EHR IN THE CLOUD - FINDING A BALANCE

Size: px

Start display at page:

Download "EHR IN THE CLOUD - FINDING A BALANCE"

Bernard Dixon
8 years ago
Views:

1 1 05/12/2013 EHR IN THE CLOUD - FINDING A BALANCE Michael De Geest Central information security consultant vzw Provincialaat der Broeders van Liefde

2 2 EHR in the Cloud - introduction Find a clever way to deal with risks: - search for a methodology to handle risks - find a syntax to identify the risks -> risks have to be easy-tounderstand by the policy - pursue a scenario based risk analysis -> say what s going wrong Topics in this presentation: Insecure connections / Third party and data / Various providers / Reporting and data access / awareness of safety levels

pursue a scenario based risk analysis -> say what s going wrong Topics in this presentation: Insecure

3 3 EHR in the Cloud - insecure connections Situation: hosting of EHR in the Cloud provided by foreign hosting provider Juridical: strictly speaking, the EHR may not reside outside the walls of hospitals (this is an outdated legislation) Weakness: insufficient elaborated back-to-back SLAs between telecom providers Risk: failure of international connections due to conflicts between telecom providers

hospitals (this is an outdated legislation) Weakness: insufficient elaborated back-to-back SLAs

4 4 EHR in the Cloud - insecure connections Measures: 24/7 availability of network team of the hosting provider -> only this measure is not enough -> need for better measures

5 5 EHR in the Cloud - third party and data Situation: hosting van EHR in Cloud is provided by a hosting provider, that provides basic services such as data backup. Weakness: medical data is stored by the third party. The hospital has no control over the existing security measures. Risk: third party has unauthorized access to medical data from the hospital

Weakness: medical data is stored by the third party.

6 6 EHR in the Cloud - third party and data Measures: - Creation of back-to-back SLAs between hospital and hosting provider - Responsibility of hospital: compliance with the back-to-back SLAs - Ability to obtain an audit of the third party

provider - Responsibility of hospital: compliance with the

7 7 EHR in the Cloud - various providers Situation: the hosting of the EHR in the cloud is provided by a hosting provider. The actual EHR software that runs on this hosting is provided by the so called software provider (= another third party) Weakness: the software provider can claim a certificate that actually belongs to the hosting provider Risk: mistaken SLA between hospital and software provider, due to a wrong certificate claim Measures: vigilance and awareness of claiming certificates by software vendors

Weakness: the software provider can claim a certificate that actually belongs to the hosting provider Risk: mistaken SLA between

8 8 EHR in the Cloud - reporting and data access Situation: each hospital needs hospital-specific reports. Additionally, there is a need for direct read and write operations on the database. Weakness: - connectors that can provide read and write operations may have access to restricted data - Insufficient separation between customer data, both at the level of user access as at the level of direct SQL access to data in the database

Weakness: - connectors that can provide read and write operations may have access to restricted data -

9 9 EHR in the Cloud - reporting and data access Risks: - correct data is retrieved/edited from the wrong hospital - wrong data is retrieved/edited from the correct hospital Measures: - an independent audit is required - ask the software provider to offer better data connections. This can lead to a loss of flexibility, which in turn is a new risk. You have to make your management aware of this risk. - Foresee infrastructure to run reports against local copies of databases

software provider to offer better data connections.

10 10 EHR in the Cloud - awareness of safety levels Both the EHR and hosting provider are unaware what security measures they have to take in order to be compliant with the current guidelines (ISO guidelines and privacy commission). Current situation: - no clarity about any shortcomings - security levels of the provider and the hospital are difficult to compare - not clear under which conditions a hosting provider can obtain data access

11 11 EHR in the Cloud - awareness of safety levels What should be done: - Hosting and software provider should mutually agree on their SLAs in order to affirm the security levels of each other - the technical architecture should be clarified - The expected level of the hospital and the offered levels of the providers have to be aligned on each other. In this regard the discussions must take place in an honest way (and in advance). - Statement of Applicability = a copy of the ISO 2700X measures + adjustments to the needs, by inspecting the additional standards and the new European privacy law

levels of the providers have to be aligned on each other. In this regard the discussions must take place in an honest way (and in advance).

12 12 Questions?

HIPAA CRITICAL AREAS TECHNICAL SECURITY FOCUS FOR CLOUD DEPLOYMENT

HIPAA CRITICAL AREAS TECHNICAL SECURITY FOCUS FOR CLOUD DEPLOYMENT A Review List This paper was put together with Security in mind, ISO, and HIPAA, for guidance as you move into a cloud deployment Dr.