Kurt Hagerman | Chief Information Security Officer
BECOME A SMARTER CLOUD CONSUMER
Ripping through the Rhetoric to Find Your Cloud & Control Your Risk
05/18/2015
ABOUT KURT HAGERMAN
Chief Information Security Officer
Expert in attaining and maintaining compliance standards, including PCI, HIPAA, ISO 27001, among others. Has conducted hundreds of security reviews and audits across a number of industries, including the payment space, healthcare, financial services and higher education.
Industry Leadership
• Cloud Security Alliance SME Council
• ISACA
• CSA
• ISSA
So, you’ve decided to explore the cloud for your PHI but are worried about HIPAA compliance.
HITRUST 2015: Become a Smarter Cloud Consumer
Have you done your research and come away confused about how various cloud vendors communicate about HIPAA compliance?
It’s understandable given what they are saying.
IT’S NOT WHAT YOU SAY. IT’S WHAT YOU DO.
Do you know what your vendor is really doing for you?
Do you know who to call when something goes wrong?
What about the privacy and breach rule?
HITRUST 2014: PHI and the Cloud
What They’re Saying…
SECURITY
• Outrageous statements being made
• They sound good but ring hollow
• What do they actually mean to you, the cloud consumer, and how will your vendor’s stance affect your compliance?
Are you Confused? Frustrated?
I know I am.
SNAKE OIL, ANYONE?
• Vendors trivialize HIPAA compliance
• Vendors oversimplify the requirements to sell their services as a “silver bullet”
• HIPAA is risk-based for a reason
• There is no “Easy Button”
CONSIDER THE CLOUD MODELS
Role Clarity
Your responsibilities, and those of your cloud vendor, vary based on the model used by the vendor.
INFRASTRUCTURE AS A SERVICE (IAAS)
Providers: AWS, Azure, Rackspace, SoftLayer, etc.
• Typically only provide security for the underlying infrastructure
• Any compliance attestations only apply to the underlying infrastructure, with no leverage available to customers
• Vendors forced into signing BAAs, but theirs are typically weak based on the lack of security provided to the customer
• Customer owns nearly 100 percent of the compliance responsibility
PLATFORM AS A SERVICE (PAAS)
Providers: AWS (Elastic Beanstalk), Salesforce (Force.com), IBM SmartCloud, CloudFoundry, HP Helion, etc.
• Provide development tools and other building blocks for applications, and secure these services
• Compliance attestations apply to the service, with limited leverage available to customers
• Will sign BAAs, but typically provide little in terms of liability protection based on the limited security provided to the customer
• Customer owns a majority of the compliance responsibility
SOFTWARE AS A SERVICE (SAAS)
Providers: Salesforce, Box, Epic, Allscripts, Athena, etc.
• Own the entire stack up through the application
• Any compliance attestations apply to the entire service, with significant leverage available to customers
• BAAs are typically stronger based on the security provided to customer data, and contain reasonable liability language
• Customer owns very little of the compliance responsibility (at least for the HIPAA security rule)
THE MODELS COMPARED
• IaaS and PaaS are fairly close in terms of the split of responsibility between customer and vendor (PaaS more difficult to parse)
• Significant shift from PaaS to SaaS in terms of vendor responsibility
• Risk to your organization increases from IaaS to SaaS
IT’S NOT WHAT YOU SAY. IT’S WHAT YOU DO.
• Do you know what your vendor is really doing for you?
• Do they provide information on the specific security controls that are included with their service?
• Have they mapped their services and security controls to the HIPAA/HITECH requirements?
• Does your vendor use third parties to provide services to you?
• Have they (and their third parties) been independently assessed?
• Do you know who to call when something goes wrong?
• What about the privacy and breach rule?
• How do I manage a compliance program with multiple vendors all providing my “cloud services”?
SIX COMPLIANCE CHALLENGES
1. Identifying the division of responsibility between you and your cloud vendor
2. Ensuring the services your vendor is providing are properly mapped to your risk assessment
3. Getting the evidence you need for your audit
4. Obtaining objective attestation documentation from the vendor for the controls they have full or partial responsibility for
5. Monitoring ongoing compliance of your vendors
6. Receiving support from the vendor during a breach event
BE A SMARTER CLOUD CONSUMER
CAVEAT EMPTOR
You need to deal with vendors who will be transparent about what they do and how it assists you in mitigating risk and addressing compliance requirements.
BE A SMARTER CLOUD CONSUMER
CAVEAT EMPTOR
Your Vendor Should:
• Provide a clear, concise explanation of the specific security controls they include in their service and how these directly assist you in meeting your compliance obligations
• Articulate the boundaries between their responsibility and yours
• Provide documentation that backs up assertions about being “HIPAA Compliant,” including independent audit reports that clearly state:
  - the scope of the assessment
  - the control framework used
  - how compliance can be leveraged by you
What about Business Associate Agreements?
Many vendors say they are “business associate-friendly” and that they will sign a BAA.
• Does their BAA include language that clearly states what services they are providing and what responsibility they are taking for security incidents?
• Do they suggest this language when reviewing yours?
Thank You
Questions?
Kurt Hagerman
Email: kurt.hagerman@firehost.com
Phone: +1 877 262 3473
nagpur Call Girls 👙 6297143586 👙 Genuine WhatsApp Number for Real Meet
 
