1 Private Information Protection in Cloud Computing laws, Compliance and Cloud Security Misconceptions Special research prepared by Rubos, Inc. team (We do independent research on security matters in various domains) Prepared for OWASP AppSec 2012 Presented by Mikhail Utin, CISSP, Ph.D. (Questions will be answered after the presentation. Please, submit them to the speaker in writing.) Copyright OWASP AppSec 2012 & Rubos, Inc.
2 1. Introduction (1) A bit of Cloud Computing (CC) history: Not new as a service, new concept of crossing legal borders CC security research started only in ignoring legal side and concentrating on data protection No regulation any security rules set by CC and a customer Personal Information (PI) protection: HIPAA/HITECH, SOX, GLBA, PCI DSS, MA MGL 93H/ 201 CMR 17.00, numerous federal documents, etc. require certain relationship between CC provider and a customer HIPAA is the most developed in identifying provider and customer relationship Laws dictate different approach to CC security analysis how binding relationship could be made legal, and then followed by technical implementation.
3 1. Introduction (2) Delegation of Trust New concept Delegation of Trust (DoT)- in terms of requiring appropriate relationship between PI owner and a service provider: the provider guarantees certain level of security, and customer delegates trust to the provider. Such process is outlined in HIPAA Security Rule (45CFR Part 164): Paragraph (b)(1)...A covered entity in accordance with may permit a business associate to create, receive, maintain, or transmit electronic protected health information on the covered entity behalf only if the covered entity obtains satisfactory assurances in accordance with (a) that the business associate will appropriately safeguard the information.
4 1. Introduction (3) important HIPAA quotes: Contracts between covered entity and a business associate: Paragraph (2)(i): Business associate contracts. The contract between a covered entity and a business associate must provide that the business associate will - (A) Implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity and availability of the electronic protected health information that is creates, receives, maintains or transmits on behalf of the covered entity as required by this sub-part;
5 1. Introduction (4) important HIPAA quotes: Once initial trust is established, DoT chain can expend further: Paragraph (2)(i)(B): Ensure that any agent, including a subcontractor, to whom it provides such information, agrees to implement reasonable and appropriate safeguards to protect it.. Logical assumption: Each component of DoT chain should have equal or better safeguards than business associate.
6 1. Introduction (final) The basis of DoT concept is knowing the entire chain of service providers, and security status of each chain component and then engage in binding relationship utilizing appropriate legal instruments. Analysis of services provided by CC in the context of widely used Deployment and Services models - how they will be affected by above mentioned regulations Necessary binding agreements between PI owner and service provider, and certain security processes, and if and how such relationship could be implemented Finding a solution to the fundamental legal DoT problem, and then considering more specific security issues (10 or more of known)
7 2. What is Cloud Computing an overview... the delivery of computing as a service rather than a product... Wikipedia 2.1. Short history of Cloud Computing and security concerns Back in time: Internet Bubble - 10% of hosting production capacity of hosting services were in use Amazon.com Amazon Web Service - first application CC Numerous CC service providers: moving data across legal and physical borders followed to Amazon initiative No security concerns until 2009: security related references in Wikipedia: 4 of 2009, , of 77 total US Government created Cloud Security Group in 2009, and both NIST Cloud Computing publications [2, 3] went public in 2011
8 2.1 What is Cloud Computing - two conclusions: Cloud Computing was originated from the hosting service by extending its capabilities, and is a service by its nature; the infrastructure is irrelevant to its customers, and is only a medium to transfer and process data. Legal and security concerns have been largely ignored during the rapid development of CC technology up until 2009.
9 2.2. Cloud Computing is a Dynamic Hosting Service (1) Computing is a process of computation. Prominent examples are Analog Computing, Digital Computing, Mainframe Computing, and so on. A cloud itself cannot compute, and it is neither a method nor a means of computation. There is always a point (or resource) inside infrastructure, which at a given moment digitally compute Originally Hosting Service, cloud is a service delivering data to a computational point and back to the user. By its nature, CC is dynamic service moving computational point between various resources, and providing dynamic access to applications either via API, or directly to an application itself
10 2.2. Cloud Computing is a Dynamic Hosting Service (2) - Cloud Computing Service Model So named Platform as a Service PaaS is actually Application Programming Interface (API) to a Dynamic Hosting Service (DHS) So-called Software as a Service SaaS is an Application Dynamic Hosting Service And - finally - Infrastructure as a Service - IaaS is a well-known Hosting Service; previously (as there were no other needs) hosting was for web sites only, and now it is left up to the infrastructure user how to use it and what to deploy it to.
