
Page 1: Developing a Cloud Security Roadmap - HIMSS20 · • Perform penetration tests and vulnerability scans on server ecosystem • Server/OS hardened to standards • Backup/restore testing

Gary Seay Former CIO, Community Health Systems

Chris Bowen Founder, CPSO, ClearDATA

Developing a Cloud Security Roadmap March 2, 2016

Page 2

Conflict of Interest

Gary Seay

Has no real or apparent conflicts of interest to report.

Chris Bowen, MBA, CISSP, CIPP/US, CIPT

Has no real or apparent conflicts of interest to report.

Page 3

Agenda

• Healthcare Data Under Attack
  - Trends and Sources of Healthcare Data Breaches
• Security Roadmap Essentials
  - Defense in Depth
  - A Closer Look
  - Shared Responsibility Model
• Threat Diligence: On or Off Premise
• Conclusion

CB

Page 4

Learning Objectives

1. Evaluate primary causes of data breaches as they relate to current health system infrastructure
2. List major considerations for selecting a cloud computing vendor
3. Assess benefits of cloud platforms beyond security, including cost savings and data analytics
4. Recognize key layers of a “Defense in Depth” approach to healthcare data security

CB

Page 5

Our Healthcare Data is under Attack!

• 115,000,000 health records breached in 2015 alone, a 10x increase over 2014

CB

Source: CSO Online
http://www.csoonline.com/article/3026661/data-breach/over-113-million-health-records-breached-in-2015-up-10-fold-from-2014.html

Page 6

The Role of the Healthcare Network

[Diagram: a healthcare network connecting a Regional Medical Center, Physician Home Office, Secondary Care Hospital, Affiliate Office, Community Health Center, and Military/Prison Health. Links shown between sites: enterprise wireless, VoIP phones and conference phones, immersive telepresence, telemedicine, remote radiology, remote monitoring, mobile EMR access, SMB wireless, EMR integration, health collaboration, data exchange, and patient consent.]

Learning Objective: 1

CB

Page 7

The Role of HIT in the Patient Journey

[Diagram: the patient journey from injury, through ambulance transport and preliminary treatment at a local clinic, transfer to hospital, further tests (X-ray, EMR, patient consent), patient management and patient services, post-procedure care, and home monitoring. Health IT touchpoints along the way: patient record, patient monitoring, care collaboration, monitoring system, continuous monitoring, telemedicine, and medication management.]

Learning Objective: 1

CB

Page 8

The Data Security Imperative

• 91% of small North American healthcare practices have been breached.
• 70% aren’t confident that their budget meets risk management, compliance, and governance requirements.
• Six in ten security systems aren’t mature enough to detect or react to data breaches.

Learning Objective: 1

CB

Page 9

The Data Breach Epidemic

• 94% of providers have suffered at least one data breach in the last two years.
• Nearly 50% have experienced more than five data breaches.

Learning Objective: 1

CB

Page 10

Incident Patterns: Verizon’s Nefarious Nine

Source: Verizon 2015 Protected Health Information Data Breach Report

Learning Objective: 1

93% of PHI breaches exhibit one of nine incident patterns; just 3 patterns describe 85% of incidents.

Pattern                  Incidents
• Lost & Stolen Assets   807 (45.4%)
• Privilege Misuse       361 (20.3%)
• Miscellaneous Errors   357 (20.1%)
• Everything Else        119 (6.7%)
• Point of Sale           68 (3.8%)
• Web Applications        33 (1.9%)
• Crimeware               25 (1.4%)
• Cyber-Espionage          6 (0.3%)
• Card Skimmers            0 (0.0%)

CB

Page 11

Most Hackers Invest Limited Time

Cyber Attacks

Average Hacker Time Investment
• 70 hours per attack against "typical" IT security infrastructure
• 147 hours battling "excellent" IT security infrastructure
• Give up completely after 209 hours.

Average Return
• Less than $15,000 per attack
• Less than $29,000 per year on average

“If you can delay them by two days, you can deter 60 percent of attacks.”
Scott Simkin, senior threat intelligence manager at Palo Alto Networks

Source: CSO Online - Survey: Average successful hack nets less than $15,000
http://www.csoonline.com/article/3028787/cyber-attacks-espionage/survey-average-successful-hack-nets-less-than-15-000.html

Page 12

Security Roadmap Essentials

Learning Objective: 4

APPLYING DEFENSE IN DEPTH & BREADTH

DEFENSE IN DEPTH
• Multi-level Security: User, Process, Device
• Data & Application Security
• System Security
• Network Security: air-tight, properly configured
• Physical Infrastructure

DEFENSE IN BREADTH: Applied Across Each Use Case to Appropriate Level
• Reduce Attack Surfaces
• Deploy Crypto Keys
• Create Secure People, Processes & Systems

JGS

Page 13

Defense in Depth: Multi-level User

Learning Objective: 4

Cloud Service Provider
• Leverage CSP policies and procedures as extensions of your own
• Leverage RBAC tools
• Use CSP team for Segregation of Duties

Multi-Level User
• Regular security awareness training
• Cyclical policies and procedure review
• Convenient policies & procedures access
• Background checks
• On and Off boarding checklists
• Minimum Necessary, Role Based Access Controls (RBAC)
• Segregation of Duties
• Fair and equal sanctions
• Whistleblower hotline

JGS
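Minimum Necessary and Segregation of Duties are checks that can be run over an access model rather than left as policy statements. The script below is an added example, not part of the deck or of any ClearDATA tooling; the roles, permission strings, conflict pairs, job functions and users are a constructed, hypothetical data set. It computes each user's effective permissions from their roles, flags any pair of conflicting permissions that meet in one person, and lists permissions beyond what the person's job function needs.

```python
"""Role-based access review: minimum necessary and segregation of duties.

Added example, not from the original deck. Role names, permission strings,
job functions and users below are a constructed, hypothetical data set.
"""
from typing import Dict, FrozenSet, List, Set

# Role catalogue: each role maps to the permissions it grants (hypothetical).
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "clinician":       {"ehr:read", "ehr:write_note"},
    "billing":         {"claims:submit", "ehr:read_billing"},
    "claims_approver": {"claims:approve"},
    "sysadmin":        {"server:admin", "audit:read"},
    "audit_reviewer":  {"audit:read", "audit:sign_off"},
    "access_admin":    {"iam:grant"},
    "access_approver": {"iam:approve"},
}

# Segregation of duties: permission pairs that must never meet in one person.
SOD_CONFLICTS: Set[FrozenSet[str]] = {
    frozenset({"claims:submit", "claims:approve"}),  # cannot submit and approve own claims
    frozenset({"iam:grant", "iam:approve"}),          # access requester must differ from approver
    frozenset({"server:admin", "audit:sign_off"}),    # admins do not sign off audits of their own systems
}

# Minimum necessary: the permissions each job function actually needs.
JOB_NEEDS: Dict[str, Set[str]] = {
    "nurse":         {"ehr:read", "ehr:write_note"},
    "billing_clerk": {"claims:submit", "ehr:read_billing"},
    "it_admin":      {"server:admin"},
}

# Constructed user population (hypothetical).
USERS: Dict[str, Dict] = {
    "alice": {"job": "nurse",         "roles": {"clinician"}},
    "bob":   {"job": "billing_clerk", "roles": {"billing", "claims_approver"}},
    "carol": {"job": "it_admin",      "roles": {"sysadmin", "audit_reviewer"}},
    "dave":  {"job": "nurse",         "roles": {"clinician", "billing"}},
}


def effective_permissions(roles: Set[str]) -> Set[str]:
    """Union of everything the user's roles grant; unknown roles grant nothing."""
    perms: Set[str] = set()
    for role in roles:
        perms |= ROLE_PERMISSIONS.get(role, set())
    return perms


def sod_violations(perms: Set[str]) -> List[List[str]]:
    """Conflict pairs that are fully present in one person's permission set."""
    return sorted(sorted(pair) for pair in SOD_CONFLICTS if pair <= perms)


def excess_permissions(job: str, perms: Set[str]) -> List[str]:
    """Permissions beyond what the job function needs (minimum-necessary check)."""
    return sorted(perms - JOB_NEEDS.get(job, set()))


def review_users(users: Dict[str, Dict]) -> Dict[str, Dict[str, list]]:
    """Per-user findings: SoD conflicts and excess permissions."""
    report: Dict[str, Dict[str, list]] = {}
    for name, info in users.items():
        perms = effective_permissions(info["roles"])
        report[name] = {
            "sod": sod_violations(perms),
            "excess": excess_permissions(info["job"], perms),
        }
    return report


if __name__ == "__main__":
    for user, findings in review_users(USERS).items():
        flag = "OK " if not (findings["sod"] or findings["excess"]) else "!! "
        print(f"{flag}{user}: sod={findings['sod']} excess={findings['excess']}")
```

Run against the sample set, alice is clean, bob holds both sides of the claims workflow, carol can administer servers and sign off on their audit, and dave keeps a billing role his job does not need. Feeding real role and user exports into the same two checks is the on/off-boarding review the slide asks for.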

Page 14

Defense in Depth: Device & Workstation

Learning Objective: 4

Cloud Service Provider
• Leverage Anti Virus / Malware
• Leverage Content Filters
• Leverage password expiration & support policies
• Leverage remote wipe features
• Prohibit storing PHI on devices or workstations leveraging controls

Device & Workstation
• Screen lock (15 minutes)
• One user, one account
• Anti-virus, anti-malware
• Appropriate use of network resources (questionable sites, prevent drive-by downloads)
• Keep credentials secure and fresh
• Enable remote-wipe
• Prohibit PHI storage on device or workstation

JGS

Page 15

Defense in Depth: Physical Infrastructure

Learning Objective: 4

Cloud Service Provider
• Keep your data in a secure physical facility at no extra cost to you
• Use physical access controls: gates, guards, biometric two-factor authentication, surveillance
• CSP can be your hands on the ground - no need to access the data center

Physical Infrastructure
• Access controls
• Surveillance
• Workstation timeouts
• Appropriate use of locks for sensitive areas
• Limited entry points
• Physical barriers

JGS

Page 16

Defense in Depth: Network

Learning Objective: 4

Cloud Service Provider
• Leverage IDS / IPS
• Reduce inventory of firewalls, VPNs, and other network assets
• Leverage SIEM for your own use
• Let CSP analyze logs for you
• Let CSP manage your port restrictions and regular port reviews
• Let CSP detect and alert you of anomalous activity

Network Security
• Formal network and acceptable use policy
• Active network asset inventory:
  - Firewalls, VPNs, IPS/IDS, Content Security, Wireless Access Points, Identity Management
• Know your data, and its logical flows
• Lock down traffic that could touch PHI
• Review settings regularly
• Visualize network activity
• Implement a SIEM
• Manage logs effectively

JGS

Page 17

Defense in Depth: System Server / OS

Learning Objective: 4

Cloud Service Provider
• Leverage hardening templates of your CSP
• Let your CSP do patching for you
• Leverage your CSP’s tools for backup/restore testing
• Let your CSP collect audit artifacts required for compliance and investigation

System Server / OS
• Understand server relationships to sensitive data
• Maintain up-to-date vendor software versions/patches
• Perform penetration tests and vulnerability scans on server ecosystem
• Server/OS hardened to standards
• Backup/restore testing regularly performed
• Logging enabled and preserved

JGS

Page 18

Defense in Depth: Data & Applications

Learning Objective: 4

Cloud Service Provider
• Leverage Web Application Firewalls from your CSP
• Let CSP help design your tier-based system
• Leverage security expertise of CSP to restrict traffic in secure zones
• Let CSP help you perform penetration testing
• Use CSP’s solution for vulnerability scanning
• Let CSP manage log preservation

Data & Applications
• Understand application relationship to sensitive data
• Maintain up-to-date software versions
• Ensure vendor provides support and patches
• Perform security and privacy reviews on applications
• Perform penetration tests and vulnerability scans on key applications
• Logs enabled and preserved

JGS

Page 19

Defense in Breadth: Reduce Attack Surfaces

Learning Objective: 4

Cloud Service Provider
• Automated port reviews and network traffic analysis
• Opinionated, purpose-built hardening templates
• Vulnerability management
• 24x7 security monitoring
• Automated policy enforcement

Reduce Attack Surfaces

General
• Secure the right boundary

Network Surface
• Close unnecessarily open ports
• Adopt white-list models to reduce port traffic
• Keep things simple - eliminate expired or unnecessary rules

Software Surface
• Build security into applications
• Reduce the amount of running code

Physical Surface
• Enforce strong authentication
• Laptop encryption

JGS
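The network-surface items above (close unnecessarily open ports, adopt a white-list model, eliminate expired rules) and the port-review items on the Network slide (Page 16: lock down traffic that could touch PHI, regular port reviews, review settings regularly) can be turned into an automated review of a firewall or security-group rule set. The script below is an added example, not code from the deck or from ClearDATA; the three tiers, the sample rules, the per-tier whitelist, the review date, the "overly broad" threshold and the severity labels are all constructed assumptions. It flags internet exposure outside the tier's approved public ports, rules past their re-approval date, sources outside the tier's whitelist (rated higher for the PHI tier), and rules that allow any protocol or a wide port range.

```python
"""Port/rule review for a security-group style rule set.

Added example, not from the original deck. The tiers, rules, whitelist,
review date and thresholds below are constructed and hypothetical.
"""
import ipaddress
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Rule:
    group: str                      # tier / security group the rule belongs to
    proto: str                      # "tcp", "udp" or "any"
    port_from: int
    port_to: int
    source: str                     # CIDR, or "sg:<group>" for a referenced group
    expires: Optional[date] = None  # review metadata: date the rule must be re-approved
    note: str = ""


# Whitelist model: the only sources each tier may accept. Anything else is a finding.
ALLOWED_SOURCES: Dict[str, Set[str]] = {
    "web": {"0.0.0.0/0"},   # public edge
    "app": {"sg:web"},      # only the web tier
    "db":  {"sg:app"},      # only the app tier; this tier holds PHI
}
PUBLIC_OK_PORTS: Dict[str, Set[int]] = {"web": {443}}  # ports allowed from the internet, per tier
PHI_GROUPS: Set[str] = {"db"}
BROAD_SPAN = 1024                   # a rule wider than this many ports is flagged as overly broad
REVIEW_DATE = date(2016, 3, 2)      # "today" for the expiry check (assumed)

# Constructed three-tier rule set (hypothetical).
SAMPLE_RULES: List[Rule] = [
    Rule("web", "tcp", 443, 443, "0.0.0.0/0", date(2026, 12, 31), "public HTTPS"),
    Rule("web", "tcp", 22, 22, "0.0.0.0/0", date(2015, 6, 30), "temporary vendor SSH"),
    Rule("app", "tcp", 8080, 8080, "sg:web", date(2026, 12, 31), "web -> app"),
    Rule("app", "any", 0, 65535, "10.0.0.0/8", None, "legacy allow-all from corp"),
    Rule("db", "tcp", 5432, 5432, "sg:app", date(2026, 12, 31), "app -> db"),
    Rule("db", "tcp", 5432, 5432, "203.0.113.0/24", date(2026, 12, 31), "analyst direct access"),
]

Finding = Tuple[str, Rule, str]  # (severity, rule, reason)


def is_internet(source: str) -> bool:
    """True for 0.0.0.0/0 or ::/0; group references are never 'the internet'."""
    if source.startswith("sg:"):
        return False
    return ipaddress.ip_network(source, strict=False).prefixlen == 0


def review_rules(rules: List[Rule], today: date) -> List[Finding]:
    """Internet exposure, expiry, whitelist membership and overly broad rules."""
    findings: List[Finding] = []
    for r in rules:
        span = r.port_to - r.port_from + 1
        if is_internet(r.source):
            exposed = set(range(r.port_from, r.port_to + 1)) - PUBLIC_OK_PORTS.get(r.group, set())
            if exposed:
                findings.append(("HIGH", r, f"internet-exposed port(s) {sorted(exposed)[:5]}"))
        if r.expires is not None and r.expires < today:
            findings.append(("MEDIUM", r, f"rule expired on {r.expires.isoformat()}"))
        if r.source not in ALLOWED_SOURCES.get(r.group, set()):
            severity = "HIGH" if r.group in PHI_GROUPS else "MEDIUM"
            findings.append((severity, r, "source not in tier whitelist"))
        if r.proto == "any" or span > BROAD_SPAN:
            findings.append(("MEDIUM", r, f"overly broad rule ({r.proto}, {span} ports)"))
    return findings


def count_by_severity(findings: List[Finding]) -> Dict[str, int]:
    counts: Dict[str, int] = {}
    for sev, _, _ in findings:
        counts[sev] = counts.get(sev, 0) + 1
    return counts


if __name__ == "__main__":
    results = review_rules(SAMPLE_RULES, REVIEW_DATE)
    for sev, rule, reason in results:
        print(f"[{sev}] {rule.group} {rule.proto} {rule.port_from}-{rule.port_to} "
              f"from {rule.source} ({rule.note}): {reason}")
    print(count_by_severity(results))
```

On the sample set the HTTPS, web-to-app and app-to-db rules pass; the vendor SSH rule is both internet-exposed and expired, the corporate allow-all fails the whitelist and is overly broad, and the analyst's direct path to the database tier is a HIGH whitelist finding because that tier holds PHI. Replace SAMPLE_RULES with an export of your real security groups and run it on every review cycle.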

Page 20

Defense in Breadth: People

Learning Objective: 4

Cloud Service Provider and People (the same controls apply on both sides)
• Security awareness training
• Social engineering drills
• Background checks
• Proper onboarding and offboarding
• Sanctions
• Workstation security

JGS

Page 21

Summary of Cloud Cost Factors

Learning Objective: 5

[Chart: five-year comparison (Year 1 through Year 5) of CAPEX with depreciation for self-provisioning versus OPEX for a cloud partner, where cost = fixed monthly fee + tax deduction.]

Direct Costs
• Server Hardware
• Network Hardware
• Hardware Maintenance
• Power and Cooling
• Data Center Space
• Personnel/Sophistication

Indirect Considerations
• Server economies of scale / pay as you grow
• Initial capital expenses or savings
• Move from CapEx to OpEx
• Reduced data center capital expenses
• Reduced data center operational expenses
• Reduced disaster recovery risk
• Transparency of compute resources used/cost
• Infrastructure peak load avoidance
• Increased control and automation
• Enhanced interoperability

JGS

Page 22

Unmanaged Shared Responsibility Model

Learning Objective: 3

[Diagram: the layers below divided between "Your Responsibility" and "Cloud Provider Responsibility".]

• Endpoints
• Foundation Services: Compute, Storage, Database, Networking
• Global Infrastructure: Regions, Availability Zones, Edge Locations
• Operating System & Network Configuration at Rest
• Platform & Application Management
• Network Traffic Protection Provided by the Platform: Protection of Data in Transit
• Server-side Encryption Provided by the Platform: Protection of Data at Rest
• Client-side Data Encryption & Data Integrity Authentication
• Customer Data
• Optional – Opaque Data: 0s and 1s (in transit / at rest)
• Identity & Access Management (IAM)

JGS

Page 23

Managed Shared Responsibility Model

Learning Objective: 3

[Diagram: the same layers divided between "Your Responsibility" and "Managed Cloud Provider Responsibility".]

• Endpoints
• Foundation Services: Compute, Storage, Database, Networking
• Global Infrastructure: Regions, Availability Zones, Edge Locations
• Operating System & Network Configuration at Rest
• Platform & Application Management
• Network Traffic Protection Provided by the Platform: Protection of Data in Transit
• Server-side Encryption Provided by the Platform: Protection of Data at Rest
• Client-side Data Encryption & Data Integrity Authentication
• Customer Data
• Identity & Access Management (IAM)
• Optional – Opaque Data: 0s and 1s (in transit / at rest)

JGS

Page 24

Misconceptions About Moving to the Cloud

• Cloud is unattainable because my infrastructure costs have already been accrued
• I can’t transfer my software licenses to a third party cloud provider
• I simply cannot move everything to the cloud
• Authentication systems are not yet equipped to traverse a hybrid cloud environment
• Workloads require extremely low latency and our bandwidth may not support demand
• Software versions are a little dated and don’t allow us to take advantage of new technologies
• Our systems are architected in a manner that does not take advantage of content delivery via a content delivery network

Learning Objective: 5

JGS

Page 25

Cloud Security Benefits

• Security rigorously updated for regulatory compliance & cyber threats
• Security best practices are followed
• Security features, services and competency out of reach to most can be provided at attractive price points
• Security teams dedicated to helping customers: SAs, TAMs, consultants, trainers, auditors, security engineers – all up to date on the latest skills in security and compliance
• Integration of cloud security controls into existing control frameworks
• Regular third-party audit / verification of robust security & cyber threat operations
• Certifications, physical and network security, data privacy, encryption, auditability, and security best practices as part of the cloud solution

Learning Objective: 5

CB

Page 26

Choosing a Healthcare Cloud Partner

Technical Expertise & Industry Depth

• Flexible and sophisticated network

• High level of engineering and deployment experience

• Speed and quality of execution

• Understand healthcare uptime requirements, regulatory requirements, data flows, and integration points

• Expert at safeguarding at each stage of the data lifecycle

TRUST

Third Party Validation

• Flexible Risk Assessments

• HITRUST CSF Certification

• SSAE 16 (e.g. SOC 1, SOC 2, etc.)

Learning Objective: 5

CB

Page 27

Our Healthcare Data is under Attack!

• 101,000,000 health records breached since 2009
• 70% occurred in the first 8 months of 2015 alone

Source: Data Motion Health

CB

Page 28

Questions

Chris Bowen MBA, CISSP, CIPP/US, CIPT

Founder, Chief Privacy & Security Officer

[email protected]

Twitter: @chris_bowen

LinkedIn: https://www.linkedin.com/in/cbowen1

Gary Seay Former CIO, Community Health Systems

Principal, josephgseay, llc. Advisory Services