Joel Amoussou, profile picture
Uploaded byJoel Amoussou
982 views

Secure Cloud Computing for the Health Enterprise

Secure Cloud Computing for the Health Enterprise discusses securing healthcare applications in the cloud. It addresses the regulatory framework including HIPAA, security practices like access control and encryption, and security management standards. Auditing and compliance are also covered to ensure cloud providers meet regulatory requirements for healthcare data. Overall it provides guidance to healthcare enterprises on collaborating with cloud providers to securely deploy applications while protecting sensitive patient information.

Embed presentation

Secure Cloud Computing for the Health Enterprise By Joel Amoussou, CEO, Efasoft Inc.
Contents 1 Regulatory Framework 2 Cloud Security Practices 3 Security Management 4 Auditing & Compliance www.efasoft.com
Healthcare Apps in the Cloud Cloud Services: IaaS, SaaS, PaaS Cloud Services: IaaS, SaaS, PaaS CDSS EMR 5010 Analytics ICD10 www.efasoft.com
Drivers t en ym Pa ed as ity bil -B ala ge Sc sa e U siv Mas ty Elastici e nin g Tim ovisio $ r Q uick P Low Capital Costs www.efasoft.com
Regulatory Framework HIPAA HITECH Act – HIPAA Security Updates State and Federal Laws Meaningful Use Recommendations on Patient Consent www.efasoft.com
Impact of Regulations HITECH Act US Patriot Act •HIPAA applies to Cloud Service Providers (CSPs) and online PHR •Canada Health Infoway vendors as Business Associates??? certification requirements refer •Breach Notification to HIPAA •Accounting of disclosure •British Columbia and Nova Scotia prohibit storing patient •Marketing and sale of PHI data at providers (including CSPs) located in the US •Patient access and disclosure restrictions •Minimum data set www.efasoft.com
Tiger Team Recommendations Collection, Use and Disclosure Limitation: Third party service When the decision to disclose or organizations may not collect, use exchange the patient's identifiable or disclose personally identifiable health information from the health information for any provider's record is not in the purpose other than to provide the control of the provider or that services specified in the business provider's organized health care associate or service agreement arrangement ("OHCA"), patients with the data provider, and should be able to exercise necessary administrative meaningful consent to their functions, or as required by law. participation. www.efasoft.com
Addressing HIPAA in the Cloud Access Disaster Control Audit Backup Recovery •SSH Keys •Snapshot of block storage •Monitoring •No password-based volumes •Event logs to •Availability shell access secured •Encrypt and Zones dedicated Keep backups out (geographic •Strong Encryption of server of the cloud redundancy) data and filesystems •Backup log •Cloud storage is •Clustering •Private decryption files replicated across keys out of the cloud multiple •Replication •Security groups availability zones •Secure Transport www.efasoft.com
Security Issues in the Cloud 1 2 3 •Reassigned IP •CSP staff access to VM addresses instances and guest OS •Isolation in multitenancy •BGP Prefix Hijacking •Encryption not always possible while •OWASP Top 10 •DNS Attacks processing data in the cloud (as opposed to •Data Lineage •DoS and DDoS Attacks data at rest) •Data Provenance •Security groups not physically separated •Data Remanence (NIST 800-88) www.efasoft.com
Security Controls in the Cloud 1 1 Image hardening and patching 2 2 Host based IDS/IPS such as OSSEC 3 3 Health Monitoring & Security event logs 4 4 Effective Key Management (NIST 800-57) 5 5 Default deny-all mode, Host Firewall www.efasoft.com
Identity and Access Management (IAM) SPML Provisioning B SAML 2.0 A C XACML Identity Authorization Federation/SSO IAM WS-I Security E D Oauth Profile (SOA in Authentication the Cloud) across CSPs www.efasoft.com
Security Management Standards ITIL: IT Service Management ISO 17799: Code of Practice ISO 20000: Security Techniques Overview ISO 27001: Security Techniques Requirements ISO 27002: Code of Practice www.efasoft.com
Auditing & Compliance COBIT ISO 27001 SAS 70 GRC* ISO 27002 SysTrust WebTrust *Governance, Risk Management, and Compliance www.efasoft.com
Collaboration Health Enterprise Cloud Service Provider Understand responsibilities (who does Provide transparency into what about security?) security practices and policies. www.efasoft.com
www.efasoft.com joel@efasoft.com

More Related Content

PPTX
PCI DSS v 3.0 and Oracle Security Mapping
byTroy Kitch
 
PDF
AnyConnect Secure Mobility
byCisco Canada
 
PPTX
Protéger ses données, identités & appareils avec Windows 10
byMicrosoft Technet France
 