11 2.3. Evolutionary vs. revolutionary names Dynamic Hosting service is correct and pure technical term and is evolutionary name Cloud Computing is pure marketing and revolutionary name Predecessor Intranet web sites - Internet information resources - installed inside a company infrastructure, which all of sudden became new technology for upper management sale just by adding web sites for internal use - Navy and Marine Corp Intranet (NMCI) project is typical sales of multi-billion upgrade as new concept Now Cloud Computing turn
12 2.4. What is the Cloud Computing Deployment Model and do we really need it? (1) Why do we need Deployment Model which is about computing resources and provides no explanation of how data moves inside or the exact meaning of service to the customer. The Public Cloud:...It is owned and operated by a cloud provider delivering cloud service to customers. Basically, owned and operated by provider implies Hosting Service infrastructure, or as we used to say Hosting Service or Outsourced Hosting. Basically, we are making a reference to a service again, meaning that there is supporting infrastructure. However, do we really need a new model of Public Cloud to explain what we know since year 2000 as Hosting Service?
13 2.4. What is the Cloud Computing Deployment Model and do we really need it? (2) Private Cloud  -... is operated exclusively for a single organization. It may be managed by the organization or by a third party, and may be hosted within the organization s data center or outside of it. If Private Cloud is comprised from customer's equipment it is just well known Local Network' or organization's Wide Area Network. If two kind of networks LAN and WAN are operated by external entity, it is called outsourcing. So, again we can easy explain new Private Cloud in old and easily understood terms LAN, WAN, or Outsourced Infrastructure and such well established terms are much easier to comprehend and to use than Private Cloud
14 2.4. What is the Cloud Computing Deployment Model and do we really need it? (3) Community Cloud :...the infrastructure and computational resources are exclusive to two or more organizations that have common privacy, security, and regulatory considerations, rather than a single organization. This definition is vague in legal context. Hosting Service. If NIST is trying to explain that a community has only one agreement with a provider, then it is legally incorrect. A community is not a legal entity and cannot sign an agreement, unless organizations within form such entity legally. In this case, we again see one-to-one relationship, and public cloud Hosting Service. So far, there is no legal practice of signing service agreement by a vague community
15 2.4. What is the Cloud Computing Deployment Model and do we really need it? (4) Finally Hybrid Cloud model: fundamentally, it is a composition *2+...are more complex than the other deployment models, since they involve a composition of two or more clouds (private, community, or public). Each member remains a unique entity, but is bound to the others through standardized or proprietary technology that enables application and data portability among them. As far as services are concerned, this model is a composition of LAN/WAN (private cloud), and a hosting service (public cloud). Community, as we discussed above, is either a hosting service or cannot legally exist.
16 2.5. Cloud Computing models research conclusion (1) Cloud Computing is a pure marketing term for extended hosting service Cloud Computing does not technically explain the nature of new service. Dynamic Hosting Service term is a better description, and does not require any new particular scientific models to explain it So named Deployment Models do not add to understanding of how exactly services are provided; LAN/WAN, hosting service, or infrastructure outsourcing would be more technically correct.
17 2.5. Cloud Computing models research conclusion (2) There is no legal consideration in any of the Service or Deployment models. They do not define how customers and provider will legally operate. So named Service Agreement and Service Level Agreement set in NIST [2,3] are not considered in regulatory legal context at all.
18 3. Legal consideration of Dynamic Hosting Service (DHS, aka Cloud Computing) implementation (1) We see enormous marketing campaign to sell DHS/CC to HIPAA covered entities and other regulated industries without any serious consideration of its legal ground and technical implementation of regulations We have hundreds of thousands of covered entities in the US, and most of them are small and medium size businesses. They are easy targets who understand neither HIPAA Security Rule itself nor legal meaning and possibility of implementation of DHS/CC.
