SaaS Security in Healthcare: Can the Fox Guard the Hen House? Pros and Cons of an In-House Security Validation and a Third- Party SOC 2 Audit

Transcription

1 SaaS Security in Healthcare: Can the Fox Guard the Hen House? Pros and Cons of an In-House Security Validation and a Third- Party SOC 2 Audit Nick Lewis, Internet2 Dion Taylor, Univ. of Michigan Peter Hoven, ICE Health Systems Sean Sweeney, Univ. of Pittsburgh Paul Howell, Internet2

2 Introduction Peter Hoven

3 Collaboration Dental schools at University of Michigan, University of North Carolina and University of Pittsburgh Schools introduced Internet2 to the process Deep commitment from all parties to develop a new EHR management system Formed an advisory board to guide all aspects of the project

4 Project Goals Efficient Clinical Experience Supports Learning Robust Financial and Administrative Reports Embrace Standards to Support Research Collaboration and Communication Integrates Medical Records Uses Excellent and Current Software Engineering Practices

5 Emphasis on Security Collaboration emphasized security Many opinions around security audit process Customer agreement focused on: Long Term - ISO Certification Short Term - Cloud Control Matrix Michigan performed security review Pitt and UNC initially requested independent review UNC introduced the option of SOC2 as an accepted 3rd party audit solution

6 Nick Lewis

7 What is Internet2 NET+ Services all about? A partnership to provide a portfolio of solutions for Internet2 member organizations that are cost-effective, easy to access, simple to administer, and tailored to the unique, shared needs of the community: Define a new generation of value-added services Leverage the Internet2 R&E Network and other services such as InCommon Drive down the costs of provisioning/consuming services Provide a strategic partnership with service providers (new service offerings). Leverage community scale for better pricing and terms Develop solutions that meet performance, usability, and security requirements Provide a single point of contracting and provisioning

8 Requirements of Service Providers Identified Sponsor: CIO or other senior executive from a member institution Membership in Internet2 and InCommon Federation Adoption of InCommon-Shibboleth/SAML2.0 and Connection of services to the R&E Network Completion of the Internet2 NET+ Cloud Control Matrix Commitment to: A formal Service Validation with 5-7 member institutions Enterprise wide offerings and best pricing at community scale Establishing a service advisory board for each service offering Community business terms (Internet2 NET+ Business and Customer agreements) Support the community s security, privacy, compliance and accessibility obligations Willingness to work with the Internet2 community to customize services to meet the unique needs of education and research

9 NET+ Service Validation Components Functional Assessment Review features and functionality Tune service for research and education community Technical Integration Network: determine optimal connection and optimize service to use the Internet2 R&E network Identity: InCommon integration Security and Compliance Security assessment: Cloud Controls Matrix FERPA, HIPAA, privacy, data handling Accessibility Business Legal: customized agreement using NET+ community contract templates Business model Define pricing and value proposition Deployment Documentation Use cases Support model

10 NET+ Security and Compliance NET+ template legal agreements include SOC2, ISO27001, and CCM Internet2 coordinates the Service Validation campuses on the security review of the service provider SP shares their security documentation with the campuses Request SP complete the Cloud Security Alliance Cloud Control Matrix for campuses to review if one wasn t provided Campuses determine what is necessary for security from the SP and sign-off at the completion of SV that their security (and the other) requirements are satisfied by the SP Campuses determine use cases and if the security will support the use cases

11 NET+ s Usage of the CSA CCM What is the Cloud Security Alliance Cloud Control Matrix (CCM)? How has the CCM evolved? What improvements were required for ICE Health? Now includes FERPA, HIPAA, ITAR, COPPA from NET+ contribution NET+ has started to use the CSA Consensus Assessment Initiative Questionnaire CCM has mappings to most laws, regulations, etc. now Ongoing oversight is a responsibility of the NET+ Service Advisory Board

12 Dion Taylor

13 What Was Done 2012/13: Agreement to use CCM March 2014: Visited ICE HQ in Calgary August 2014 October 2014: High Priority control list developed, expanded December 2014: Met with IIA to set control/report guidelines May 2015: Follow-up visit to ICE HQ September 2015: Met with IIA to solidify report contents & format October 2015: Report delivered to, and reviewed by, IIA November 2015: Report delivered to ICE

