1 Privacy and Security Policies for Healthcare Solutions on the Cloud Karuna P Joshi, PhD University of Maryland, Baltimore County
2 Introduction Increasing adoption of technologies such as Electronic Health Records (EHR) to capture clinical data Mandate by Health Information Technology for Economic and Clinical Health (HITECH 09) act Variety of Medical records data can be aggregated and analyzed to personalize delivery of healthcare Huge growth in Medical/healthcare data in coming decade Cloud-based solutions are being adopted. Focus of this talk on Cloud security, privacy policies for Healthcare/Personalized Medicine.
3 Medical Records Data Provider maintain Electronic Medical Records (EMRs) Electronic records sharing between different EMR systems are called Electronic Health Records (EHRs). Interoperation and sharing among different EMRs poor. Cost and poor usability obstacles to adoption of EHR. Personal Health Record (PHR): health record that is initiated and maintained by an individual. Includes summary of EMR and EHR EHR PHR EMR
4 Current Medical Technology Picture archiving and communication system (PACS) The universal format for PACS image storage and transfer is DICOM (Digital Imaging and Communications in Medicine). PACS consists of : Imaging modalities such as X-ray, CT, MRI Secured network for the transmission of patient information Workstations for interpreting and reviewing images Archives for the storage and retrieval of images and reports PACS should interface with : Hospital information system (HIS) and Radiology Information System (RIS).
5 Health care IT services Per Certification Commission for Healthcare Information Technology (CCHIT), following electronic medical IT systems are being offered in the market Electronic Health Records (EHRs) Electronic Medical Records (EMRs) Personal Health Records (PHRs) Payer-based Health Records (PBHRs) Electronic Prescribing (E-prescribing) Medical Financial Billing/Administrative System Computerized Practitioner Order Entry (CPOE) Systems
6 Some Cloud Solutions EHR,EMR Sequencing and Genotyping Majority of them run on Amazon, Rackspace, Microsoft, etc. cloud providers.
7 Challenges with Large Medical Data Medical data at present is very large in volume running to the order of terabytes (10 12 bytes) With the increasing adoption of digitized patient records and physician s notes, it has the potential of reaching peta (10 15 ) or even exa (10 18 ) bytes of data that in itself will be difficult to manage and analyze. Data currently resides in separate silos, which prevents it from being correlated and analyzed. Few providers can afford the infrastructure, both hardware and software, needed to collect, clean, curate, and analyze this data.
8 Technical Solution: Cloud Computing Latest paradigm for delivering IT resources or applications Service/Applications are stored/run on cloud and accessed by consumers via the Internet using Computers or Mobile devices. Eukhost blog Cloud based Services can provide analytics driven personalized medicine services Available to practitioners at the point of care. X as a Service : data storage, computing power, platform E.g. cloud based PACS, CareCloud cloud based EHR, Cloud based Medical billing services
9 Advantage of Using Cloud Cloud services make data and computing capabilities portable, sharable, and accessible from any online device The objective of the HITECH Act. Significant cost savings and the option of avoiding capital investment for organizations. Elasticity: Can easily scale up or scale down their resources instantly and on-demand. Cloud services are OS-neutral, and usually easy to use. E.g. Click Care HIPAA compliant SaaS and iphone application.
10 Challenges in Using Cloud Data security / Patient Privacy (attack by Hackers) Data ownership Auditing Cloud provider Compliance and Legal issues. Issues of regulatory compliance. Provider reliability What happens if Provider goes out of business? E.g. in 2001,GE Healthcare bought health records provider Encounter EHR and eventually ended up shutting it downgiving records holders 30 days notice to reclaim their data or lose it. Not Mature, standards still developing
11 HealthCare Services on the Cloud HIS/RIS Medical imaging Real time sensors Collaborating medical teams Genome data Service Access POLICY Online Communities Healthcare Cloud Medical Billing service Cloud data Access POLICY PACS services Public data service EHR/EMR service
12 Policy driven Cloud services A semantically rich, policy-based framework can be used to automate the lifecycle of virtualized services. Proposed lifecycle by us at UMBC Identify the key policies that the Cloud service should comply with Hard constraints that have to be met - HIPAA compliant Soft constraints that can be negotiated - Cost, support Policies defined in Requirements phase Technical policies OS, Hardware, Applications, Database Data / Security Policies Privacy Policies Compliance policies
13 Healthcare Cloud Security Policy Control level over the operating systems, hardware, and software. User, resource, and data requests threshold policies Cloud provider is internal within an organizationcontrolled data center or hosted externally. Compliance requirement The Health Insurance Portability and Accountability Act (HIPAA),1996 FISMA
14 Healthcare Services Cloud Service Model Software as a Service (SaaS) Platform as a Service (PaaS) Infrastructure as a Service (IaaS). Cloud Deployment Public Hybrid Community Private.