(Sonam Bajaj) Call Girl in Jaipur- 09257276172 Escorts Service 50% Off with C...
(Sonam Bajaj) Call Girl in Jaipur- 09257276172 Escorts Service 50% Off with C...(Sonam Bajaj) Call Girl in Jaipur- 09257276172 Escorts Service 50% Off with C...
(Sonam Bajaj) Call Girl in Jaipur- 09257276172 Escorts Service 50% Off with C...
 
Call Girl In Zirakpur ❤️♀️@ 9988299661 Zirakpur Call Girls Near Me ❤️♀️@ Sexy...
Call Girl In Zirakpur ❤️♀️@ 9988299661 Zirakpur Call Girls Near Me ❤️♀️@ Sexy...Call Girl In Zirakpur ❤️♀️@ 9988299661 Zirakpur Call Girls Near Me ❤️♀️@ Sexy...
Call Girl In Zirakpur ❤️♀️@ 9988299661 Zirakpur Call Girls Near Me ❤️♀️@ Sexy...
 
Ernakulam Call Girls 👙 6297143586 👙 Genuine WhatsApp Number for Real Meet
Ernakulam Call Girls 👙 6297143586 👙 Genuine WhatsApp Number for Real MeetErnakulam Call Girls 👙 6297143586 👙 Genuine WhatsApp Number for Real Meet
Ernakulam Call Girls 👙 6297143586 👙 Genuine WhatsApp Number for Real Meet
 
Call Girls Service In Goa 💋 9316020077💋 Goa Call Girls By Russian Call Girl...
Call Girls Service In Goa  💋 9316020077💋 Goa Call Girls  By Russian Call Girl...Call Girls Service In Goa  💋 9316020077💋 Goa Call Girls  By Russian Call Girl...
Call Girls Service In Goa 💋 9316020077💋 Goa Call Girls By Russian Call Girl...
 
(Deeksha) 💓 9920725232 💓High Profile Call Girls Navi Mumbai You Can Get The S...
(Deeksha) 💓 9920725232 💓High Profile Call Girls Navi Mumbai You Can Get The S...(Deeksha) 💓 9920725232 💓High Profile Call Girls Navi Mumbai You Can Get The S...
(Deeksha) 💓 9920725232 💓High Profile Call Girls Navi Mumbai You Can Get The S...
 
Jaipur Call Girls 9257276172 Call Girl in Jaipur Rajasthan
Jaipur Call Girls 9257276172 Call Girl in Jaipur RajasthanJaipur Call Girls 9257276172 Call Girl in Jaipur Rajasthan
Jaipur Call Girls 9257276172 Call Girl in Jaipur Rajasthan
 
Call Girl Gorakhpur * 8250192130 Service starts from just ₹9999 ✅
Call Girl Gorakhpur * 8250192130 Service starts from just ₹9999 ✅Call Girl Gorakhpur * 8250192130 Service starts from just ₹9999 ✅
Call Girl Gorakhpur * 8250192130 Service starts from just ₹9999 ✅
 
