SaaS Security in Healthcare: Can the Fox Guard the Hen House? Pros and Cons of an In-House Security Validation and a Third-Party SOC 2 Audit

Nick Lewis, Internet2; Dion Taylor, Univ. of Michigan; Peter Hoven, ICE Health Systems; Sean Sweeney, Univ. of Pittsburgh; Paul Howell, Internet2

meetings.internet2.edu/media/medialibrary/2016/05/...

Page 2

Introduction

Peter Hoven

Page 3

Collaboration

• Dental schools at University of Michigan, University of North Carolina and University of Pittsburgh
• Schools introduced Internet2 to the process
• Deep commitment from all parties to develop a new EHR management system
• Formed an advisory board to guide all aspects of the project

www.icehealthsystems.com

Page 4

Project Goals

• Efficient Clinical Experience
• Supports Learning
• Robust Financial and Administrative Reports
• Embrace Standards to Support Research
• Collaboration and Communication
• Integrates Medical Records
• Uses Excellent and Current Software Engineering Practices

www.icehealthsystems.com

Page 5

Emphasis on Security

● Collaboration emphasized security
● Many opinions around security audit process
● Customer agreement focused on:
  ○ Long Term - ISO Certification
  ○ Short Term - Cloud Control Matrix
● Michigan performed security review
● Pitt and UNC initially requested independent review
● UNC introduced the option of SOC2 as an accepted 3rd party audit solution

www.icehealthsystems.com

Page 6

Nick Lewis

Internet2 NET+

Page 7

What is Internet2 NET+ Services all about?

A partnership to provide a portfolio of solutions for Internet2 member organizations that are cost-effective, easy to access, simple to administer, and tailored to the unique, shared needs of the community:

• Define a new generation of value-added services
• Leverage the Internet2 R&E Network and other services such as InCommon
• Drive down the costs of provisioning/consuming services
• Provide a strategic partnership with service providers (new service offerings)
• Leverage community scale for better pricing and terms
• Develop solutions that meet performance, usability, and security requirements
• Provide a single point of contracting and provisioning

Page 8

Requirements of Service Providers

• Identified Sponsor: CIO or other senior executive from a member institution
• Membership in Internet2 and InCommon Federation
• Adoption of InCommon-Shibboleth/SAML2.0 and connection of services to the R&E Network
• Completion of the Internet2 NET+ Cloud Control Matrix
• Commitment to:
  § A formal Service Validation with 5-7 member institutions
  § Enterprise-wide offerings and best pricing at community scale
  § Establishing a service advisory board for each service offering
  § Community business terms (Internet2 NET+ Business and Customer agreements)
  § Support the community's security, privacy, compliance and accessibility obligations
• Willingness to work with the Internet2 community to customize services to meet the unique needs of education and research

Page 9

NET+ Service Validation Components

• Functional Assessment
  • Review features and functionality
  • Tune service for research and education community
• Technical Integration
  • Network: determine optimal connection and optimize service to use the Internet2 R&E network
  • Identity: InCommon integration
• Security and Compliance
  • Security assessment: Cloud Controls Matrix
  • FERPA, HIPAA, privacy, data handling
  • Accessibility
• Business
  • Legal: customized agreement using NET+ community contract templates
  • Business model
  • Define pricing and value proposition
• Deployment
  • Documentation
  • Use cases
  • Support model

Page 10

NET+ Security and Compliance

• NET+ template legal agreements include SOC2, ISO27001, and CCM
• Internet2 coordinates the Service Validation campuses on the security review of the service provider
• SP shares their security documentation with the campuses
• Request SP complete the Cloud Security Alliance Cloud Control Matrix for campuses to review if one wasn't provided
• Campuses determine what is necessary for security from the SP and sign off at the completion of SV that their security (and the other) requirements are satisfied by the SP
• Campuses determine use cases and if the security will support the use cases