14 Question Selection November 2013: Entire CCM/CAIQ used March 2014: Entire CCM/CAIQ used April 2014: High Priority CCM/CAIQ items extracted August 2014: UM Compliance Questionnaire incorporated October 2014: NIST High Threat Potential families identified, incorporated Gap analysis performed to arrive at the final set of 150+ questions

15 M-IIA M-DENT Information Security IS Do you enforce and attest to tenant data separation when producing data in response to legal subpoenas? In progress Yes Yes M-IIA HIPAA Information Security Incident Response Metrics IS- 25 Mechanisms shall be put in place to monitor and quantify the types, volumes, and costs of information security incidents. IS Do you monitor and quantify the types, volumes, and impacts on all information security incidents? NIST SP R3 IR-4 NIST SP R3 IR-5 NIST SP R3 IR-8 Incident Handling Incident Monitoring Incident Response Plan No No Yes GAP M-IIA HIPAA Information Security IS Will you share statistical information security incident data with your tenants upon request? No No No M-IIA M-DENT Information Security Acceptable Use IS- 26 Policies and procedures shall be established for the acceptable use of informationassets. IS Do you provide documentation regarding how you may utilize or access tenant data and/or metadata? NIST SP R3 AC-8 System Use Notification In progress Yes Yes M-IIA M-DENT Information Security IS Do you collect or create metadata about tenant data usage through the use of inspection technologies (search engines, etc.)? Yes Yes Yes M-IIA M-DENT Information Security IS Do you allow tenants to opt- out of havingtheir data/metadata accessed via inspection technologies? Yes Yes Yes M-IIA M-IIA HIPAA HIPAA Information Asset Returns IS- 27 Employees, contractorsand third IS Are systems inplace tomonitor NIST SP R3 PS-4 Personnel Termination No No Yes GAP Security party usersmustreturn all assets for privacybreaches andnotify owned by the organization within a defined and tenants expeditiously if a privacy event may documentedtime frame once the employment, have impacted their data? contract or agreement has been terminated. Information Security IS Is your Privacy Policy aligned with industry standards? Yes Yes Yes GAP HTP Information Security Audit Tools Access IS- 29 Access to, and use of, audit tools that interact with the organizations information systems shall be appropriately segmented and restricted to prevent compromise and misuse of log data. IS Do you restrict, log, and monitor access to your information security management systems? (Ex. Hypervisors, firewalls, vulnerability scanners, network sniffers, APIs, etc.) NIST SP R3 AU-9 NIST SP R3 AU-11 NIST SP R3 AU- 14 Protection Of Audit Informaton Audit Record Retention Session Audit In progress In progress In progress Top 10 HTP Information Security Diagnostic / Configuration Ports Access IS- 30 User access to diagnostic and configuration ports IS shall be restricted to authorized individuals and applications. Do you utilize dedicated secure networks to provide management access to your cloud service infrastructure? NIST SP R3 CM-7 NIST SP R3 MA-3 NIST SP R3 MA-4 NIST SP R3 MA-5 Least Functionality Maintenance Tools Non-Local Maintenance Maintenance Personnel No No Yes Top 10 HTP HTP Information Network / IS- 31 Networkand infrastructureservice IS Do you collect capacity and NIST SP R3 SC-20 Secure Name/Address Resolution Service (Authoritative Source) In progress In progress In progress HTP Security Infrastructure level agreements (in-house or outsourced) utilizationdata for allrelevant components NIST SP R3 SC-21 NIST Secure Name/Address Resolution Service (Recursive/Caching Resolver) Arch & Provisioning for SP R3 SC-22 NIST SP Name/Address Resolution Svc Services shall clearly document security controls, of your cloud service offering? R3 SC-23 NIST SP R3 SC-24 Session Authenticity Fail In Known State capacity and M-IIA Information Security service levels, and business or customer requirements. IS Do you provide tenants with capacity planning and utilization reports? No No No M-DENT Information Security Portable / Mobile Devices IS- 32 Policies and procedures shall be established and IS measures implemented to strictly limit access to sensitive data from portable and mobile devices, such as laptops, cell phones, and personal digital assistants (PDAs), which are generally higher-risk than non- portable devices (e.g., desktop computers at the organization s facilities). Are Policies and procedures established and NIST SP R3 AC-17 NIST SP R3 AC-18 NIST SP measures implemented to strictly limit R3 AC-19 NIST SP R3 MP-2 access to sensitive data from portable and NIST SP R3 MP-4 NIST mobiledevices, such as laptops, cell phones, SP R3 MP-6 and personal digital assistants (PDAs), which are generally higher- risk than non- portable devices (e.g., desktop computers at the provider organization s facilities)? Remote Access Wireless Access Access Control for Mobile Devices Media Access Media Storage Media Sanitization In progress Yes In progress HTP Information Security Source Code Access Restriction IS- 33 Access to application, program or object source code shall IS be restricted to authorized personnel on a need to know basis. Records shall be maintained regarding the individual granted access, reason for access and version of source code exposed. Are controls in place to prevent unauthorized access to NIST SP R3 CM-5 NIST your application, programor object source SP R3 CM-6 code, and assure it is restricted to authorized personnel only? Access Restrictions for Change Configuration Settings In progress In progress Yes GAP Information Security IS Are controls in place to prevent unauthorized access to tenant application, program or object source code, and assure it is restricted to authorized personnel only? N/A N/A N/A