Call Girls Patiala Just Call 9907093804 Top Class Call Girl Service Available
Call Girls Patiala Just Call 9907093804 Top Class Call Girl Service AvailableCall Girls Patiala Just Call 9907093804 Top Class Call Girl Service Available
Call Girls Patiala Just Call 9907093804 Top Class Call Girl Service Available
 
Call Girls Thane Just Call 9907093804 Top Class Call Girl Service Available
Call Girls Thane Just Call 9907093804 Top Class Call Girl Service AvailableCall Girls Thane Just Call 9907093804 Top Class Call Girl Service Available
Call Girls Thane Just Call 9907093804 Top Class Call Girl Service Available
 
VIP Call Girl Sector 10 Noida Call Me: 9711199171
VIP Call Girl Sector 10 Noida Call Me: 9711199171VIP Call Girl Sector 10 Noida Call Me: 9711199171
VIP Call Girl Sector 10 Noida Call Me: 9711199171
 
Ozhukarai Call Girls 👙 6297143586 👙 Genuine WhatsApp Number for Real Meet
Ozhukarai Call Girls 👙 6297143586 👙 Genuine WhatsApp Number for Real MeetOzhukarai Call Girls 👙 6297143586 👙 Genuine WhatsApp Number for Real Meet
Ozhukarai Call Girls 👙 6297143586 👙 Genuine WhatsApp Number for Real Meet
 
Russian Call Girls in Noida Pallavi 9711199171 High Class Call Girl Near Me
Russian Call Girls in Noida Pallavi 9711199171 High Class Call Girl Near MeRussian Call Girls in Noida Pallavi 9711199171 High Class Call Girl Near Me
Russian Call Girls in Noida Pallavi 9711199171 High Class Call Girl Near Me
 
Russian Call Girls Kota * 8250192130 Service starts from just ₹9999 ✅
Russian Call Girls Kota * 8250192130 Service starts from just ₹9999 ✅Russian Call Girls Kota * 8250192130 Service starts from just ₹9999 ✅
Russian Call Girls Kota * 8250192130 Service starts from just ₹9999 ✅
 
VIP Call Girl Sector 32 Noida Just Book Me 9711199171
VIP Call Girl Sector 32 Noida Just Book Me 9711199171VIP Call Girl Sector 32 Noida Just Book Me 9711199171
VIP Call Girl Sector 32 Noida Just Book Me 9711199171
 
Hubli Call Girls 👙 6297143586 👙 Genuine WhatsApp Number for Real Meet
Hubli Call Girls 👙 6297143586 👙 Genuine WhatsApp Number for Real MeetHubli Call Girls 👙 6297143586 👙 Genuine WhatsApp Number for Real Meet
Hubli Call Girls 👙 6297143586 👙 Genuine WhatsApp Number for Real Meet
 
Sambalpur Call Girls 👙 6297143586 👙 Genuine WhatsApp Number for Real Meet
Sambalpur Call Girls 👙 6297143586 👙 Genuine WhatsApp Number for Real MeetSambalpur Call Girls 👙 6297143586 👙 Genuine WhatsApp Number for Real Meet
Sambalpur Call Girls 👙 6297143586 👙 Genuine WhatsApp Number for Real Meet
 
VIP Call Girls Noida Jhanvi 9711199171 Best VIP Call Girls Near Me
VIP Call Girls Noida Jhanvi 9711199171 Best VIP Call Girls Near MeVIP Call Girls Noida Jhanvi 9711199171 Best VIP Call Girls Near Me
VIP Call Girls Noida Jhanvi 9711199171 Best VIP Call Girls Near Me
 

BECOME A SMARTER CLOUD CONSUMER - Ripping through the Rhetoric to Find Your Cloud & Control Your Risk

