Day1 HIPAA Conference 2011 Securing Info Cloud

The document discusses securing health information in the cloud. It describes the advantages of cloud computing for healthcare providers and identifies major security and privacy concerns when using the cloud. These include issues around data ownership, access control, and meeting various compliance requirements. The document recommends taking a strategic approach to information security and compliance in the cloud by expressing policies across physical and virtual environments and maintaining separation of duties between security and IT operations.

Uploaded by rgiacco
Copyright: © Attribution Non-Commercial (BY-NC)

SECURING HEALTH INFORMATION IN THE CLOUD

Feisal Nanji, Executive Director, Techumen feisal@techumen.com

Conflict of Interest Disclosure


Feisal Nanji, MPP, CISSP, has no real or apparent conflicts of interest to report.

LEARNING OBJECTIVES
- Describe the advantages of cloud computing for health providers
- Identify the major concerns of securing health information in the cloud
- Recognize the key steps to overcoming health information security and privacy issues in the cloud
- Define a suitable audit and compliance process to ensure security and privacy in the cloud
3

WHAT SHOULD YOU TAKE AWAY?


1. Level set: core technology for cloud computing
2. Cloud computing variants
3. What are the key compliance / security concerns of the cloud?
4. How should we manage security in the cloud?
5

CORE TECHNOLOGY
- Fast networks
- Web-enabled ecosystem
- The virtual machine

VIRTUALIZATION CONCERNS
- Increases complexity
- Strains infrastructure
- Can cause large-scale failure
- Requires special maintenance

THIS ALLOWS
- Computing capability on demand
- Resource pooling (storage, CPU)
- Rapid deployment and scaling of IT services
- Easy measurement of what has been used

LEADING TO CLOUD VARIANTS.


- Infrastructure as a Service (IaaS)
- Platform as a Service (PaaS)
- Software as a Service (SaaS)

10

Infrastructure as a Service (IaaS)


Layers provided (top to bottom):
- Application programming interfaces
- Virtualization and core connectivity
- Hardware and data center facilities

11

Platform as a Service (PaaS)


Layers provided (top to bottom):
- Integration and middleware
- Application programming interfaces
- Virtualization and core connectivity
- Hardware and data center facilities

12

Software as a Service (SaaS)


Layers provided (top to bottom):
- Presentation
- Applications
- Data and content
- Integration and middleware
- Application programming interfaces
- Virtualization and core connectivity
- Hardware and data center facilities

13

CLOUD: A SUMMARY

Essential Characteristics

Service Models
- Software as a Service (SaaS)
- Platform as a Service (PaaS)
- Infrastructure as a Service (IaaS)

Deployment Models
- Public
- Private
- Hybrid
- Community

14

CLOUD HELPING HEALTH CARE.


- Providers, EMR vendors, health plans, government, HIE, etc.
- Cheaper and faster
- Better compliance (security)???

15

TRADITIONAL DATA CENTER SECURITY APPROACHES


- Physical configuration management governs deployment and control implementation: standards for specification, configuration, and operation
- Physical control as the ultimate breakwater for logical access control to platforms and applications
- Enterprise policies and organization for separation of duties and control
- Patch testing and patch management, physical platform by physical platform
- Data and applications are wherever the machine is, and networks are between machines
16

BUT AS PHYSICAL VISIBILITY IS LOST.


- Where is the data?
- Who can see the data?
- Who has seen the data?
- Has the data been tampered with?
- Where is processing performed?
- How is processing configured?
- Does backup happen? How? Where?
17

AND COMPLIANCE -- IS NOT JUST SECURITY


1. HIPAA Security
2. Medical fraud
3. e-Prescribing
4. Mental and behavioral health
5. Health Information Exchange
6. Health quality reporting
7. Policy and procedure management
8. Medical research
9. Payment Card Industry (PCI)
10. FTC Red Flags Rule
18

HEALTH CARE COMPLIANCE AND THE CLOUD

19

Three pillars that must be addressed together:
- Information security
- Compliance processes
- Information architecture

This requires an interconnected strategy.


20

ARE YOU CLOUD READY?


- Have you standardized the most commonly repeated operating procedures?
- Have you fully automated deployment and management?
- Can you provide self-service access for users?
- Are your business units ready to share the same infrastructure?
21

MAJOR CLOUD COMPLIANCE ISSUES INCLUDE:

- Data ownership and control
  - Trust, consequences and chain of custody
- Access and authentication
- Facilities and service provision
  - e.g. shared data centers / resources
- Administration
  - Policies, transparency, auditing

22

KEY CLOUD SECURITY CONCERNS


- Virtualization software (e.g., hypervisor) risk exposure
- Inability to determine the location of data or processing
- Mobility among VMs contradicts control principles; boundaries become unreliable and blurred
- Limited visibility into host OSs and the virtual network (to find vulnerabilities and assess/report configuration and patching)
23

LEAD TO VERY GRANULAR ISSUES:


- Security policies need to shift "up the stack" to match logical attributes
- Network access control and intrusion prevention
- Rootkit detection
- Inter-VM traffic analysis
24

KEY CONSIDERATIONS
- Move away from physical attributes for meeting compliance
- Application, identity and content awareness

25

CORE RECOMMENDATIONS
- Think of information security as a set of adaptive services integrated with compliance requirements and information architecture/design
- Get security vendors to deliver their security controls in a virtualized form
- Express security policy across physical, virtualized and private cloud computing environments
- Maintain separation of duties between security policy enforcement and IT operations
26
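The recommendations above (policy expressed on logical attributes rather than physical ones, applied uniformly across physical, virtualized and private cloud environments, with separation of duties between policy enforcement and IT operations) can be made concrete as a policy-as-code check. The following is an added example written for this page, not code from the presentation or from Techumen; the inventory, the control names (`encryption_at_rest`, `access_logging`, `patch_baseline`), the role names and the change records are all constructed assumptions. It answers two of the "physical visibility is lost" questions for PHI workloads (where is the data, who owns access to it) and flags changes where one person both approved a security policy change and deployed it.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple


@dataclass
class Workload:
    """One unit of computing, wherever it runs. The physical attributes
    (host) are recorded but deliberately not used by the policy."""
    name: str
    environment: str            # "physical", "virtualized" or "private-cloud"
    host: str                   # physical attribute (kept only for reporting)
    application: str            # application attribute
    owner_role: str             # identity attribute
    data_classes: Set[str]      # content attribute, e.g. {"PHI"}
    location: Optional[str]     # None models "we cannot say where the data is"
    controls: Set[str] = field(default_factory=set)


# Policy written against logical attributes. Control and role names are
# assumed labels for this example, not a real product's vocabulary.
PHI_REQUIRED_CONTROLS = {"encryption_at_rest", "access_logging", "patch_baseline"}
PHI_APPROVED_OWNER_ROLES = {"clinical-app-owner", "security"}


def evaluate_phi_policy(workloads: List[Workload]) -> List[Tuple[str, str]]:
    """Return (workload name, finding) pairs for every PHI-bearing workload
    that violates the policy, regardless of the environment it runs in."""
    findings = []
    for w in workloads:
        if "PHI" not in w.data_classes:
            continue                      # the policy only binds PHI workloads
        if w.location is None:
            findings.append((w.name, "location of PHI is unknown"))
        for control in sorted(PHI_REQUIRED_CONTROLS - w.controls):
            findings.append((w.name, f"missing control: {control}"))
        if w.owner_role not in PHI_APPROVED_OWNER_ROLES:
            findings.append((w.name, f"owner role not approved for PHI: {w.owner_role}"))
    return findings


def separation_of_duties_violations(changes: List[dict]) -> List[str]:
    """Flag changes where the same person both approved the security policy
    change and performed the IT operations deployment."""
    return [c["id"] for c in changes if c["approved_by"] == c["deployed_by"]]


# Constructed inventory spanning the three environments named in the deck.
INVENTORY = [
    Workload("ehr-db-01", "physical", "rack-4/blade-2", "ehr", "clinical-app-owner",
             {"PHI"}, "dc-east", {"encryption_at_rest", "access_logging", "patch_baseline"}),
    Workload("ehr-web-vm-07", "virtualized", "esx-host-3", "ehr", "clinical-app-owner",
             {"PHI"}, "dc-east", {"access_logging", "patch_baseline"}),
    Workload("analytics-pod-3", "private-cloud", "unknown", "research-analytics",
             "data-science", {"PHI"}, None, {"encryption_at_rest"}),
    Workload("intranet-wiki", "virtualized", "esx-host-1", "wiki", "it-ops",
             set(), "dc-west", set()),
]

# Constructed change records: who approved the policy change vs. who deployed it.
CHANGES = [
    {"id": "chg-101", "approved_by": "alice", "deployed_by": "bob"},
    {"id": "chg-102", "approved_by": "carol", "deployed_by": "carol"},
]

if __name__ == "__main__":
    for name, finding in evaluate_phi_policy(INVENTORY):
        print(f"{name}: {finding}")
    print("separation-of-duties violations:", separation_of_duties_violations(CHANGES))
```

The point of the design is that the same `evaluate_phi_policy` rule runs over the physical blade, the VM and the private-cloud pod without ever consulting the `host` field, so a VM that migrates between hosts stays in scope; the `location` of `None` is treated as a finding in itself rather than silently passing.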

27

Feisal Nanji, Executive Director feisal@techumen.com

