Kurt Hagerman | Chief Information Security Officer
BECOME A SMARTER CLOUD CONSUMER
Ripping through the Rhetoric to Find Your Cloud & Control Your Risk
05/18/2015
Kurt Hagerman
ABOUT KURT HAGERMAN
Expert in attaining and maintaining compliance standards, including PCI, HIPAA, ISO 27001, among others. Has conducted hundreds of security reviews and audits across a number of industries including the payment space, healthcare, financial services and higher education.
Industry Leadership
• Cloud Security Alliance SME Council
• ISACA
• CSA
• ISSA
Chief Information Security Officer
So, you’ve decided to explore the cloud for your PHI but are worried about HIPAA compliance.
HITRUST 2015: Become a Smarter Cloud Consumer
Have you done your research and come away confused about how various cloud vendors communicate about HIPAA compliance?
It’s understandable given what they are saying.
IT’S NOT WHAT YOU SAY. IT’S WHAT YOU DO.
Do you know what your vendor is really doing for you?
Do you know who to call when something goes wrong?
What about the privacy and breach rule?
HITRUST 2014: PHI and the Cloud
What They’re Saying…
SECURITY
• Outrageous statements being made
• They sound good but ring hollow
• What do they actually mean to you, the cloud consumer, and how will your vendor’s stance affect your compliance?
Are you Confused? Frustrated?
I know I am.
SNAKE OIL, ANYONE?
• Vendors trivialize HIPAA compliance
• Vendors oversimplify the requirements to sell their services as a “silver bullet”
• HIPAA is risk-based for a reason
• There is no “Easy Button”
CONSIDER THE CLOUD MODELS
Role Clarity
Your responsibilities, and those of your cloud vendor, vary based on the model used by the vendor.
INFRASTRUCTURE AS A SERVICE (IAAS)
Providers: AWS, Azure, Rackspace, SoftLayer, etc.
• Typically only provide security for the underlying infrastructure
• Any compliance attestations only apply to the underlying infrastructure, with no leverage available to customers
• Vendors are forced into signing BAAs, but theirs are typically weak given the lack of security provided to the customer
• Customer owns nearly 100 percent of the compliance responsibility
PLATFORM AS A SERVICE (PAAS)
Providers: AWS (Elastic Beanstalk), Salesforce (Force.com), IBM SmartCloud, CloudFoundry, HP Helion, etc.
• Provide development tools and other building blocks for applications, and secure these services
• Compliance attestations apply to the service, with limited leverage available to customers
• Will sign BAAs, but typically provide little in terms of liability protection given the limited security provided to the customer
• Customer owns a majority of the compliance responsibility
SOFTWARE AS A SERVICE (SAAS)
Providers: Salesforce, Box, Epic, Allscripts, Athena, etc.
• Own the entire stack up through the application
• Any compliance attestations apply to the entire service, with significant leverage available to customers
• BAAs are typically stronger, based on the security provided for customer data, and contain reasonable liability language
• Customer owns very little of the compliance responsibility (at least for the HIPAA Security Rule)
THE MODELS COMPARED
• IaaS and PaaS are fairly close in terms of the split of responsibility between customer and vendor (PaaS is more difficult to parse)
• Significant shift from PaaS to SaaS in terms of vendor responsibility
• Risk to your organization increases from IaaS to SaaS
IT’S NOT WHAT YOU SAY. IT’S WHAT YOU DO.
• Do you know what your vendor is really doing for you?
• Do they provide information on the specific security controls that are included with their service?
• Have they mapped their services and security controls to the HIPAA/HITECH requirements?
• Does your vendor use third parties to provide services to you?
• Have they (and their third parties) been independently assessed?
• Do you know who to call when something goes wrong?
• What about the privacy and breach rule?
• How do I manage a compliance program with multiple vendors all providing my “cloud services”?
SIX COMPLIANCE CHALLENGES
1. Identifying the division of responsibility between you and your cloud vendor
2. Ensuring the services your vendor is providing are properly mapped to your risk assessment
3. Getting the evidence you need for your audit
4. Obtaining objective attestation documentation from the vendor for the controls they have full or partial responsibility for
5. Monitoring ongoing compliance of your vendors
6. Receiving support from the vendor during a breach event
BE A SMARTER CLOUD CONSUMER
CAVEAT EMPTOR
You need to deal with vendors who will be transparent about what they do and how it assists you in mitigating risk and addressing compliance requirements.
BE A SMARTER CLOUD CONSUMER
CAVEAT EMPTOR
Your Vendor Should:
• Provide a clear, concise explanation of the specific security controls they include in their service and how these directly assist you in meeting your compliance obligations
• Articulate the boundaries between their responsibility and yours
• Provide documentation that backs up assertions about being “HIPAA Compliant,” including independent audit reports that clearly state:
- the scope of the assessment
- the control framework used
- how compliance can be leveraged by you
What about Business Associate Agreements?
Many vendors say they are “business associate-friendly” and that they will sign a BAA.
• Does their BAA include language that clearly states what services they are providing and what responsibility they are taking for security incidents?
• Do they suggest this language when reviewing yours?
Thank You
Questions?
Kurt Hagerman Email kurt.hagerman@firehost.com
Phone +1 877 262 3473