Csa security risks_compliance_ramadoss_11102016_mo_d

Upload: trish-mcginity

Post on 23-Jan-2017

TRANSCRIPT

Page 1

www.cloudsecurityalliance.org

Healthcare Information Security Risks and Compliance
2016 Colorado CSA Fall Summit | November 10, 2016

Ram Ramadoss, Vice President, CRP Privacy, Information Security and EHR Compliance Oversight, Catholic Health Initiatives

Copyright © 2016 Cloud Security Alliance

Page 2

Overview

• About Catholic Health Initiatives
• Healthcare Industry Overview
• Top Technology Trends
• HIPAA Compliance / Risk Assessment
• OCR's Cloud Computing Guidance
• Q&A

Page 3

About Catholic Health Initiatives

• The nation's third-largest nonprofit health system
• CHI operates in 19 states and comprises 103 hospitals; four academic health centers and major teaching hospitals, as well as 30 critical-access facilities; home health and senior living facilities
• Other facilities and services that span the inpatient and outpatient continuum of care

Page 4

Healthcare Industry

Page 5

Overview

• Current state
• Evolution
• Complexity
• Challenges and Opportunities

Page 6

Evolution

• Major consolidation of healthcare providers

• Small and medium-sized practices are struggling

• A major movement to Electronic Health Record (EHR) systems

• An increasing shift towards outsourcing

• Competing priorities and budget limitations

• Consumerization

Page 7

Complexity

• A significant number of legacy electronic systems

• A 20-plus-year retention timeframe for medical records

• Legacy medical devices / wireless capability

Page 8

Security Challenges Unique to the Healthcare Sector

• Protected Health Information (PHI) includes fundamental, unchanging facts about a patient

• Average security breach cost: $363 per record in healthcare versus $154 per record in other industries

• In 2015 alone, 113 million patients were affected by breaches

• Fraud opportunities for criminals include:
  Identity theft
  Exploitation of insurance details
  Prescription drug benefits

Page 9

Challenges and Opportunities

Challenges:

• Vulnerabilities and weak security controls

• Aggressive threat landscape

• HIPAA regulatory requirements

Opportunities:

• Providers are desperately looking for technology solutions

• An open-minded approach to outsourcing

• Exploring efficiency and automation opportunities

Page 10

Top Technology Trends

Page 11

The Consumerization of Healthcare

• Consumers connected to the new healthcare economy
• A greater expectation of a personalized experience
• Business intelligence tools to derive patterns and consumer trends

Page 12

Big Data

• 360-degree view of customers/patients
• Unstructured data to help with predictive analytics
• Increasing focus on health clouds
• Medium-sized providers: huge opportunity
• Large healthcare providers: partnerships

Page 13

Mobile Devices/Applications

• Not just the Millennials
• Access to health information using smartphones
• Online scheduling / Insurance shopping / Virtual care drive off
• Developing a digital eco-system
• Patient/Physician portals; information sharing
  Engagement and interactions with patients

Page 14

Patient Data vs Patient Safety Focus

Page 15

HIPAA Compliance and Risk Assessments

Page 16

Business Associate Agreements (BAA)

• A contractual agreement between a Covered Entity (CE) and any third-party company with access to patient information (the Business Associate)
• A mandatory requirement: a HIPAA Administrative Safeguard
• Key provisions include, but are not limited to:
  Return or destruction of Protected Health Information (PHI) upon termination
  Safeguarding of ePHI
  Breach notification

Page 17

Information Security Amendments

• Additional language regarding a minimum security program
• Security provisions regarding access from foreign locations and storage of data outside the country
• Risk stratification of partners and Business Associates
• Monitoring of partners' security and compliance

Page 18

Suppliers/Business Associates

Facts:
• Increasing outsourcing activities (business process / IT)
• Cloud-based electronic health record systems
• The patient care program is reliant upon the support received from partners / BAs

Mitigation:
• Cybersecurity insurance coverage
• BAAs and security amendments
• Provisions governing access and storage outside the United States
• Supplier risk management program

Page 19

The Office for Civil Rights’ (OCR) Cloud Computing Guidance

Page 20

Cloud Computing Guidance

• Covered Entities (CEs) must execute BAAs with Cloud Service Providers (CSPs) before entrusting them with ePHI (OCR has recently fined a CE for storing ePHI with a CSP without one)
• Risk Analysis: required of both the CE and the CSP
• Service Level Agreements must address:
  System availability and reliability
  Back-up and data recovery
  The manner in which data will be returned to the customer after service termination
  Security responsibilities
  Use, retention and disclosure limitations

Page 21

Cloud Computing Guidance

• The CSP is directly liable under the HIPAA Privacy Rule for:
  Uses and disclosures of data not authorized by the contract, by law or by HIPAA

• The CSP is directly liable under the HIPAA Security Rule for:
  Failure to safeguard ePHI
  Failure to notify the Covered Entity of a breach

• CSPs are still Business Associates:
  Even if the data is encrypted and the CSP holds no decryption key
  Even if the CSP never accesses the data

Page 22

Cloud Computing Guidance

• Can a CSP be considered a "conduit", like the postal service?
  No: the conduit exception is limited to transmission-only services for PHI, including only the temporary storage of PHI incidental to that transmission

• Lack of actual knowledge by the CSP that its services are used to handle ePHI
  Affirmative defense, provided the CSP corrects the non-compliance within 30 days of when it knew or should have known

• Breach Notification: CSPs must implement:
  Policies and procedures
  Documentation of security incidents
  Reporting of incidents to the CEs and Business Associates they serve

Page 23

Cloud Computing Guidance

• CSPs must return or destroy all PHI at the termination of the BAA, where feasible
  If return or destruction is not feasible, the BAA must extend its privacy and security protections to the retained PHI for as long as it is held

• The HIPAA Rules do not restrict storage of data outside the US
  The risk assessment is the key: the location of the data is a factor in it

• Customers may require additional assurances from CSPs, such as documentation of safeguards or audits

• De-identified data (per the HIPAA Privacy Rule) is not PHI
  A CSP that holds only de-identified data is not a Business Associate

Page 24

Thank You