Page 11

NET+'s Usage of the CSA CCM

• What is the Cloud Security Alliance Cloud Control Matrix (CCM)?
• How has the CCM evolved?
• What improvements were required for ICE Health?
• Now includes FERPA, HIPAA, ITAR, COPPA from NET+ contribution
• NET+ has started to use the CSA Consensus Assessment Initiative Questionnaire
• CCM has mappings to most laws, regulations, etc. now
• Ongoing oversight is a responsibility of the NET+ Service Advisory Board

Page 12

Dion Taylor

Page 13

What Was Done

• 2012/13: Agreement to use CCM
• March 2014: Visited ICE HQ in Calgary
• August 2014 – October 2014: "High Priority" control list developed, expanded
• December 2014: Met with IIA to set control/report guidelines
• May 2015: Follow-up visit to ICE HQ
• September 2015: Met with IIA to solidify report contents & format
• October 2015: Report delivered to, and reviewed by, IIA
• November 2015: Report delivered to ICE

Page 14

Question Selection

• November 2013: Entire CCM/CAIQ used
• March 2014: Entire CCM/CAIQ used
• April 2014: "High Priority" CCM/CAIQ items extracted
• August 2014: UM Compliance Questionnaire incorporated
• October 2014: NIST "High Threat Potential" families identified, incorporated

Gap analysis performed to arrive at the final set of 150+ questions

Page 15

Excerpt of the assessment spreadsheet (an image flattened by extraction). Every row is in the control area "Information Security". Columns: margin tags | control group | control (CGID and specification) | question | NIST SP800-53 R3 mapping | the three response columns | status.

Margin-tag column as extracted, in order (alignment to rows was lost): M-IIA; M-IIA M-DENT; M-IIA HIPAA; M-IIA HIPAA; M-IIA M-DENT; M-IIA M-DENT; M-IIA M-DENT; M-IIA HIPAA; M-IIA HIPAA