PDF
Cloud Security:Threats & Mitgations
byIndicThreads
 
PDF
OpSource Enterprise-Class Security
byOpSource
 
PDF
Bloombase Spitfire SOA Security Server Specifications
byBloombase
 
PDF
Topdanmark- Cisco
byCisco Case Studies
 
PPS
Mii Oracle Biz Map 2009
byDira Sabrina
 
PCI DSS v 3.0 and Oracle Security Mapping
byTroy Kitch
 
AnyConnect Secure Mobility
byCisco Canada
 
Protéger ses données, identités & appareils avec Windows 10
byMicrosoft Technet France
 
Cloud Security:Threats & Mitgations
byIndicThreads
 
OpSource Enterprise-Class Security
byOpSource
 
Bloombase Spitfire SOA Security Server Specifications
byBloombase
 
Topdanmark- Cisco
byCisco Case Studies
 
Mii Oracle Biz Map 2009
byDira Sabrina
 

What's hot

PPTX
From Cisco ACS to ISE
byMahzad Zahedi
 
PPTX
Defending the Data Center: Managing Users from the Edge to the Application
byCisco Security
 
PDF
Cyberoam cr300i
bypuneet1990
 
PDF
Isa server 2006 guide
byvmamar
 
PPT
Secure webl gate way
byvfmindia
 
PPTX
From Physical to Virtual to Cloud
byCisco Security
 
PPTX
Select your career path
byMD. IFTEKARUL ALAM
 
PPTX
Security Avalanche
byMichele Leroux Bustamante
 
PDF
ISA Server 2006 Administration
byLearnItFirst.com
 
From Cisco ACS to ISE
byMahzad Zahedi
 
Defending the Data Center: Managing Users from the Edge to the Application
byCisco Security
 
Cyberoam cr300i
bypuneet1990
 
Isa server 2006 guide
byvmamar
 
Secure webl gate way
byvfmindia
 
From Physical to Virtual to Cloud
byCisco Security
 
Select your career path
byMD. IFTEKARUL ALAM
 
Security Avalanche
byMichele Leroux Bustamante
 
ISA Server 2006 Administration
byLearnItFirst.com
 

Similar to Secure Cloud Computing for the Health Enterprise

PDF
Enterprise Applications on AWS
byAmazon Web Services LATAM
 
PDF
Cloud Security - Made simple
bySameer Paradia
 
PPTX
Enterprise Security in Cloud
byLenin Aboagye
 
PPTX
Enterprise Security in Hybrid Cloud ISACA-SV 2012
bySymosis Security (Previously C-Level Security)
 
PDF
110307 cloud security requirements gourley
byGovCloud Network
 
PDF
Cloud Security Alliance - Guidance
bySubra Kumaraswamy CISSP CISM
 
PDF
Cloud computing due diligence WTF?
bySecurity BSides London
 
PPTX
17h30 aws enterprise_app_jvaria
byLuiz Gustavo Santos
 
PDF
Seguridad en SQL Azure Windows azure
byEduardo Castro
 
PDF
Enterprise Strategy for Cloud Security
byBob Rhubart
 
PDF
Cloud Security: Perception Vs. Reality
byInternap
 
PDF
Peering Through the Cloud Forrester EMEA 2010
bygraywilliams
 
PDF
Who owns security in the cloud
byTrend Micro
 
PDF
Cloud Webinar Neiditz Weitz Mitchell Goodman
byjonneiditz
 
PDF
Neupart Isaca April 2012
byLars Neupart
 
PPTX
What customers want the cloud to be - Jason Waxman GM at Intel, Cloud Slam 20...
byKhazret Sapenov
 
PPT
Cloudy with a chance of downtime
byAFCOM
 
PDF
Cloudsecurity
bydrewz lin
 
PPTX
The Cloud Beckons, But is it Safe?
byLegal Services National Technology Assistance Project (LSNTAP)
 
PDF
Information Security and Cloud Computing
byPaul Miller
 
Enterprise Applications on AWS
byAmazon Web Services LATAM
 
Cloud Security - Made simple
bySameer Paradia
 
Enterprise Security in Cloud
byLenin Aboagye
 
Enterprise Security in Hybrid Cloud ISACA-SV 2012
bySymosis Security (Previously C-Level Security)
 
