1 PHI and the Cloud: Caveat Emptor Kurt Hagerman Chief Information Security Officer HITRUST April, 2014
2 Cloud Peace of Mind What did you consider when looking to leverage the cloud for PHI? Security Availability Performance How Service / Agility it impacts my HIPAA compliance
3 Did you find it? (If not it s understandable given the messaging you re seeing)
4 Here s What They re Saying
5 Here s More of What They re Saying
6 Are you confused, frustrated (I know I am)? I think you ll agree that these are pretty outrageous statements being made They sound good but remind me of the old Wendy s commercial where Clara shouts out Where s the beef? What do they actually mean to you, the cloud consumer? Question for the audience: How easy is/was it for you to get past the hype and figure out what they are actually going to do for you?
7 Trivializing HIPAA Compliance There is no Easy Button Vendors over simplify the requirements to sell their services as a silver bullet snake oil anyone? HIPAA is risk based for a reason
8 It s Not What They Say It s What They DO Do you know what your vendor is really doing for you? Do they provide information on the specific security controls that are included with their service? Have they mapped their services and security controls to the HIPAA/HITECH requirements? Does your vendor use third parties to provide services to you? Have they (and their third parties) been independently assessed? Do you know who to call when something goes wrong? What about the privacy and breach rule? How do I manage a compliance program with multiple vendors all providing my cloud services?
9 Be A Smarter Cloud Consumer You need to deal with vendors who will be transparent about how what they do directly assists you in mitigating risk and addressing your compliance requirements. Your vendor should. Provide a clear concise explanation of the specific security controls they include and how these assist you Be able to articulate the boundaries between their responsibility and yours Provide you with documentation that backs up any assertions they make about being HIPAA Compliant including independent audit reports that clearly state the scope of the assessment, the controls framework used and especially how this compliance can be leveraged by YOU
10 Be A Smarter Cloud Consumer What about Business Associate Agreements? Many vendors say they are business associate friendly and that they will sign a BAA. Does their BAA include language that clearly states what services they are providing? Do they suggest this language when reviewing yours? Your vendor should. Demonstrate that they understand the requirements that they are subject to Engage in a meaningful conversation around the division of responsibilities and suggest/include this in your BAA
11 So Far We ve Talked About Security and Compliance You have Business Critical applications that need to provide access to data NOW to ensure the quality of patient care So What About Performance and Availability?
12 Performance and Availability The nature of healthcare information requires that it be available without delay when it s needed Lots of focus on IOPS but that's not the whole story Latency between the application and storage is a better measure Not all storage is created equal Fast is great but what about security of your data? Availability of PHI is a core requirement of HIPAA How do you ensure resiliency and redundancy? Not all storage is by default highly available
13 Performance and Availability (What to ask your vendor) What type of storage do they provide? Are there multiple tiers / options? SSD is becoming more popular but your mileage may vary find out who their vendor is and research them Don t just take IOPS numbers / guarantees ask about latency How is it connected / presented to your server? How do they ensure segmentation between customers? What is their data destruction process? Do they provide high availability by default or is this extra (if it s even available)? If so, how? Ask for a POC environment so you can test your applications and judge for your self
14 Using the Cloud for PHI is Possible Caveat Emptor be a smart cloud consumer Find vendors who... Provide detailed information about their security and how it matters to you Provide meaningful documentation backing up their claims around HIPAA compliance Will engage in serious conversation about how what they do will make your compliance process easier Will address your performance requirements and are willing to let you try before you buy
15 HIMSS Lunch and Learn: Security PHI Q&A Questions?
16 HIMSS Lunch and Learn: Security PHI WRAP UP Thank You Kurt Hagerman Chief Information Security Officer Phone: x8073
Hybrid: The Next Generation Cloud Interviews Among CIOs of the Fortune 1000 and Inc. 5000 IT Solutions Survey Wakefield Research 2 EXECUTIVE SUMMARY: Hybrid The Next Generation Cloud M ost Chief Information
5 Things to Look for in a Cloud Provider When it Comes to Security In This Paper Internal technology services that lack resources, rigor or efficiencies are prime candidates for the cloud Understand the
CLOUD IN MOTION QUESTIONS EVERY LIFE SCIENCES COMPANY SHOULD ASK BEFORE MOVING TO THE CLOUD. FRANK JACQUETTE, JACQUETTE CONSULTING, INC. S EVERY LIFE SCIENCES COMPANY SHOULD ASK BEFORE MOVING TO THE CLOUD.