19 Legal consideration of Dynamic Hosting Service (DHS, aka Cloud Computing) implementation (2) The Reality of CC Show: We have little doubt that our strictly technical DHS term will be happily ignored and never used by the service providers and even their customers. However, for clarity of this presentation, we will use it while identifying legal inconsistency problems and finding a better resolution. Nevertheless - we continue:
20 3.1. Anatomy of HIPAA Security Rule Part (b)(1) and (2) - (1) Base on the HIPAA quote provided in Introduction Business associate contracts and other arrangements : Two parties (not communities ) involved, which are named covered entity and business associate A contract is required, which is usually named as Business Associate Agreement (BAA) Covered entity explicitly permits operations on Electronic Protected Health Information (EPHI) Operations include: create, receive, maintain, or transmit Covered entity is responsible for obtaining satisfactory assurance from business associates concerning safeguarding EPHI
21 3.1. Anatomy of HIPAA Security Rule Part (b)(1) and (2) - (2) Standard refers to (a) and to (a)(2)(i) Business Associate contracts requiring: (A) Implement administrative, physical and technical safeguards reasonably and appropriately to protect the confidentiality, integrity and availability of EPHI (B) Ensure that any agent, including a subcontractor, to whom it provides such information, agrees to implement reasonable and appropriate safeguards to protect it.
22 3.2. Implementation of DoT in contracts between a covered entity, providers and subcontractors (1) According to DoT concept should be identified who provides services and what is security level of each. Two options of legally providing such assurance: Business associate collects all security level guaranteeing agreements from sub-contractors and verification of security status documents as well. Business associate has legal agreement with other cloud providers representing them as one legal entity and thus will provide covered entity with one security guarantee agreement and one security status document.
23 3.2. Implementation of DoT in contracts between a covered entity, providers and subcontractors (2) If all cloud providers have the same capability of being active providers, i.e. having customers, then each of them should possess corresponding agreements and security status documents for each of customers Customers regulated by other laws (SOX, GLBA, etc.) or standards (like PCI DSS), which will require the cloud to have appropriate legal assurance (i.e. documents) according to their regulations. The cloud very likely has non-regulated customers, who would prefer some simplified security rules to get less expensive service Thus, providers are required having very complex legal support of services. There is no introduced by government unified security controls providing military grade security assurance.
24 3.2. Implementation of DoT in contracts between a covered entity, providers and subcontractors (3) Compliance with HIPAA: Compliance status is to be identified by government audit only Neither software vendors nor cloud providers (business associates and sub-contractors) can claim as compliant - government audits covered entities only Business associates and sub-contractors can be audited by commercial auditors for satisfactory assurance, i.e. having security controls Possible source of check list is DHHS/CMS Sample Interview and Document Request  the implications of a covered entity not having appropriate legal paperwork - intentional misconduct bearing a penalty of at least $50,000 and up to $1,500,000 Not clear if government will audit contract with business associates in new future
25 3.3. Risks to covered entity associated with border provider originated risks Any provider any DHS/CC service is affected by border provider s activity Existing but completely absent in risk assessment and risk management border risks Caused by system level personnel access to PI data locations and logs possible altering of both Typical services: infrastructure components (firewalls, routers, etc.), security services (web filtering, anti-malware, etc.), application level access (to files or databases, etc.) Resolution separation of duties and physical separation of logging All risks (internal risk, service provider internal risk, and covered entity's external risk coming from the service provider) should be outlined in security assurance documents
26 3.4. Yet one more HIPAA standard audit trail logs and data retention Both PI data owner and service provider s personnel require system/administrative level of access to data Possibility of altering of both data and data logs by provider s personnel Resolution separation of duties and saving audit logs on physically separated resource
27 HIPAA Security Rule Part policies, procedures and documentation requirements Fundamental HIPAA requirements: A covered entity must, in accordance with : (b)(1) Standard: Documentation. (ii) If an action, activity, or assessment is required by this sub-part to be documented, maintain a written (which may be electronic) record of the action, activity or assessment. (2) Implementation specifications: (i) Time limit (Required). Retain the documentation required by paragraph (b)(1) of this section for 6 years from the date of its creation or the date when it last was in effect, whichever is later. (ii) Availability (required). Make documentation available to those persons responsible for implementing the procedures to which the documentation pertains.
