HIPAA and PCI Compliance in the Cloud

8th International Cloud Expo, June 8th, 2011

Cloud Expo pci-hipaa deck 053111



Page 2

Agenda

• Introductions
• About CCS
• What is PCI
• What is HIPAA
• Why are PCI and HIPAA Important to cloud providers?
• Technology and Best Practices
• Other Compliance
• Key Questions for Providers
• Questions

Page 3

Introductions

• Jeff Uphues, VP of Sales & Marketing, Cbeyond Cloud Services
• Stacy Griggs, Senior Director of Customer Experience, Cbeyond Cloud Services

Page 4

About Cbeyond Cloud Services

• 3000+ Cloud Customers
• 58,000 Total Customers
• $450M Publicly Traded (NASD:CBEY)
• 11 Years Old
• Public Cloud + Managed Dedicated Servers = Hybrid
• 2009 Microsoft Worldwide Hosting Partner of the Year
• 2010 Microsoft Hyper-V Cloud Provider of the Year
• Focus on SMBs with complex technology needs

Page 5

What is PCI

• Set of regulations that businesses must follow to accept credit cards – mandated by merchant processors.
• Applies to merchants that take payments on-line or in person.
• Non-compliance generally results in litigation, reputational damage and loss of ability to take credit cards.
• 2 Levels:
  • Audited by a QSA
  • SAQ
    • 4 Types of SAQ, A-D
    • Basically 36 pages of detailed security information
    • Typical for smaller merchants, <1M annual transactions
    • Must not store credit card data.

Page 6

What is HIPAA

• Set of regulations enacted by Congress for the secure handling of patient health information.
• Applies to medical offices, hospitals, research labs, pharmaceutical companies, drug stores and any other company that handles patient information.
• Civil and criminal penalties for non-compliance.
• Requires technical and physical safeguards to protect patient data.
• Documented policies and annual risk assessments.
• About to become bigger with a new proposed rule that would give people the right to get a report on who has electronically accessed their protected health information (May 31, 2011 - http://www.hhs.gov/news/press/2011pres/05/20110531c.html).

Page 7

Why PCI and HIPAA are important for the cloud

• US Economy: $14.7T GDP in 2010 (Wikipedia)
• Healthcare = 16% of GDP (Wikipedia)
• Visa / Amex + MC = $410B in Q1/10 (NY Times, May 2011)
• Annualized Credit Card Spending = 11% of GDP
• Collectively > ¼ of the economy
• Both spending categories are growing at >2X the pace of the general economy.
• Rapidly moving to the cloud
• If you aren’t providing PCI and HIPAA compliant service you are leaving ¼ of the economy to your competitors.

Page 8

Technology Requirements and Best Practices

• Security!
  • Firewalls
  • Application Isolation (one primary function / server)
  • WAF
  • Log Management
  • IPS
  • Physical
    • Building controls and logs
    • CCTV and history
• Process, Policy and Review
  • HIPAA – Business Associate Agreement
  • Path to compliance - PCI
    • SAQ or SAQ + QSA
    • AOC - ROC

Page 9

Other - less common areas of compliance

• Federal Information Security Act (FISMA) – Federal Government and Vendors
• Sarbanes-Oxley (SOX) – Public companies and their vendors
• Information Technology Infrastructure Library (ITIL) – Companies with advanced IT process, especially European
• International Organization for Standards (ISO 9001) – Worldwide
• European Safe Harbor – Data protection standards for EU countries

Page 10

Key Questions for Cloud Providers

• Show me your SAS70 Type II (SSAE16)
• How will you design a compliant infrastructure?
• What is the client responsible for and what is the vendor responsible for?
• Show me your privacy policy
• What's your SLA?
• How do you maintain a secure environment?
