Developing a Cloud Security Roadmap - himss20
TRANSCRIPT
Gary Seay Former CIO, Community Health Systems
Chris Bowen Founder, CPSO, ClearDATA
Developing a Cloud Security Roadmap March 2, 2016
Conflict of Interest
Gary Seay
Has no real or apparent conflicts of interest to report.
Chris Bowen, MBA, CISSP, CIPP/US, CIPT
Has no real or apparent conflicts of interest to report.
Agenda
• Healthcare Data Under Attack
  - Trends and Sources of Healthcare Data Breaches
• Security Roadmap Essentials
  - Defense in Depth
  - A Closer Look
  - Shared Responsibility Model
• Threat Diligence: On or Off Premise
• Conclusion
CB
Learning Objectives
1. Evaluate primary causes of data breaches as they relate to current health system infrastructure
2. List major considerations for selecting a cloud computing vendor
3. Assess benefits of cloud platforms beyond security, including cost savings and data analytics
4. Recognize key layers of a “Defense in Depth” approach to healthcare data security
CB
Our Healthcare Data is under Attack!
Health records breached in 2015 alone: 115,000,000, an increase of 10x over 2014.
CB
Source: CSO Online
http://www.csoonline.com/article/3026661/data-breach/over-113-million-health-records-breached-in-2015-up-10-fold-from-2014.html
The Role of the Healthcare Network
Diagram: a regional healthcare network. Sites shown: Regional Medical Center, Physician Home Office, Secondary Care Hospital, Affiliate Office, Community Health Center, Military / Prison Health. Technologies linking them: Enterprise Wireless, SMB Wireless, VoIP Phone, VoIP Conference Phone, Immersive Telepresence, Telemedicine, Remote Radiology, Remote Monitoring, Data Exchange, Patient Consent, Mobile EMR Access, EMR Integration, Health Collaboration.
Learning Objective: 1
CB
The Role of HIT in the Patient Journey
Diagram: the patient journey. Stages shown: Injury Occurs; Ambulance Takes Patient to Clinic; Preliminary Treatment at Local Clinic; Patient Transferred to Hospital; Further Tests; Post Procedure Care; Home Monitoring. HIT touchpoints shown along the journey: Patient Record, Patient Monitoring, Care Collaboration, Monitoring System, Patient X-ray, EMR, Patient Consent, Patient Management, Patient Services, Continuous Monitoring, Patient Care, Telemedicine, Med Mgmt.
Learning Objective: 1
CB
• 91% of small North American healthcare practices have been breached.
• 70% aren’t confident that their budget meets risk management, compliance, and governance requirements.
• Six in ten security systems aren’t mature enough to detect or react to data breaches.
Learning Objective: 1
CB
The Data Security Imperative
• 94% of providers have suffered at least one data breach in the last two years.
• Nearly 50% have experienced more than five data breaches.
Learning Objective: 1
CB
The Data Breach Epidemic
Source: Verizon 2015 Protected Health Information Data Breach Report
Learning Objective: 1
93% of PHI breaches exhibit nine incident patterns (Verizon’s “Nefarious Nine”); just 3 patterns describe 85% of incidents.

Incident Pattern        Incidents
Lost & Stolen Assets    807 (45.4%)
Privilege Misuse        361 (20.3%)
Miscellaneous Errors    357 (20.1%)
Everything Else         119 (6.7%)
Point of Sale            68 (3.8%)
Web Applications         33 (1.9%)
Crimeware                25 (1.4%)
Cyber-Espionage           6 (0.3%)
Card Skimmers             0 (0.0%)
CB
Most Hackers Invest Limited Time
Source: CSO Online - Survey: Average successful hack nets less than $15,000
http://www.csoonline.com/article/3028787/cyber-attacks-espionage/survey-average-successful-hack-nets-less-than-15-000.html
Average Hacker Time Investment
• 70 hours per attack against "typical" IT security infrastructure
• 147 hours battling "excellent" IT security infrastructure
• Give up completely after 209 hours
Average Return
• Less than $15,000 per attack
• Less than $29,000 per year on average
Cyber Attacks
“If you can delay them by two days, you can deter 60 percent of attacks.”
- Scott Simkin, senior threat intelligence manager at Palo Alto Networks
Security Roadmap Essentials
Learning Objective: 4
APPLYING DEFENSE IN DEPTH & BREADTH
Applied across each use case to the appropriate level.
DEFENSE IN DEPTH (layers):
• Multi-level Security: User, Process, Device
• Device & Workstation
• Physical Infrastructure
• Network Security: air-tight, properly configured
• System Security
• Data & Application Security
DEFENSE IN BREADTH:
• Reduce Attack Surfaces
• Deploy Crypto Keys
• Create Secure People, Processes & Systems
JGS
Defense in Depth: Multi-level User
Learning Objective: 4
Multi-Level User:
• Regular security awareness training
• Cyclical policies and procedure review
• Convenient policies & procedures access
• Background checks
• On- and off-boarding checklists
• Minimum Necessary, Role Based Access Controls (RBAC)
• Segregation of Duties
• Fair and equal sanctions
• Whistleblower hotline
Cloud Service Provider:
• Leverage CSP policies and procedures as extensions of your own
• Leverage RBAC tools
• Use CSP team for Segregation of Duties
JGS
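Minimum-necessary RBAC and segregation of duties are easiest to reason about when role assignments are checked mechanically rather than by eye. The following is an added example, not code from the presentation or from any vendor: it defines a constructed set of roles, a constructed list of role pairs that must never be held by one person, and a review function that reports every user who violates that rule, plus a permission check that grants only what a role explicitly carries.

```python
"""Role-based access with a segregation-of-duties (SoD) review.

Added example, not part of the presentation. Role names, permissions,
the conflicting-role pairs and the sample assignments are all constructed
for illustration.
"""
from itertools import combinations

# Constructed role -> permission map. A role carries only the permissions
# its job function needs ("minimum necessary"); nothing is implied.
ROLE_PERMISSIONS = {
    "nurse": {"phi:read", "phi:write:vitals"},
    "billing_clerk": {"phi:read:demographics", "claims:submit"},
    "claims_approver": {"claims:approve"},
    "sysadmin": {"server:admin", "audit_log:read"},
    "auditor": {"audit_log:read"},
}

# Constructed SoD matrix: one person must never hold both roles of a pair,
# e.g. submitting a claim and approving it, or administering a server and
# auditing its logs.
SOD_CONFLICTS = {
    frozenset({"billing_clerk", "claims_approver"}),
    frozenset({"sysadmin", "auditor"}),
}


def effective_permissions(roles):
    """Union of the permissions of every role held; unknown roles are an error."""
    perms = set()
    for role in roles:
        if role not in ROLE_PERMISSIONS:
            raise KeyError(f"unknown role: {role}")
        perms |= ROLE_PERMISSIONS[role]
    return perms


def is_permitted(roles, permission):
    """Deny by default: the permission must be carried by one of the roles."""
    return permission in effective_permissions(roles)


def sod_violations(assignments):
    """Map user -> sorted list of conflicting role pairs that user holds."""
    report = {}
    for user, roles in assignments.items():
        pairs = [
            tuple(sorted(pair))
            for pair in combinations(sorted(roles), 2)
            if frozenset(pair) in SOD_CONFLICTS
        ]
        if pairs:
            report[user] = pairs
    return report


# Constructed sample assignments for the review run.
SAMPLE_ASSIGNMENTS = {
    "alice": {"nurse"},
    "bob": {"billing_clerk", "claims_approver"},
    "carol": {"sysadmin", "auditor"},
    "dave": {"auditor"},
}

if __name__ == "__main__":
    for user, pairs in sod_violations(SAMPLE_ASSIGNMENTS).items():
        print(f"{user}: segregation-of-duties conflict {pairs}")
    print("alice may read PHI:", is_permitted(SAMPLE_ASSIGNMENTS["alice"], "phi:read"))
```

Running the review over the sample assignments flags bob (submits and approves claims) and carol (administers servers and audits their logs); the permission check answers from the role map alone, so a permission nobody assigned is simply denied.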
Defense in Depth: Device & Workstation
Learning Objective: 4
Device & Workstation:
• Screen lock (15 minutes)
• One user, one account
• Anti-virus, anti-malware
• Appropriate use of network resources (questionable sites, prevent drive-by downloads)
• Keep credentials secure and fresh
• Enable remote wipe
• Prohibit PHI storage on device or workstation
Cloud Service Provider:
• Leverage anti-virus / anti-malware
• Leverage content filters
• Leverage password expiration & support policies
• Leverage remote-wipe features
• Prohibit storing PHI on devices or workstations, leveraging controls
JGS
Defense in Depth: Physical Infrastructure
Learning Objective: 4
Physical Infrastructure:
• Access controls
• Surveillance
• Workstation timeouts
• Appropriate use of locks for sensitive areas
• Limited entry points
• Physical barriers
Cloud Service Provider:
• Keep your data in a secure physical facility at no extra cost to you
• Use physical access controls: gates, guards, biometric two-factor authentication, surveillance
• CSP can be your hands on the ground - no need to access the data center
JGS
Defense in Depth: Network
Learning Objective: 4
Network Security:
• Formal network and acceptable use policy
• Active network asset inventory:
  - Firewalls, VPNs, IPS/IDS, content security, wireless access points, identity management
• Know your data, and its logical flows
• Lock down traffic that could touch PHI
• Review settings regularly
• Visualize network activity
• Implement a SIEM
• Manage logs effectively
Cloud Service Provider:
• Leverage IDS / IPS
• Reduce inventory of firewalls, VPNs, and other network assets
• Leverage SIEM for your own use
• Let CSP analyze logs for you
• Let CSP manage your port restrictions and regular port reviews
• Let CSP detect and alert you of anomalous activity
JGS
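"Know your data and its logical flows" and "lock down traffic that could touch PHI" become testable once the expected flows are written down and observed traffic is checked against them. The following is an added example, not code from the presentation or any product: it keeps a constructed inventory of PHI-holding hosts and the flows approved to reach them, parses constructed flow-log lines, and reports accepted flows that nobody approved as well as blocked attempts against PHI hosts, the kind of finding a SIEM rule would raise.

```python
"""Review flow-log records against the approved data flows to PHI hosts.

Added example, not part of the presentation. The flow-log line format,
the asset inventory, the approved-flow list and the sample records are
constructed for illustration.
"""
import ipaddress
from collections import defaultdict

# Constructed inventory: hosts that hold PHI, by address.
PHI_HOSTS = {"10.20.5.10": "emr-db", "10.20.5.11": "pacs"}

# Constructed approved flows: (PHI host, source network, destination port).
APPROVED_FLOWS = [
    ("emr-db", "10.20.1.0/24", 1433),   # application tier -> EMR database
    ("pacs", "10.20.1.0/24", 443),      # application tier -> PACS web front end
    ("emr-db", "10.20.9.5/32", 1433),   # backup server -> EMR database
]

# Constructed flow records: "src dst dst_port proto bytes action".
SAMPLE_FLOWS = """\
10.20.1.15 10.20.5.10 1433 tcp 48211 ACCEPT
10.20.1.16 10.20.5.11 443 tcp 9931 ACCEPT
10.20.9.5 10.20.5.10 1433 tcp 5000000 ACCEPT
10.20.7.33 10.20.5.10 1433 tcp 120 ACCEPT
198.51.100.7 10.20.5.11 22 tcp 0 REJECT
10.20.1.15 10.20.5.10 1433 tcp 10 ACCEPT
"""


def parse_flow(line):
    """Split one constructed flow-log line into a dict with typed fields."""
    src, dst, port, proto, nbytes, action = line.split()
    return {"src": src, "dst": dst, "dst_port": int(port), "proto": proto,
            "bytes": int(nbytes), "action": action}


def flow_is_approved(flow):
    """True if the destination is not a PHI host, or the flow matches an approved entry."""
    host = PHI_HOSTS.get(flow["dst"])
    if host is None:
        return True  # not a PHI host: outside this review's scope
    src = ipaddress.ip_address(flow["src"])
    return any(
        h == host and flow["dst_port"] == port and src in ipaddress.ip_network(net)
        for h, net, port in APPROVED_FLOWS
    )


def review_flows(text):
    """Return (src, dst, port, category) for every flow worth an analyst's attention."""
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        flow = parse_flow(line)
        if flow["dst"] not in PHI_HOSTS:
            continue
        if flow["action"] == "REJECT":
            findings.append((flow["src"], flow["dst"], flow["dst_port"], "blocked-attempt"))
        elif not flow_is_approved(flow):
            findings.append((flow["src"], flow["dst"], flow["dst_port"], "unexpected-phi-flow"))
    return findings


def phi_bytes_by_source(text):
    """Accepted bytes sent to PHI hosts per source: the data for a simple traffic picture."""
    totals = defaultdict(int)
    for line in text.splitlines():
        if not line.strip():
            continue
        flow = parse_flow(line)
        if flow["dst"] in PHI_HOSTS and flow["action"] == "ACCEPT":
            totals[flow["src"]] += flow["bytes"]
    return dict(totals)


if __name__ == "__main__":
    for src, dst, port, category in review_flows(SAMPLE_FLOWS):
        print(f"{category}: {src} -> {dst}:{port}")
    print("bytes to PHI hosts by source:", phi_bytes_by_source(SAMPLE_FLOWS))
```

On the sample records the review reports one accepted flow from an unapproved subnet into the EMR database and one rejected attempt from outside against the PACS host; the byte totals per source give the starting point for the "visualize network activity" item above.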
Defense in Depth: System Server / OS
Learning Objective: 4
System Server / OS:
• Understand server relationships to sensitive data
• Maintain up-to-date vendor software versions/patches
• Perform penetration tests and vulnerability scans on the server ecosystem
• Server/OS hardened to standards
• Backup/restore testing regularly performed
• Logging enabled and preserved
Cloud Service Provider:
• Leverage hardening templates of your CSP
• Let your CSP do patching for you
• Leverage your CSP’s tools for backup/restore testing
• Let your CSP collect audit artifacts required for compliance and investigation
JGS
Defense in Depth: Data & Applications
Learning Objective: 4
Data & Applications:
• Understand application relationship to sensitive data
• Maintain up-to-date software versions
• Ensure vendor provides support and patches
• Perform security and privacy reviews on applications
• Perform penetration tests and vulnerability scans on key applications
• Logs enabled and preserved
Cloud Service Provider:
• Leverage Web Application Firewalls from your CSP
• Let CSP help design your tier-based system
• Leverage security expertise of CSP to restrict traffic in secure zones
• Let CSP help you perform penetration testing
• Use CSP’s solution for vulnerability scanning
• Let CSP manage log preservation
JGS
Defense in Breadth: Reduce Attack Surfaces
Learning Objective: 4
Reduce Attack Surfaces:
• General: Secure the right boundary
• Network surface:
  - Close unnecessarily open ports
  - Adopt white-list models to reduce port traffic
  - Keep things simple - eliminate expired or unnecessary rules
• Software surface:
  - Build security into applications
  - Reduce the amount of running code
• Physical surface:
  - Enforce strong authentication
  - Laptop encryption
Cloud Service Provider:
• Automated port reviews and network traffic analysis
• Opinionated, purpose-built hardening templates
• Vulnerability management
• 24x7 security monitoring
• Automated policy enforcement
JGS
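The network-surface items above (close unnecessarily open ports, adopt a white-list model, eliminate expired or unnecessary rules) and the CSP's "automated port reviews" are the same check run by a machine. The following is an added example, not code from the presentation or any cloud provider's tooling: it reviews a constructed set of firewall / security-group rules against a constructed allow-list of required services, flags anything open to any source that is not on the internet-facing allow-list, anything for a port no service needs, expired rules and duplicates, and returns the rule set that survives.

```python
"""Automated review of ingress firewall / security-group rules.

Added example, not part of the presentation or any vendor product. The rule
format, both allow-lists, the review date and the sample rules are
constructed for illustration.
"""
from datetime import date
import ipaddress

# White-list of (protocol, port) pairs some service actually needs.
# Any rule for a pair not listed here is "unnecessary".
REQUIRED_SERVICES = {("tcp", 443), ("tcp", 22), ("tcp", 1433)}

# The subset of those that may accept traffic from any source at all.
INTERNET_ALLOWED = {("tcp", 443)}

# Constructed ingress rules. "expires" is an ISO date or None.
SAMPLE_RULES = [
    {"id": "sg-1", "proto": "tcp", "port": 443, "source": "0.0.0.0/0", "expires": None},
    {"id": "sg-2", "proto": "tcp", "port": 22, "source": "0.0.0.0/0", "expires": None},
    {"id": "sg-3", "proto": "tcp", "port": 22, "source": "10.20.0.0/16", "expires": None},
    {"id": "sg-4", "proto": "tcp", "port": 3389, "source": "10.20.0.0/16", "expires": None},
    {"id": "sg-5", "proto": "tcp", "port": 1433, "source": "10.20.5.0/24", "expires": "2015-12-31"},
    {"id": "sg-6", "proto": "tcp", "port": 443, "source": "0.0.0.0/0", "expires": None},
]


def open_to_any(source):
    """True for a source that matches every address (0.0.0.0/0 or ::/0)."""
    return ipaddress.ip_network(source, strict=False).prefixlen == 0


def _as_date(value):
    return date.fromisoformat(value) if isinstance(value, str) else value


def is_expired(rule, today):
    """A rule with an expiry date in the past should have been removed."""
    return rule["expires"] is not None and _as_date(rule["expires"]) < _as_date(today)


def review_rules(rules, today):
    """Return (rule id, finding) pairs in rule order; a rule may get several findings."""
    findings = []
    seen = set()
    for rule in rules:
        key = (rule["proto"], rule["port"], rule["source"])
        service = (rule["proto"], rule["port"])
        if key in seen:
            findings.append((rule["id"], "duplicate"))
            continue
        seen.add(key)
        if service not in REQUIRED_SERVICES:
            findings.append((rule["id"], "unnecessary-port"))
        elif open_to_any(rule["source"]) and service not in INTERNET_ALLOWED:
            findings.append((rule["id"], "open-to-internet"))
        if is_expired(rule, today):
            findings.append((rule["id"], "expired"))
    return findings


def rules_to_keep(rules, today):
    """Ids of rules with no finding: the minimal rule set after the review."""
    flagged = {rule_id for rule_id, _ in review_rules(rules, today)}
    return [rule["id"] for rule in rules if rule["id"] not in flagged]


if __name__ == "__main__":
    review_date = "2016-03-02"  # constructed: the presentation date
    for rule_id, finding in review_rules(SAMPLE_RULES, review_date):
        print(f"{rule_id}: {finding}")
    print("keep:", rules_to_keep(SAMPLE_RULES, review_date))
```

With the sample rules, SSH open to the world, an RDP rule no service needs, an expired database rule and a duplicate of the HTTPS rule are all flagged, leaving only the world-facing HTTPS rule and the internal SSH rule. The same shape works for any cloud provider's security-group export once it is mapped into the rule dict.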
Defense in Breadth: People
Learning Objective: 4
People (same list for your organization and for the Cloud Service Provider):
• Security awareness training
• Social engineering drills
• Background checks
• Proper onboarding and offboarding
• Sanctions
• Workstation security
JGS
Summary of Cloud Cost Factors
Learning Objective: 5
Chart: Year 1 through Year 5, CAPEX (self-provisioning, with depreciation) versus OPEX (cloud partner), where cost = fixed monthly + tax deduction.
Direct Costs
• Server Hardware
• Network Hardware
• Hardware Maintenance
• Power and Cooling
• Data Center Space
• Personnel/Sophistication
Indirect Considerations
• Server economies of scale / pay as you grow
• Initial capital expenses or savings
• Move from CapEx to OpEx
• Reduced data center capital expenses
• Reduced data center operational expenses
• Reduced disaster recovery risk
• Transparency of compute resources used/cost
• Infrastructure peak load avoidance
• Increased control and automation
• Enhanced interoperability
JGS
Unmanaged Shared Responsibility Model
Learning Objective: 3
Diagram with two columns: Your Responsibility and Cloud Provider Responsibility. Layers shown: Customer Data; Platform & Application Management; Operating System & Network Configuration at Rest; Client-side Data Encryption & Data Integrity Authentication; Server-side Encryption Provided by the Platform; Network Traffic Protection Provided by the Platform; Protection of Data in Transit; Protection of Data at Rest; Identity & Access Management (IAM); Endpoints; Foundation Services (Compute, Storage, Database, Networking); Global Infrastructure (Regions, Availability Zones, Edge Locations). Optional – Opaque Data OS and 1S (in transit / at rest).
JGS
Managed Shared Responsibility Model
Learning Objective: 3
Diagram with two columns: Your Responsibility and Managed Cloud Provider Responsibility. Layers shown: Customer Data; Platform & Application Management; Operating System & Network Configuration at Rest; Client-side Data Encryption & Data Integrity Authentication; Server-side Encryption Provided by the Platform; Network Traffic Protection Provided by the Platform; Protection of Data in Transit; Protection of Data at Rest; Identity & Access Management (IAM); Endpoints; Foundation Services (Compute, Storage, Database, Networking); Global Infrastructure (Regions, Availability Zones, Edge Locations). Optional – Opaque Data OS and 1S (in transit / at rest).
JGS
Misconceptions About Moving to the Cloud
Learning Objective: 5
• Cloud is unattainable because my infrastructure costs have already been accrued
• I can’t transfer my software licenses to a third-party cloud provider
• I simply cannot move everything to the cloud
• Authentication systems are not yet equipped to traverse a hybrid cloud environment
• Workloads require extremely low latency and our bandwidth may not support demand
• Software versions are a little dated and don’t allow us to take advantage of new technologies
• Our systems are architected in a manner that does not take advantage of content delivery via a content delivery network
JGS
Cloud Security Benefits
Learning Objective: 5
• Security rigorously updated for regulatory compliance & cyber threats
• Security best practices are followed
• Security features, services and competency out of reach to most can be provided at attractive price points
• Security teams dedicated to helping customers: SAs, TAMs, consultants, trainers, auditors, security engineers, all up to date on the latest skills in security and compliance
• Integration of cloud security controls into existing control frameworks
• Regular third-party audit / verification of robust security & cyber threat operations
• Certifications, physical and network security, data privacy, encryption, auditability, and security best practices as part of the cloud solution
CB
Choosing a Healthcare Cloud Partner
Technical Expertise & Industry Depth
• Flexible and sophisticated network
• High level of engineering and deployment experience
• Speed and quality of execution
• Understand healthcare uptime requirements, regulatory requirements, data flows, and integration points
• Expert at safeguarding at each stage of the data lifecycle
Trust: Third Party Validation
• Flexible Risk Assessments
• HITRUST CSF Certification
• SSAE 16 (e.g., SOC 1, SOC 2, etc.)
Learning Objective: 5
CB
Our Healthcare Data is under Attack!
Health records breached since 2009: 101,000,000, of which 70% occurred in the first 8 months of 2015 alone.
Source: Data Motion Health
CB
Questions
Chris Bowen MBA, CISSP, CIPP/US, CIPT
Founder, Chief Privacy & Security Officer
Twitter: @chris_bowen
LinkedIn: https://www.linkedin.com/in/cbowen1
Gary Seay Former CIO, Community Health Systems
Principal, josephgseay, llc. Advisory Services