28 Anatomy of Part and what it means for service providers (1) Maintain a document (a log) of all activities associated with EPHI Maintain logs for at least 6 years Covered entity is responsible for keeping logs, not a business associate Some details: Logs should be created in the resource associated with EPHI activities, and then stored outside of it Logs should be created by each service provider and sent outside of the service infrastructure and saved by covered entity for 6 years Logs also should be available for monitoring by cloud and customer personnel.
29 Anatomy of Part and what it means for service providers (2) HIPAA does not require service providers to keep logs for 6 years However, HITECH considers both covered entities and business associates equally responsible for safeguarding EPHI Thus, best practice for providers would be keeping EPHI activity logs for 6 years as well It would be helpful as well in a case of a litigation process.
30 Anatomy of Part and what it means for service providers (3) Requiring a covered entity to keep logs means: That such entity must employ an onsite Security Information Management system (SIM) for operations with logs Make them available for government audit upon request Typical cost is well over $20,000 to purchase plus additional supporting expenses Likely being over a budget of an SMB entity
31 3.5. Conclusion (1) Our concept of Delegation of Trust clearly explains legal relationship between covered entity/customer and business associate/service provider and along a chain of sub-contractors/service providers Appropriate legal relationship between a covered entity and a cloud require security level agreements between a customer and each of the providers if providers are independent business entities. The number of such agreements is multiplied by the number of customers. Implementation of trust requires appropriate security level assurance document which accompany security level agreement. The number of such documents is the same as above, and is equal to the number of providers multiplied by the number of customers. If a cloud forms new legal entity, then it should be one cloud-wide security level agreement between all providers and similar - security assurance document. Then each customer should be given two documents representing agreement between the customer and cloud as well as security guarantees.
32 3.5. Conclusion (2) In any case, customer should know all legal entities included in the cloud. Legal document of security assurance should include risk assessment and risk management of, as we named them, border risks. What is said in pp.2 7 of this Conclusion, creates enormous legal challenge to DHS/CC providers. Our opinion is that nothing has been done yet by the providers toward making DHS/CC operations truly legal. Implementation of HIPAA provisions of keeping documents/logs of all activities concerning EPHI on customer legal premises for 6 years creates a legal and technical challenge for both covered entities and business associates, and in particular considering moving EPHI freely between subcontractors. The requirement of keeping a SIM system to collect logs for 6 years on covered entity s premises places a high technical and financial burden for SMB size covered entities
33 4. Final conclusion (1) In our already technology-overloaded world, any new technology should be carefully investigated to understand its role, capabilities, as well as possible risks. Cloud Computing has been pushed to market and promoted as optimizing IT services. Its current technological capabilities are adequate to address its main purpose. However, legal grounds for this technology have not been investigated prior to moving it forward and promoting to regulated industries. Instead, the research focused more on operational aspects of security, not legality of services. Regulations like HIPAA and, more recently, MGL 93H 201 CMR Standards require certain assurance of protection of personal information, and thus establish a legal relationship between providers and customers. When we come to analyze CC from purely legal grounds, we see enormous problems starting with questionable models, unsound architecture, and ending with a necessity of having numerous legal binding instruments, completely uninvestigated risks, and finally deploying heavy duty security systems in a cloud and on customer site to maintain legal compliance. In short, regulated industries and US government in particular cannot use cloud services as they are now and will not be able to use them until a legal ground for the technology is laid down.
34 4. Final conclusion (2) Dear Colleagues, We hope that our research will stimulate careful consideration of all security problems surrounding Cloud Computing. Moreover, we suggest renaming the term itself to a more appropriate Dynamic Hosting Service without confusing models. This will help to avoid misleading marketing-oriented terminology and bring the legal aspects of information security to the forefront. Thank you very much for participating in this discussion!
35 References: 1. Shankar B. Chebrolu, PhD, CISSP, et al. Top Ten Risks With Cloud That Will Keep You Awake at Night. OWASP, September 22, Guidelines on Security and Privacy in Public Cloud Computing, NIST Special Publication , December DRAFT Cloud Computing Synopsis and Recommendations, NIST Special Publication , May Department of Health and Human Services/Centers for Medicare and Medicaid Services/ Office of E-Health Standards and Serrvices. Sample Interview and Document Request for HIPAA Security Onsite Investigation and Compliance Review. 5. Ryan K.L. Ko et al. TrustCloud: A Framework for Accountability and Trust in Cloud Computing, HP Laboratories, IEEEICFP 2011.
