12/1/2014. Cybersecurity and Cloud Services Compliance Considerations. Community Medical Centers. Cedars-Sinai. Dec. 5, 2014 San Francisco




Cybersecurity and Cloud Services Compliance Considerations
Dec. 5, 2014, San Francisco

Presenters
- Katie Gorris, CHC, CHPS, CHPC, Privacy Manager, Corporate Integrity Program, Cedars-Sinai Health System, gorrisk@cshs.org
- Young Vu, PhD, MBA, C|CISO, CISSP, MPM, CIPM, Director of Information Security & Corp. Information (HIPAA) Security Officer, yvu@communitymedical.org
- Debra Muscio, MBA, CHC, CCE, CFE, SVP, Chief Audit and Compliance Officer, dmuscio@communitymedical.org
- Marti Arvin, CHPC, CHRC, CIA, Chief Compliance Officer, UCLA Health Sciences, MArvin@mednet.ucla.edu

Community Medical Centers
- Locally owned, not-for-profit, public benefit organization located in Fresno and Clovis, CA
- A teaching facility and home to the only Level 1 trauma center and comprehensive burn center between LA and Sacramento
- 906 licensed beds (3 facilities), including home health agencies, hospice care, outpatient services, long-term care, community clinics and physician organizations
- CMC staff: 7,200 staff members, 1,110 affiliated physicians, 309 medical/dental residents (UCSF)
- Patient care: 53,646 inpatient admissions, 10,226 births, 153,265 ER visits
- $1.28B total revenue

Cedars-Sinai
Established in 1902, Cedars-Sinai Medical Center is a not-for-profit academic medical center in Los Angeles with:
- 886 licensed beds and a Level I Trauma Center
- More than 10,200 full-time employees, 2,100 physicians on medical staff, 2,800 nurses and 2,800 volunteers
- In FY2013, more than 7,000 babies delivered, 32,000 operating room procedures, 85,000 emergency department visits, 49,000 admissions and 630,000 outpatient visits
- 500 residents and fellows in graduate medical programs, with fellowships in 80 specialties and subspecialties
- More than 400 Cedars-Sinai faculty members and 470 research staff
- More than 1,180 active sponsored research projects

UCLA Health
For more than half a century, UCLA Health has provided the best in healthcare and the latest in medical technology to the people of Los Angeles and throughout the world.
- Comprised of Ronald Reagan UCLA Medical Center, Santa Monica Hospital, Resnick Neuropsychiatric Hospital at UCLA, Mattel Children's Hospital UCLA and the UCLA Medical Group, with its wide-reaching system of primary-care and specialty-care offices throughout the region
- Over 2,000 physicians, more than 200 of whom are listed as the Best in America
- Patients enter our clinics more than one million times annually, and our hospitals more than 80,000 times a year
- Best in the Western United States and #5 in the nation
- David Geffen School of Medicine research with human subjects for FY 2009-2013: over $1 billion

Overview
The National Institute of Standards and Technology (NIST) defines cloud computing as "a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction."

Benefits of Cloud Computing
Are you in the cloud? For many healthcare organizations, cloud computing has become essential for planning and performance. It can be used for everything from storing emails and personal photos to research collaboration and business continuity planning. It allows an organization to be extremely flexible by allocating computing resources on demand, and it makes it possible to mine large amounts of data in a short period of time. Hosting data with an external cloud vendor means that an organization does not have to support the infrastructure necessary to gain all of the benefits of the cloud. This can lead to a reduction in cost and improved system performance and reliability.