110307 cloud security requirements gourley
byGovCloud Network
 
Cloud Security Alliance - Guidance
bySubra Kumaraswamy CISSP CISM
 
Cloud computing due diligence WTF?
bySecurity BSides London
 
17h30 aws enterprise_app_jvaria
byLuiz Gustavo Santos
 
Seguridad en SQL Azure Windows azure
byEduardo Castro
 
Enterprise Strategy for Cloud Security
byBob Rhubart
 
Cloud Security: Perception Vs. Reality
byInternap
 
Peering Through the Cloud Forrester EMEA 2010
bygraywilliams
 
Who owns security in the cloud
byTrend Micro
 
Cloud Webinar Neiditz Weitz Mitchell Goodman
byjonneiditz
 
Neupart Isaca April 2012
byLars Neupart
 
What customers want the cloud to be - Jason Waxman GM at Intel, Cloud Slam 20...
byKhazret Sapenov
 
Cloudy with a chance of downtime
byAFCOM
 
Cloudsecurity
bydrewz lin
 
The Cloud Beckons, But is it Safe?
byLegal Services National Technology Assistance Project (LSNTAP)
 
Information Security and Cloud Computing
byPaul Miller
 

Recently uploaded

PDF
Day 3 - Data and Application Security - 2nd Sight Lab Cloud Security Class
by2nd Sight Lab
 
PDF
Day 5 - Red Team + Blue Team in the Cloud - 2nd Sight Lab Cloud Security Class
by2nd Sight Lab
 
PDF
Safeguarding AI-Based Financial Infrastructure
byYasir Naveed Riaz
 
PDF
Usage Control for Process Discovery through a Trusted Execution Environment
byValerioGoretti
 
PDF
The major tech developments for 2026 by Pluralsight, a research and training ...
byChris Skinner
 
PDF
ElyriaSoftware — Powering the Future with Blockchain Innovation
byElyria Software
 
PPT
software-security-intro in information security.ppt
byismaeelsahib032
 
PPTX
Building Cyber Resilience for 2026: Best Practices for a Secure, AI-Driven Bu...
byYasir Naveed Riaz
 
PDF
Session 1 - Solving Semi-Structured Documents with Document Understanding
byDianaGray10
 
PPTX
Protecting Data in an AI Driven World - Cybersecurity in 2026
byYasir Naveed Riaz
 
PDF
TrustArc Webinar - Looking Ahead: The 2026 Privacy Landscape
byTrustArc
 
PPTX
AI's Impact on Cybersecurity - Challenges and Opportunities
byYasir Naveed Riaz
 
DOCX
Introduction to the World of Computers (Hardware & Software)
byALIABBAS ABASOV
 
PPTX
From Backup to Resilience: How MSPs Are Preparing for 2026
byMSP360
 
PPTX
AI in Cybersecurity: Digital Defense by Yasir Naveed Riaz
byYasir Naveed Riaz
 
PPTX
Unit-4-ARTIFICIAL NEURAL NETWORKS.pptx ANN ppt Artificial neural network
byssuserd4481a
 
PDF
Energy Storage Landscape Clean Energy Ministerial
bySurajitBanerjee38
 
PPTX
wob-report.pptxwob-report.pptxwob-report.pptx
byssuser0d171c
 
PPTX
Ethics in AI - Artificial Intelligence Fundamentals.pptx
byemenyiblessing
 
PDF
Six Shifts For 2026 (And The Next Six Years)
byDavid Armano
 
Day 3 - Data and Application Security - 2nd Sight Lab Cloud Security Class
by2nd Sight Lab
 
Day 5 - Red Team + Blue Team in the Cloud - 2nd Sight Lab Cloud Security Class
by2nd Sight Lab
 
Safeguarding AI-Based Financial Infrastructure
byYasir Naveed Riaz
 
Usage Control for Process Discovery through a Trusted Execution Environment
byValerioGoretti
 
The major tech developments for 2026 by Pluralsight, a research and training ...
byChris Skinner
 
ElyriaSoftware — Powering the Future with Blockchain Innovation
byElyria Software
 
software-security-intro in information security.ppt
byismaeelsahib032
 
Building Cyber Resilience for 2026: Best Practices for a Secure, AI-Driven Bu...
byYasir Naveed Riaz
 
Session 1 - Solving Semi-Structured Documents with Document Understanding
byDianaGray10
 
Protecting Data in an AI Driven World - Cybersecurity in 2026
byYasir Naveed Riaz
 
TrustArc Webinar - Looking Ahead: The 2026 Privacy Landscape
byTrustArc
 
AI's Impact on Cybersecurity - Challenges and Opportunities
byYasir Naveed Riaz
 
Introduction to the World of Computers (Hardware & Software)
byALIABBAS ABASOV
 
From Backup to Resilience: How MSPs Are Preparing for 2026
byMSP360
 
AI in Cybersecurity: Digital Defense by Yasir Naveed Riaz
byYasir Naveed Riaz
 
Unit-4-ARTIFICIAL NEURAL NETWORKS.pptx ANN ppt Artificial neural network
byssuserd4481a
 