  • 1. Kurt Hagerman | Chief Information Security Officer BECOME A SMARTER CLOUD CONSUMER: Ripping through the Rhetoric to Find Your Cloud & Control Your Risk 05/18/2015
  • 2. Kurt Hagerman ABOUT KURT HAGERMAN Expert in attaining and maintaining compliance standards, including PCI, HIPAA, ISO 27001, among others. Has conducted hundreds of security reviews and audits across a number of industries including the payment space, healthcare, financial services and higher education. Industry Leadership • Cloud Security Alliance SME Council • ISACA • CSA • ISSA Chief Information Security Officer
  • 3. So, you’ve decided to explore the cloud for your PHI but are worried about HIPAA compliance. HITRUST 2015: Become a Smarter Cloud Consumer
  • 4. Have you done your research and come away confused about how various cloud vendors communicate about HIPAA compliance? It’s understandable given what they are saying. HITRUST 2015: Become a Smarter Cloud Consumer
  • 5. IT’S NOT WHAT YOU SAY. IT’S WHAT YOU DO. Do you know what your vendor is really doing for you? Do you know who to call when something goes wrong? What about the privacy and breach rule? HITRUST 2014: PHI and the Cloud
  • 6. What They’re Saying… HITRUST 2014: PHI and the Cloud
  • 7. SECURITY • Outrageous statements being made • They sound good but ring hollow • What do they actually mean to you, the cloud consumer, and how will your vendor’s stance affect your compliance? Are you Confused? Frustrated? I know I am. HITRUST 2014: PHI and the Cloud
  • 8. SNAKE OIL, ANYONE? • Vendors trivialize HIPAA compliance • Vendors over simplify the requirements to sell their services as a “silver bullet” • HIPAA is risk-based for a reason • There is no “Easy Button” HITRUST 2014: PHI and the Cloud
  • 9. CONSIDER THE CLOUD MODELS Role Clarity HITRUST 2014: PHI and the Cloud
  • 10. Consider the Cloud Models HITRUST 2014: PHI and the Cloud Your responsibilities, and those of your cloud vendor, vary based on the model used by the vendor.
  • 11. INFRASTRUCTURE AS A SERVICE (IAAS) Providers: AWS, Azure, Rackspace, SoftLayer, etc. • Typically only provide security for the underlying infrastructure • Any compliance attestations only apply to the underlying infrastructure, with no leverage available to customers • Vendors are forced into signing BAAs, but theirs are typically weak based on the lack of security provided to the customer • Customer owns nearly 100 percent of the compliance responsibility HITRUST 2014: PHI and the Cloud
  • 12. PLATFORM AS A SERVICE (PAAS) Providers: AWS (Elastic Beanstalk), Salesforce (Force.com), IBM SmartCloud, CloudFoundry, HP Helion, etc. • Provide development tools and other building blocks for applications and secure these services • Compliance attestations apply to the service, with limited leverage available to customers • Will sign BAAs, but typically provide little in terms of liability protection based on the limited security provided to the customer • Customer owns a majority of the compliance responsibility HITRUST 2014: PHI and the Cloud
  • 13. SOFTWARE AS A SERVICE (SAAS) Providers: Salesforce, Box, Epic, Allscripts, Athena, etc. • Own the entire stack up through the application • Any compliance attestations apply to the entire service, with significant leverage available to customers • BAAs are typically stronger based on the security provided to customer data and contain reasonable liability language • Customer owns very little of the compliance responsibility (at least for the HIPAA security rule) HITRUST 2014: PHI and the Cloud
  • 14. THE MODELS COMPARED • IaaS and PaaS are fairly close in terms of the split of responsibility between customer and vendor (PaaS is more difficult to parse) • Significant shift from PaaS to SaaS in terms of vendor responsibility • Risk to your organization increases from IaaS to SaaS HITRUST 2014: PHI and the Cloud
  • 15. IT’S NOT WHAT YOU SAY. IT’S WHAT YOU DO. • Do you know what your vendor is really doing for you? • Do they provide information on the specific security controls that are included with their service? • Have they mapped their services and security controls to the HIPAA/HITECH requirements? • Does your vendor use third parties to provide services to you? • Have they (and their third parties) been independently assessed? • Do you know who to call when something goes wrong? • What about the privacy and breach rule? • How do I manage a compliance program with multiple vendors all providing my “cloud services”? HITRUST 2014: PHI and the Cloud
  • 16. SIX COMPLIANCE CHALLENGES 1. Identifying the division of responsibility between you and your cloud vendor 2. Ensuring the services your vendor is providing are properly mapped to your risk assessment 3. Getting the evidence you need for your audit 4. Obtaining objective attestation documentation from the vendor for the controls they have full or partial responsibility for 5. Monitoring ongoing compliance of your vendors 6. Receiving support from the vendor during a breach event HITRUST 2014: PHI and the Cloud
  • 17. BE A SMARTER CLOUD CONSUMER You need to deal with vendors who will be transparent about what they do and how it assists you in mitigating risk and addressing compliance requirements. CAVEAT EMPTOR HITRUST 2014: PHI and the Cloud
  • 18. BE A SMARTER CLOUD CONSUMER: CAVEAT EMPTOR Your Vendor Should: • Provide a clear, concise explanation of the specific security controls they include in their service and how these directly assist you in meeting your compliance obligations • Articulate the boundaries between their responsibility and yours • Provide documentation that backs up assertions about being “HIPAA Compliant,” including independent audit reports that clearly state: - the scope of the assessment - the control framework used - how compliance can be leveraged by you HITRUST 2014: PHI and the Cloud
  • 19. What about Business Associate Agreements? Many vendors say they are “business associate-friendly” and that they will sign a BAA. • Does their BAA include language that clearly states what services they are providing and what responsibility they are taking for security incidents? • Do they suggest this language when reviewing yours? HITRUST 2014: PHI and the Cloud
  • 20. Thank You Questions? Kurt Hagerman Email kurt.hagerman@firehost.com Phone +1 877 262 3473 HITRUST 2014: PHI and the Cloud