Are you in the cloud?
Even if you think you are not, you probably are:
- Tech-savvy users
- IT staff
- Students, residents, fellows
- Researchers eager to collaborate
- Mobile device backup: iCloud. Are you using it for more than Find My iPhone?
- Vendors, contractors and other third parties

Are you thinking about being in the cloud? Cloud Technology
- Stay abreast of the current trends in security and technology in the healthcare industry, and have a formal approach for evaluating new hardware and software in your environment
  o In particular, be sure to update your Computer Technology Acquisition Policy to include the funding of sensitive or ePHI data elements being transmitted or stored
- Perform a formal HIPAA Security Assessment of potential cloud vendors that includes an analysis of security at the following four (4) OSI layers:
  o Application
  o Presentation (encryption and decryption)
  o Network
  o Physical (server)

Are you thinking about being in the cloud? Specific Requirements
- HIPAA Business Associate Agreement (BAA)
  o Breach response and incident policy (notifications)
  o Service Level Agreement (SLA) for guaranteed uptimes
- Enterprise Single Sign-On (SSO)
- Two-factor authentication
- Data encryption (256-bit AES) in transit and at rest
- Review of the vendor's business continuity plan and testing, to include:
  o Cloud provider backup and retention plan
  o Information technology penetration test (pen test)

Requirements
Follow industry-standard best practices for the following:
- Frameworks
  o Identity & Access Management
  o Auditing for application content & user activity
  o Reporting and support for data analytics
  o Mobile Device Management (MDM) applications and policies
- SSAE 16 Type II, SOC 1 and SOC 2 (replaces SAS 70)
- Cloud Security Alliance Framework Control Matrix
- Cloud vendor certification such as ISO 27001

Incident Response
It's important to have a tried and tested incident response plan in place that is tailored for your organization and captures event details at every stage of recovery.

Investigations
Have a (fully tested) process in place for conducting investigations when an event does occur. An effective security investigation is similar to the incident response process, and many cases will be conducted concurrently with your recovery actions:

Preparation
- Acquire the necessary tools and training
- Develop investigation policies and procedures
  o Determine your evidence collection requirements and establish a policy for secure storage and handling of potential evidence
  o Coordinate with Legal & HR to ensure complete transparency

Investigation
- Collect evidence from various sources
- Transport and secure evidence (be mindful of the chain of custody)
- Examine the evidence and analyze the results

Presentation
- Present your investigation methodology, the results of your analysis, and your conclusions

Privacy Considerations with PHI in the Cloud
- Is it part of your Designated Record Set?
- Patient access and amendment
- When can information be downloaded and stored locally?
- When can your users invite third parties to collaborate or access PHI in the cloud?
- Minimum necessary
- Verification of identity and authority
- Accounting of disclosures implications
- Are there tools for monitoring appropriateness of access to PHI in the cloud?

Possible Use Cases: Cloud Service Models
- Software as a Service (SaaS): The capability provided to the consumer is to use the provider's applications running on a cloud infrastructure. The applications are accessible from various client devices through either a thin client interface, such as a web browser (e.g., web-based email), or a program interface. The consumer does not manage or control the underlying cloud infrastructure including network, servers, operating systems, storage, or even individual application capabilities, with the possible exception of limited user-specific application configuration settings.
- Platform as a Service (PaaS): The capability provided to the consumer is to deploy onto the cloud infrastructure consumer-created or acquired applications created using programming languages, libraries, services, and tools supported by the provider. The consumer does not manage or control the underlying cloud infrastructure including network, servers, operating systems, or storage, but has control over the deployed applications and possibly configuration settings for the application-hosting environment.
- Infrastructure as a Service (IaaS): The capability provided to the consumer is to provision processing, storage, networks, and other fundamental computing resources where the consumer is able to deploy and run arbitrary software, which can include operating systems and applications. The consumer does not manage or control the underlying cloud infrastructure but has control over operating systems, storage, and deployed applications, and possibly limited control of select networking components (e.g., host firewalls).

Possible Use Cases
If you can think it, your users might be doing it or want to!
- External collaboration projects
- Incoming patient data uploads
- Outside records sent in advance of a consult
- Images or photos
- Teleworking
- Replacement for sending files by e-mail

Meeting Cloud Compliance and Security (HIPAA) Standards
- ISO2007: global standard for information security and systems controls
- HIPAA and HITECH: trusted platform for ePHI and medical research
- SSAE 16 Type II, SOC 1 and SOC 2
- Safe Harbor, EU and Swiss: international data privacy controls and enforcement