Tags | Control group | Control | Question | NIST SP800-53 R3 mapping | Responses | Status
| | | IS-24.4: Do you enforce and attest to tenant data separation when producing data in response to legal subpoenas? | | In progress / Yes / Yes |
| Incident Response Metrics | IS-25: Mechanisms shall be put in place to monitor and quantify the types, volumes, and costs of information security incidents. | IS-25.1: Do you monitor and quantify the types, volumes, and impacts on all information security incidents? | IR-4 Incident Handling; IR-5 Incident Monitoring; IR-8 Incident Response Plan | No / No / Yes | GAP
| | | IS-25.2: Will you share statistical information security incident data with your tenants upon request? | | No / No / No |
| Acceptable Use | IS-26: Policies and procedures shall be established for the acceptable use of information assets. | IS-26.1: Do you provide documentation regarding how you may utilize or access tenant data and/or metadata? | AC-8 System Use Notification | In progress / Yes / Yes | ✔
| | | IS-26.2: Do you collect or create metadata about tenant data usage through the use of inspection technologies (search engines, etc.)? | | Yes / Yes / Yes |
| | | IS-26.3: Do you allow tenants to opt-out of having their data/metadata accessed via inspection technologies? | | Yes / Yes / Yes |
| Asset Returns | IS-27: Employees, contractors and third party users must return all assets owned by the organization within a defined and documented time frame once the employment, contract or agreement has been terminated. | IS-27.1: Are systems in place to monitor for privacy breaches and notify tenants expeditiously if a privacy event may have impacted their data? | PS-4 Personnel Termination | No / No / Yes | GAP
| | | IS-27.2: Is your Privacy Policy aligned with industry standards? | | Yes / Yes / Yes |
HTP | Audit Tools Access | IS-29: Access to, and use of, audit tools that interact with the organization's information systems shall be appropriately segmented and restricted to prevent compromise and misuse of log data. | IS-29.1: Do you restrict, log, and monitor access to your information security management systems? (Ex. hypervisors, firewalls, vulnerability scanners, network sniffers, APIs, etc.) | AU-9 Protection of Audit Information; AU-11 Audit Record Retention; AU-14 Session Audit | In progress / In progress / In progress | Top 10 HTP
| Diagnostic / Configuration Ports Access | IS-30: User access to diagnostic and configuration ports shall be restricted to authorized individuals and applications. | IS-30.1: Do you utilize dedicated secure networks to provide management access to your cloud service infrastructure? | CM-7 Least Functionality; MA-3 Maintenance Tools; MA-4 Non-Local Maintenance; MA-5 Maintenance Personnel | No / No / Yes | Top 10 HTP
HTP | Network / Infrastructure Services | IS-31: Network and infrastructure service level agreements (in-house or outsourced) shall clearly document security controls, capacity and service levels, and business or customer requirements. | IS-31.1: Do you collect capacity and utilization data for all relevant components of your cloud service offering? | SC-20 Secure Name/Address Resolution Service (Authoritative Source); SC-21 Secure Name/Address Resolution Service (Recursive/Caching Resolver); SC-22 Arch & Provisioning for Name/Address Resolution Svc; SC-23 Session Authenticity; SC-24 Fail In Known State | In progress / In progress / In progress | HTP
| | | IS-31.2: Do you provide tenants with capacity planning and utilization reports? | | No / No / No |
M-DENT | Portable / Mobile Devices | IS-32: Policies and procedures shall be established and measures implemented to strictly limit access to sensitive data from portable and mobile devices, such as laptops, cell phones, and personal digital assistants (PDAs), which are generally higher-risk than non-portable devices (e.g., desktop computers at the organization's facilities). | IS-32.1: Are policies and procedures established and measures implemented to strictly limit access to sensitive data from portable and mobile devices, such as laptops, cell phones, and personal digital assistants (PDAs), which are generally higher-risk than non-portable devices (e.g., desktop computers at the provider organization's facilities)? | AC-17 Remote Access; AC-18 Wireless Access; AC-19 Access Control for Mobile Devices; MP-2 Media Access; MP-4 Media Storage; MP-6 Media Sanitization | In progress / Yes / In progress |
HTP | Source Code Access Restriction | IS-33: Access to application, program or object source code shall be restricted to authorized personnel on a need to know basis. Records shall be maintained regarding the individual granted access, reason for access and version of source code exposed. | IS-33.1: Are controls in place to prevent unauthorized access to your application, program or object source code, and assure it is restricted to authorized personnel only? | CM-5 Access Restrictions for Change; CM-6 Configuration Settings | In progress / In progress / Yes | GAP
| | | IS-33.2: Are controls in place to prevent unauthorized access to tenant application, program or object source code, and assure it is restricted to authorized personnel only? | | N/A / N/A / N/A |

Page 16

NIST SP800-53 Control Rankings

Page 17

How Questions Were Assessed

Page 18

How Questions Were Assessed

What does the regulation/standard say?

• CCM CGID IS-19, "Encryption Key Mgmt."
  – Do you encrypt tenant data at rest (on disk/storage) within your environment?
  – Do you leverage encryption to protect data and virtual machine images during transport across and between networks and hypervisor instances?
• HIPAA (SP800-66) – 164.312(a)(2)(iv), 164.312(e)(1)
• ISO27002:2005 – Clause 4.3.3, A.10.7.3, A.12.3.2, A.15.1.6
• NIST (SP800-53) – SC-12, SC-13, SC-17, SC-28

Page 19

How Questions Were Assessed, Cont.

What does the regulation/standard say?

• CCM CGID IS-19, "Encryption Key Mgmt."
  – HIPAA (SP800-66)
    • 164.312(a)(2)(iv) - Encryption and Decryption (A)
    • 164.312(e)(1) - Transmission Security
  – ISO27002:2005
    • Clause 4.3.3 – Control of Records
    • A.10.7.3 – Information Handling Procedures
    • …
  – NIST (SP800-53)
    • SC-12 – Cryptographic Key Establishment and Mgmt.
    • SC-13 – Cryptographic Protection
    • …
    • AC-3 – Access Enforcement

Page 20

How Questions Were Assessed, Cont.

What does the regulation/standard say?

