Making Sense of the Cloud's Confusing
Shared Responsibility Model
Healthcare IT News Webinar: July 19, 2016
Shared Responsibility Can Create Confusion
Confusion & Mismatched Expectations
• Roles & Responsibilities
• Data Security
• Breach Reporting
• Service Models
PROPRIETARY&CONFIDENTIAL 2
Objectives
• Refresher on HIPAA, the BAA and the Security Rule
• Understand the key roles in data ownership and how that relates to shared responsibility in the cloud
• Understand cloud deployment and service models
• Review the benefits and disadvantages of each service model
• Discuss a typical responsibility model aligned with the HIPAA Security Rule, as well as a use case
• Describe considerations for moving to the cloud
Business Associate Agreement (BAA)
The Fundamental Purpose of a BAA is to Protect Patient Data
• The Covered Entity must enter into a BAA with a Business Associate
• The Business Associate must have a BAA with Subcontractors
• Three Major Obligations of a BAA:
- Facilitate Patient Rights
- Complete Risk Analysis, Policies and Procedures
- Report Breaches and Liability
BAA Obligations Flow Outward
BA Breach Reporting
Internal Logging
• Unsuccessful Security Incidents
• Breaches of less than 500 records
External Reporting
• Successful Security Incidents
• Breaches of more than 500 records
HIPAA Fines & Penalties

Violation Category               Each Violation       All Identical Violations per Calendar Year
Did Not Know                     $100 - $50,000       $1,500,000
Reasonable Cause                 $1,000 - $50,000     $1,500,000
Willful Neglect: Corrected       $10,000 - $50,000    $1,500,000
Willful Neglect: Not Corrected   $50,000              $1,500,000
Key Roles in Data Ownership
Data Subject: an individual who is the subject of personal data.
Data Controller: a person who (alone or jointly with other persons) determines the purpose for which, and the manner in which, any personal data may be processed.
Data Processor: any person (other than an employee of the data controller) who processes data on behalf of the controller.
Data Steward: responsible for data content, context, and business rules.
Data Custodians: responsible for the safe custody, transport and storage of the data, and for implementation of business rules.
Data Owner: holds legal rights and complete control over a single piece or set of data elements; defines distribution and policies.
The Cloud Reference Model
[Figure: cloud reference model, showing the following actors and components]
• Cloud Consumer
• Cloud Auditor: Security Audit, Privacy Impact Audit, Performance Audit
• Cloud Broker: Service Intermediation, Service Aggregation, Service Arbitrage
• Service Layer: SaaS, PaaS, IaaS
• Resource Abstraction & Control Layer
• Physical Resource Layer: Hardware, Facility
• Cloud Service Management: Business Support, Provisioning / Configuration, Portability / Interoperability
• Security and Privacy (cross-cutting)
Cloud Deployment Models
Private Cloud
• Owned or leased by a single organization
• Operated solely for that organization
Community Cloud
• Shared by several organizations
• Supports a specific community
Hybrid Cloud
• Combination of two or more cloud models
Public Cloud
• Owned by an organization selling cloud services
• Sold to the public or large organizations
Cloud Service Models
[Figure: layered stack, top to bottom, with the span covered by each service model]
• Presentation Layer
• APIs
• Applications
• Data Content
• Integration & Middleware
• APIs
• Connectivity
• Hardware
• Facilities
Legend: SaaS (Software as a Service), PaaS (Platform as a Service), IaaS (Infrastructure as a Service)
SaaS
Software delivery method. Provides access to software as a web-based service. Allows access to business functionality at less cost than purchasing software outright.
Customers CAN
• Use the provider's applications running on cloud infrastructure
• Access applications via client devices (e.g. a thin client, a web-based client, or a program interface)
Customers CANNOT
• Manage or control the underlying infrastructure, including network, servers, operating systems, storage, or application capabilities
SaaS Characteristics
Characteristics and Benefits
• Hosted app management
• Software on demand
• App and data access from anywhere
• Ease of use / minimal administration
• Automatic updates and patch management
• Standardization and compatibility
• Global accessibility
BAA and the SaaS Model
[Figure: layered responsibility stack for SaaS, top to bottom]
• Patient Data
• Platform, Applications, Identity & Access Management: Data Owner/Processor can see and control, limited to the user interface and data presentation
• Operating Systems, Network & Firewall Configurations: no control or visibility offered to Owner/Processor
• Client-Side Data Encryption, Server-Side Encryption, Network Traffic Protection
• Cloud Foundation Services: Compute, Storage, Database, Networking
PaaS
A platform allowing customers to develop, run, and manage applications without the complexity of building and maintaining the infrastructure.
Customers CAN
• Deploy applications that they purchased or developed
- Using programming languages, libraries, services, and other tools
• Control deployed applications
• Possibly control configuration settings for the app-hosting environment
Customers CANNOT
• Manage or control the underlying infrastructure, including the OS
PaaS Characteristics
Characteristics and Benefits
• Support for multiple languages and frameworks
• Multiple hosted environments
• Flexibility
• Allows choice and reduces vendor "lock-in"
• Ability to auto-scale
• OS can be changed/upgraded frequently
• One environment for globally distributed development teams
• Services from diverse resources around the globe
• Reduced cost
BAA and the PaaS Model
[Figure: layered responsibility stack for PaaS, top to bottom]
• Patient Data
• Platform, Applications, Identity & Access Management: Data Owner/Processor can see and control
• Operating Systems, Network & Firewall Configurations: no control or visibility offered to Owner/Processor
• Client-Side Data Encryption, Server-Side Encryption, Network Traffic Protection
• Cloud Foundation Services: Compute, Storage, Database, Networking
IaaS
Computer infrastructure delivered as a service. Servers and software are fully outsourced and billed on usage.
Customers CAN
• Provision processing, storage, networks and other resources
• Deploy and run arbitrary software, including OS and apps
• Control the OS
• Possibly control some networking components (e.g. host firewalls)
Customers CANNOT
• Manage or control the underlying infrastructure
IaaS Characteristics
Characteristics and Benefits
• Support for scale
• Converged network and IT capacity pool
• Self-service, on-demand capacity
• High reliability and resilience
• OS can be changed/upgraded frequently
• One environment for globally distributed development teams
• Services from diverse resources around the globe
• Reduced cost
BAA and the IaaS Model
[Figure: layered responsibility stack for IaaS, top to bottom]
• Patient Data; Platform, Applications, Identity & Access Management: Customer Accountability
• Operating Systems, Network & Firewall Configurations: Shared Responsibility
• Client-Side Data Encryption, Server-Side Encryption, Network Traffic Protection
• Cloud Foundation Services (Compute, Storage, Database, Networking): No Control or Visibility
Data Access with Service Models
(✔ = accessible to / controlled by the customer, ✘ = not accessible)

Information      SaaS   PaaS   IaaS   Local
Networking        ✘      ✘      ✘      ✔
Storage           ✘      ✘      ✘      ✔
Servers           ✘      ✘      ✘      ✔
Virtualization    ✘      ✘      ✘      ✔
OS                ✘      ✘      ✔      ✔
Middleware        ✘      ✘      ✔      ✔
Runtime           ✘      ✘      ✔      ✔
Data              ✘      ✔      ✔      ✔
Application       ✘      ✔      ✔      ✔
Access Control    ✔      ✔      ✔      ✔
Cloud Managed Service Models
[Figure: two responsibility stacks side by side, with the same layers in each]
Layers, top to bottom:
• Patient Data
• Platform, Applications, Identity & Access Management
• Operating Systems, Network & Firewall Configurations
• Client-Side Data Encryption, Server-Side Encryption, Network Traffic Protection
• Cloud Foundation Services: Compute, Storage, Database, Networking
Basic DIY Model: the layers are split between Customer Responsibility and Cloud Service Provider Responsibility.
Managed Cloud Services Model: the layers are split between Customer Responsibility, Managed Services Provider Responsibility and Cloud Service Provider Responsibility.
HIPAA Security Rule Responsibility RACI (Responsible, Accountable, Consulted, Informed)

Requirement                            Covered Entity   Business Associate   Services Provider   Cloud Provider
Security Management Process            A, R             R                    I                   I
Assigned Security Responsibility       A, R             R                    I                   I
Workforce Security                     A, R             R                    I                   I
Access Management                      A                R                    R                   I
Incident Procedures                    A                R                    C, I                I
Contingency Plans                      A                R                    C, I                I
Evaluation                             A                C, I                 R                   I
Business Assoc. Contracts              A, R             I                    -                   -
Physical Access Controls               A                I                    I                   R
Logical Access Controls                A                C, I                 R                   I
Workstation Use & Security             A, R             R                    I                   -
Device & Media Controls                A                C, I                 R                   R
Audit Controls                         A                R                    R                   C, I
Data & System Integrity                A                R                    R                   C, I
Person or Entity Authentication        A                C, I                 R                   I
Transmission Security                  A                R                    R                   C, I
Policies, Procedures & Documentation   A, R             C, I                 C, I                C, I
IaaS Deployment RACI

Use Case Scenario
• Covered Entity with a cloud-based appointment setting application
• Infrastructure managed by a dedicated healthcare cloud provider
• Infrastructure located on a public cloud

Task                                            Covered Entity   Business Associate   Services Provider
IaaS
Provision Storage Account                       I                C, I                 A, R
Provision IaaS Networking                       I                C, I                 A, R
Firewall Management, Configuration              I                C, I                 A, R
Breach Notification Plan                        I                C, I                 A, R
Data Encryption at Rest & In Flight             I                C, I                 A, R
Provision IaaS Virtual Machine                  I                C, I                 A, R
OS Deployment & Hardening                       I                I                    A, R
OS Security Patch Management                    I                C, I                 A, R
Backup                                          I                C, I                 A, R
Antivirus/Antimalware, Endpoint Protection      I                I                    A, R
App Installation, Configuration                 I                C                    A, R
Monitoring (fabric, OS, app platform)           I                C, I                 A, R
Monitoring Alerting / Notification              I                I                    A, R
Desired State Configuration                     I                C, I                 A, R
Vulnerability Scanning                          I                I                    A, R
Apps
Provision Application Services instance         I                A, R                 I
CMS Install, Setup, and Maintenance             I                A, R                 C, I
Summary
• Know your workload requirements
- Integration requirements and dependencies
- Specific architecture, compliance and security requirements
• Fit the service model to workload requirements
- IaaS vs. PaaS vs. SaaS
- Different levels of control and information access
• Define responsibilities with your provider
- Create a RACI with your provider up front
- Establish regular reviews to ensure responsibilities for you and the provider are fulfilled
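The last two summary points (create a RACI up front, then review it regularly) are easy to state and easy to let drift. As an added illustration that is not part of the webinar material, the Python below encodes the IaaS deployment RACI from the use-case slide and applies the checks you would run before signing it off with a provider: every task has exactly one Accountable party, at least one Responsible party, and no party is both Consulted and Responsible for the same task. It also lists a party's duties by role and diffs two revisions of the matrix, which is what a periodic review actually needs. The party names and task strings are the slide's; the revised matrix built under `__main__` is a constructed example of drift, not a scenario from the page.

```python
"""RACI matrix validation for cloud shared-responsibility agreements.

Added illustration (not from the webinar): encodes the IaaS deployment RACI
from the slides and checks it the way you would before signing it off with a
provider, then diffs it against a later revision to support periodic reviews.
"""
from typing import Dict, List, Tuple

PARTIES = ("Covered Entity", "Business Associate", "Services Provider")

# IaaS deployment RACI as presented on the slide (task -> per-party codes).
IAAS_RACI: Dict[str, Tuple[str, str, str]] = {
    "Provision Storage Account":                  ("I", "C,I", "A,R"),
    "Provision IaaS Networking":                  ("I", "C,I", "A,R"),
    "Firewall Management, Configuration":         ("I", "C,I", "A,R"),
    "Breach Notification Plan":                   ("I", "C,I", "A,R"),
    "Data Encryption at Rest & In Flight":        ("I", "C,I", "A,R"),
    "Provision IaaS Virtual Machine":             ("I", "C,I", "A,R"),
    "OS Deployment & Hardening":                  ("I", "I",   "A,R"),
    "OS Security Patch Management":               ("I", "C,I", "A,R"),
    "Backup":                                     ("I", "C,I", "A,R"),
    "Antivirus/Antimalware, Endpoint Protection": ("I", "I",   "A,R"),
    "App Installation, Configuration":            ("I", "C",   "A,R"),
    "Monitoring (fabric, OS, app platform)":      ("I", "C,I", "A,R"),
    "Monitoring Alerting / Notification":         ("I", "I",   "A,R"),
    "Desired State Configuration":                ("I", "C,I", "A,R"),
    "Vulnerability Scanning":                     ("I", "I",   "A,R"),
    "Provision Application Services instance":    ("I", "A,R", "I"),
    "CMS Install, Setup, and Maintenance":        ("I", "A,R", "C,I"),
}

VALID = {"A", "R", "C", "I"}


def parse_codes(cell: str) -> set:
    """'C,I' -> {'C','I'}; '-' or '' -> empty set. Rejects unknown letters."""
    codes = {c.strip().upper() for c in cell.split(",")
             if c.strip() and c.strip() != "-"}
    bad = codes - VALID
    if bad:
        raise ValueError(f"unknown RACI code(s) {sorted(bad)} in {cell!r}")
    return codes


def validate(raci, parties=PARTIES) -> List[str]:
    """Return a list of findings; an empty list means the matrix is sound.
    Rules: exactly one Accountable per task, at least one Responsible,
    and no party is both Consulted and Responsible for the same task."""
    findings = []
    for task, cells in raci.items():
        if len(cells) != len(parties):
            findings.append(f"{task}: expected {len(parties)} cells, got {len(cells)}")
            continue
        per_party = {p: parse_codes(c) for p, c in zip(parties, cells)}
        accountable = [p for p, s in per_party.items() if "A" in s]
        responsible = [p for p, s in per_party.items() if "R" in s]
        if len(accountable) != 1:
            findings.append(f"{task}: {len(accountable)} Accountable parties {accountable}")
        if not responsible:
            findings.append(f"{task}: nobody Responsible")
        for p, s in per_party.items():
            if {"C", "R"} <= s:
                findings.append(f"{task}: {p} is both Consulted and Responsible")
    return findings


def duties(raci, party, parties=PARTIES) -> Dict[str, List[str]]:
    """Tasks grouped by the codes one party holds (the agenda for a review with them)."""
    idx = parties.index(party)
    out: Dict[str, List[str]] = {code: [] for code in "ARCI"}
    for task, cells in raci.items():
        for code in parse_codes(cells[idx]):
            out[code].append(task)
    return out


def diff(old, new) -> List[str]:
    """Assignment drift between two revisions of the matrix, for periodic reviews."""
    changes = []
    for task in sorted(set(old) | set(new)):
        if task not in old:
            changes.append(f"added: {task} -> {new[task]}")
        elif task not in new:
            changes.append(f"removed: {task}")
        elif old[task] != new[task]:
            changes.append(f"changed: {task} {old[task]} -> {new[task]}")
    return changes


if __name__ == "__main__":
    print("findings:", validate(IAAS_RACI) or "none")
    print("Services Provider is Accountable for",
          len(duties(IAAS_RACI, "Services Provider")["A"]), "tasks")
    # Constructed drift: a revision where nobody is Accountable for scanning.
    revised = dict(IAAS_RACI)
    revised["Vulnerability Scanning"] = ("I", "C,I", "R")
    for line in validate(revised) + diff(IAAS_RACI, revised):
        print(line)
```

The drift check is the part worth keeping around: when a contract amendment or a provider's updated responsibility matrix arrives, load both revisions and let `diff` and `validate` surface any task that lost its Accountable party.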