15 Cloud Data Security Policy Checklist 1. Cloud Data Location policy 2. Data Deletion policy 3. Data Encryption strategy 4. Identity Management policy 5. Service Level Agreement (SLA) Monitoring 6. Incident response 7. Cloud Forensics 8. Cloud Data Audit
16 Cloud Security/Privacy Policies Data/Cloud Location US jurisdiction Europe jurisdiction Globally located Data Deletion Archived Secure wipe Data Encryption Encryption Key management
17 Cloud Identity Management Identity Management critical Authentication Mechanism ID/Password SmartCard (CatCard) PIN 1 time PIN/PW Data accessed via a mobile device / tablet requires more authentication Authorization Methods Limited Administrator Access Group Level Access Physicians, Residents, Nurses Need-to-know access Individual based
18 Continuous SLA monitoring Monitoring of SLA critical to ensure performance and ROI Companies want to be able to translate existing Outsourcing policies into Cloud We have developed an Ontology for machine-readable Cloud SLA Available on public domain -
19 Incident Response for Cloud Services * Cloud support SLAs should include Availability timeframe of services Contingency (Business Continuity) plans Timeframes for notification and recovery following an unplanned service disruption or a security incident Problem resolution and escalation procedures Scheduled maintenance times. * Some policies of a major financial organization, industry best practices
20 Cloud Data Privacy Policies Patient Data access across services, across consumers Virtual Machine Separation Controlled Multi-tenancy Disclosure Risk Assessment Existing Data Inferred Data wsj.com
21 Healthcare Ontologies Develop a standard ontology to describe/define EHR, PACS, DICOM standards Efforts being led by US National Library of Medicine Unified Medical Language System (UMLS) OpenClinical cancer research UK GALEN and GALEN-open project Gene Ontology Consortium molecular function, biological process, cellular component
22 Summary Increasing adoption of cloud based IT services for Personalized Medicine (mandated by HITECH 09) A policy-based integrated framework to control the execution of Cloud based Health care services Declarative, semantically rich approach that helps specify policies to control the service Automate the execution and consumption of such services at point of care, protect patient privacy, and ensure compliance with appropriate policies An automated cloud based service will ensure that the physician can focus on the patient s health, and not be concerned with the IT requirements.
Cloud Service Level Agreement Standardisation Guidelines Brussels 24/06/2014 1 Table of Contents Preamble... 4 1. Principles for the development of Service Level Agreement Standards for Cloud Computing...
