Cybersecurity and Cloud Services: Compliance Considerations
Dec. 5, 2014, San Francisco

Presenters:
- Katie Gorris, CHC, CHPS, CHPC, Privacy Manager, Corporate Integrity Program, Cedars-Sinai Health System, gorrisk@cshs.org
- Young Vu, PhD, MBA, C|CISO, CISSP, MPM, CIPM, Director of Information Security & Corp. Information (HIPAA) Security Officer, yvu@communitymedical.org
- Debra Muscio, MBA, CHC, CCE, CFE, SVP, Chief Audit and Compliance Officer, dmuscio@communitymedical.org
- Marti Arvin, CHPC, CHRC, CIA, Chief Compliance Officer, UCLA Health Sciences, MArvin@mednet.ucla.edu

Community Medical Centers (CMC)
- Locally owned, not-for-profit, public benefit organization located in Fresno and Clovis, CA
- A teaching facility and home to the only Level 1 trauma center and comprehensive burn center between LA and Sacramento
- 906 licensed beds (3 facilities, including home health agencies, hospice care, outpatient services, long-term care, community clinics and physician organizations)

CMC Staff
- 7,200 staff members
- 1,110 affiliated physicians
- 309 medical / dental residents (UCSF)

Patient Care
- 53,646 inpatient admissions
- 10,226 births
- 153,265 ER visits
- $1.28B total revenue

Cedars-Sinai
Established in 1902, Cedars-Sinai Medical Center is a not-for-profit academic medical center in Los Angeles with:
- 886 licensed beds and a Level I Trauma Center
- More than 10,200 full-time employees, 2,100 physicians on medical staff, 2,800 nurses and 2,800 volunteers
- In FY2013, more than 7,000 babies delivered, 32,000 operating room procedures, 85,000 emergency department visits, 49,000 admissions and 630,000 outpatient visits
- 500 residents and fellows in graduate medical programs, with fellowships in 80 specialties and subspecialties
- More than 400 Cedars-Sinai faculty members and 470 research staff
- More than 1,180 active sponsored research projects
UCLA Health
For more than half a century, UCLA Health has provided the best in healthcare and the latest in medical technology to the people of Los Angeles and throughout the world.
- Comprising Ronald Reagan UCLA Medical Center, Santa Monica Hospital, Resnick Neuropsychiatric Hospital at UCLA, Mattel Children's Hospital UCLA and the UCLA Medical Group with its wide-reaching system of primary-care and specialty-care offices throughout the region
- Over 2,000 physicians, more than 200 of whom are listed as the Best in America
- Patients enter our clinics more than one million times annually, and our hospitals more than 80,000 times a year
- Best in the Western United States and #5 in the nation
- David Geffen School of Medicine research with human subjects for FY 2009-2013: over $1 billion

Overview
The National Institute of Standards and Technology (NIST) defines cloud computing as "a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction."

Benefits of Cloud Computing
For many healthcare organizations, cloud computing has become essential for planning and performance. It can be used for everything from storing emails and personal photos to research collaboration and business continuity planning. It allows an organization to be extremely flexible by allocating computing resources on demand, and makes it possible to mine large amounts of data in a short period of time. Hosting data with an external cloud vendor means that an organization doesn't have to support the infrastructure necessary to gain all of the benefits of the cloud. This can lead to a reduction in cost and improved system performance and reliability.

Are you in the cloud?
Even if you think you are not, you probably are:
- Tech-savvy users
- IT staff
- Students, residents, fellows
- Researchers eager to collaborate
- Mobile device backup: iCloud. Are you using it for more than Find My iPhone?
- Vendors, contractors and other third parties
Are you thinking about being in the cloud? Cloud Technology
- Stay abreast of the current trends in security and technology in the healthcare industry, and have a formal approach for evaluating new hardware and software in your environment
  o In particular, be sure to update your Computer Technology Acquisition Policy to include the funding of sensitive or ePHI data elements being transmitted or stored
- Perform a formal HIPAA Security Assessment of potential cloud vendors that includes an analysis of security at the following four (4) OSI layers:
  o Application
  o Presentation (encryption and decryption)
  o Network
  o Physical (server)

Are you thinking about being in the cloud? Specific Requirements
- HIPAA Business Associate Agreement (BAA)
  o Breach response and incident policy (notifications)
  o Service Level Agreement (SLA) for guaranteed uptimes
- Enterprise Single Sign-On (SSO)
- Two-factor authentication
- Data encryption (256-bit AES) in transit and at rest
- Review of vendor business continuity plan & testing, to include:
  o Cloud provider backup and retention plan
  o Information technology penetration test (pen test)

Requirements
Follow industry standard best practices for the following:
- Frameworks
  o Identity & Access Management
  o Auditing for application content & user activity
  o Reporting and support for data analytics
  o Mobile Device Management (MDM) applications and policies
- SSAE 16 Type II, SOC 1 and SOC 2 (replaces SAS 70)
- Cloud Security Alliance Framework Control Matrix
- Cloud vendor certification such as ISO 27001
It's important to have a tried and tested incident response plan in place that is tailored for your organization and captures event details at every stage of recovery.

Have a (fully tested) process in place for conducting investigations when an event does occur. An effective security investigation is similar to the incident response process, and many cases will be conducted concurrently with your recovery actions:

Preparation
- Acquire the necessary tools and training
- Develop investigation policies and procedures
  o Determine your evidence collection requirements and establish a policy for secure storage and handling of potential evidence
  o Coordinate with Legal & HR to ensure complete transparency

Investigation
- Collect evidence from various sources
- Transport and secure evidence (be mindful of the chain of custody)
- Examine the evidence and analyze the results

Presentation
- Present your investigation methodology, the results of your analysis, and your conclusions

Privacy Considerations with PHI in the Cloud
- Is it part of your Designated Record Set?
- Patient access and amendment
- When can information be downloaded and stored locally?
- When can your users invite third parties to collaborate or access PHI in the cloud?
- Minimum necessary
- Verification of identity and authority
- Accounting of disclosures implications
- Are there tools for monitoring appropriateness of access to PHI in the cloud?
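The investigation steps above (collect evidence, transport and secure it while preserving chain of custody, then examine it) are easier to defend in a presentation if every handling step is recorded together with a hash of the artifact. The following is an added example, not part of the original presentation or any of the presenters' organizations' tooling: an append-only custody log in Python that hashes each artifact when it is collected, links every entry to the previous one, and can later prove both that the artifact is unchanged since collection and that the log itself has not been edited. The evidence bytes, artifact id and handler names are constructed sample values.

```python
import hashlib
import json
from datetime import datetime, timezone


def sha256_hex(data: bytes) -> str:
    """SHA-256 digest of an evidence artifact, as a hex string."""
    return hashlib.sha256(data).hexdigest()


class CustodyLog:
    """Append-only chain-of-custody log.

    Each entry records who handled an artifact, when, what they did, and the
    artifact's hash at that moment. Every entry also carries the hash of the
    previous entry, so deleting or editing an earlier step is detectable.
    """

    GENESIS = "0" * 64  # prev_entry_hash for the very first entry

    def __init__(self) -> None:
        self.entries: list[dict] = []

    def record(self, artifact_id: str, action: str, handler: str, data: bytes) -> dict:
        """Append one custody event for `artifact_id` and return the entry."""
        prev = self.entries[-1]["entry_hash"] if self.entries else self.GENESIS
        entry = {
            "artifact_id": artifact_id,
            "action": action,
            "handler": handler,
            "timestamp": datetime.now(timezone.utc).isoformat(),
            "artifact_sha256": sha256_hex(data),
            "prev_entry_hash": prev,
        }
        # Hash the canonical JSON form of the entry so the log is tamper-evident.
        entry["entry_hash"] = sha256_hex(json.dumps(entry, sort_keys=True).encode())
        self.entries.append(entry)
        return entry

    def verify_artifact(self, artifact_id: str, data: bytes) -> bool:
        """True if `data` still matches the hash taken when the artifact was first logged."""
        history = [e for e in self.entries if e["artifact_id"] == artifact_id]
        if not history:
            return False
        return sha256_hex(data) == history[0]["artifact_sha256"]

    def verify_chain(self) -> bool:
        """True if no entry has been altered, reordered or removed since it was written."""
        prev = self.GENESIS
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "entry_hash"}
            if body["prev_entry_hash"] != prev:
                return False
            if sha256_hex(json.dumps(body, sort_keys=True).encode()) != e["entry_hash"]:
                return False
            prev = e["entry_hash"]
        return True


def run_example() -> dict:
    """Walk an artifact through collection and transfer, then test both checks."""
    # Constructed sample evidence: one line of a cloud provider's audit-log export.
    export = b'{"user":"jdoe","action":"download","object":"phi/record-0001.pdf"}\n'
    log = CustodyLog()
    log.record("audit-export-01", "collected from provider console", "analyst A", export)
    log.record("audit-export-01", "transferred to evidence store", "analyst B", export)

    intact = log.verify_artifact("audit-export-01", export)
    # Simulated alteration in transit: the artifact no longer matches its collection hash.
    altered = log.verify_artifact("audit-export-01", export.replace(b"jdoe", b"xxxx"))

    chain_ok_before = log.verify_chain()
    # Simulated after-the-fact edit of the log itself: the entry hash no longer matches.
    log.entries[0]["handler"] = "analyst Z"
    chain_ok_after = log.verify_chain()

    return {
        "intact": intact,
        "altered": altered,
        "chain_ok_before": chain_ok_before,
        "chain_ok_after": chain_ok_after,
    }


if __name__ == "__main__":
    print(run_example())
```

The log lives in memory here; in practice it would be written to storage that the investigators cannot silently rewrite, and the per-entry hashes are what an examiner cites when presenting the methodology, since they tie each conclusion to a specific, unmodified artifact.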
Cloud Service Models
- Software as a Service (SaaS): The capability provided to the consumer is to use the provider's applications running on a cloud infrastructure. The applications are accessible from various client devices through either a thin client interface, such as a web browser (e.g., web-based email), or a program interface. The consumer does not manage or control the underlying cloud infrastructure including network, servers, operating systems, storage, or even individual application capabilities, with the possible exception of limited user-specific application configuration settings.
- Platform as a Service (PaaS): The capability provided to the consumer is to deploy onto the cloud infrastructure consumer-created or acquired applications created using programming languages, libraries, services, and tools supported by the provider. The consumer does not manage or control the underlying cloud infrastructure including network, servers, operating systems, or storage, but has control over the deployed applications and possibly configuration settings for the application-hosting environment.
- Infrastructure as a Service (IaaS): The capability provided to the consumer is to provision processing, storage, networks, and other fundamental computing resources where the consumer is able to deploy and run arbitrary software, which can include operating systems and applications. The consumer does not manage or control the underlying cloud infrastructure but has control over operating systems, storage, and deployed applications; and possibly limited control of select networking components (e.g., host firewalls).

Possible Use Cases
If you can think it, your users might be doing it or want to!
- External collaboration projects
- Incoming patient data uploads
- Outside records sent in advance of a consult
- Images or photos
- Teleworking
- Replacement for sending files by e-mail

Meeting Cloud Compliance and Security (HIPAA) Standards
- ISO 27001: global standard for information security and systems controls
- HIPAA and HITECH: trusted platform for ePHI and medical research
- SSAE 16 Type II, SOC 1 and SOC 2
- Safe Harbor, EU and Swiss: international data privacy controls and enforcement