Locking Down the Cloud for Healthcare Kurt Hagerman Chief Information Security Officer
SECURITY TRENDS Healthcare businesses are fighting REAL threats Threats are growing over time by percent of breaches Healthcare represented 7 + % of the breeches in 2012 52% of the breeches involved companies in the Information business External Internal Partner 86% 98% 92% 78% 72% 48% 39% 6% 6% 12% 4% 14% 2% 1% 1% 2008 2009 2010 2011 2012 2013 Data Breach Inves2ga2ons Report Verizon/US Secret Service
SECURITY TRENDS Healthcare IT is Between a Rock and a Hard Place The Rock = Relentless Security Threats to Healthcare IT The top healthcare data breaches: State Department of Health - 780,000 records Healthcare Co. - 315,000 records State Dept. of Health and Human Services - 228,435 records Home Health Monitoring Co. - 116,506 records State Healthcare System, FL - 102,153 records University Hospital - 66,601 records Security Pains Healthcare Faces Expanding digital connectivity of healthcare platforms BYOD Doctors want access to data on their own devices Internal security capabilities Threats growing exponentially
SECURITY TRENDS Healthcare IT is Between a Rock and a Hard Place The Hard Place = Demanding Compliance Requirements (Partial list) HIPAA (Health Insurance Portability and Accountability Act) New PCI DSS 3.0 standards (Payment Card Industry Data Security Standard) Healthcare Companies Face Compliance Pain HIPAA/HITECH not prescriptive how do I know what I need to do? Zero to little internal capabilities Mixed internal IT environments = complex compliance scope(s) HHS/OCR audit program a reality its not if, its when am I going to get the call? Fines some examples Cignet Health Center - $4.3M access violations and failure to cooperate Alaska Dept. of Health and Social Services - $1.7M stolen USB drive Blue Cross Blue Shield of Tennessee $1.5M theft of 57 unencrypted drives Massachusetts Eye and Ear Infirmary - $1.5M stolen laptop with 3500 patient records Phoenix Cardiac Surgery P.C. - $100k doctor s office posting patient appts. online
SECURITY TRENDS Potential Solutions? HITRUST CSF - makes sense of the vague nature of HIPAA and provides defined, actionable controls to protect ephi along with a third party certification program Implementation of the CSF Independent validation against the CSF Look for Specialized Cloud Hosting/Service Providers Have staff that specialize in compliance IT infrastructure and security management Will limit compliance scope by consolidating key systems in a controlled environment Reduce compliance burden by taking responsibility for controls Reduce audit risk, cost and time
BEST APPROACH The Secure Cloud is Not a Myth What s the best approach? Build for security and compliance Follow security best practices vs. chasing compliance guidelines Use a common controls approach (HITRUST) Deploy multiple security countermeasures using a layered approach
WHERE TO START Where do you start in securing a cloud?
SECURITY LAYERS Start with Physical Security Locate data center in area at low risk to natural disasters No identifying signage 24X7 manned security, roving patrols Multi-factor authentication for entry Comprehensive CCTV coverage Log all entries, monitor systems, securely store logs and video
SECURITY LAYERS Once you have a secure facility, what s next?
SECURITY LAYERS Perimeter Security Public Traffic Redundant Routers w/ip Reputation Filtering Redundant DoS/DDoS Mitigation Redundant Web Application Firewalls Intrusion Detection
SECURITY LAYERS Perimeter is secured, what s next?
SECURITY LAYERS Host Security VMware Hypervisor (Hardened) Blade/SAN Architecture High Availability Architecture 20 Gbps Network (Public & Private) Per VM Firewall Policies Unlimited Security Zones Load Balancers LB LB Web Servers VM VM VM VM VM VM SECURITY ZONE Application Servers Database Servers VM VM VM VM SECURITY ZONE SAN Secure SAN Storage Physically Isolated Secure Storage Area Network Secure Data Deletion and Destruction Complete Data Obfuscation
SECURITY LAYERS What other security measures are important?
SECURITY LAYERS Secure Administrative Access Secure Customer Access Multi-Factor Authentication SSLVPN/L2LVPN Secure Access MPLS Termination Secure Administrative Access Physically Isolated Network Secure Jump Hosts Privileged Access Management Full Session Recording
SECURITY LAYERS Additional Security Services File Integrity Monitoring Data Leakage Protection Malware Protection Vulnerability Management Log Management Patch Management Configuration Management
SECURITY TRENDS How does it all come together?
SECURITY TRENDS Public Traffic Redundant Routers w/ip Reputation Filtering Redundant DoS/DDoS Mitigation Redundant Web Application Firewalls Secure Customer Access Multi-Factor Authentication SSLVPN/L2LVPN Secure Access MPLS Termination Intrusion Detection File Integrity Monitoring Data Leakage Protection Antimalware/ Antivirus Isolated Customer Environment VMware Hypervisor (Hardened) Blade/SAN Architecture High Availability Architecture 20 Gbps Network (Public & Private) Per VM Firewall Policies Unlimited Security Zones Web Servers SECURITY ZONE Application Servers VM Load Balancers VM VM VM VM VM Database Servers VM VM VM VM LB LB Isolated Customer Environment Vulnerability Management Log Management Patch Management Configuration Management SECURITY ZONE Secure Administrative Access Physically Isolated Network Secure Jump Hosts Privileged Access Management Full Session Recording SAN Secure SAN Storage Physically Isolated Secure Storage Area Network Secure Data Deletion and Destruction Complete Data Obfuscation
SECURITY LAYERS Security concerns beyond infrastructure?
OTHER CONCERNS Management Controls Personnel Security (critical and often overlooked) Incident Response (plan to manage the aftermath of a breach) Data lifecycle (creation to destruction and every stage in between) ediscovery (data investigation and identification) Delineation of responsibilities (both vendor and customer)
IDEAL SOLUTION What s the ideal healthcare IT solution?
NEXT STEPS Leverage a secure compliant cloud provider to: Limit scope of compliance by consolidating key systems into a secure, HITRUST certified infrastructure Reduce compliance burdens by having the provider share responsibility for infrastructure controls Reduce the time and cost to complete compliance audits Have 24 hour access to a staff of experts that specialize in compliance IT Infrastructure and security management Reduce business risk with layers of added enterprise security
THANK YOU Thank You Let FireHost solution advisors help configure the appropriate secure cloud infrastructure for your healthcare business VISIT CALL www.firehost.com/healthcare (US) +1 877 262 3473 x2 (UK) +44 800 500 3167 x2