Discusses achieving HIPAA compliance in the cloud amidst the confusing marketing that is being done in the space. Provides compliance guidance relative to the three basic cloud models - IaaS, PaaS and SaaS. Discusses what to look for in vendors, questions to ask and expectations you should have when talking with cloud vendors about HIPAA compliance.
BECOME A SMARTER CLOUD CONSUMER - Ripping through the Rhetoric to Find Your Cloud & Control Your Risk
1. Kurt Hagerman | Chief Information Security Officer
BECOME A SMARTER CLOUD CONSUMER
Ripping through the Rhetoric to Find Your Cloud & Control Your Risk
05/18/2015
2. ABOUT KURT HAGERMAN
Kurt Hagerman, Chief Information Security Officer
Expert in attaining and maintaining compliance standards, including PCI, HIPAA, ISO 27001, among others. Has conducted hundreds of security reviews and audits across a number of industries including the payment space, healthcare, financial services and higher education.
Industry Leadership
• Cloud Security Alliance SME Council
• ISACA
• CSA
• ISSA
3. So, you’ve decided to explore the cloud for your PHI but are worried about HIPAA compliance.
HITRUST 2015: Become a Smarter Cloud Consumer
4. Have you done your research and come away confused about how various cloud vendors communicate about HIPAA compliance?
It’s understandable given what they are saying.
5. IT’S NOT WHAT YOU SAY. IT’S WHAT YOU DO.
Do you know what your vendor is really doing for you?
Do you know who to call when something goes wrong?
What about the privacy and breach rule?
HITRUST 2014: PHI and the Cloud
7. SECURITY
• Outrageous statements being made
• They sound good but ring hollow
• What do they actually mean to you, the cloud consumer, and how will your vendor’s stance affect your compliance?
Are you Confused? Frustrated? I know I am.
8. SNAKE OIL, ANYONE?
• Vendors trivialize HIPAA compliance
• Vendors over simplify the requirements to sell their services as a “silver bullet”
• HIPAA is risk-based for a reason
• There is no “Easy Button”
10. Consider the Cloud Models
Your responsibilities, and those of your cloud vendor, vary based on the model used by the vendor.
11. INFRASTRUCTURE AS A SERVICE (IAAS)
Providers: AWS, Azure, Rackspace, SoftLayer, etc.
• Typically only provide security for the underlying infrastructure
• Any compliance attestations only apply to the underlying infrastructure, with no leverage available to customers
• Vendors forced into signing BAAs, but theirs are typically weak based on the lack of security provided to the customer
• Customer owns nearly 100 percent of the compliance responsibility
12. PLATFORM AS A SERVICE (PAAS)
Providers: AWS (Elastic Beanstalk), Salesforce (Force.com), IBM SmartCloud, CloudFoundry, HP Helion, etc.
• Provide development tools and other building blocks for applications and secure these services
• Compliance attestations apply to the service, with limited leverage available to customers
• Will sign BAAs, but typically provide little in terms of liability protection based on the limited security provided to the customer
• Customer owns a majority of the compliance responsibility
13. SOFTWARE AS A SERVICE (SAAS)
Providers: Salesforce, Box, Epic, Allscripts, Athena, etc.
• Own the entire stack up through the application
• Any compliance attestations apply to the entire service, with significant leverage available to customers
• BAAs are typically stronger based on the security provided to customer data and contain reasonable liability language
• Customer owns very little of the compliance responsibility (at least for the HIPAA security rule)
14. THE MODELS COMPARED
• IaaS and PaaS are fairly close in terms of the split of responsibility between customer and vendor (PaaS more difficult to parse)
• Significant shift from PaaS to SaaS in terms of vendor responsibility
• Risk to your organization increases from IaaS to SaaS
15. IT’S NOT WHAT YOU SAY. IT’S WHAT YOU DO.
• Do you know what your vendor is really doing for you?
• Do they provide information on the specific security controls that are included with their service?
• Have they mapped their services and security controls to the HIPAA/HITECH requirements?
• Does your vendor use third parties to provide services to you?
• Have they (and their third parties) been independently assessed?
