Locking Down the Cloud for Healthcare. Kurt Hagerman Chief Information Security Officer


SECURITY TRENDS: Healthcare businesses are fighting REAL threats
- Threats are growing over time (chart: percent of breaches by threat actor, External / Internal / Partner, for 2008 through 2013; source: Data Breach Investigations Report, Verizon / US Secret Service)
- Healthcare represented 7+% of the breaches in 2012
- 52% of the breaches involved companies in the Information business

SECURITY TRENDS: Healthcare IT is Between a Rock and a Hard Place
The Rock = Relentless Security Threats to Healthcare IT
The top healthcare data breaches:
- State Department of Health: 780,000 records
- Healthcare Co.: 315,000 records
- State Dept. of Health and Human Services: 228,435 records
- Home Health Monitoring Co.: 116,506 records
- State Healthcare System, FL: 102,153 records
- University Hospital: 66,601 records
Security Pains Healthcare Faces
- Expanding digital connectivity of healthcare platforms
- BYOD: doctors want access to data on their own devices
- Internal security capabilities
- Threats growing exponentially

SECURITY TRENDS: Healthcare IT is Between a Rock and a Hard Place
The Hard Place = Demanding Compliance Requirements (partial list)
- HIPAA (Health Insurance Portability and Accountability Act)
- New PCI DSS 3.0 standards (Payment Card Industry Data Security Standard)
Healthcare Companies Face Compliance Pain
- HIPAA/HITECH is not prescriptive: how do I know what I need to do?
- Zero to little internal capabilities
- Mixed internal IT environments = complex compliance scope(s)
- HHS/OCR audit program is a reality: it's not if, it's when am I going to get the call?
Fines, some examples:
- Cignet Health Center: $4.3M, access violations and failure to cooperate
- Alaska Dept. of Health and Social Services: $1.7M, stolen USB drive
- Blue Cross Blue Shield of Tennessee: $1.5M, theft of 57 unencrypted drives
- Massachusetts Eye and Ear Infirmary: $1.5M, stolen laptop with 3,500 patient records
- Phoenix Cardiac Surgery P.C.: $100k, doctor's office posting patient appointments online

SECURITY TRENDS: Potential Solutions?
- HITRUST CSF makes sense of the vague nature of HIPAA and provides defined, actionable controls to protect ePHI, along with a third-party certification program
  - Implementation of the CSF
  - Independent validation against the CSF
- Look for specialized cloud hosting/service providers that:
  - Have staff that specialize in compliance, IT infrastructure and security management
  - Will limit compliance scope by consolidating key systems in a controlled environment
  - Reduce compliance burden by taking responsibility for controls
  - Reduce audit risk, cost and time

BEST APPROACH: The Secure Cloud is Not a Myth
What's the best approach?
- Build for security and compliance
- Follow security best practices vs. chasing compliance guidelines
- Use a common controls approach (HITRUST)
- Deploy multiple security countermeasures using a layered approach

WHERE TO START: Where do you start in securing a cloud?

SECURITY LAYERS: Start with Physical Security
- Locate the data center in an area at low risk of natural disasters
- No identifying signage
- 24x7 manned security, roving patrols
- Multi-factor authentication for entry
- Comprehensive CCTV coverage
- Log all entries, monitor systems, securely store logs and video

SECURITY LAYERS: Once you have a secure facility, what's next?

SECURITY LAYERS: Perimeter Security
- Public traffic
- Redundant routers with IP reputation filtering
- Redundant DoS/DDoS mitigation
- Redundant web application firewalls
- Intrusion detection

SECURITY LAYERS: Perimeter is secured, what's next?

SECURITY LAYERS: Host Security
- VMware hypervisor (hardened)
- Blade/SAN architecture
- High-availability architecture
- 20 Gbps network (public and private)
- Per-VM firewall policies
- Unlimited security zones
Diagram: load balancers (LB, LB) in front of a web server security zone (VMs), followed by application server and database server security zones (VMs), all backed by the SAN.
Secure SAN Storage
- Physically isolated secure storage area network
- Secure data deletion and destruction
- Complete data obfuscation
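The tiered security zones and per-VM firewall policies on this slide can be checked mechanically. The following is an added example, not FireHost's tooling: it models each VM's ingress allow rules (default deny), flags any rule that lets traffic skip a tier, and counts how many zone hops separate the public zone from the database. Zone names, VM names and ports are constructed.

```python
from collections import deque
from dataclasses import dataclass, field

# Permitted hops between the slide's zones, least to most trusted; each tier may
# talk only to the next one. Zone names and ports are constructed sample values.
PERMITTED = {
    ("public", "lb", 443),
    ("lb", "web", 8443),
    ("web", "app", 8080),
    ("app", "db", 5432),
}

@dataclass
class VM:
    name: str
    zone: str
    # Per-VM ingress allow rules as (source zone, port); anything else is denied.
    ingress: list = field(default_factory=list)

def audit(vms):
    """Return (vm, source zone, port) for every allow rule that skips a tier."""
    return [(vm.name, src, port)
            for vm in vms
            for src, port in vm.ingress
            if (src, vm.zone, port) not in PERMITTED]

def hops_to(vms, start, target):
    """Fewest zone hops from start to target over the configured allow rules
    (None if unreachable): how many layers separate the two zones."""
    edges = {}
    for vm in vms:
        for src, _ in vm.ingress:
            edges.setdefault(src, set()).add(vm.zone)
    seen, queue = {start}, deque([(start, 0)])
    while queue:
        zone, dist = queue.popleft()
        if zone == target:
            return dist
        for nxt in edges.get(zone, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, dist + 1))
    return None
# Constructed environment matching the slide's diagram.
GOOD = [VM("lb-1", "lb", [("public", 443)]),
        VM("web-1", "web", [("lb", 8443)]),
        VM("app-1", "app", [("web", 8080)]),
        VM("db-1", "db", [("app", 5432)])]
# Same layout after someone opened the database directly to the public zone.
BAD = GOOD[:-1] + [VM("db-1", "db", [("app", 5432), ("public", 5432)])]
```

In the intact layout four hops separate public traffic from the database; the single misconfigured rule collapses that to one, which is exactly what the audit reports.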

SECURITY LAYERS: What other security measures are important?

SECURITY LAYERS: Secure Administrative Access
Secure Customer Access
- Multi-factor authentication
- SSL VPN / L2L VPN secure access
- MPLS termination
Secure Administrative Access
- Physically isolated network
- Secure jump hosts
- Privileged access management
- Full session recording

SECURITY LAYERS: Additional Security Services
- File integrity monitoring
- Data leakage protection
- Malware protection
- Vulnerability management
- Log management
- Patch management
- Configuration management
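File integrity monitoring, the first service on this slide, reduces to a hashed baseline plus a periodic comparison. The block below is an added illustration, not FireHost's product: it baselines a directory tree with SHA-256, then reports files added, removed or modified. The files and their contents are constructed in a temporary directory so it runs offline.

```python
import hashlib
import os
import tempfile

def snapshot(root):
    """Map each regular file under root (path relative to root) to its SHA-256."""
    digests = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                digests[os.path.relpath(full, root)] = hashlib.sha256(fh.read()).hexdigest()
    return digests

def compare(baseline, current):
    """Report files added, removed or modified since the baseline was taken."""
    common = baseline.keys() & current.keys()
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
        "modified": sorted(p for p in common if baseline[p] != current[p]),
    }

def demo():
    """Constructed scenario: baseline a small tree, then change it in three ways."""
    with tempfile.TemporaryDirectory() as root:
        etc = os.path.join(root, "etc")
        os.makedirs(etc)
        with open(os.path.join(etc, "app.conf"), "w") as fh:
            fh.write("debug=false\n")
        with open(os.path.join(etc, "hosts"), "w") as fh:
            fh.write("127.0.0.1 localhost\n")
        baseline = snapshot(root)
        with open(os.path.join(etc, "app.conf"), "w") as fh:   # modified
            fh.write("debug=true\n")
        os.remove(os.path.join(etc, "hosts"))                   # removed
        with open(os.path.join(etc, "extra.conf"), "w") as fh:  # added
            fh.write("x=1\n")
        return compare(baseline, snapshot(root))
```

In practice the baseline is stored where the monitored host cannot rewrite it, and the comparison output feeds the log management service listed on the same slide.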

SECURITY TRENDS: How does it all come together?

SECURITY TRENDS: Summary diagram, outermost layer first
Perimeter
- Public traffic
- Redundant routers with IP reputation filtering
- Redundant DoS/DDoS mitigation
- Redundant web application firewalls
Secure Customer Access
- Multi-factor authentication
- SSL VPN / L2L VPN secure access
- MPLS termination
Detection and Protection Services
- Intrusion detection
- File integrity monitoring
- Data leakage protection
- Antimalware/antivirus
Isolated Customer Environment
- VMware hypervisor (hardened)
- Blade/SAN architecture
- High-availability architecture
- 20 Gbps network (public and private)
- Per-VM firewall policies
- Unlimited security zones
- Security zones: load balancers (LB, LB), web server VMs, application server VMs, database server VMs
- Vulnerability management, log management, patch management, configuration management
Secure Administrative Access
- Physically isolated network
- Secure jump hosts
- Privileged access management
- Full session recording
Secure SAN Storage
- Physically isolated secure storage area network
- Secure data deletion and destruction
- Complete data obfuscation

SECURITY LAYERS: Security concerns beyond infrastructure?

OTHER CONCERNS: Management Controls
- Personnel security (critical and often overlooked)
- Incident response (plan to manage the aftermath of a breach)
- Data lifecycle (creation to destruction and every stage in between)
- eDiscovery (data investigation and identification)
- Delineation of responsibilities (both vendor and customer)

IDEAL SOLUTION: What's the ideal healthcare IT solution?

NEXT STEPS: Leverage a secure, compliant cloud provider to:
- Limit scope of compliance by consolidating key systems into a secure, HITRUST-certified infrastructure
- Reduce compliance burdens by having the provider share responsibility for infrastructure controls
- Reduce the time and cost to complete compliance audits
- Have 24-hour access to a staff of experts that specialize in compliance, IT infrastructure and security management
- Reduce business risk with layers of added enterprise security

THANK YOU: Let FireHost solution advisors help configure the appropriate secure cloud infrastructure for your healthcare business.
Visit: www.firehost.com/healthcare
Call: (US) +1 877 262 3473 x2, (UK) +44 800 500 3167 x2