Editor's Notes

  1. -- Quickly introduce yourself and the company. -- Establish your talk’s purpose. -- Explain what this presentation and discussion will and will not be; This is your preamble – expectation-setting and table-setting is key. -- Decide how you want to address questions. At the end? Or throughout. Set that expectation with the audience up front. (Depends on size of your audience, personalities in the room, and length of your prezo.)
  2. Throughout the prezo, you should give the audience a reminder of where you are in the logic flow so they have bearings. This is part one – macro industry perspective, which will lead you to provide bearings on where FireHost fits in this mix. Start by saying you will set the table on the cloud industry, its dynamics, and challenges. Remark how the challenges, when you get to them, are well-known but poorly addressed to date, especially if you look beyond vendor marketing. (This will set up FireHost’s bearings – why we even exist in the first place.)
  3. Bullets: DO YOU KNOW WHAT YOUR VENDOR IS REALLY DOING FOR YOU? WHAT ABOUT THE PRIVACY AND BREACH RULE? DO YOU KNOW WHO TO CALL WHEN SOMETHING GOES WRONG? Different cloud models – applicability to healthcare applications. Every one is different. Confusion in the marketplace about BAAs (Amazon). Omnibus changed the rules – not a yardstick… Who’s taking responsibility? Easier achieved with a single vendor who provides transparency. Transparency with vendors – understanding what your vendor does and how that helps you achieve compliance – go beyond jargon. It’s not about what you say, it’s about what you do. Performance aspect – people’s lives depend on it.
  4. Note to Casey/Josh: We did this slide for HIMSS 15.
  5. …There are serious gaps. There are areas of focus that are not getting enough attention to make cloud computing safe. Security and compliance are atop this list. And what they ultimately point to is risk… You need to reduce risk as data proliferates and security threats expand in parallel. The gap in managing risk, security, and compliance exists for multiple reasons. Acumen and expertise are limited across the industry. Price often trumps security. Performance (infrastructure and applications) also trumps security. As the momentum, innovation, and marketing of cloud continues with insufficient attention to risk, security, and compliance, the gap widens. This widening effect between innovation and risk/security makes it increasingly difficult for service providers and vendors to close the gap. Simply put, the cloud market risks innovating much faster than security can keep up. Today, how a business addresses these gaps carries major implications. And how a cloud provider addresses these gaps for its customers is one of those implications. We’ll get into this later, but do you do it yourself? Or do you offload the burden to a provider? If the latter, who? That choice is as strategic as it has ever been…
  6. Let’s put the data breach parade in perspective. Consider the healthcare industry. According to the U.S. Department of Health and Human Services (DHHS): 944 incidents affecting personal information from about 30.1 million people. Theft (17.4 million); Data loss (7.2 million); Hacking (3.6 million); Unauthorized access accounts (1.9 million). Ponemon says the business community suffers $5.6B/year in damage caused by data breaches.
  7. Now turn these questions toward your industry. Whether that data is used for internal operations or is generated from interaction with patients, healthcare organizations demand data integrity, availability, and confidentiality. That’s what’s at stake. Triangulating security, compliance, and risk reduction enables this. It’s a critical need. Again, is this something you can or want to do on your own?