• Do you know who to call when something goes wrong?
• What about the privacy and breach rule?
• How do I manage a compliance program with multiple vendors all providing my “cloud services”?
16. SIX COMPLIANCE CHALLENGES
1. Identifying the division of responsibility between you and your cloud vendor
2. Ensuring the services your vendor is providing are properly mapped to your risk assessment
3. Getting the evidence you need for your audit
4. Obtaining objective attestation documentation from the vendor for the controls they have full or partial responsibility for
5. Monitoring ongoing compliance of your vendors
6. Receiving support from vendor during a breach event
17. BE A SMARTER CLOUD CONSUMER
CAVEAT EMPTOR
You need to deal with vendors who will be transparent about what they do and how it assists you in mitigating risk and addressing compliance requirements.
18. BE A SMARTER CLOUD CONSUMER
CAVEAT EMPTOR
Your Vendor Should:
• Provide a clear, concise explanation of the specific security controls they include in their service and how these directly assist you in meeting your compliance obligations
• Articulate the boundaries between their responsibility and yours
• Provide documentation that backs up assertions about being “HIPAA Compliant,” including independent audit reports that clearly state:
- the scope of the assessment
- the control framework used
- how compliance can be leveraged by you
19. What about Business Associate Agreements?
Many vendors say they are “business associate-friendly” and that they will sign a BAA.
• Does their BAA include language that clearly states what services they are providing and what responsibility they are taking for security incidents?
• Do they suggest this language when reviewing yours?
-- Quickly introduce yourself and the company.
-- Establish your talk’s purpose.
-- Explain what this presentation and discussion will and will not be. This is your preamble – expectation-setting and table-setting is key.
-- Decide how you want to address questions. At the end? Or throughout. Set that expectation with the audience up front. (Depends on size of your audience, personalities in the room, and length of your prezo.)
Throughout the prezo, you should give the audience a reminder of where you are in the logic flow so they have bearings.
This is part one – macro industry perspective, which will lead you to provide bearings on where FireHost fits in this mix.
Start by saying you will set the table on the cloud industry, its dynamics, and challenges.
Remark how the challenges, when you get to them, are well-known but poorly addressed to date, especially if you look beyond vendor marketing. (This will set up FireHost’s bearings – why we even exist in the first place.)
Bullets:
DO YOU KNOW WHAT YOUR VENDOR IS REALLY DOING FOR YOU?
WHAT ABOUT THE PRIVACY AND BREACH RULE?
DO YOU KNOW WHO TO CALL WHEN SOMETHING GOES WRONG?
Different cloud models – applicability to healthcare applications
Every one is different
Confusion in marketplace about BAA (Amazon)
Omnibus changed rules – not a yardstick…
Who’s taking responsibility?
Easier achieved with a single vendor who provides
Transparency w/I vendors – understanding what your vendor does and how that helps you achieve compliance – go beyond jargon
It’s not about what you say, it’s about what you do.
Performance aspect – people’s lives depend on it
Note to Casey/Josh: We did this slide for HIMSS 15.
…There are serious gaps. There are areas of focus that are not getting enough attention to make cloud computing safe.
Security and compliance are atop this list.
And what they ultimately point to is risk…
You need to reduce risk as data proliferates and security threats expand in parallel.
The gap in managing risk, security, and compliance exists for multiple reasons.
Acumen and expertise are limited across the industry.
Price often trumps security.
Performance (infrastructure and applications) also trumps security.
As the momentum, innovation, and marketing of cloud continues with insufficient attention to risk, security, and compliance, the gap widens.
This widening effect between innovation and risk/security makes it increasingly difficult for service providers and vendors to close the gap.
Simply put, the cloud market risks innovating much faster than security can keep up.
Today, how a business addresses these gaps carries major implications.
And how a cloud provider addresses these gaps for its customers is one of those implications.
We’ll get into this later, but do you do it yourself? Or do you offload the burden to a provider? If the latter, who?
