4. Drivers
(Figure: cloud adoption drivers, recovered from the slide graphic)
• Usage-Based Payment
• Massive Scalability
• Elasticity
• Quick Provisioning Time
• Low Capital Costs
www.efasoft.com
5. Regulatory Framework
HIPAA
HITECH Act – HIPAA Security Updates
State and Federal Laws
Meaningful Use
Recommendations on Patient Consent
6. Impact of Regulations
HITECH Act
• HIPAA applies to Cloud Service Providers (CSPs) and online PHR vendors as Business Associates (?)
• Breach Notification
• Accounting of disclosure
• Marketing and sale of PHI
• Patient access and disclosure restrictions
• Minimum data set

US Patriot Act
• Canada Health Infoway certification requirements refer to HIPAA
• British Columbia and Nova Scotia prohibit storing patient data at providers (including CSPs) located in the US
7. Tiger Team Recommendations
Collection, Use and Disclosure Limitation: Third party service organizations may not collect, use or disclose personally identifiable health information for any purpose other than to provide the services specified in the business associate or service agreement with the data provider, and necessary administrative functions, or as required by law.

When the decision to disclose or exchange the patient's identifiable health information from the provider's record is not in the control of the provider or that provider's organized health care arrangement ("OHCA"), patients should be able to exercise meaningful consent to their participation.
8. Addressing HIPAA in the Cloud
Access Control
• SSH keys
• No password-based shell access
• Strong encryption of data and filesystems
• Private decryption keys kept out of the cloud
• Security groups
• Secure transport

Audit
• Event logs shipped to a secured, dedicated server
• Backup of log files

Backup
• Snapshots of block storage volumes
• Encrypt backups and keep them out of the cloud
• Cloud storage is replicated across multiple availability zones

Disaster Recovery
• Monitoring
• Availability zones (geographic redundancy)
• Clustering
• Replication
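The "SSH keys only, no password-based shell access" control above is easy to state and easy to get subtly wrong, because sshd honours the first occurrence of a keyword and a commented-out `#PasswordAuthentication no` satisfies a naive grep. The following audit script is an added example, not code from the original slides or from efasoft; the two sample `sshd_config` files it writes are constructed for the demonstration, and the function names (`sshd_directive`, `check_sshd_config`, `write_sample_configs`) are this example's own.

```shell
#!/bin/sh
# Added example: audit an sshd_config for key-only authentication.
# sshd uses the FIRST value given for a keyword, so the helper returns the
# first uncommented occurrence. Per-user "Match" blocks are skipped here and
# must be reviewed by hand (they can re-enable password auth for one account).

sshd_directive() {
    # usage: sshd_directive FILE KEYWORD -> prints the effective value, or nothing if unset
    awk -v key="$2" '
        /^[[:space:]]*#/ { next }                 # comments are not configuration
        tolower($1) == "match" { inmatch = 1 }    # everything after Match is conditional
        inmatch { next }
        tolower($1) == tolower(key) { print tolower($2); exit }
    ' "$1"
}

check_sshd_config() {
    # usage: check_sshd_config FILE -> exit 0 if hardened, 1 with findings otherwise
    file=$1
    rc=0

    v=$(sshd_directive "$file" PasswordAuthentication)
    # OpenSSH defaults this to "yes", so an unset keyword is also a finding.
    if [ "$v" != "no" ]; then
        echo "FAIL: PasswordAuthentication is '${v:-unset}' (default yes), expected no"
        rc=1
    fi

    # keyboard-interactive can still prompt for a password (PAM); OpenSSH 8.7+
    # renamed ChallengeResponseAuthentication to KbdInteractiveAuthentication.
    v=$(sshd_directive "$file" ChallengeResponseAuthentication)
    k=$(sshd_directive "$file" KbdInteractiveAuthentication)
    if [ "$v" != "no" ] && [ "$k" != "no" ]; then
        echo "FAIL: challenge-response / keyboard-interactive authentication not disabled"
        rc=1
    fi

    # Default is yes, so only an explicit "no" breaks key-based login.
    v=$(sshd_directive "$file" PubkeyAuthentication)
    if [ "$v" = "no" ]; then
        echo "FAIL: PubkeyAuthentication explicitly disabled"
        rc=1
    fi

    v=$(sshd_directive "$file" PermitRootLogin)
    case "$v" in
        no|prohibit-password|without-password) ;;
        *) echo "FAIL: PermitRootLogin is '${v:-unset}', expected no"; rc=1 ;;
    esac

    [ "$rc" -eq 0 ] && echo "OK: $file enforces key-based authentication"
    return "$rc"
}

write_sample_configs() {
    # Constructed samples (not real hosts). weak.conf carries two classic traps:
    # a commented-out "no" and a later duplicate that sshd ignores.
    cat > "$1/weak.conf" <<'EOF'
# constructed sample: typical cloud image default
Port 22
PermitRootLogin yes
#PasswordAuthentication no
PasswordAuthentication yes
ChallengeResponseAuthentication yes
# a later duplicate does NOT override the first value above
PasswordAuthentication no
EOF
    cat > "$1/hardened.conf" <<'EOF'
# constructed sample: key-only access
Port 22
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
KbdInteractiveAuthentication no
AuthenticationMethods publickey
EOF
}

# Demonstration on the constructed samples; the exit status is what a CI job would gate on.
demo_dir=$(mktemp -d)
write_sample_configs "$demo_dir"
check_sshd_config "$demo_dir/hardened.conf"
check_sshd_config "$demo_dir/weak.conf" || echo "weak.conf rejected (exit $?)"
rm -rf "$demo_dir"
```

Run it against `/etc/ssh/sshd_config` on each image before it is promoted; on a live host, `sshd -T` prints the fully resolved configuration (including Match blocks) and is the more authoritative input for the same checks.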
9. Security Issues in the Cloud
1
• Reassigned IP addresses
• BGP prefix hijacking
• DNS attacks
• DoS and DDoS attacks

2
• CSP staff access to VM instances and the guest OS
• Encryption is not always possible while processing data in the cloud (as opposed to data at rest)
• Security groups are not physically separated

3
• Isolation in multitenancy
• OWASP Top 10
• Data lineage
• Data provenance
• Data remanence (NIST 800-88)
10. Security Controls in the Cloud
1. Image hardening and patching
2. Host-based IDS/IPS such as OSSEC
3. Health monitoring and security event logs
4. Effective key management (NIST 800-57)
5. Default deny-all mode, host firewall
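Control 5 (default deny-all host firewall) and control 3 (security event logs) fit together: a deny-all policy that also logs what it drops gives the host-based IDS from control 2 something to alert on. The script below is an added example, not code from the original slides or from efasoft; it generates a Linux iptables ruleset in `iptables-restore` format from an allowlist, with the `port/proto` allowlist syntax and the function name `build_deny_all_rules` being this example's own conventions.

```shell
#!/bin/sh
# Added example: build a default-deny host firewall ruleset from an allowlist.
# Output is iptables-restore format; apply with:  build_deny_all_rules ... | iptables-restore
# Assumes a Linux host with iptables and the conntrack match available.

build_deny_all_rules() {
    # usage: build_deny_all_rules "22/tcp 443/tcp" [ADMIN_CIDR]
    # ADMIN_CIDR, if given, restricts 22/tcp to a management network instead of 0.0.0.0/0.
    allow=$1
    admin_cidr=${2:-}

    printf '%s\n' '*filter'
    # Default policies: everything inbound or forwarded is dropped unless a rule accepts it.
    # OUTPUT is left open here; tighten it too on hosts that never initiate connections.
    printf '%s\n' ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' ':OUTPUT ACCEPT [0:0]'

    # Loopback and replies to connections this host opened; drop malformed state early.
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    printf '%s\n' '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    printf '%s\n' '-A INPUT -m conntrack --ctstate INVALID -j DROP'

    for entry in $allow; do
        case "$entry" in
            */*) ;;
            *) echo "build_deny_all_rules: '$entry' is not port/proto" >&2; return 1 ;;
        esac
        port=${entry%/*}
        proto=${entry#*/}
        case "$proto" in
            tcp|udp) ;;
            *) echo "build_deny_all_rules: unsupported protocol in '$entry'" >&2; return 1 ;;
        esac
        case "$port" in
            ''|*[!0-9]*) echo "build_deny_all_rules: bad port in '$entry'" >&2; return 1 ;;
        esac
        if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
            echo "build_deny_all_rules: port out of range in '$entry'" >&2; return 1
        fi
        if [ "$port" = 22 ] && [ "$proto" = tcp ] && [ -n "$admin_cidr" ]; then
            printf '%s\n' "-A INPUT -p tcp -s $admin_cidr --dport 22 -j ACCEPT"
        else
            printf '%s\n' "-A INPUT -p $proto --dport $port -j ACCEPT"
        fi
    done

    # Log what the default policy is about to drop, rate-limited so a flood
    # cannot fill the disk; these lines are what the HIDS and SIEM ingest.
    printf '%s\n' '-A INPUT -m limit --limit 5/min --limit-burst 20 -j LOG --log-prefix "FW-DROP: " --log-level 4'
    printf '%s\n' 'COMMIT'
}

# Demonstration: web host whose SSH is reachable only from a management range.
build_deny_all_rules "22/tcp 443/tcp" 10.20.0.0/16
```

Keep this host-level policy in addition to the CSP's security groups, not instead of them: the slide on security issues notes that security groups are not physically separated, so the host firewall is the layer you still control if the provider's enforcement point is misconfigured.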
11. Identity and Access Management
(IAM)
(Figure: IAM building blocks around a central "IAM" node, recovered from the slide graphic)
A. SPML: provisioning
B. SAML 2.0: identity federation / SSO
C. XACML: authorization
D. OAuth: delegated access across CSPs (the slide labels this "authentication"; OAuth by itself is an authorization framework and needs a profile such as OpenID Connect to authenticate users)
E. WS-I Security Profile (SOA in the cloud)
12. Security Management Standards
ITIL: IT Service Management
ISO 17799: Code of Practice (renumbered as ISO 27002 in 2007)
ISO 20000: IT Service Management requirements (the slide lists this as "Security Techniques Overview", which describes ISO 27000, the overview and vocabulary for the 27000 series)
ISO 27001: Security Techniques – Requirements
ISO 27002: Code of Practice
13. Auditing & Compliance
• COBIT
• SAS 70 (since superseded by SSAE 16 / SOC 1 and SOC 2 reports; ask a CSP for a current SOC 2 Type II report rather than a SAS 70)
• GRC*
• ISO 27001
• ISO 27002
• SysTrust
• WebTrust
*Governance, Risk Management, and Compliance
14. Collaboration
Health Enterprise: understand responsibilities (who does what about security?).

Cloud Service Provider: provide transparency into security practices and policies.