  8. Difference between compliance and security – misperceptions. Just because you’re compliant and checking boxes doesn’t mean you’re secure – don’t confuse the two. Compliance should not lead your security efforts – security should. Compliance is a reporting function of a security program – it’s how you demonstrate that you meet a set of requirements. Just achieving compliance is like getting a C grade – it gets you by but doesn’t get you ahead. Too much outrageous marketing around cloud provider compliance. It’s not about what they say, it’s about what they do – for you. Secure providers need to understand the compliance challenges their customers face and be able to articulate how their security solution helps them reduce risk and make their compliance journey easier, quicker and cheaper. Need to have trained staff with experience across a wide range of security and compliance regulations.
  9. As you consider the threat landscape and the security needed to protect your business, you also need to consider compliance as an additional variable in the risk reduction equation. Compliance requirements can be vague. They change over time. There are many parts to compliance and many vendors and consultants as a result. Amid the compliance “puzzle” is its relationship with security and risk management. All three are inter-related, right? You reduce risk by protecting data and meeting compliance requirements. Although many companies address security and compliance separately, you’d agree that they should be managed together as one risk management strategy. Easier said than done. Regardless of the size of your company or IT staff, you need experts. You need security and compliance specialists by your side. You need time. You need full-time attention. It’s a lot to ask. Which leads to the obvious questions: Can you manage compliance, security, and risk reduction yourself? Do you have the resources? Do you have the personnel, expertise, and time? And even if you do have the resources, do you want to manage it yourself? Or do you want to offload this burden and focus on other strategic priorities? If you want to offload, who can literally take on that burden? You need a highly secure cloud provider, not just any cloud provider. There is a difference. How do you distinguish providers beyond their sales pitches or marketing claims on websites? After all, actions speak louder than words.
  10. …Simply put… …We offload much of the burden of managing compliance and security. Whether or not you have resources and expertise on staff, we can do this for you, freeing you up to tackle more important initiatives. I know I’ve rhetorically asked this multiple times, but do you really want to manage security and compliance by yourself? We can help. We are full-time experts. This is what we do. We are an extension of your team.
  11. (Pivot toward compliance now. Explain that you’ve spent some time on our approach to security contrary to the rest of the industry. Then acknowledge that this is inevitably setting your business up for innovative services that can help address more risk reduction efforts, such as compliance. Describe CaaS and its uniqueness in the market.) (Acknowledge the opportunity for additional services to be added to CaaS over time, such as cyber insurance.) FireHost reduces risk by combining security and compliance as one solution. Our offering is fluid and removes much of the hassle of managing various vendors. The community of partners you typically would engage are handled by us – we put the puzzle pieces together for you. Think about how much time and resources that can save you.
  12. DOCUMENTATION: Security protocols; PCI validation; HITRUST certification; SSAE 16 attestation; ISO 27001 certification. Documentation provides structured, transparent compliance documentation and reports about FH services – free of charge: PCI validation, HITRUST certification, SSAE 16 attestation, ISO 27001 certification, etc.; outline of FireHost security protocols. RAPID COMPLIANCE PORTAL: Self-assessment & reporting tools, tech support for both PCI & HIPAA; tools to document, print and submit an SAQ to the processor; tailored compliance guidance based on individual need. EXTERNAL & INTERNAL VULNERABILITY SCANS: Assesses technical vulnerabilities; clients can perform scans with any frequency; offers Attestation of Scan Compliance (PCI) and other reports; customers can access their scans directly; internal scans can be scheduled to run on demand.