HIMSS 2011: Securing Health Information in the Cloud -- Feisal Nanji
TRANSCRIPT
SECURING HEALTH INFORMATION IN THE CLOUD
Feisal Nanji, Executive Director, Techumen

Conflict of Interest Disclosure
Feisal Nanji, MPP, CISSP
• Has no real or apparent conflicts of interest to report.

LEARNING OBJECTIVES
• Describe the advantages of Cloud computing for Health Providers
• Identify the major concerns of securing health information in the cloud
• Recognize the key steps to overcoming health information security and privacy issues in the cloud
• Define a suitable audit and compliance process to ensure security and privacy in the cloud

WHAT SHOULD YOU TAKE AWAY?
1. Level set – Core technology for cloud computing
2. Cloud computing -- variants
3. What are the key compliance / security concerns of the cloud?
4. How should we manage security in the cloud?

CORE TECHNOLOGY
• Fast networks
• Web enabled eco-system
• The “Virtual Machine”

VIRTUALIZATION CONCERNS…
• Increases complexity
• Strains infrastructure
• Can cause large-scale failure
• Requires special maintenance

THIS ALLOWS…
• Computing capability on demand
• Resource pooling – storage, CPU
• Rapid deployment and scaling of IT services
• Easy measurement of what’s been used

LEADING TO CLOUD VARIANTS…
• Infrastructure as a service (IaaS)
• Platform as a service (PaaS)
• Software as a service (SaaS)

Infrastructure as a Service (IaaS)
Layers of the stack the provider delivers, top to bottom:
• APPLICATION PROGRAMMING INTERFACES
• VIRTUALIZATION AND CORE CONNECTIVITY
• HARDWARE AND DATA CENTER FACILITIES

Platform as a Service (PaaS)
Layers of the stack the provider delivers, top to bottom:
• APPLICATION PROGRAMMING INTERFACES
• INTEGRATION AND MIDDLEWARE
• VIRTUALIZATION AND CORE CONNECTIVITY
• HARDWARE AND DATA CENTER FACILITIES

Software as a Service (SaaS)
Layers of the stack the provider delivers, top to bottom:
• PRESENTATION
• APPLICATIONS
• DATA AND CONTENT
• APPLICATION PROGRAMMING INTERFACES
• INTEGRATION AND MIDDLEWARE
• VIRTUALIZATION AND CORE CONNECTIVITY
• HARDWARE AND DATA CENTER FACILITIES

CLOUD: A SUMMARY

| Dimension | Elements |
| --- | --- |
| Essential Characteristics | (on-demand capability, resource pooling, rapid scaling, measured use, as listed on the THIS ALLOWS slide) |
| Service Models | Software as a Service (SaaS), Platform as a Service (PaaS), Infrastructure as a Service (IaaS) |
| Deployment Models | Public, Private, Hybrid, Community |

CLOUD – HELPING HEALTH CARE…
• Providers, EMR vendors, Health Plans, Government, HIE etc.
• Cheaper and faster
• Better compliance (security)???

TRADITIONAL DATA CENTER SECURITY APPROACHES…
• Physical configuration management governs deployment and control implementation --- standards for specification, configuration, and operation
• Physical control as the ultimate breakwater for logical access control to platforms and applications
• Enterprise policies and organization for separation of duties and control
• Patch testing and patch management … physical-platform-by-physical-platform
• Data and applications are wherever the machine is, and networks are between machines

BUT AS “PHYSICAL” VISIBILITY IS LOST…
• Where is the data?
• Who can see the data?
• Who has seen the data?
• Has data been tampered?
• Where is processing performed?
• How is processing configured?
• Does backup happen? How? Where?
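Two of the questions on this slide, "Has data been tampered?" and "Who has seen the data?", can be answered technically even when the storage and the hosts are no longer under physical control. The following is an added example, not code from the deck or from Techumen: each stored record carries an HMAC tag computed under a key the covered entity (not the cloud operator) holds, and every read is appended to a hash-chained access log, so an edited record or a deleted log entry is detectable. The key, record identifiers and actor names are constructed sample values.

```python
"""Tamper-evident records and a hash-chained access log (added example).

  * "Has data been tampered?"  -> HMAC-SHA256 tag under a customer-held key
  * "Who has seen the data?"   -> append-only log where each entry commits
                                  to the hash of the previous entry
"""
import hashlib
import hmac
import json

# Constructed sample key. In practice this lives in a KMS/HSM under the
# covered entity's control, never alongside the data in the cloud store.
INTEGRITY_KEY = b"example-key-do-not-use-in-production"


def canonical(record: dict) -> bytes:
    """Stable byte encoding so the tag does not depend on dict ordering."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def seal(record: dict, key: bytes = INTEGRITY_KEY) -> dict:
    """Return the record wrapped with an HMAC-SHA256 tag."""
    tag = hmac.new(key, canonical(record), hashlib.sha256).hexdigest()
    return {"record": record, "tag": tag}


def verify(sealed: dict, key: bytes = INTEGRITY_KEY) -> bool:
    """True if the record still matches its tag (constant-time compare)."""
    expected = hmac.new(key, canonical(sealed["record"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, sealed["tag"])


class AccessLog:
    """Append-only, hash-chained log of who touched which record."""

    GENESIS = "0" * 64

    def __init__(self):
        self.entries = []
        self._prev = self.GENESIS

    def append(self, actor: str, record_id: str, action: str) -> None:
        entry = {"actor": actor, "record_id": record_id, "action": action, "prev": self._prev}
        entry["hash"] = hashlib.sha256(canonical(entry)).hexdigest()
        self.entries.append(entry)
        self._prev = entry["hash"]

    def verify_chain(self) -> bool:
        """Recompute every link; any edited, reordered or removed entry breaks it."""
        prev = self.GENESIS
        for entry in self.entries:
            body = {k: v for k, v in entry.items() if k != "hash"}
            if entry["prev"] != prev or hashlib.sha256(canonical(body)).hexdigest() != entry["hash"]:
                return False
            prev = entry["hash"]
        return True

    def readers_of(self, record_id: str) -> list:
        """Answer 'who has seen the data?' for one record."""
        return sorted({e["actor"] for e in self.entries
                       if e["record_id"] == record_id and e["action"] == "read"})


def demo() -> dict:
    """Seal a record, log some reads, then simulate a silent edit and a log deletion."""
    # Constructed sample record; no real patient data.
    sealed = seal({"mrn": "000123", "dx": "J45.909", "note": "follow-up in 2 weeks"})
    log = AccessLog()
    log.append("dr.alice", "000123", "read")
    log.append("nurse.bob", "000123", "read")
    log.append("dr.alice", "000123", "read")
    results = {"intact": verify(sealed), "chain_ok": log.verify_chain(),
               "readers": log.readers_of("000123")}
    # Storage-side edit of the diagnosis: the tag no longer matches.
    tampered = {"record": dict(sealed["record"], dx="Z00.00"), "tag": sealed["tag"]}
    results["tampered_detected"] = not verify(tampered)
    # Removing the middle log entry breaks the link the next entry commits to.
    del log.entries[1]
    results["log_edit_detected"] = not log.verify_chain()
    return results


if __name__ == "__main__":
    print(demo())
```

One caveat the chain alone does not cover: truncating the log by dropping its newest entries still verifies, because nothing after them commits to their hash. Detecting that requires anchoring the latest entry hash somewhere the log writer cannot change, for example a periodic copy sent to the covered entity's own SIEM or a write-once store.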

AND COMPLIANCE -- IS NOT JUST SECURITY
1. HIPAA Security
2. Medical Fraud
3. e-Prescribing
4. Mental and behavioral health
5. Health Information Exchange
6. Health Quality reporting
7. Policy, Procedure Mgt.
8. Medical Research
9. Payment Card Industry (PCI)
10. FTC Red Flags Rule

HEALTH CARE COMPLIANCE AND THE CLOUD

(Diagram: Compliance, Information Security, Compliance Processes, Information Architecture)
Requires an interconnected strategy

ARE YOU CLOUD READY?
• Have you standardized most commonly repeated operating procedures?
• Have you fully automated deployment and management?
• Can you provide self-service access for users?
• Are your business units ready to share the same infrastructure?

MAJOR CLOUD COMPLIANCE ISSUES INCLUDE:
• Data ownership and control
  – Trust, consequences and chain of custody
  – Access and authentication
• Facilities and service provision
  – e.g. shared data centers / resources
• Administration
  – Policies, transparency, auditing

KEY CLOUD SECURITY CONCERNS
• Virtualization software (e.g., hypervisor) risk exposure
• Inability to determine location of data or processing
• Mobility among VMs contradicts control principles; boundaries become unreliable and blurred
• Limited visibility into host O/Ss and virtual network (to find vulnerabilities and assess/report configuration, patching)

LEAD TO VERY GRANULAR ISSUES:
• Security policies need to shift "up the stack" to match logical attributes
• Network Access control and Intrusion Prevention
• Root kit Detection
• Inter VM traffic analysis

KEY CONSIDERATIONS
• Move away from physical attributes for meeting compliance
• Application, Identity and Content awareness

CORE RECOMMENDATIONS
• Think of information security as a set of adaptive services integrated with compliance requirements and Information Architecture/Design
• Get security vendors to deliver their security controls in a virtualized form
• Express security policy across physical, virtualized and private cloud-computing environments
• Maintain separation of duties between security policy enforcement and IT operations
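The three preceding slides make one argument: once workloads move between hosts, policy keyed on physical attributes (which rack, which subnet) stops matching reality, so policy has to be expressed in terms of application, identity and content, and the same policy has to hold whether the workload sits on a physical server, a VM or a private-cloud instance. The following added example, not code from the deck or from Techumen, shows what such a policy looks like as a small default-deny decision function: the rules name roles, applications, data classifications and actions, while the placement of the workload is recorded for audit but never decides the outcome. Roles, application names and placement labels are constructed samples.

```python
"""Attribute-based access decision keyed on logical attributes (added example).

Policy rules refer to identity (role), application and content (data class);
where the request physically ran is kept in the audit line but is not a
policy input, so the same policy applies across physical, virtual and
private-cloud placements.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Request:
    """One access request described by logical attributes."""
    subject_role: str   # identity: role asserted by the identity provider
    application: str    # application: which system is making the call
    data_class: str     # content: classification of the data touched
    action: str         # "read" or "write"
    placement: str      # where the workload runs; logged, not trusted
    mfa: bool = False   # whether strong authentication was performed


@dataclass(frozen=True)
class Rule:
    """A policy rule; every field is a logical attribute, none is a host or subnet."""
    name: str
    roles: frozenset
    applications: frozenset
    data_classes: frozenset
    actions: frozenset
    require_mfa: bool = False


# Constructed sample policy (hypothetical role and application names).
POLICY = [
    Rule("clinician-read-phi", frozenset({"physician", "nurse"}),
         frozenset({"ehr"}), frozenset({"PHI"}), frozenset({"read"})),
    Rule("clinician-write-phi", frozenset({"physician"}),
         frozenset({"ehr"}), frozenset({"PHI"}), frozenset({"write"}), require_mfa=True),
    Rule("analytics-deidentified", frozenset({"analyst"}),
         frozenset({"reporting"}), frozenset({"DEIDENTIFIED"}), frozenset({"read"})),
]


def decide(req: Request, policy=POLICY) -> tuple:
    """First matching rule wins; anything unmatched is denied (default deny)."""
    for rule in policy:
        if (req.subject_role in rule.roles
                and req.application in rule.applications
                and req.data_class in rule.data_classes
                and req.action in rule.actions):
            if rule.require_mfa and not req.mfa:
                return ("deny", f"{rule.name}: MFA required")
            return ("allow", rule.name)
    return ("deny", "default-deny")


def audit_line(req: Request, decision: tuple) -> str:
    """Placement is recorded so the trail still answers 'where was processing?'."""
    return (f"{decision[0]} rule={decision[1]} role={req.subject_role} "
            f"app={req.application} data={req.data_class} action={req.action} "
            f"placement={req.placement}")


def demo() -> dict:
    """The same logical request from three placements must get the same answer."""
    base = dict(subject_role="nurse", application="ehr", data_class="PHI", action="read")
    decisions = {p: decide(Request(placement=p, **base))
                 for p in ("physical-rack-12", "vm-esx-cluster-a", "private-cloud-az1")}
    # An analyst pointing the reporting tool at raw PHI matches no rule.
    analyst_phi = decide(Request("analyst", "reporting", "PHI", "read", "private-cloud-az1"))
    # A physician writing PHI is gated by the MFA condition, not by location.
    write_no_mfa = decide(Request("physician", "ehr", "PHI", "write", "vm-esx-cluster-a"))
    write_mfa = decide(Request("physician", "ehr", "PHI", "write", "vm-esx-cluster-a", mfa=True))
    return {"placements": decisions, "analyst_phi": analyst_phi,
            "write_no_mfa": write_no_mfa, "write_mfa": write_mfa}


if __name__ == "__main__":
    for placement, decision in demo()["placements"].items():
        print(audit_line(Request(placement=placement, subject_role="nurse", application="ehr",
                                 data_class="PHI", action="read"), decision))
```

Keeping the rules as data separate from the code that enforces them is also what makes the last recommendation practical: the team that owns POLICY (security) and the team that operates the hosts (IT operations) can be different people with different change rights, which is the separation of duties the slide asks for.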