Phase Considerations
1. Create: ・Any created data should fulfill a clear business need.
・HDOs must have consent to collect PHI or PII.
・Data creation regulatory requirements depend on where data is created.
・GDPR requires security be built in at the time of data creation.
・HIPAA requires protection for all PHI from inception to destruction.
・Data must be created in a secure environment.
2. Store: ・Data owners must determine where data originated and where it is
stored.
・Service providers must protect cloud data (including access control
and encryption).
・CSP should have a secure architecture that utilizes standard security
best practices. (e.g. robust monitoring, auditing, and alerting capability)
・Data loss prevention system can help identify who is using the data
and their location.
・CSP should complete a third party assessment and offer to share that
insight with the HDO.
4. Cloud-Native Security on Telehealth @CSA(6)
Data Lifecycle and Cybersecurity(2)
Phase Considerations
3. Use: ・Geography determines the regulatory requirements for both stored and
processed data. (e.g. Telehealth solutions allow patients to access data from
anywhere with internet access.)
・Organizations should use federation and multifactor authentication whenever
possible to access data.
・Identity and Access Management (IAM) is a vital part of securing data in use.
・Organizations should consider using an Application Programming Interface
(API), which requires digital signatures to ensure security.
4. Share: ・When data sharing is required, the organization responsible for the data
must ensure its security. IAM is critical for data security.
・Enact a Data Loss Prevention (DLP) program to discover, monitor, and
protect data with regulatory or compliance implications in transit and at rest
across the network, storage, and endpoints.
・Sharing requires data transmission from the cloud to all applicable data users.
・Encrypt data while in transit and use a secure protocol.
4. Cloud-Native Security on Telehealth @CSA(7)
Data Lifecycle and Cybersecurity(3)
Phase Considerations
5. Archive: ・Essential data that does not require frequent access or modification
often resides in a data archive.
・Archiving data provides many benefits, especially in terms of efficiency.
・Encrypt archived data and control access to the information.
・Keep personal data or healthcare data only if required for its original,
intended purpose.
6. Destroy: ・Since cloud data exists in a shared, dispersed environment, typical
data deletion and destruction methods (such as wiping) cannot ensure
all data copies are destroyed.
・Encryption, followed by key destruction, is the best guarantee to
ensure responsible data removal.
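The Destroy consideration above (encryption followed by key destruction), together with the earlier question of separate keys per customer, as an added Go example that is not part of the original slides or of the CSA paper. The envelope-encryption design, AES-256-GCM, the `KeyStore` and `Record` names, the in-memory map standing in for a KMS/HSM, and the tenant names and readings are all assumptions made for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// ErrNoKey: the tenant's key-encryption key (KEK) is absent or destroyed.
var ErrNoKey = errors.New("no key for tenant: data is unrecoverable")

// Record is what the cloud stores, replicates and backs up.
type Record struct {
	Tenant     string
	WrappedDEK []byte // per-record data key (DEK), sealed under the tenant KEK
	Ciphertext []byte // PHI sealed under the DEK
}

// KeyStore stands in for a KMS/HSM holding one KEK per customer (assumption).
type KeyStore map[string][]byte

// AddTenant creates a fresh 256-bit KEK for one customer.
func (ks KeyStore) AddTenant(tenant string) { ks[tenant] = randomBytes(32) }

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // no safe fallback without a CSPRNG
	}
	return b
}

func aesGCM(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key) // fails only on a wrong key length
	if err != nil {
		panic(err)
	}
	gcm, _ := cipher.NewGCM(block) // cannot fail for AES's 16-byte block
	return gcm
}

// seal encrypts and prepends the random nonce.
func seal(key, plaintext, aad []byte) []byte {
	gcm := aesGCM(key)
	nonce := randomBytes(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, plaintext, aad)
}

func open(key, sealed, aad []byte) ([]byte, error) {
	gcm := aesGCM(key)
	n := gcm.NonceSize()
	if len(sealed) < n {
		return nil, errors.New("truncated blob")
	}
	return gcm.Open(nil, sealed[:n], sealed[n:], aad)
}

// Encrypt uses a new DEK per record and wraps it with the tenant KEK.
func (ks KeyStore) Encrypt(tenant string, phi []byte) (Record, error) {
	kek, ok := ks[tenant]
	if !ok {
		return Record{}, ErrNoKey
	}
	dek, aad := randomBytes(32), []byte(tenant)
	return Record{tenant, seal(kek, dek, aad), seal(dek, phi, aad)}, nil
}

// Decrypt works on any copy of a record, but only while the tenant KEK exists.
func (ks KeyStore) Decrypt(r Record) ([]byte, error) {
	kek, ok := ks[r.Tenant]
	if !ok {
		return nil, ErrNoKey
	}
	dek, err := open(kek, r.WrappedDEK, []byte(r.Tenant))
	if err != nil {
		return nil, fmt.Errorf("unwrap data key: %w", err)
	}
	return open(dek, r.Ciphertext, []byte(r.Tenant))
}

// Destroy zeroizes and removes the KEK; every copy of the data dies with it.
func (ks KeyStore) Destroy(tenant string) {
	for i := range ks[tenant] {
		ks[tenant][i] = 0
	}
	delete(ks, tenant)
}

func main() {
	ks := KeyStore{}
	ks.AddTenant("hdo-a") // constructed tenant name and reading
	rec, _ := ks.Encrypt("hdo-a", []byte("bp=120/80"))
	backup := rec // a replica nobody can reach to wipe
	ks.Destroy("hdo-a")
	_, err := ks.Decrypt(backup)
	fmt.Println("backup after key destruction:", err)
}
```

Key destruction only removes the data if the key store's own replicas and backups of the KEK are destroyed as well.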
5. Conclusions
1. Adoption of NIST Cybersecurity Framework in
Emerging Telehealth Services
2. Next Challenge: Integration of Telehealth with
Smart Home
3. Privacy/Data Protection by Design:
Agreement with Cloud Telehealth Providers
4. Cloud-Native Security with Continuous
Data Lifecycle Management
30

More Related Content

Similar to Cloud-Native Security on Digital Health-Telehealth Use Case

DIFFERENCES OF CLOUD-BASED SERVICES AND THEIR SAFETY RENEWAL IN THE HEALTH CA...
DIFFERENCES OF CLOUD-BASED SERVICES AND THEIR SAFETY RENEWAL IN THE HEALTH CA...DIFFERENCES OF CLOUD-BASED SERVICES AND THEIR SAFETY RENEWAL IN THE HEALTH CA...
DIFFERENCES OF CLOUD-BASED SERVICES AND THEIR SAFETY RENEWAL IN THE HEALTH CA...IRJET Journal
 
FEDERAL LEARNING BASED SOLUTIONS FOR PRIVACY AND ANONYMITY IN INTERNET OF MED...
FEDERAL LEARNING BASED SOLUTIONS FOR PRIVACY AND ANONYMITY IN INTERNET OF MED...FEDERAL LEARNING BASED SOLUTIONS FOR PRIVACY AND ANONYMITY IN INTERNET OF MED...
FEDERAL LEARNING BASED SOLUTIONS FOR PRIVACY AND ANONYMITY IN INTERNET OF MED...IRJET Journal
 
IRJET- Secrecy Preserving and Intrusion Avoidance in Medical Data Sharing...
IRJET-  	  Secrecy Preserving and Intrusion Avoidance in Medical Data Sharing...IRJET-  	  Secrecy Preserving and Intrusion Avoidance in Medical Data Sharing...
IRJET- Secrecy Preserving and Intrusion Avoidance in Medical Data Sharing...IRJET Journal
 
USING BLOCKCHAIN TO ACHIEVE DECENTRALIZED PRIVACY IN IOT HEALTHCARE
USING BLOCKCHAIN TO ACHIEVE DECENTRALIZED PRIVACY IN IOT HEALTHCAREUSING BLOCKCHAIN TO ACHIEVE DECENTRALIZED PRIVACY IN IOT HEALTHCARE
USING BLOCKCHAIN TO ACHIEVE DECENTRALIZED PRIVACY IN IOT HEALTHCAREIJCI JOURNAL
 
E-Health Care Cloud Solution
E-Health Care Cloud SolutionE-Health Care Cloud Solution
E-Health Care Cloud SolutionIRJET Journal
 
IRJET- Implementation of Cloudlet-based Medical Data Sharing using ECC Crypto...
IRJET- Implementation of Cloudlet-based Medical Data Sharing using ECC Crypto...IRJET- Implementation of Cloudlet-based Medical Data Sharing using ECC Crypto...
IRJET- Implementation of Cloudlet-based Medical Data Sharing using ECC Crypto...IRJET Journal
 
Cloud assisted privacy preserving and data integrity for mobile health monito...
Cloud assisted privacy preserving and data integrity for mobile health monito...Cloud assisted privacy preserving and data integrity for mobile health monito...
Cloud assisted privacy preserving and data integrity for mobile health monito...eSAT Journals
 
Achieving Data Dissemination with Security using FIWARE and Intel Software Gu...
Achieving Data Dissemination with Security using FIWARE and Intel Software Gu...Achieving Data Dissemination with Security using FIWARE and Intel Software Gu...
Achieving Data Dissemination with Security using FIWARE and Intel Software Gu...Dalton Valadares
 
Security and Privacy of Big Data in Mobile Devices
Security and Privacy of Big Data in Mobile DevicesSecurity and Privacy of Big Data in Mobile Devices
Security and Privacy of Big Data in Mobile DevicesIOSRjournaljce
 
IRJET- Secure Re-Encrypted PHR Shared to Users Efficiently in Cloud Computing
IRJET- Secure Re-Encrypted PHR Shared to Users Efficiently in Cloud ComputingIRJET- Secure Re-Encrypted PHR Shared to Users Efficiently in Cloud Computing
IRJET- Secure Re-Encrypted PHR Shared to Users Efficiently in Cloud ComputingIRJET Journal
 
Guide Preview: Ensuring your enterprise image-viewer if fully secure
Guide Preview: Ensuring your enterprise image-viewer if fully secureGuide Preview: Ensuring your enterprise image-viewer if fully secure
Guide Preview: Ensuring your enterprise image-viewer if fully secureCalgary Scientific Inc.
 
Framework to Manage Big Data in Smart Home Services
Framework to Manage Big Data in Smart Home ServicesFramework to Manage Big Data in Smart Home Services
Framework to Manage Big Data in Smart Home Servicesijtsrd
 
IJERD (www.ijerd.com) International Journal of Engineering Research and Devel...
IJERD (www.ijerd.com) International Journal of Engineering Research and Devel...IJERD (www.ijerd.com) International Journal of Engineering Research and Devel...
IJERD (www.ijerd.com) International Journal of Engineering Research and Devel...IJERD Editor
 
IRJET - Health Record Transaction in Hospital Management using Blockchain
IRJET - Health Record Transaction in Hospital Management using BlockchainIRJET - Health Record Transaction in Hospital Management using Blockchain
IRJET - Health Record Transaction in Hospital Management using BlockchainIRJET Journal
 
Target Unncryption Case Study
Target Unncryption Case StudyTarget Unncryption Case Study
Target Unncryption Case StudyEvelyn Donaldson
 
Enhancing security features in cloud computing for healthcare using cipher an...
Enhancing security features in cloud computing for healthcare using cipher an...Enhancing security features in cloud computing for healthcare using cipher an...
Enhancing security features in cloud computing for healthcare using cipher an...eSAT Journals
 
Enhancing security features in cloud computing for healthcare using cipher an...
Enhancing security features in cloud computing for healthcare using cipher an...Enhancing security features in cloud computing for healthcare using cipher an...
Enhancing security features in cloud computing for healthcare using cipher an...eSAT Publishing House
 
I want you to Read intensively papers and give me a summary for ever.pdf
I want you to Read intensively papers and give me a summary for ever.pdfI want you to Read intensively papers and give me a summary for ever.pdf
I want you to Read intensively papers and give me a summary for ever.pdfamitkhanna2070
 
Healthcare information exchange using blockchain technology
Healthcare information exchange using blockchain technologyHealthcare information exchange using blockchain technology
Healthcare information exchange using blockchain technologyIJECEIAES
 

Similar to Cloud-Native Security on Digital Health-Telehealth Use Case (20)

DIFFERENCES OF CLOUD-BASED SERVICES AND THEIR SAFETY RENEWAL IN THE HEALTH CA...
DIFFERENCES OF CLOUD-BASED SERVICES AND THEIR SAFETY RENEWAL IN THE HEALTH CA...DIFFERENCES OF CLOUD-BASED SERVICES AND THEIR SAFETY RENEWAL IN THE HEALTH CA...
DIFFERENCES OF CLOUD-BASED SERVICES AND THEIR SAFETY RENEWAL IN THE HEALTH CA...
 
FEDERAL LEARNING BASED SOLUTIONS FOR PRIVACY AND ANONYMITY IN INTERNET OF MED...
FEDERAL LEARNING BASED SOLUTIONS FOR PRIVACY AND ANONYMITY IN INTERNET OF MED...FEDERAL LEARNING BASED SOLUTIONS FOR PRIVACY AND ANONYMITY IN INTERNET OF MED...
FEDERAL LEARNING BASED SOLUTIONS FOR PRIVACY AND ANONYMITY IN INTERNET OF MED...
 
IRJET- Secrecy Preserving and Intrusion Avoidance in Medical Data Sharing...
IRJET-  	  Secrecy Preserving and Intrusion Avoidance in Medical Data Sharing...IRJET-  	  Secrecy Preserving and Intrusion Avoidance in Medical Data Sharing...
IRJET- Secrecy Preserving and Intrusion Avoidance in Medical Data Sharing...
 
USING BLOCKCHAIN TO ACHIEVE DECENTRALIZED PRIVACY IN IOT HEALTHCARE
USING BLOCKCHAIN TO ACHIEVE DECENTRALIZED PRIVACY IN IOT HEALTHCAREUSING BLOCKCHAIN TO ACHIEVE DECENTRALIZED PRIVACY IN IOT HEALTHCARE
USING BLOCKCHAIN TO ACHIEVE DECENTRALIZED PRIVACY IN IOT HEALTHCARE
 
E-Health Care Cloud Solution
E-Health Care Cloud SolutionE-Health Care Cloud Solution
E-Health Care Cloud Solution
 
IRJET- Implementation of Cloudlet-based Medical Data Sharing using ECC Crypto...
IRJET- Implementation of Cloudlet-based Medical Data Sharing using ECC Crypto...IRJET- Implementation of Cloudlet-based Medical Data Sharing using ECC Crypto...
IRJET- Implementation of Cloudlet-based Medical Data Sharing using ECC Crypto...
 
Cloud assisted privacy preserving and data integrity for mobile health monito...
Cloud assisted privacy preserving and data integrity for mobile health monito...Cloud assisted privacy preserving and data integrity for mobile health monito...
Cloud assisted privacy preserving and data integrity for mobile health monito...
 
Achieving Data Dissemination with Security using FIWARE and Intel Software Gu...
Achieving Data Dissemination with Security using FIWARE and Intel Software Gu...Achieving Data Dissemination with Security using FIWARE and Intel Software Gu...
Achieving Data Dissemination with Security using FIWARE and Intel Software Gu...
 
Security and Privacy of Big Data in Mobile Devices
Security and Privacy of Big Data in Mobile DevicesSecurity and Privacy of Big Data in Mobile Devices
Security and Privacy of Big Data in Mobile Devices
 
IRJET- Secure Re-Encrypted PHR Shared to Users Efficiently in Cloud Computing
IRJET- Secure Re-Encrypted PHR Shared to Users Efficiently in Cloud ComputingIRJET- Secure Re-Encrypted PHR Shared to Users Efficiently in Cloud Computing
IRJET- Secure Re-Encrypted PHR Shared to Users Efficiently in Cloud Computing
 
Guide Preview: Ensuring your enterprise image-viewer if fully secure
Guide Preview: Ensuring your enterprise image-viewer if fully secureGuide Preview: Ensuring your enterprise image-viewer if fully secure
Guide Preview: Ensuring your enterprise image-viewer if fully secure
 
Framework to Manage Big Data in Smart Home Services
Framework to Manage Big Data in Smart Home ServicesFramework to Manage Big Data in Smart Home Services
Framework to Manage Big Data in Smart Home Services
 
IJERD (www.ijerd.com) International Journal of Engineering Research and Devel...
IJERD (www.ijerd.com) International Journal of Engineering Research and Devel...IJERD (www.ijerd.com) International Journal of Engineering Research and Devel...
IJERD (www.ijerd.com) International Journal of Engineering Research and Devel...
 
IRJET - Health Record Transaction in Hospital Management using Blockchain
IRJET - Health Record Transaction in Hospital Management using BlockchainIRJET - Health Record Transaction in Hospital Management using Blockchain
IRJET - Health Record Transaction in Hospital Management using Blockchain
 
Target Unncryption Case Study
Target Unncryption Case StudyTarget Unncryption Case Study
Target Unncryption Case Study
 
Enhancing security features in cloud computing for healthcare using cipher an...
Enhancing security features in cloud computing for healthcare using cipher an...Enhancing security features in cloud computing for healthcare using cipher an...
Enhancing security features in cloud computing for healthcare using cipher an...
 
Enhancing security features in cloud computing for healthcare using cipher an...
Enhancing security features in cloud computing for healthcare using cipher an...Enhancing security features in cloud computing for healthcare using cipher an...
Enhancing security features in cloud computing for healthcare using cipher an...
 
Secure your Space: The Internet of Things
Secure your Space: The Internet of ThingsSecure your Space: The Internet of Things
Secure your Space: The Internet of Things
 
I want you to Read intensively papers and give me a summary for ever.pdf
I want you to Read intensively papers and give me a summary for ever.pdfI want you to Read intensively papers and give me a summary for ever.pdf
I want you to Read intensively papers and give me a summary for ever.pdf
 
Healthcare information exchange using blockchain technology
Healthcare information exchange using blockchain technologyHealthcare information exchange using blockchain technology
Healthcare information exchange using blockchain technology
 

More from Eiji Sasahara, Ph.D., MBA 笹原英司

米国大統領令を起点とする医療機器のゼロトラストとSBOM
米国大統領令を起点とする医療機器のゼロトラストとSBOM米国大統領令を起点とする医療機器のゼロトラストとSBOM
米国大統領令を起点とする医療機器のゼロトラストとSBOMEiji Sasahara, Ph.D., MBA 笹原英司
 
SDGs達成に向けたデジタルヘルスを支えるクラウドネイティブセキュリティ
SDGs達成に向けたデジタルヘルスを支えるクラウドネイティブセキュリティSDGs達成に向けたデジタルヘルスを支えるクラウドネイティブセキュリティ
SDGs達成に向けたデジタルヘルスを支えるクラウドネイティブセキュリティEiji Sasahara, Ph.D., MBA 笹原英司
 
ロボット支援手術(RAS)システムの脅威モデリング ~医療ロボットから自動車への横展開~




Cloud-Native Security on Digital Health-Telehealth Use Case

  • 1. Cloud-Native Security on Digital Health -Telehealth Use Case- GVHS 2022 on December 9, 2022 EIJI SASAHARA, PH.D., MBA HEALTHCARE CLOUD INITIATIVE, NPO CLOUD SECURITY ALLIANCE HEALTH INFORMATION MANAGEMENT WG
  • 2. AGENDA
      1. Cybersecurity on Telehealth @NIST
      2. Cybersecurity on Telehealth x Smart Home @NIST
      3. Cloud-Native Privacy/Data Protection on Telehealth @CSA
      4. Cloud-Native Security on Telehealth @CSA
      5. Conclusions
      https://www.linkedin.com/in/esasahara
      https://www.facebook.com/esasahara
      https://twitter.com/esasahara
  • 3. 1. Cybersecurity on Telehealth @NIST (1)
      “NIST SP 1800-30: Securing Telehealth Remote Patient Monitoring Ecosystem”, February 22, 2022
      https://csrc.nist.gov/publications/detail/sp/1800-30/final
      SP 1800-30A: Executive Summary
      SP 1800-30B: Approach, Architecture, and Security Characteristics
        1. Summary
        2. How to Use This Guide
        3. Approach
        4. Architecture
        5. Security and Privacy Characteristic Analysis
        6. Functional Evaluation
        7. Future Build Considerations
      SP 1800-30C: How-To Guides
      Source: “NIST SP 1800-30: Securing Telehealth Remote Patient Monitoring Ecosystem”, February 22, 2022
  • 4. 1. Cybersecurity on Telehealth @NIST (2)
      Remote Patient Monitoring (RPM) Architecture
      Source: “NIST SP 1800-30: Securing Telehealth Remote Patient Monitoring Ecosystem”, February 22, 2022
  • 5. 1. Cybersecurity on Telehealth @NIST (3)
      RPM Architecture Layers
      Source: “NIST SP 1800-30: Securing Telehealth Remote Patient Monitoring Ecosystem”, February 22, 2022
  • 6. 1. Cybersecurity on Telehealth @NIST (4)
      Final RPM Architecture
      Source: “NIST SP 1800-30: Securing Telehealth Remote Patient Monitoring Ecosystem”, February 22, 2022
  • 7. 1. Cybersecurity on Telehealth @NIST (5)
      Security Characteristics and Controls Mapping – NIST Cybersecurity Framework
        • IEC TR 80001-2-2
        • HIPAA Security Rule
        • ISO/IEC 27001
      Source: “NIST SP 1800-30: Securing Telehealth Remote Patient Monitoring Ecosystem”, February 22, 2022
  • 8. 2. Cybersecurity on Telehealth x Smart Home @NIST (1)
      NIST, “Mitigating Cybersecurity Risk in Telehealth Smart Home Integration: Cybersecurity for the Healthcare Sector”, August 29, 2022
      https://csrc.nist.gov/publications/detail/white-paper/2022/08/29/mitigating-cyber-risk-in-telehealth-smart-home-integration/final
      Objective: identify and mitigate cybersecurity and privacy risks based on patient use of smart home devices interfacing with patient information systems
      → a practice guide that describes a reference architecture for smart home integration with healthcare systems as part of a telehealth program.
      Reference:
        “NIST IR 8259: Foundational Cybersecurity Activities for IoT Device Manufacturers”, May 29, 2020
        https://www.nist.gov/publications/foundational-cybersecurity-activities-iot-device-manufacturers
        “NIST IR 8259A: IoT Device Cybersecurity Capability Core Baseline”, May 29, 2020
        https://www.nist.gov/publications/iot-device-cybersecurity-capability-core-baseline
        “NIST IR 8259B: IoT Non-Technical Supporting Capability Core Baseline”, August 25, 2021
        https://csrc.nist.gov/publications/detail/nistir/8259b/final
  • 9. 2. Cybersecurity on Telehealth x Smart Home @NIST (2)
      Components of Architecture
        Architecture | Components
        Patient Home Environment | Smart Home Devices, Personal Firewall, Wireless Access Point Router, Internet Router
        Cloud Service Provider Environment | Voice Assist Platform, Cloud Platform
        Healthcare Technology Integration Solution Environment | Telehealth Integration Applications
        Health Delivery Organization (HDO) Environment | Electronic Health Record (EHR) System, Patient Portal, Network Access Control, Network Firewall, VPN
        Telehealth Ecosystem Actors | Patients, HDO Clinicians, Support/Maintenance Staff
  • 10. 2. Cybersecurity on Telehealth x Smart Home @NIST (3)
      High-Level Architecture
      Source: National Institute of Standards and Technology (NIST), “[Project Description] Mitigating Cybersecurity Risk in Telehealth Smart Home Integration: Cybersecurity for the Healthcare Sector” (August 29, 2022)
      https://csrc.nist.gov/publications/detail/white-paper/2022/08/29/mitigating-cyber-risk-in-telehealth-smart-home-integration/final
  • 11. 2. Cybersecurity on Telehealth x Smart Home @NIST (4)
      Scenario 1: Patient Visit Scheduling
      Source: National Institute of Standards and Technology (NIST), “[Project Description] Mitigating Cybersecurity Risk in Telehealth Smart Home Integration: Cybersecurity for the Healthcare Sector” (August 29, 2022)
      https://csrc.nist.gov/publications/detail/white-paper/2022/08/29/mitigating-cyber-risk-in-telehealth-smart-home-integration/final
  • 12. 2. Cybersecurity on Telehealth x Smart Home @NIST (5)
      Scenario 2: Patient Prescription Refill
      Source: National Institute of Standards and Technology (NIST), “[Project Description] Mitigating Cybersecurity Risk in Telehealth Smart Home Integration: Cybersecurity for the Healthcare Sector” (August 29, 2022)
      https://csrc.nist.gov/publications/detail/white-paper/2022/08/29/mitigating-cyber-risk-in-telehealth-smart-home-integration/final
  • 13. 2. Cybersecurity on Telehealth x Smart Home @NIST (6)
      Scenario 3: Patient Regimen Check-In
      Source: National Institute of Standards and Technology (NIST), “[Project Description] Mitigating Cybersecurity Risk in Telehealth Smart Home Integration: Cybersecurity for the Healthcare Sector” (August 29, 2022)
      https://csrc.nist.gov/publications/detail/white-paper/2022/08/29/mitigating-cyber-risk-in-telehealth-smart-home-integration/final
  • 14. 2. Cybersecurity on Telehealth x Smart Home @NIST (7)
      Security Control Map: NIST SP 800-53 Revision 5
        • IEC TR 80001-2-2
        • HIPAA Security Rule
        • ISO/IEC 27001
      Source: National Institute of Standards and Technology (NIST), “[Project Description] Mitigating Cybersecurity Risk in Telehealth Smart Home Integration: Cybersecurity for the Healthcare Sector” (August 29, 2022)
      https://csrc.nist.gov/publications/detail/white-paper/2022/08/29/mitigating-cyber-risk-in-telehealth-smart-home-integration/final
  • 15. 3. Cloud-Native Privacy/Data Protection on Telehealth @CSA (1)
      Cloud Security Alliance Health Information Management WG, “Telehealth Data in the Cloud”, June 16, 2020
      https://cloudsecurityalliance.org/artifacts/telehealth-data-in-the-cloud/
      [Contents]
        Introduction
        Privacy Concerns
        Security Concerns
        Governance
        Compliance
        Confidentiality
        Integrity
        Availability
        Incident Response and Management
        Maintaining a Continuous Monitoring Program
        Conclusion
        References
      Source: CSA Health Information Management WG, “Telehealth Data in the Cloud”, June 16, 2020
  • 16. 3. Cloud-Native Privacy/Data Protection on Telehealth @CSA (2)
      Considerations for Health Delivery Organizations (HDOs) regarding a Telehealth Agreement with a Cloud Provider:
      Key Questions
        1. Does the telehealth provider (TP) describe the purpose(s) for which PHI is collected, used, maintained, and shared in its privacy notices?
        2. Does the TP have, disseminate, and implement operational privacy policies and procedures that govern the appropriate privacy and security controls for programs, information systems, or technologies involving PHI?
        3. Has the TP conducted a privacy impact assessment, and are they willing to share it?
        4. Does the HDO have privacy roles, responsibilities, and access requirements for contractors and service providers?
        5. Does the TP monitor and audit privacy controls and internal privacy policies to ensure effective implementation?
        6. Does the TP design information systems to support privacy by automating privacy controls?
  • 17. 3. Cloud-Native Privacy/Data Protection on Telehealth @CSA (3)
      (Continued)
      Key Questions
        7. Does the TP maintain an accurate accounting of disclosures of information held in each system of records under its control, including:
           a. Date, nature, and purpose of each disclosure of a record.
           b. Name and address of the person or organization to which the disclosure was made.
           c. The identity of who authorized the disclosure.
        8. Does the TP document processes to ensure the integrity of PHI through existing security controls?
        9. Does the TP identify the minimum PHI elements relevant and necessary to accomplish the legally authorized purpose of collection?
        10. Does the TP provide means for individuals to authorize the collection, use, maintenance, and sharing of PHI before its collection?
        11. Does the TP have a process for receiving and responding to complaints, concerns, or questions from individuals about organizational privacy practices?
        12. Does the TP provide sufficient notice to the public and to individuals regarding its activities that impact privacy? (e.g. collection, use, sharing, safeguarding, maintenance, and disposal of PHI)
        13. Does the TP share PHI externally?
  • 18. 3. Cloud-Native Privacy/Data Protection on Telehealth @CSA (4)
      Governance: Key Questions
        1. Does the service provider’s service-level agreement (SLA) clearly define how the service provider protects the confidentiality, integrity, and availability of all customer information?
        2. Does the service provider’s SLA specify that the HDO will retain ownership of its data?
        3. Will the service provider use the data for any purpose other than service delivery?
        4. Is the service provider’s service dependent on any third-party stakeholders?
      Compliance: Key Questions
        1. Does the cloud service provider allow the HDO to directly audit the implementation and management of the security measures in place to protect the service and the data it holds?
        2. Will the service provider allow the HDO to review recent audit reports thoroughly?
        3. Is the service provider HIPAA compliant?
        4. Does the service provider comply with the GDPR?
  • 19. 3. Cloud-Native Privacy/Data Protection on Telehealth @CSA (5)
      Confidentiality: Protecting data from improper disclosure
      Key Questions
        1. Authentication and Access Control
           a. Does the HDO have an identity management strategy that supports the adoption of cloud services?
           b. Is there an effective internal process that ensures that identities are managed and protected throughout their lifecycles?
           c. Is there an effective audit process to ensure that user accounts are appropriately managed and protected? Does the service provider meet those control requirements?
           d. Are all passwords encrypted, especially system/service administrators?
           e. Is multi-factor authentication required, and, if so, is it available?
           f. Does authentication and access control extend to devices?
        2. Multi-Tenancy
           g. Will the service provider allow the HDO to review a recent third-party audit report that includes an assessment of the security controls and practices related to virtualization and separation of customer data?
           h. Do the service provider’s customer registration processes provide an appropriate level of assurance based on the criticality and sensitivity of the information in the cloud service?
  • 20. 3. Cloud-Native Privacy/Data Protection on Telehealth @CSA (6)
      (Continued)
      Key Questions
        3. Patch and Vulnerability Management
           i. Is the service provider responsible for patching all components that make up the cloud service?
           j. Does the service provider’s SLA include service levels for patch and vulnerability management that comprise a defined maximum exposure window?
           k. Does the HDO currently have an effective patch and vulnerability management process?
           l. Will the service provider allow the HDO to perform regular vulnerability assessments?
        4. Encryption
           m. Does the service provider encrypt the information placed in the cloud service for both data at rest and in transit?
           n. Does the cloud service use only approved encryption protocols and algorithms (as defined in Federal Information Processing Standards 140-2)?
           o. Which party is responsible for managing the cryptographic keys?
           p. Are there separate keys for each customer?
        5. Data Persistence
           q. Does the service provider have an auditable process for the secure sanitization of storage media before it is made available to another customer?
           r. Does the service provider have an auditable process for safe disposal or destruction of equipment and storage media containing customer data?
  • 21. 3. Cloud-Native Privacy/Data Protection on Telehealth @CSA (7)
      Integrity: Maintenance of data over its full lifecycle with the assurance it is accurate and consistent.
      Key Questions
        1. Does the service provider provide data backup or archiving services as part of their standard service offering to protect against data loss or corruption?
        2. How are data backup and archiving services provided?
        3. Does the data backup or archiving service adhere to business requirements related to protection against data loss?
        4. What level of granularity does the service provider offer for data restoration?
        5. Does the service provider regularly perform test restores to ensure that data is recoverable from backup media?
  • 22. 3. Cloud-Native Privacy/Data Protection on Telehealth @CSA (8)
      Availability: Ability to ensure that required data is always accessible when and where needed.
      Key Questions
        1. Does the SLA include an expected and minimum availability performance percentage over a clearly defined period?
        2. Does the SLA include defined, scheduled outage windows?
        3. Does the service provider utilize protocols and technologies that can protect against distributed denial-of-service (DDoS) attacks?
        4. Do the network services directly managed or subscribed to by the HDO provide sufficient levels of availability?
        5. Do the network services directly managed or subscribed to by the HDO provide an adequate level of redundancy/fault tolerance?
        6. Do the network services directly managed or subscribed to by the HDO provide an adequate level of bandwidth?
        7. Is the latency between the HDO network(s) and the service provider’s service at levels acceptable to achieve the desired user experience?
  • 23. 4. Cloud-Native Security on Telehealth @CSA (1)
      Cloud Security Alliance Health Information Management WG, “Telehealth Data in the Cloud”, June 10, 2021
      https://csrc.nist.gov/publications/detail/white-paper/2022/08/29/mitigating-cyber-risk-in-telehealth-smart-home-integration/final
      [Contents]
        Introduction
        Governance
        Privacy
        Security
        Conclusion
        Reference
      Source: CSA Health Information Management WG, “Telehealth Risk management”, June 10, 2021
  • 24. 4. Cloud-Native Security on Telehealth @CSA (2)
      Information Governance: Establish the system, strategy, policies, procedures, guidelines, laws, and regulations that HDOs must adhere to.
      Source: CSA Health Information Management WG, “Telehealth Risk management”, June 10, 2021
  • 25. 4. Cloud-Native Security on Telehealth @CSA (3)
      Data Lifecycle:
        Phase | Definition
        1. Create | Data is generated, acquired, or modified.
        2. Store | Data is committed to a storage repository.
        3. Use | Data is processed, viewed, or used in any other sort of activity.
        4. Share | Data or information is made accessible to others.
        5. Archive | Data is placed in long-term storage, per data retention guidelines and legal obligations.
        6. Destroy | Data is no longer required and made inaccessible.
      Source: CSA Health Information Management WG, “Telehealth Risk management”, June 10, 2021
  • 26. 4. Cloud-Native Security on Telehealth @CSA (4)
      Cybersecurity and Privacy Risk Relationship
      Source: CSA Health Information Management WG, “Telehealth Risk management”, June 10, 2021
  • 27. 4. Cloud-Native Security on Telehealth @CSA (5)
      Data Lifecycle and Cybersecurity (1)
      Phase: Considerations
        1. Create:
           ・Any created data should fulfill a clear business need.
           ・HDOs must have consent to collect PHI or PII.
           ・Data creation regulatory requirements depend on where data is created.
           ・GDPR requires security be built in at the time of data creation.
           ・HIPAA requires protection for all PHI from inception to destruction.
           ・Data must be created in a secure environment.
        2. Store:
           ・Data owners must determine where data originated and where it is stored.
           ・Service providers must protect cloud data (including access control and encryption).
           ・CSP should have a secure architecture that utilizes standard security best practices (e.g. robust monitoring, auditing, and alerting capability).
           ・Data loss prevention system can help identify who is using the data and their location.
           ・CSP should complete a third party assessment and offer to share that insight with the HDO.
      Source: CSA Health Information Management WG, “Telehealth Risk management”, June 10, 2021
  • 28. 4. Cloud-Native Security on Telehealth @CSA (6)
      Data Lifecycle and Cybersecurity (2)
      Phase: Considerations
        3. Use:
           ・Geography determines the regulatory requirements for both stored and processed data. (e.g. Telehealth solutions allow patients to access data from anywhere with internet access.) Organizations should use federation and multifactor authentication whenever possible to access data.
           ・Identity and Access Management (IAM) is a vital part of securing data in use.
           ・Organizations should consider using an Application Programming Interface (API), which requires digital signatures to ensure security.
        4. Share:
           ・When data sharing is required, the organization responsible for the data must ensure its security. IAM is critical for data security.
           ・Enact a Data Loss Prevention (DLP) program to discover, monitor, and protect data with regulatory or compliance implications in transit and at rest across the network, storage, and endpoints. Sharing requires data transmission from the cloud to all applicable data users.
           ・Encrypt data while in transit and use a secure protocol.
      Source: CSA Health Information Management WG, “Telehealth Risk management”, June 10, 2021
  • 29. 4. Cloud-Native Security on Telehealth @CSA (7)
      Data Lifecycle and Cybersecurity (3)
      Phase: Considerations
        5. Archive:
           ・Essential data that does not require frequent access or modification often resides in a data archive.
           ・Archiving data provides many benefits, especially in terms of efficiency.
           ・Encrypt archived data and control access to the information.
           ・Keep personal data or healthcare data only if required for its original, intended purpose.
        6. Destroy:
           ・Since cloud data exists in a shared, dispersed environment, typical data deletion and destruction methods (such as wiping) cannot ensure all data copies are destroyed.
           ・Encryption, followed by key destruction, is the best guarantee to ensure responsible data removal.
      Source: CSA Health Information Management WG, “Telehealth Risk management”, June 10, 2021
  • 30. 5. Conclusions
      1. Adoption of NIST Cybersecurity Framework in Emerging Telehealth Services
      2. Next Challenge: Integration of Telehealth with Smart Home
      3. Privacy/Data Protection by Design: Agreement with Cloud Telehealth Providers
      4. Cloud-Native Security with Continuous Data Lifecycle Management
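
The "Destroy" consideration on slide 29 (encryption followed by key destruction) and slide 20's question about separate keys for each customer, shown as an added Go example that is not part of the original deck. `KeyStore`, the patient IDs and the sample record are constructed assumptions; the in-memory store stands in for a cloud KMS or HSM.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

var ErrKeyDestroyed = errors.New("key destroyed: data is cryptographically erased")

// KeyStore is a hypothetical stand-in for a KMS/HSM: one AES-256 key per subject.
type KeyStore struct {
	keys      map[string][]byte
	destroyed map[string]bool
}

func NewKeyStore() *KeyStore { return &KeyStore{map[string][]byte{}, map[string]bool{}} }

// aead returns AES-256-GCM for the subject; a destroyed key is never re-created.
func (ks *KeyStore) aead(subject string, create bool) (cipher.AEAD, error) {
	if ks.destroyed[subject] {
		return nil, ErrKeyDestroyed
	}
	key, ok := ks.keys[subject]
	if !ok {
		if !create {
			return nil, errors.New("no key for subject " + subject)
		}
		key = make([]byte, 32)
		if _, err := rand.Read(key); err != nil {
			return nil, err
		}
		ks.keys[subject] = key
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal returns nonce || ciphertext || tag. The subject ID is bound as associated
// data, so a blob cannot be opened under another subject's name or key.
func (ks *KeyStore) Seal(subject string, plaintext []byte) ([]byte, error) {
	gcm, err := ks.aead(subject, true)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, []byte(subject)), nil
}

// Open authenticates and decrypts a blob produced by Seal.
func (ks *KeyStore) Open(subject string, blob []byte) ([]byte, error) {
	gcm, err := ks.aead(subject, false)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("blob too short")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, []byte(subject))
}

// Destroy zeroes and forgets the key (best effort here; a KMS deletes it in the HSM).
func (ks *KeyStore) Destroy(subject string) {
	for i := range ks.keys[subject] {
		ks.keys[subject][i] = 0
	}
	delete(ks.keys, subject)
	ks.destroyed[subject] = true
}

// ReadableCopies counts the replicas that still decrypt for a subject.
func ReadableCopies(ks *KeyStore, subject string, replicas [][]byte) int {
	n := 0
	for _, blob := range replicas {
		if _, err := ks.Open(subject, blob); err == nil {
			n++
		}
	}
	return n
}

func main() {
	ks := NewKeyStore()
	a, _ := ks.Seal("patient-A", []byte(`{"bp":"128/82","hr":71}`)) // constructed record
	// Three replicas model primary storage, a backup and an archive tier.
	copies := [][]byte{a, append([]byte(nil), a...), append([]byte(nil), a...)}
	before := ReadableCopies(ks, "patient-A", copies)
	ks.Destroy("patient-A")
	fmt.Println("readable copies before/after key destruction:", before, ReadableCopies(ks, "patient-A", copies))
}
```

The replicas themselves are never touched: only the key is destroyed, which is why this works for copies the data owner cannot locate or wipe.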