Energy Storage Landscape Clean Energy Ministerial
bySurajitBanerjee38
 
wob-report.pptxwob-report.pptxwob-report.pptx
byssuser0d171c
 
Ethics in AI - Artificial Intelligence Fundamentals.pptx
byemenyiblessing
 
Six Shifts For 2026 (And The Next Six Years)
byDavid Armano
 

Secure Cloud Computing for the Health Enterprise

  • 1.
    Secure Cloud Computing forthe Health Enterprise By Joel Amoussou, CEO, Efasoft Inc.
  • 2.
    Contents 1 Regulatory Framework 2 Cloud Security Practices 3 Security Management 4 Auditing & Compliance www.efasoft.com
  • 3.
    Healthcare Apps inthe Cloud Cloud Services: IaaS, SaaS, PaaS Cloud Services: IaaS, SaaS, PaaS CDSS EMR 5010 Analytics ICD10 www.efasoft.com
  • 4.
    Drivers t en ym Pa ed as ity bil -B ala ge Sc sa e U siv Mas ty Elastici e nin g Tim ovisio $ r Q uick P Low Capital Costs www.efasoft.com
  • 5.
    Regulatory Framework HIPAA HITECH Act – HIPAA Security Updates State and Federal Laws Meaningful Use Recommendations on Patient Consent www.efasoft.com
  • 6.
    Impact of Regulations HITECH Act US Patriot Act •HIPAA applies to Cloud Service Providers (CSPs) and online PHR •Canada Health Infoway vendors as Business Associates??? certification requirements refer •Breach Notification to HIPAA •Accounting of disclosure •British Columbia and Nova Scotia prohibit storing patient •Marketing and sale of PHI data at providers (including CSPs) located in the US •Patient access and disclosure restrictions •Minimum data set www.efasoft.com
  • 7.
    Tiger Team Recommendations Collection, Use and Disclosure Limitation: Third party service When the decision to disclose or organizations may not collect, use exchange the patient's identifiable or disclose personally identifiable health information from the health information for any provider's record is not in the purpose other than to provide the control of the provider or that services specified in the business provider's organized health care associate or service agreement arrangement ("OHCA"), patients with the data provider, and should be able to exercise necessary administrative meaningful consent to their functions, or as required by law. participation. www.efasoft.com
  • 8.
    Addressing HIPAA inthe Cloud Access Disaster Control Audit Backup Recovery •SSH Keys •Snapshot of block storage •Monitoring •No password-based volumes •Event logs to •Availability shell access secured •Encrypt and Zones dedicated Keep backups out (geographic •Strong Encryption of server of the cloud redundancy) data and filesystems •Backup log •Cloud storage is •Clustering •Private decryption files replicated across keys out of the cloud multiple •Replication •Security groups availability zones •Secure Transport www.efasoft.com
  • 9.
    Security Issues inthe Cloud 1 2 3 •Reassigned IP •CSP staff access to VM addresses instances and guest OS •Isolation in multitenancy •BGP Prefix Hijacking •Encryption not always possible while •OWASP Top 10 •DNS Attacks processing data in the cloud (as opposed to •Data Lineage •DoS and DDoS Attacks data at rest) •Data Provenance •Security groups not physically separated •Data Remanence (NIST 800-88) www.efasoft.com
  • 10.
    Security Controls inthe Cloud 1 1 Image hardening and patching 2 2 Host based IDS/IPS such as OSSEC 3 3 Health Monitoring & Security event logs 4 4 Effective Key Management (NIST 800-57) 5 5 Default deny-all mode, Host Firewall www.efasoft.com
  • 11.
    Identity and AccessManagement (IAM) SPML Provisioning B SAML 2.0 A C XACML Identity Authorization Federation/SSO IAM WS-I Security E D Oauth Profile (SOA in Authentication the Cloud) across CSPs www.efasoft.com
  • 12.
    Security Management Standards ITIL: IT Service Management ISO 17799: Code of Practice ISO 20000: Security Techniques Overview ISO 27001: Security Techniques Requirements ISO 27002: Code of Practice www.efasoft.com
  • 13.
    Auditing & Compliance COBIT ISO 27001 SAS 70 GRC* ISO 27002 SysTrust WebTrust *Governance, Risk Management, and Compliance www.efasoft.com
  • 14.
    Collaboration Health Enterprise Cloud Service Provider Understand responsibilities (who does Provide transparency into what about security?) security practices and policies. www.efasoft.com
  • 15.