Originally presented at the Connecting Michigan for Health conference organized by the Michigan Health Information Network (MiHIN), this presentation talked through the benefits and use cases of leveraging cloud in Healthcare, as well as the realities of cloud security.

1. © 2014 Silverline – Confidential Do Not Distribute© 2014 Silverline – Confidential Do Not Distribute

2. © 2014 Silverline – Confidential Do Not Distribute

3. © 2014 Silverline – Confidential Do Not Distribute
The Michigan Health Information Network (MiHIN) is Michigan's
initiative to improve health care quality, efficient, and patient stagey
through the sharing of electronic health information, while reducing
costs.
• Official state designed entity for health information exchange across
Michigan and through integration with the eHealth Exchange.
• Nonprofit entity, functioning as a public and private collaboration between
the State of Michigan , sub-state health Information Exchanges, payers,
providers, and patients.

4. © 2014 Silverline – Confidential Do Not Distribute
• Who is Silverline?
• What can the Cloud do?
• Deploying the Cloud
• Security in the Cloud
• An example of the Cloud
• HIPAA and the Cloud

5. © 2014 Silverline – Confidential Do Not Distribute
• Serial Consultant
• Startups
• Cloud

6. © 2014 Silverline – Confidential Do Not Distribute
Headquartered in NYC with
resources around the US.
110
9.8/10
700+ Salesforce Deployments
Healthcare, Financial Services,
and Force.com
Provider, Health Plans,
Medical Devices, Wellness
Tools, Care Management
Services, Staffing/Recruiting
Firms
CalendarAnything, Visual
Relationship Mapping, and
The Watercooler: An Intranet
Platform

7. © 2014 Silverline – Confidential Do Not Distribute
Not Using the Cloud
Using the Cloud
70%
30%

8. © 2014 Silverline – Confidential Do Not Distribute
• Device Agnostic
• Predictable costs
• Reduced complexity due to coordination of hardware and software
• Faster and rapid deployment
• Universal access
• Proven management tools
• Streamlined M&A integration
• Realignment of IT resources to business imperatives
• Enhanced collaboration
• Improved analytics across applications
• Lack of tangible asset storage
…among others

9. © 2014 Silverline – Confidential Do Not Distribute
Health Plans
Improve visibility, collaboration, management,
and control over ongoing insurance policy
approvals, renewals, and changes with
sophisticated workflow and data validation
rules.
Medical Devices
Consolidate, Coordinate,
and Automate
Marketing/Sales Activities
and Streamline M&A Activity
Medical Supply
Replace ERPs. Consolidation of sales, inventory
management, and customer service into one
application, manage marketing efforts, track and
manage customer rewards, management and executive
dashboards
Healthcare Services
Automate and coordinate patient
lifecycle management and serve as
a lynch-pin between multiple
systems (inquiry, clinical,
scheduling & billing)
Health Information Network
Relationships between providers, patient care coordination, promote care
teams, connect patients, doctors, and healthcare facilities. TOC Notifications

10. © 2014 Silverline – Confidential Do Not Distribute
• Poor Information
o Messaging around cloud technology is often inaccurate, complex, and
not tailored to the audience. Leading to hesitancy and confusion,
rather than excitement and adoption
• Ambivalence
o “Cloud” represents leading-edge technology, the problem is that the
word “cloud” has become associated with so many different solutions,
products, apps, and offerings that people tend to disregard the value
• Lack of Trust
o Security is not the issue with cloud; trust is.

11. © 2014 Silverline – Confidential Do Not Distribute
• Applications designed for end-users delivered over
the web
• Examples – Salesforce, Workday, Concur
Software as a
Service (SaaS)
“Consume the Cloud”
• A set of tools and services designed to make coding
and deploying those applications quick and efficient
• Examples – Force.com, Google App Engine
Platform as a
Service (PaaS)
“Leverage the Cloud”
• The hardware and software that powers it all –
servers, storage, networks, operating systems
• Examples – Amazon Web Services, Azure, Rackspace
Infrastructure as
a Service (IaaS)
“Be a Cloud”
*Rackspace.com - “Whitepaper: Understanding the Cloud Computing Stack: SaaS, PaaS, IaaS”
*Blogs.technet.com – Cho’s Theories of Cloud Computing”

12. © 2014 Silverline – Confidential Do Not Distribute
Multi-tenant
Shared infrastructure and costs
Utility model
Service provider hosted
Single-tenant
No shared infrastructure
Higher, yet fixed cost
Greater flexibility
Highest level of security
Hosted at provider or enterprise
Composition of multiple cloud
environments (public/private)
Public
40%
*TechTarget's fall 2013 Cloud Pulse survey
Private
22%
Hybrid
38%