36 Thank you! All questions will be answered: or Rubos, Inc. (presentations, texts, articles, etc.)
Cloud Computing The new approach to securing Personal Information and addressing new EU regulation Special research prepared by Rubos, Inc. team: Mikhail Utin, PhD, CISSP and Daniil Utin, MS (We do independent
Cloud Services Overview John Hankins Global Offering Executive Ricoh Production Print Solutions May 23, 2012 Cloud Services Agenda Definitions Types of Clouds The Role of Virtualization Cloud Architecture
The HIPAA Security Rule: Cloudy Skies Ahead? Presented and Prepared by John Kivus and Emily Moseley Wood Jackson PLLC HIPAA and the Cloud In the past several years, the cloud has become an increasingly
HIPAA BUSINESS ASSOCIATE AGREEMENT THIS HIPAA BUSINESS ASSOCIATE AGREEMENT ( BAA ) is entered into effective the day of, 20 ( Effective Date ), by and between the Regents of the University of Michigan,
Copyright Marchany 2010 Cloud Computing Security Issues Randy Marchany, VA Tech IT Security, firstname.lastname@example.org Something Old, Something New New: Cloud describes the use of a collection of services, applications,
IT Cloud / Data Security Vendor Risk Management Associated with Data Security September 9, 2014 Speakers Brian Thomas, CISA, CISSP In charge of Weaver s IT Advisory Services, broad focus on IT risk, security
Business Associate Agreement (BAA) Guidance Introduction The purpose of this document is to provide guidance for creating or updating business associate agreements between your Practice ( Covered Entity
HIPAA and HITECH Compliance Simplification Sol Cates CSO @solcates email@example.com Quick Agenda Why comply? What does Compliance look like? New Cares vs Rental Cars vs Custom Cars Vormetric Q&A Slide
Carl F. Allen, CISM, CRISC, MBA Director, Information Systems Security Intermountain Healthcare Regulatory Compliance External Audit Legal and ediscovery Information Security Architecture Models Access
1 HIPAA: Understanding The Omnibus Rule and Keeping Your Business Compliant Introduction U.S. healthcare laws intended to protect patient information (Protected Health Information or PHI) and the myriad
Legal Issues in the Cloud: A Case Study Jason Epstein Outline Overview of Cloud Computing Service Models (SaaS, PaaS, IaaS) Deployment Models (Private, Community, Public, Hybrid) Adoption Different types
HIPAA BUSINESS ASSOCIATE ADDENDUM (Privacy & Security) I. Definitions A. Business Associate. Business Associate shall have the meaning given to such term under the Privacy and Security Rules, including,
HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT (HIPAA) BUSINESS ASSOCIATE AGREEMENT This HIPAA Business Associate Agreement ( BAA ) is by and between the National Association of Boards of Pharmacy
SCADA Cloud Computing Information on Cloud Computing with SCADA systems Version: 1.0 Erik Daalder, Business Development Manager Yokogawa Electric Corporation Global SCADA Center T: +31 88 4641 360 E: firstname.lastname@example.org
BUSINESS ASSOCIATE AGREEMENT This Agreement is executed this 8 th day of February, 2013, by BETA Healthcare Group. Recitals BETA Healthcare Group consists of BETA Risk Management Authority (BETARMA) and
COVERMYMEDS BUSINESS ASSOCIATE AGREEMENT THIS BUSINESS ASSOCIATE AGREEMENT (the Agreement ) is entered into between Covered Entity and CoverMyMeds LLC, a Delaware limited liability company ( Business Associate
HIPAA Security S E R I E S Security Topics 1. Security 101 for Covered Entities 2. Security Standards - Administrative Safeguards 3. Security Standards - Physical Safeguards 4. Security Standards - Technical
Strategic Compliance & Securing the Cloud Annalea Sharack-Ilg, CISSP, AMBCI Technical Director of Information Security Complexity and Challenges 2 Complexity and Challenges Compliance Regulatory entities
Court Reporters and HIPAA OCRA Spring Convention ~ 2014 Phyllis Craver Lykken, RPR, CLR, CCR 2463 1 What Exactly is HIPAA? HIPAA is an acronym for the Health Insurance Portability and Accountability Act