That choice is as strategic as it has ever been…
Let’s put the data breach parade in perspective. Consider the healthcare industry. According to the U.S. Department of Health and Human Services (DHHS):
944 incidents affecting personal information from about 30.1 million people:
Theft (17.4 million)
Data loss (7.2 million)
Hacking (3.6 million)
Unauthorized access accounts (1.9 million)
Ponemon says the business community suffers $5.6B/year in damage caused by data breaches.
Now turn these questions toward your industry.
Whether that data is used for internal operations or is generated from interaction with patients, healthcare organizations demand data integrity, availability, and confidentiality.
That’s what’s at stake.
Triangulating security, compliance, and risk reduction enables this.
It’s a critical need.
Again, is this something you can or want to do on your own?
Difference between compliance and security - misperceptions
Just because you’re compliant and checking boxes, doesn’t mean you’re secure – don’t confuse the two
Compliance should not lead your security efforts – security should
Compliance is a reporting function of a security program – it’s how you demonstrate that you meet a set of requirements
Just achieving compliance is like getting a C grade – it gets you by but doesn’t get you ahead.
Too much outrageous marketing around cloud provider compliance
It’s not about what they say it’s about what they do – For You.
Secure providers need to understand the compliance challenges their customers face and be able to articulate how their security solution helps them reduce risk and make their compliance journey easier, quicker and cheaper.
Need to have trained staff with experience across a wide range of security and compliance regulations
As you consider the threat landscape and the security needed to protect your business, you also need to consider compliance as an additional variable in the risk reduction equation.
Compliance requirements can be vague. They change over time.
There are many parts to compliance and many vendors and consultants as a result.
Amid the compliance “puzzle” is its relationship with security and risk management.
All three are inter-related, right?
You reduce risk by protecting data and meeting compliance requirements.
Although many companies address security and compliance separately, you’d agree that they should be managed together as one risk management strategy.
Easier said than done.
Regardless of the size of your company or IT staff, you need experts. You need security and compliance specialists by your side. You need time. You need full-time attention.
It’s a lot to ask.
Which leads to the obvious questions:
Can you manage compliance, security, and risk reduction yourself?
Do you have the resources? Do you have the personnel, expertise, and time?
And even if you do have the resources, do you want to manage it yourself?
Or do you want to offload this burden and focus on other strategic priorities?
If you want to offload, who can literally take on that burden?
You need a highly secure cloud provider, not just any cloud provider.
There is a difference.
How do you distinguish providers beyond their sales pitches or marketing claims on websites?
After all, actions speak louder than words.
…Simply put…
…We offload much of the burden of managing compliance and security.
Whether you have resources and expertise on staff, we can do this for you, freeing you up to tackle more important initiatives.
I know I’ve rhetorically asked this multiple times, but do you really want to manage security and compliance by yourself?
We can help. We are full-time experts. This is what we do.
We are an extension of your team
(Pivot toward compliance now. Explain that you’ve spent some time on our approach to security contrary to the rest of the industry. Then acknowledge that this is inevitably setting your business up for innovative services that can help address more risk reduction efforts, such as compliance. Describe CaaS and its uniqueness in the market.)
(Acknowledge the opportunity for additional services to be added to CaaS over time, such as cyber insurance.)
FireHost reduces risk by combining security and compliance as one solution.
Our offering is fluid and removes much of the hassle of managing various vendors.
The community of partners you typically would engage are handled by us – we put the puzzle pieces together for you.
Think about how much time and resources that can save you.
DOCUMENTATION
Security protocols
PCI validation
HITRUST certification
SSAE 16 attestation
ISO 27001 certification
Documentation provides structured, transparent compliance documentation and reports about FH services – free of charge
PCI validation; HITRUST certification, SSAE 16 attestation, ISO 27001 certification, etc.
Outline of FireHost security protocols
________________________________________________
Rapid Compliance Portal
Self-assessment & reporting tools, tech support for both PCI & HIPAA
Tools to document, print and submit an SAQ to processor
Tailored compliance guidance based on individual need
________________________________________________
External & Internal Vulnerability Scans
Assesses technical vulnerabilities
Clients can perform scans with any frequency
Offers Attestation of Scan Compliance (PCI) and other reports
Customers can access their scans directly
Internal scans can be scheduled to run on-demand