Review of Cloud Risks: What if

Transcription

1 Review of Cloud Risks: What if Availability of Data Ownership of Data Security of Information Privacy Controls there is no way to prevent Twitter from sharing your data (like when & where you tweeted from) with another 3 rd party? Contractual Obligations Jurisdictional Issues Export Controls Support

2 Review of Cloud Risks: What if Availability of Data Ownership of Data Security of Information Privacy Controls you have a problem with your free Facebook or Yahoo! account? Who do you call for help? Contractual Obligations Jurisdictional Issues Export Controls Support

3 Review of Cloud Risks: What if Availability of Data Ownership of Data Security of Information Privacy Controls the service is unwittingly exporting certain regulated information without a license where one may be required? Contractual Obligations Jurisdictional Issues Export Controls Support

4 Review of Cloud Risks: What if Availability of Data Ownership of Data Security of Information Privacy Controls the Facebook terms and conditions change? Who owns your profile data today? What about tomorrow? Contractual Obligations Jurisdictional Issues Export Controls Support

5 Review of Cloud Risks: What if Availability of Data Ownership of Data Security of Information Privacy Controls Amazon is keeping your data and virtual systems in their Chinese datacenter and not in the US? Contractual Obligations Jurisdictional Issues Export Controls Support

6 Review of Cloud Risks: What if Availability of Data Ownership of Data Security of Information Privacy Controls Gmail went of business. Could you get your data back? Contractual Obligations Jurisdictional Issues Export Controls Support

7 Review of Cloud Risks: What if Availability of Data Ownership of Data Security of Information Privacy Controls Box.com doesn t meet the Data Management Plan requirements from NSF? Can you get the necessary language in a contract? Contractual Obligations Jurisdictional Issues Export Controls Support

8 Review of Cloud Risks: What if Availability of Data Ownership of Data Security of Information Privacy Controls Dropbox is hacked? Are you confident they have sufficient safeguards to protect your files and folders? Contractual Obligations Jurisdictional Issues Export Controls Support

9 Security & Privacy of Cloud Services Top issues: Your undisputed ownership of the data A vendors ability to protect your data from disclosure, destruction or alteration Vendors that are in close contact with the cloud service provider may come in contact with data. Their ability to maintain availability of your data. Compliance with law, regulations and policy Ideally, your ability to control access and restrictions to your data granularly (not just off/on).

10 Security & Privacy of Cloud Services Top issues (cont.): Understanding your risks depending on the cloud service model (i.e., IaaS, PaaS, SaaS) and cloud deployment model (i.e., public, community, private, hybrid) used Your ability to audit or verify cloud provider s controls related to security, availability, processing integrity, confidentiality and/or privacy Several standards or best practices are available for cloud providers to report on

11 Some real world examples

12 Some real world examples

13 Some real world examples

14 Challenges People s ability to self service (bypassing IT, Privacy, etc.) Urgency + autonomy = bad agreements Lack of awareness of cloud vendor risks Lack of awareness about their own data Regulations can be complex, difficult to understand or comply with, and changing

15 Penn s Response to these Risks & 1. Raise awareness Challenges 2. Provide readily available alternatives (local or vetted solutions) 3. Provide tools to help you evaluate the sensitivity of your data and the vendor s security and privacy posture

16 Recap You re looking for a Service or Application Consider Penn-built or -hosted solutions Conduct review process: 1. Data Sensitivity 2. Security 3. Contract language If needs not met If needs not met Look to portfolio of trusted external vendors Review ISC Cloud Website

17 What is a Business Associate? A Business Associate (BA) is a: Person or organization (vendor) that is not a member of the Penn Medicine workforce AND Performs certain functions or activities on behalf of a Penn Covered Entity that involve the use and disclosure of Protected Health Information (PHI) Protected Health Information is health information created or maintained by a covered entity or employer that identifies or can be used to identify a specific individual that: Relates to individual s health, health care or payment for care - past, present or future Can be in any medium written, spoken, faxed, electronic

18 Business Associates Omnibus Rule Changes BAs must comply with the technical, administrative, and physical safeguard requirements under the Security Rule; directly liable for violations BAs must comply with the use or disclosure limitations expressed in BA contract and those in the Privacy Rule; directly liable for violations BA definition expressly includes Health Information Organizations, E-prescribing Gateways, and PHR vendors that provide services to covered entities Cloud Providers and Document Retention and Storage Vendors are also included Subcontractors of BA are now defined as BAs BA liability flows to all subcontractors

19 Business Associate Implementation Requirements Penn as a Covered Entity Updated BA Language is Available for use Use for new BA relationships Use for agreements that will be amended or renewed before September 23, 2013 Historical BAA s must be updated by September 23, 2014 Identify vendors that fit expanded definition of BA Execute BA language where applicable Penn as a BA Internally assess: Subcontractor Relationships Faculty Engagement as BA via research activity or service relationships If engaged as a BA, be prepared to see language from the CE regarding: Audits of existing Privacy/Security Program Requirements related to Sub-contractors Unique Provisions (e.g. segregation of PHI, prohibition of off shoring, etc.) Indemnification Ensure that ALL BA Language is reviewed and vetted by the appropriate parties! (i.e. IT Security, OGC, ORS, OACP, etc.)