• CCM CGID IS-19, "Encryption Key Mgmt."
  – NIST (SP800-53)
    • SC-12 – Cryptographic Key Establishment and Mgmt.
      – The organization establishes and manages cryptographic keys for required cryptography employed within the information system.
        » SC-12(1): The organization maintains availability of information in the event of the loss of cryptographic keys by users.
    • …
    • AC-3 – Access Enforcement
      – The information system enforces approved authorizations for logical access to the system in accordance with applicable policy.
        » "…access enforcement mechanisms (e.g., access control lists, access control matrices, cryptography)…"

Then compare the ICE response against these controls and determine what needs to be done to remediate.

Page 21

Example of ICE Improvement

• CCM CGID IS-19, "Encryption Key Mgmt."
  – Do you encrypt tenant data at rest (on disk/storage) within your environment?
    • November 2013: No response
    • March 2014: "No" to both policies and procedures
    • May 2015: "Yes" (AWS Securing Data at Rest with Encryption, Database Installation Procedure, etc.)
  – Do you leverage encryption to protect data and virtual machine images during transport across and between networks and hypervisor instances?
    • November 2013: No response
    • March 2014: "No" to both policies and procedures
    • May 2015: "Yes" (Network Diagrams, Data Interaction Diagram)

Page 22

Assessment Team

• UM Information Assurance Office – Sol Bermann, UM Privacy Officer, IA Risk Assessment team
  • Developed U-M wide guidance, tools, and processes for service provider security-compliance assessments
  • Remained engaged with U-M School of Dentistry, and other key stakeholders on progress and reporting
  • Identified areas of IT security risk/controls emphasis
  • Part of final review/approval
• UMHS Compliance – Ben Havens, UMHS Information Security Compliance Director
  • Ensured HIPAA-specific concerns were addressed

Page 23

Assessment Team, Cont.

• UM Office of General Counsel – Colleen McClorey, Associate General Counsel
  • Managed all legal agreements
  • Advised over the course of the assessment strategy
• UM Procurement – Ted Eisenhut, Privacy Officer and IT Policy and Enterprise Continuity Strategist
  • Facilitated major update to U-M Procurement policy that embedded security and compliance reviews as a part of the procurement process
  • Collaborated with all U-M stakeholders to ensure all concerns were addressed as they relate to the purchasing process

Page 24

Peter Hoven

Page 25

Acronym Hell

• HIPAA/HITRUST
• CCM (1.4 or 3.01)
• PCI
• SOC2 Trust Principles
• NIST SP800-53 R3
• ISO 27001
• COBIT
• Michigan High Priority Items

www.icehealthsystems.com

Page 26

Mappings

• Michigan mapped CCM to various standards and created High Priority Items
• KPMG Pre-Assessment mapped CCM to SOC2 Security
• Many differences
  • CCM Cloud focus
    • Virtualization
    • Cloud Providers
• ICE relies on Amazon Attestation and Compliance

www.icehealthsystems.com

Page 27

Go Forward Plan

• Michigan security review and remediation
• Holistic Security
• Risk Analysis
• Bake it in
• SOC 2 Type 1 and 2
• ISO 27001

www.icehealthsystems.com

Page 28

Sean Sweeney

Page 29

Third-Party Risk Assessment at Pitt

• Centrally administered and reviewed
• Required for all third parties having access to University Data
• Embedded into University processes, including Purchasing, Office of General Counsel, IRB, etc.

Page 30

Third-Party Risk Assessment at Pitt

• Self Assessment Questionnaire
  – Maps to NIST CSF, FISMA, HIPAA/HITRUST, GLBA, PCI, and ISO
• Independent verification required for regulated data
  – SOC 2, PCI Certification, ISO Certification

Page 31

Review Process for ICE at Pitt

• Initial review and acceptance of Cloud Controls Matrix in lieu of normal procedure
  – Version 1.3
• Gap Assessment of ICE against the CCM
• Third-party audit
  – Control testing required
  – CCM vs SOC 2

Page 32

Next Steps and Takeaways

• University of Michigan security review
  – Working to understand methods
  – Potential Reliance
• CCM detail + SOC 2 overview
  – Best of both worlds for Pitt
• Model for EDU reliance?

Page 33

Discussion

Paul Howell