Investigation of IT Auditing and Checklist Generation Approach to Assure a Secure Cloud Computing Framework Rajni Maheshwari M.Tech (Computer) College of Engineering, Bharati Vidyapeeth Deemed University
Data Protection Act 1998 Guidance on the use of cloud computing Contents Overview... 2 Introduction... 2 What is cloud computing?... 3 Definitions... 3 Deployment models... 4 Service models... 5 Layered
November 09 Benefits, risks and recommendations for information security ABOUT ENISA The European Network and Information Security Agency (ENISA) is an EU agency created to advance the functioning of the
Best Practices for Cloud-Based Information Governance Autonomy White Paper Index Introduction 1 Evaluating Cloud Deployment 1 Public versus Private Clouds 2 Better Management of Resources 2 Overall Cloud
Transferring Laboratory Data Into The Electronic Medical Record: Technological Options For Data Migration In The Laboratory Information System By: Mark Terry Editor: Robert L. Michel DARK Daily Laboratory
FEDERAL HEALTH IT STRATEGIC PLAN 2015 2020 Prepared by: The Office of the National Coordinator for Health Information Technology (ONC) Office of the Secretary, United States Department of Health and Human
WHITE PAPER Securing Your Cloud-Based Data Integration A Best Practices Checklist A Report on Secure Integration Techniques Targeted at the Information Technology Executive Prepared by Mercury Consulting,
1 October 2013 Cloud Security Whitepaper A Briefing on Cloud Security Challenges and Opportunities SINTEF ICT Software Engineering, Safety and Security Martin Gilje Jaatun, Per Håkon Meland, Karin Bernsmed
Summary of Responses to an Industry RFI Regarding a Role for CMS with Personal Health Records Table of Contents EXECUTIVE SUMMARY... 4 1. INTRODUCTON... 7 2. CMS ROLE WITH PHRs... 9 What PHR functionalities
Checklist to Assess Security in IT Contracts Federal Agencies that outsource or contract IT services or solutions must determine if security is adequate in existing and new contracts. Executive Summary
White Paper: Managed Network Services Trends for Today s Enterprise Organizations Released December 2010 Spacenet Inc 1750 Old Meadow Road McLean, VA 22102 www.spacenet.com 866-480-2263 1 Table of Contents
Convergence of Social, Mobile and Cloud: 7 Steps to Ensure Success June, 2013 Contents Executive Overview...4 Business Innovation & Transformation...5 Roadmap for Social, Mobile and Cloud Solutions...7
INTRODUCTION Legal practices are increasingly using cloud storage and software systems as an alternative to in-house data storage and IT programmes. The cloud has a number of advantages particularly flexibility
CHECKLIST FOR THE CLOUD ADOPTION IN THE HEALTHCARE PROVISIONING INDUSTRY CHECKLIST FOR THE CLOUD ADOPTION IN THE HEALTHCARE PROVISIONING INDUSTRY SHOULD MY HOSPITAL MOVE TO THE CLOUD? A synopsis of questions
Office of the National Coordinator for Health Information Technology (ONC) Federal Health Information Technology Strategic Plan 2011 2015 Table of Contents Introduction 3 Federal Health IT Vision and Mission
2013 HIPAA/HITECH AMENDMENTS: HOW THE CHANGES IMPACT THE ediscovery PROCESS Brian Brown Danny Tijerina RenewData, an LDiscovery Company Austin, TX Introduction Maintaining compliance with government regulations
Federal Server Core Configuration (FSCC) A high-level overview of the value and benefits of deploying a single, standard, enterprise-wide managed server environment A Microsoft U.S. Public Sector White
Seeing Though the Clouds A PM Primer on Cloud Computing and Security NIH Project Management Community Meeting Mark L Silverman Are You Smarter Than a 5 Year Old? 1 Cloud First Policy Cloud First When evaluating
Special Publication 800-146 DRAFT Cloud Computing Synopsis and Recommendations Recommendations of the National Institute of Standards and Technology Lee Badger Tim Grance Robert Patt-Corner Jeff Voas NIST
WHITEPAPER CLOUD Possible Use of Cloud Technologies in Public Administration Version 1.0.0 2012 Euritas THE BEST WAY TO PREDICT THE FUTURE IS TO CREATE IT. [Willy Brandt] 2 PUBLISHER'S IMPRINT Publisher:
Risk perception and risk management in cloud computing: Results from a case study of Swiss companies Nathalie Brender Haute Ecole de Gestion de Genève Campus de Battelle, Bâtiment F 7 route de Drize, 1227
The Critical Security Controls for Effective Cyber Defense Version 5.0 1 Introduction... 3 CSC 1: Inventory of Authorized and Unauthorized Devices... 8 CSC 2: Inventory of Authorized and Unauthorized Software...
IT service management and cloud computing AXELOS.com White Paper September 2014 Contents 1 Overview 3 2 What is ITIL? 3 3 What is cloud computing? 3 4 Why is cloud computing important? 4 5 Why is IT service
United States Department of Justice Federal Bureau of Investigation Information Technology Strategic Plan FY 2010 2015 CIO s Vision to deliver reliable and effective technology solutions needed to fulfill
GOVERNANCE STRATEGIES New Requirements for Security and Compliance Auditing in the Cloud Cloud computing poses new challenges for IT security, compliance, and audit professionals who must protect corporate
White Paper May 2006 Applying Electronic Records Management in the Document Management Environment: An Integrated Approach Written by: Bud Porter-Roth Porter-Roth Associates Table of Contents Introduction