13. © 2014 Silverline – Confidential Do Not Distribute
• Defining secure infrastructure models
• Lack of trust between participants in cloud ecosystems
• Bridging the gap between existing internal security standards and
those governing off-premise services.
• Loss of governance
• Responsibility ambiguity – deployment model plays a role
• Isolation failure – mechanisms separating storage/memory/ routing
• Vendor lock-in
• Compounded malicious behavior
• Service unavailability
*Symantec – “The Secure Cloud: Best Practices for Cloud Adoption
*Cloud Standards Customer Council – Security for Cloud Computing – 10 Steps to Ensure Success

14. © 2014 Silverline – Confidential Do Not Distribute
*2014 Microsoft - Security Trends in Healthcare
Conduct
system-wide
data backups
that are
regularly
tested
Do not use
standardized
data
classification
Have a
disaster
recovery
program
Do not have
asset
management
policies and
conduct
asset
discovery
manually
Have
ineffective
controls for
removing
access when
employees
leave or are
reassigned
Have
immature
security
policies

15. © 2014 Silverline – Confidential Do Not Distribute
*Eran Feigenbaum – Director of Security for GoogleApps
30%
Using the Cloud
*Computerworld.com – “Cloud security concerns are overblown experts say”, Intermap Survey
Cloud-wary = 40% Cloud-wise = 15%

16. © 2014 Silverline – Confidential Do Not Distribute
*Symantec – “The Secure Cloud: Best Practices for Cloud Adoption
Infrastructure: How can you ensure that your infrastructure
providers have appropriate security and disaster recovery
policies and stick to them?
Identity: How can you enforce rigorous authentication across
multiple interconnected systems without adversely affecting
flexibility and productivity?
Information: How can you classify and protect sensitive
information, and ensure compliance with policies and
regulations?

17. © 2014 Silverline – Confidential Do Not Distribute
Preventative Corrective Detective
*Wikipedia
Set in place to
prevent any
purposeful attack on
a cloud system.
Much like a warning
sign on a fence or
property, these
controls do not
reduce the
vulnerability of the
system
Upgrade the
strength of the
system by managing
and safeguarding
vulnerabilities. They
cover the attack and
reduce the damage
and violation when
an attack occurs
Used to reduce the
effect of an attack.
Take action as an
attack is occurring.
Used to detect any
attacks that may be
occurring in the
system. In the event
of an attack, the
detective control will
signal the
preventative or
corrective controls
Deterrent

18. © 2014 Silverline – Confidential Do Not Distribute
• Conduct a full risk and compliance assessment, including processes
o Interoperability and portability
o Compliance – business continuity, data recovery, logs/audit trails
o Vendor risk
o Supply chain and ecosystem
o Infrastructure and operations quality
• Secure your own information, people, identities, and roles
o User privileges
o Authentication
o Endpoint security (where applicable)
o Encryption (where applicable)
• Implement a strong governance framework
• Embrace a security-by-design approach
• Implement an active monitoring solution
*Symantec – “The Secure Cloud: Best Practices for Cloud Adoption
*Cloud Standards Customer Council – Security for Cloud Computing – 10 Steps to Ensure Success
• Evaluate security controls on physical infrastructure
and facilities

19. © 2014 Silverline – Confidential Do Not Distribute
• SMS Identify Confirmation
• IP Range Restrictions
• Two-factor authentication options
(outside of username/pw)
• Secure employee systems
o Updated browsers
o Email filters
o Device protection
• SAS 70 Type II, SysTrust, and ISO 27001
• Enhanced password policies
• Secure sessions
• Session timeout thresholds
• Transparency of instances
• Governance (employees, security staff,
counsel, assessments, policies)
• Incorporation into development process
*Salesforce.com
Data
Database Security
Host Security
Network Security
Physical Security
Operational Security

20. © 2014 Silverline – Confidential Do Not Distribute
*Salesforce.com

21. © 2014 Silverline – Confidential Do Not Distribute
• “Final Rule” – BAAs and SLAs are critical!
• Security and privacy controls
• Define an exit strategy
• HIPAA ready/certified vs. HIPAA compliant/audited
• Industry background of vendor – regulatory environment
• Understand encryption of health information – LCD for encryption
• Ensure data segregation, especially PHI – physical/electronic proximity
• Understand the cloud delivery model – public/private/hybrid
• Evaluate breach monitoring
• MU informing HIPAA - CMS vs. Office of Civil Rights (OCR)
*HealthITSecurity – How HIPAA affects Healthcare cloud computing decisions
*HIPAA Considerations in Evaluating Cloud Computing – Ober | Kaler

22. © 2014 Silverline – Confidential Do Not Distribute