Medical Privacy Version 2015.12.10 - Standard Business Associate Agreement This Business Associate Agreement (the Agreement ) shall apply to the extent that the Lux Scientiae HIPAA Customer signee is a
International In-house Counsel Journal Vol. 6, No. 23, Spring 2013, 1 Cloud Computing: Contracting and Compliance Issues for In-House Counsel SHAHAB AHMED Director Legal and Corporate Affairs, Microsoft,
Using SIEM for Compliance Adrian Lane Security Strategist Securosis.com Overview SIM/SEM Introduction Compliance Initiatives Implementation Examples Tips Other Considerations Evolution of Terminology SIM
PCI Compliance and the Cloud: What You Can and What You Can t Outsource Presented By: Peter Spier Managing Director PCI and Risk Assurance Fortrex Technologies Agenda Instructor Biography Background On
HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT (HIPAA) TERMS AND CONDITIONS FOR BUSINESS ASSOCIATES I. Overview / Definitions The Health Insurance Portability and Accountability Act is a federal law
Special Publication 800-145 (Draft) The NIST Definition of Cloud Computing (Draft) Recommendations of the National Institute of Standards and Technology Peter Mell Timothy Grance NIST Special Publication
SAMPLE BUSINESS ASSOCIATE AGREEMENT This is a draft business associate agreement based on the template provided by HHS. It is not intended to be used as is and you should only use the agreement after you
HIPAA BUSINESS ASSOCIATE AGREEMENT THIS HIPAA BUSINESS ASSOCIATE AGREEMENT ("Agreement") is made and is effective as of the date of electronic signature("effective Date") between Name of Organization ("Covered
Cloud Computing Flying High (or not) Ben Roper IT Director City of College Station What is Cloud Computing? http://www.agent-x.com.au/ Wikipedia - the use of computing resources (hardware and software)
BUSINESS ASSOCIATE AGREEMENT This BUSINESS ASSOCIATE AGREEMENT ( BAA ) is entered into as of ( Effective Date ) by and between ( Covered Entity ) and American Academy of Sleep Medicine ( Business Associate
Why HIPAA Compliance Should Scare You and What You Should Ask Your Business Phone Service Provider NOW By Mike McAlpen, 8x8 Executive Director of Privacy, Security and Compliance The Champion For Business
Incident Handling in the Cloud and Audit s Role David Cole, CPA, CISA ISACA National Capital Area Chapter Cloud Computing Conference March 17, 2015 1 Outline Cloud Service Models Cloud Types Summary of
What Is It? The Payment Card Industry Data Security Standard (PCIDSS), in particular v3.0, aims to reduce credit card fraud by minimizing the risks associated with the transmission, processing, and storage
Secure Cloud Computing through IT Auditing 75 Navita Agarwal Department of CSIT Moradabad Institute of Technology, Moradabad, U.P., INDIA Email: email@example.com ABSTRACT In this paper we discuss the
Cloud Computing and the Regulatory Compliance Labyrinth About ERM About The Speaker Nick Shuman Information Security Consultant Bachelor of Science in Computer Science and Psychology - University of Miami
What Virginia s Free Clinics Need to Know About HIPAA and HITECH This document is one in a series of tools and white papers produced by the Virginia Health Care Foundation to help Virginia s free clinics
SMS Systems Management Specialists Cloud Computing Grupo SMS www.grupo-sms.com 949.223.9240 option 3 for sales Cloud Computing The SMS Model: Cloud computing is a model for enabling ubiquitous, convenient,
Secure Cloud Computing Concepts Supporting Big Data in Healthcare Ryan D. Pehrson Director, Solutions & Architecture Integrated Data Storage, LLC Learning Objectives After this session, the learner should
Cloud Computing Policy Effective Date: July 28, 2015 1.0 INTRODUCTION Cloud computing services are application and infrastructure resources that users access via the Internet. These services, contractually
Datto Compliance 101 1 Overview Overview This document provides a general overview of the Health Insurance Portability and Accounting Act (HIPAA) compliance requirements for Managed Service Providers (MSPs)