Frequently Asked Questions about Cloud and Online Backup With more companies realizing the importance of protecting their mission-critical data, we know that businesses are also evaluating the resiliency
Cloud Computing A Small Business Guide. Whilst more and more small businesses are adopting Cloud Computing services, it is fair to say that most small businesses are still unsure of what Cloud Computing
A REPORT BY HARVARD BUSINESS REVIEW ANALYTIC SERVICES Meeting the Cyber Risk Challenge Sponsored by ABOUT ZURICH INSURANCE GROUP Zurich Insurance Group (Zurich) is a leading multi-line insurance provider
SESSION ID: GRC-R03 Surviving SOC2 The Why and How for Cloud Service Providers Shaun Gordon VP & CISO New Relic, Inc. firstname.lastname@example.org What we ll talk about What is a SOC2 Why you should consider one
Changes to special educational needs and disability support Easy read guide for children and young people Who is this guide for? This guide will be useful if you: are a child or a young person have a learning
1 I m Ken Hartman, the Security Architect for OneNeck IT Solutions. OneNeck is the growth services arm of TDS, providing Colocation, Cloud, Managed Services. We are also a Value Added Reseller. By education,
Consumer Report The 6 Critical Questions to Ask BEFORE Hiring a Personal Injury Attorney Provided by: Heiting & Irwin Attorneys At Law 5885 Brockton Avenue Riverside, CA 92506 (951) 682-6400 http://heitingandirwin.com
Why HIPAA Compliance Should Scare You and What You Should Ask Your Business Phone Service Provider NOW By Mike McAlpen, 8x8 Executive Director of Privacy, Security and Compliance The Champion For Business
Tuesday, May 28, 2013 Survey and Thought Leadership: SIP Trunking is what everyone is talking about but if we can t get the basics right will the talk be for all the wrong reasons? Editorial and Research
Email Best Practices A WORD TO THE WISE WHITE PAPER BY LAURA ATKINS, CO- FOUNDER 2 Introduction Discussions of best practices for email marketing can be a confusing array of one- size- fits- all suggestions
Advanced Persistent Threats and Real-Time Threat Management The Essentials Series Beyond the Hype: Advanced Persistent Threats sponsored by Dan Sullivan Introduction to Realtime Publishers by Don Jones,
Cold Calling in the 21 st Century: The New Rules By Wendy Weiss, The Queen of Cold Calling Is Cold Calling Dead? That s what you hear. No one likes making cold calls. No one likes receiving cold calls.
Future-proofing your identity management system beyond technology Abstract John Jones December 2011 Many IAM systems fail too early or worse, simply never reach their potential; their lifespans are much
Ask Questions Questions You Should Ask About Your Investments Information is an investor s best tool ASK QUESTIONS 1 2 ASK QUESTIONS Ask Questions That s the best advice we can give you about how to invest
VoIP 101: An introduction to the basics of Voice over Internet Protocol How to guide Introduction You may have heard of VoIP that it s the future of telephone service, and that you can save a lot of money
GET MORE DONE WITH THE RIGHT INTERNET CONNECTION. So, lunch? Let me just download this file. I ll be super quick. Our internet options are: BT Business Broadband BT Business Infinity CHOOSING THE RIGHT
Consumer Report The 5 Critical Questions to Ask BEFORE Hiring a Personal Injury Attorney Provided by: Martinson & Beason, P.C. 115 Northside Square Huntsville, AL 35801 (256) 533-1667 http://www.martinsonandbeason.com/
Selecting a Voice Solution Hosted VoIP vs. PBX VoIP Contents Introduction The Traditional Solution Why VoIP? The Primary Tradeoffs Today Hosted VoIP Today s PBX Latest Features of VoIP Managing Costs What
Using a lawyer as you get older: Ten top tips www.legalombudsman.org.uk The information in this leaflet is useful for anyone who is considering using a lawyer but it may be particularly useful for people
Due Diligence April 2014 Edited by Charles Wallace As the M&A market continues to heat up, sellers are gaining a clear advantage. With larger pools of buyers now frequently vying for the same attractive