Secure Cloud Computing for the Health Enterprise
By Joel Amoussou, CEO, Efasoft Inc.
  1. Secure Cloud Computing for the Health Enterprise. By Joel Amoussou, CEO, Efasoft Inc.
  2. Contents
     1 Regulatory Framework
     2 Cloud Security Practices
     3 Security Management
     4 Auditing & Compliance
     www.efasoft.com
  3. Healthcare Apps in the Cloud
     Cloud Services: IaaS, SaaS, PaaS
     • CDSS
     • EMR
     • 5010
     • Analytics
     • ICD10
  4. Drivers
     • Usage-Based Payment
     • Massive Scalability
     • Elasticity
     • Quick Provisioning Time
     • Low Capital Costs
  5. Regulatory Framework
     • HIPAA
     • HITECH Act – HIPAA Security Updates
     • State and Federal Laws
     • Meaningful Use
     • Recommendations on Patient Consent
  6. Impact of Regulations
     HITECH Act
     • HIPAA applies to Cloud Service Providers (CSPs) and online PHR vendors as Business Associates???
     • Breach Notification
     • Accounting of disclosure
     • Marketing and sale of PHI
     • Patient access and disclosure restrictions
     • Minimum data set
     USA Patriot Act
     • British Columbia and Nova Scotia have enacted legislation to address privacy issues related to storing patient data at providers (including CSPs) located in the US
  7. Tiger Team Recommendations
     Collection, Use and Disclosure Limitation: Third party service organizations may not collect, use or disclose personally identifiable health information for any purpose other than to provide the services specified in the business associate or service agreement with the data provider, and necessary administrative functions, or as required by law.
     When the decision to disclose or exchange the patient's identifiable health information from the provider's record is not in the control of the provider or that provider's organized health care arrangement ("OHCA"), patients should be able to exercise meaningful consent to their participation.
  8. Addressing HIPAA in the Cloud
     Access Control
     • SSH keys
     • No password-based shell access
     • Strong encryption of data and filesystems
     • Private decryption keys kept out of the cloud
     • Security groups
     • Secure transport
     Audit
     • Monitoring
     • Event logs sent to a secured, dedicated server
     • Back up log files
     Backup
     • Snapshots of block storage volumes
     • Encrypt backups and keep them out of the cloud
     • Cloud storage is replicated across multiple availability zones
     Disaster Recovery
     • Availability Zones (geographic redundancy)
     • Clustering
     • Replication
  9. Security Issues in the Cloud
     1
     • Reassigned IP addresses
     • BGP prefix hijacking
     • DNS attacks
     • DoS and DDoS attacks
     2
     • CSP staff access to VM instances and guest OS
     • Encryption not always possible while processing data in the cloud (as opposed to data at rest)
     • Security groups not physically separated
     3
     • Isolation in multitenancy
     • OWASP Top 10
     • Data lineage
     • Data provenance
     • Data remanence (NIST 800-88)
  10. Security Controls in the Cloud
     1 Image hardening and patching
     2 Host-based IDS/IPS such as OSSEC
     3 Health monitoring & security event logs
     4 Effective key management (NIST 800-57)
     5 Default deny-all mode, host firewall
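Two of the host-level controls in slides 8 and 10 (key-only SSH access, a default-deny host firewall) can be verified from configuration text. The Python audit below is an added example, not part of the deck or of Efasoft's material; the sshd_config and `iptables -S` samples are constructed, and the function names are my own. It also covers the edge case that sshd honours the first value of a keyword, not the last.

```python
"""Audit two host-level controls from the deck: key-only SSH access (slide 8)
and a default-deny host firewall (slide 10). All inputs are constructed samples."""
import re

# sshd keeps the FIRST value it reads for a keyword and ignores later duplicates,
# and settings inside a Match block apply only to matching sessions, so a
# "grep the last line" check mis-reads configs like WEAK_SSHD below.
SSHD_DEFAULTS = {"passwordauthentication": "yes", "pubkeyauthentication": "yes"}

def parse_sshd_config(text):
    """Effective global keyword values (lower-cased), first value wins.
    Parsing stops at the first Match block; Include files are not followed."""
    values = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):          # blank or comment line
            continue
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)  # "Key value" or "Key=value"
        if len(parts) < 2:
            continue
        key, val = parts[0].lower(), parts[1].strip().lower()
        if key == "match":
            break                                     # conditional section starts here
        values.setdefault(key, val)                   # keep the first occurrence only
    return values

def ssh_key_only_access(text):
    """True when password logins are off and public-key logins are on."""
    eff = {**SSHD_DEFAULTS, **parse_sshd_config(text)}
    return eff["passwordauthentication"] == "no" and eff["pubkeyauthentication"] == "yes"

def firewall_default_deny(rules):
    """True when the INPUT chain policy in `iptables -S` output is DROP."""
    for line in rules.splitlines():
        m = re.match(r"-P\s+INPUT\s+(\S+)", line.strip())
        if m:
            return m.group(1) == "DROP"
    return False                                      # no policy line seen: not verified

# Constructed: the hardening line was appended after an earlier "yes", so sshd
# still accepts passwords; the Match block only affects the "backup" user.
WEAK_SSHD = """\
Port 22
PasswordAuthentication yes
PasswordAuthentication no
Match User backup
    PasswordAuthentication no
"""
HARDENED_SSHD = "PubkeyAuthentication yes\nPasswordAuthentication no\n"
SAMPLE_IPTABLES = "-P INPUT DROP\n-P FORWARD DROP\n-P OUTPUT ACCEPT\n-A INPUT -p tcp --dport 22 -j ACCEPT\n"
```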
  11. Identity and Access Management (IAM)
     • SPML: provisioning
     • SAML 2.0: identity federation/SSO
     • XACML: authorization
     • OAuth: authentication across CSPs
     • WS-I Security Profile (SOA in the cloud)
  12. Security Management Standards
     • ITIL: IT Service Management
     • ISO 17799: Code of Practice
     • ISO 20000: Security Techniques Overview
     • ISO 27001: Security Techniques Requirements
     • ISO 27002: Code of Practice
  13. Auditing & Compliance
     • COBIT
     • ISO 27001
     • ISO 27002
     • SAS 70
     • SysTrust
     • WebTrust
     • GRC (Governance, Risk Management, and Compliance)
  14. Collaboration
     Health Enterprise: understand responsibilities (who does what about security?).
     Cloud Service Provider: provide transparency into security practices and policies.
  15. www.efasoft.com joel@efasoft.com