Auditing IT Contracts From Afar Ensuring Compliance Michael Carr, JD, CISSP, CIPP Director, Enterprise IT Architecture & Chief Information Security Officer University of Kentucky June 2015 Disclaimer The
BUSINESS ASSOCIATE AGREEMENT This Agreement ( Agreement ) is made and entered into this day of [Month], [Year] by and between [Business Name] ( Covered Entity ), [Type of Entity], whose business address
BUSINESS ASSOCIATE AGREEMENT This Business Associate Agreement is made as of the day of, 2010, by and between Methodist Lebonheur Healthcare, on behalf of itself and all of its affiliates ( Covered Entity
BUSINESS ASSOCIATE AGREEMENT This Business Associate Agreement (this Agreement ) is made effective as of ( Effective Date ) by and between Sentara Health Plans, Inc. ( Covered Entity ) and ( Business Associate
TecTakes Value Insight How to Turn the Promise of the Cloud into an Operational Reality By David Talbott The Lure of the Cloud In recent years, there has been a great deal of discussion about cloud computing
UNIVERSITY PHYSICIANS OF BROOKLYN HIPAA BUSINESS ASSOCIATE AGREEMENT CONTRACT NO(S): THIS AGREEMENT is made by and between UNIVERSITY PHYSICIANS OF BROOKLYN, INC., located at 450 Clarkson Ave., Brooklyn,
GAIN CLARITY CRITICAL ISSUES Your Data in the Cloud : Benefits & Risks berrydunn.com AGENDA Defining Cloud Services Benefits and Risks Core Requirements Myths about Clouds Is Your Data in the Cloud Secure?
DRAFT BUSINESS ASSOCIATES AGREEMENT THIS AGREEMENT is made this day of, 20, by and among, a Corporation organized under the laws of the State of (hereinafter known as "Covered Entity") and organized under
Cloud Computing; What is it, How long has it been here, and Where is it going? David Losacco, CPA, CIA, CISA Principal January 10, 2013 Agenda The Cloud WHAT IS THE CLOUD? How long has it been here? Where
Compliance and the Cloud: What You Can and What You Can t Outsource Presented By: Kate Donofrio Security Assessor Fortrex Technologies Instructor Biography Background On Fortrex What s In A Cloud? Pick
WHITE PAPER Cloud Basics Strategies for Secure Cloud Computing An Introduction to Exploring the Cloud There is a lot of buzz these days about cloud computing and how it s going to revolutionize the way
HIPAA/HITECH PRIVACY & SECURITY CHECKLIST SELF ASSESSMENT INSTRUCTIONS Thank you for taking the time to fill out the privacy & security checklist. Once completed, this checklist will help us get a better
DRAFT - Policies and Procedures PRIVACY OFFICE ASSIGNMENT AND RESPONSIBILITIES APPROVED BY: SUPERCEDES POLICY: Policy #1 ADOPTED: REVISED: REVIEWED: Purpose This policy is designed to assure the establishment
Cloud Assurance: Ensuring Security and Compliance for your IT Environment A large global enterprise has to deal with all sorts of potential threats: advanced persistent threats (APTs), phishing, malware
Cloud Computing demystified! ISACA-IIA Joint Meeting Dec 9, 2014 By: Juman Doleh-Alomary Office of Internal Audit firstname.lastname@example.org 2 If cloud computing is so simple, then what s the big deal? What is the
EAaaS Cloud Security Best Practices A Technical White Paper by Sennovate Inc Jan 2013 EAaaS Cloud Security Best Practices Page 1 Introduction: Cloud security is an ever evolving subject that is difficult
Model Business Associate Agreement Instructions: The Texas Health Services Authority (THSA) has developed a model BAA for use between providers (Covered Entities) and HIEs (Business Associates). The model
A Guide to Cloud Services for production workloads Intro Workload Requirements Matter Intro With the benefits of the cloud supported by both research and case studies, a growing number of cloud service
HITRUST CSF Assurance Program You Need a HITRUST CSF Assessment Now What? Introduction This material is designed to answer some of the commonly asked questions by business associates and other organizations
HIPAA COMPLIANCE AND DATA PROTECTION email@example.com +39 030 201.08.25 Page 1 CONTENTS Introduction..... 3 The HIPAA Security Rule... 4 The HIPAA Omnibus Rule... 6 HIPAA Compliance and EagleHeaps
