Overcoming HIPAA Challenges
Cloud Service Architecture
Marius Aharonovich, Cloud Security Architect
Agenda
• Cloud Service Overview
• Architecture
• PHI Security Controls – Approach
• Security – Infrastructure
• Administrative Controls
• Technical Controls
• Incidents Detection and Response
Cloud Services – Overview (1/2)
• Mobile Workforce Management & Optimization
• Dispatcher/Mobile/GIS
• Number of Cloud Customers: 60+
• Data stored and processed:
  - Personal and Protected Health Information (PHI)
  - Customer’s and Customer’s Clients’ Information
Cloud Services – Overview (2/2)
• Software as a Service
• Amazon Web Services (AWS) Based
• Holding 3 Regions (US, EU, AUS)
• HIPAA business associate
• Operation team
  - Cloud Ops, NOC & Support 24x7, DevOps, Security
• SLA – 99.9%
• DR – Other Region / Availability Zone
• Data Daily Backup – AWS S3 in encrypted format
Architecture
[Architecture diagram; only its labels survive extraction] Legend: VPC – Virtual Private Cloud; SaaS – Software as a Service; DC – Domain Controller; CSSO – Service Optimization. Labels shown: Client A, Client B, Client C; HTTPS; Amazon Firewall / Internet GW; ELB (three instances); WEB; CSSO (one per client); MSSQL – Full Redundant (Mirroring); SiteMinder Authentication; GIS (PTV); DC and BDC; all inside the ClickSoftware SaaS VPC.
PHI Security Controls – Approach
• Covered Entity (Customers)
• Business Associate (ClickSoftware Cloud Services)
• Private Data / PHI must be Processed with:
  - Limited purposes
  - Not kept for longer than is necessary
  - Mitigation of unauthorized access
  - No transfer to third parties without adequate protection
Security – Infrastructure
• AWS assurance programs:
  - SOC2 & SOC3 & FIPS 140-2 (encryption) & NIST (media re-use)
  - ISO 27001 – Information Security Management System (ISMS)
  - HIPAA (& BAA) – Health Insurance Portability and Accountability Act
• AWS addresses common infrastructure security threats, such as:
  - Distributed Denial of Service (DDoS) attacks
  - Man In the Middle (MITM) attacks
  - IP spoofing
  - Port scanning
  - Packet sniffing by other tenants
Administrative Controls (1/3)
• Security Personnel – Security and Privacy Officer
• ISO 27001 and HIPAA compliance (& BAA)
• Information Security and Privacy Policy
• Risk Assessments
• Code Inspections
• Penetration Tests
Administrative Controls (2/3)
• Internal Security Audits:
  - Brute-force attempts & changes in groups, servers, applications and GPO
  - Changes in AWS Security Groups & ELB
  - AWS tools: Trusted Advisor, Credentials Report
Credentials Report fields audited:
  Username (Console / API)
  user_creation_time
  password_enabled/disabled
  password_last_used
  mfa_active/inactive
  access_key_active/inactive
Security Group changes – alert email:
  Hello,
  AWS Auditing Alert - Please check the log lines below
  2015-01-27 06:31:53 AM: Object: Security Group(sg-XX)
  ObjectId: tcp Decription: Security Group IpProtocol
  RANGE (YY) had been added
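As an added example (not from the deck), the audit that the Credentials Report bullets describe, run over a constructed excerpt laid out like AWS's IAM credentials report CSV; the 90-day inactivity threshold, the audit time and every row are assumptions made for the example:

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed excerpt in the layout of an AWS IAM credentials report (a subset
# of the real columns); every row and timestamp here is made up for this example.
SAMPLE_REPORT = """user,arn,user_creation_time,password_enabled,password_last_used,mfa_active,access_key_1_active,access_key_1_last_used_date
<root_account>,arn:aws:iam::123456789012:root,2014-03-01T10:00:00+00:00,not_supported,2014-12-01T08:00:00+00:00,false,false,N/A
alice,arn:aws:iam::123456789012:user/alice,2014-05-02T09:15:00+00:00,true,2015-01-26T07:30:00+00:00,true,true,2015-01-25T12:00:00+00:00
bob,arn:aws:iam::123456789012:user/bob,2014-06-10T11:00:00+00:00,true,2014-09-01T16:45:00+00:00,false,false,N/A
deploy-svc,arn:aws:iam::123456789012:user/deploy-svc,2014-07-20T13:00:00+00:00,false,no_information,false,true,2014-08-01T09:00:00+00:00
"""

NOW = datetime(2015, 1, 27, 6, 31, 53, tzinfo=timezone.utc)  # audit time (constructed)
STALE = timedelta(days=90)  # assumed inactivity threshold


def _parse_ts(value):
    """Report timestamps are ISO 8601; N/A / no_information / not_supported mean 'never'."""
    if value in ("N/A", "no_information", "not_supported", ""):
        return None
    return datetime.fromisoformat(value)


def audit_credentials_report(report_csv, now=NOW, stale=STALE):
    """Map each user to the findings the slide's audit fields reveal (empty dict = clean)."""
    findings = {}
    for row in csv.DictReader(io.StringIO(report_csv)):
        user, issues = row["user"], []
        pw_enabled = row["password_enabled"] == "true"
        mfa = row["mfa_active"] == "true"
        if user == "<root_account>" and not mfa:
            issues.append("root account without MFA")
        if pw_enabled and not mfa:
            issues.append("console password without MFA")
        last_pw = _parse_ts(row["password_last_used"])
        if pw_enabled and (last_pw is None or now - last_pw > stale):
            issues.append("console password unused for >90 days")
        if row["access_key_1_active"] == "true":
            last_key = _parse_ts(row["access_key_1_last_used_date"])
            if last_key is None or now - last_key > stale:
                issues.append("active access key unused for >90 days")
        if issues:
            findings[user] = issues
    return findings


if __name__ == "__main__":
    for user, issues in audit_credentials_report(SAMPLE_REPORT).items():
        print(f"{user}: {'; '.join(issues)}")
```

The same logic runs unchanged on a real report downloaded with `aws iam get-credential-report`, which adds further columns this excerpt omits.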
Administrative Controls (3/3)
• Employees:
  - NDA, Employee Security Requirements
  - Security Awareness Training (OPS, NOC, Support, R&D)
  - Background Screening
• Specific policies and Procedures
  - DRP
  - Backup & Restore
  - Data Sanitization (PHI disposal: database, logs, backup)
Technical Controls (1/3)
• AAA – Authentication, Password policy, Strict Permissions, Logs
• Active Directory
• Identity Manager
• SSO – Federation and SAML2
• URL filter and Reverse Proxy
• IPS & WAF & DDoS Protection
• Antimalware, Security Patches
Technical Controls (2/3)
• Network Segmentation and Traffic Control
  - VPC – Private, isolated and controlled section of AWS
  - Dedicated Database Instance / Dedicated HIPAA Environment
  - AWS Security Groups (inbound & outbound)
  - Authorized IP Addresses
• Remote Access:
  - AWS Management console: TLS with Two Factor Authentication (TFA)
  - AWS Environment: VPN/TLS with TFA
Technical Controls (3/3)
• HTTPS access – TLS termination
  - AWS ELB / Security Gateway
  - Web Server
• Data at-rest encryption:
  - Elastic Block Store (EBS) encryption
  - Mobile local database encryption
• De-Identified Health Information – Static & dynamic data masking
• Audit of actions in PHI Database
Incidents Detection and Response
• Detect and Notify
  - SIEM – Logs collection, aggregation, correlation
  - AWS Changes detection, CloudTrail / CloudWatch
  - On-going Audits
• Contain – Isolation, blocking, prevention of further damage
• Recover (snapshots)
• After Action – Forensics (snapshots)
• Breach notification
  - Timeline
  - Legal & Marketing cooperation
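As an added example (not from the deck), the CloudTrail-based change detection behind the Detect and Notify bullets, producing alert lines in the spirit of the Security Group alert email on the Administrative Controls slide; the CloudTrail record, the approved CIDR list, the group id and the user name are all constructed for this example:

```python
import json

# Constructed CloudTrail record for an EC2 AuthorizeSecurityGroupIngress call,
# laid out like CloudTrail's EC2 events (requestParameters.ipPermissions.items);
# the group id, user, ports and CIDRs are made up for this example.
SAMPLE_EVENT = json.dumps({
    "eventTime": "2015-01-27T06:31:53Z",
    "eventSource": "ec2.amazonaws.com",
    "eventName": "AuthorizeSecurityGroupIngress",
    "userIdentity": {"type": "IAMUser", "userName": "bob"},
    "requestParameters": {
        "groupId": "sg-XX",
        "ipPermissions": {"items": [
            {"ipProtocol": "tcp", "fromPort": 1433, "toPort": 1433,
             "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}},
            {"ipProtocol": "tcp", "fromPort": 443, "toPort": 443,
             "ipRanges": {"items": [{"cidrIp": "203.0.113.0/24"}]}},
        ]},
    },
})

WATCHED_EVENTS = {"AuthorizeSecurityGroupIngress", "AuthorizeSecurityGroupEgress",
                  "RevokeSecurityGroupIngress", "RevokeSecurityGroupEgress"}
AUTHORIZED_CIDRS = {"203.0.113.0/24"}  # assumed list of approved source ranges


def security_group_alerts(event_json, authorized=AUTHORIZED_CIDRS):
    """One alert line per rule in a security-group change; sources not on the
    authorized list (here 0.0.0.0/0) rate HIGH; other events yield nothing."""
    ev = json.loads(event_json)
    if ev.get("eventSource") != "ec2.amazonaws.com" or ev.get("eventName") not in WATCHED_EVENTS:
        return []
    params = ev.get("requestParameters", {})
    group = params.get("groupId", "?")
    actor = ev.get("userIdentity", {}).get("userName", "unknown")
    verb = "added" if ev["eventName"].startswith("Authorize") else "removed"
    alerts = []
    for perm in params.get("ipPermissions", {}).get("items", []):
        ports = f"{perm.get('fromPort')}-{perm.get('toPort')}"
        for rng in perm.get("ipRanges", {}).get("items", []):
            cidr = rng.get("cidrIp")
            severity = "HIGH" if cidr not in authorized else "INFO"
            alerts.append(f"{severity}: {ev['eventTime']} Security Group({group}) "
                          f"{perm.get('ipProtocol')} {ports} from {cidr} {verb} by {actor}")
    return alerts


if __name__ == "__main__":
    print("\n".join(security_group_alerts(SAMPLE_EVENT)))
```

In production the same function would be fed by a CloudWatch Events rule on the EC2 event names above, or by the SIEM ingesting CloudTrail logs, with the HIGH lines routed to the on-call alert email.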
Thank you