VMware vcloud Architecture Toolkit Version 2.0.1 October 2011 This product is protected by U.S. and international copyright and intellectual property laws. This product is covered by one or more patents
BUSINESS ASSOCIATE AGREEMENT 1. DEFINITIONS: 1.1 Undefined Terms: Terms used, but not otherwise defined, in this Agreement shall have the same meaning as those terms defined by the Health Insurance Portability
Applicability: Policy Title: Policy Number: Use & Disclosure of Protected Health Information by Business Associates PP-12 Superseded Policy(ies) or Entity Policy: N/A Date Established: January 31, 2003
HIPAA Compliance and Non-Business Associate Vendors: Strategies and Best Practices July 14, 2015 William J. Roberts, Esq. Shipman & Goodwin LLP 2015. All rights reserved. HARTFORD STAMFORD GREENWICH WASHINGTON,
PCI Compliance - A Realistic Approach Harshul Joshi, CISM, CISA, CISSP Director, Information Technology CBIZ MHM firstname.lastname@example.org What What is PCI A global forum launched in September 2006 for ongoing enhancement
Cloud Computing: What needs to Be Validated and Qualified Ivan Soto Learning Objectives At the end of this session we will have covered: Technical Overview of the Cloud Risk Factors Cloud Security & Data
AHLA JJ. Keeping Your Cloud Services Provider from Raining on Your Parade Jean Hess Manager HORNE LLP Ridgeland, MS Melissa Markey Hall Render Killian Heath & Lyman PC Troy, MI Physicians and Hospitals
Top 10 Tips and Tools for Meeting Regulatory Requirements and Managing Cloud Computing Providers in the United States and Around the World Web Hull Privacy, Data Protection, & Compliance Advisor Society
HIPAA BUSINESS ASSOCIATE AGREEMENT This HIPAA Business Associate Agreement ("BA AGREEMENT") supplements and is made a part of any and all agreements entered into by and between The Regents of the University
DHHS POLICIES AND PROCEDURES Section VIII: Privacy and Security Revision History: 8/21/13; 5/1/05 Original Effective Date: 4/14/03 Purpose To ensure that all individuals or organizations that perform specific
BUSINESS ASSOCIATE AND DATA USE AGREEMENT NAME OF COVERED ENTITY: COVERED ENTITY FEIN/TAX ID: COVERED ENTITY ADDRESS:, City State Zip This Business Associate and Data Use Agreement ( Agreement ) is effective
BUSINESS ASSOCIATE PRIVACY AND SECURITY ADDENDUM This Business Associate Addendum ( Addendum ), effective, 20 ( Effective Date ), is entered into by and between University of Southern California, ( University
Guidance consultation 15/6 Proposed guidance for firms outsourcing to the cloud and other third-party IT services November 2015 1. Introduction and consultation 1.1 The purpose of this draft guidance is
Section 4.3 Implement Business Associate and Other Agreements This tool identifies the types of agreements that may be necessary for a community-based care coordination (CCC) program to have in place in
CPNI VIEWPOINT 01/2010 CLOUD COMPUTING MARCH 2010 Acknowledgements This viewpoint is based upon a research document compiled on behalf of CPNI by Deloitte. The findings presented here have been subjected
WHITE PAPER The HIPAA Omnibus Final Rule Four risk exposure events that can uncover compliance issues leading to investigations, potential fines, and damage to your organization s reputation. By Virginia
Ensuring HIPAA Compliance with eztechdirect Online Backup and Archiving Services Introduction Patient privacy continues to be a chief topic of concern as technology continues to evolve. Now that the majority
Current Options for EHR Implementation: Cloud or No Cloud? Regina Sharrow Isaac Willett April 5, 2011 Introduction Health Information Technology for Economic and Clinical Health Act ( HITECH (HITECH Act
SaaS Business Associate Agreement This Business Associate Agreement ( BA Agreement ) becomes effective pursuant to the terms of Section 5 of the End User Service Agreement ( EUSA ) between Customer ( Covered
Bridging The Gap Between Healthcare & Hipaa Compliant Cloud Technology and outsource computing resources to external entities, would provide substantial relief to healthcare service providers. Data stored