16 NIST SP Control Rankings

17 How Questions Were Assessed

18 How Questions Were Assessed What does the regulation/standard say? CCM CGID IS-19, Encryption Key Mgmt. Do you encrypt tenant data at rest (on disk/storage) within your environment? Do you leverage encryption to protect data and virtual machine images during transport across and between networks and hypervisor instances? HIPAA (SP800-66) (a)(2)(iv), (e)(1) ISO27002:2005 Clause 4.3.3, A , A , A NIST (SP800-53) SC-12, SC-13, SC-17, SC-28

19 How Questions Were Assessed, Cont. What does the regulation/standard say? CCM CGID IS-19, Encryption Key Mgmt. HIPAA (SP800-66) (a)(2)(iv) - Encryption and Decryption (A) (e)(1) - Transmission Security ISO27002:2005 Clause Control of Records A Information Handling Procedures NIST (SP800-53) SC-12 Cryptographic Key Establishment and Mgmt. SC-13 Cryptographic Protection AC-3 Access Enforcement

20 How Questions Were Assessed, Cont. What does the regulation/standard say? CCM CGID IS-19, Encryption Key Mgmt. NIST (SP800-53) SC-12 Cryptographic Key Establishment and Mgmt. The organization establishes and manages cryptographic keys for required cryptography employed within the information system.» SC-12(1): The organization maintains availability of information in the event of the loss of cryptographic keys by users. AC-3 Access Enforcement The information system enforces approved authorizations for logical access to the system in accordance with applicable policy.» access enforcement mechanisms (e.g., access controls lists, access control matrices, cryptography) Then compare the ICE response against these controls and determine what needs to be done to remediate.

21 Example of ICE Improvement CCM CGID IS-19, Encryption Key Mgmt. Do you encrypt tenant data at rest (on disk/storage) within your environment? November 2013: No response March 2014: No to both policies and procedures May 2015: Yes (AWS Securing Data at Rest with Encryption, Database Installation Procedure, etc.) Do you leverage encryption to protect data and virtual machine images during transport across and between networks and hypervisor instances? November 2013: No response March 2014: No to both policies and procedures May 2015: Yes (Network Diagrams, Data Interaction Diagram)

22 Assessment Team UM Information Assurance Office Sol Bermann, UM Privacy Officer, IA Risk Assessment team Developed U-M wide guidance, tools, and processes for service provider security-compliance assessments Remained engaged with U-M School of Dentistry, and other key stakeholders on progress and reporting Identified areas of IT security risk/controls emphasis Part of final review/approval UMHS Compliance Ben Havens, UMHS Information Security Compliance Director Ensured HIPAA-specific concerns were addressed

23 Assessment Team, Cont. UM Office of General Counsel Colleen McClorey, Associate General Counsel Managed all legal agreements Advised over the course of the assessment strategy UM Procurement Ted Eisenhut, Privacy Officer and IT Policy and Enterprise Continuity Strategist Facilitated major update to U-M Procurement policy that embedded security and compliance reviews as a part of the procurement process Collaborated with all U-M stakeholder to ensure all concerns were addressed as they relate to the purchasing process

24 Peter Hoven

25 Acronym Hell HIPAA/HITRUST CCM (1.4 or 3.01) PCI SOC2 Trust Principles NIST SP R3 ISO COBIT Michigan High Priority Items

26 Mappings Michigan mapped CCM to various standards and created High Priority Items KPMG PreAssessment mapped CCM to SOC2 Security Many differences CCM Cloud focus Virtualization Cloud Providers ICE relies on Amazon Attestation and Compliance

27 Go Forward Plan Michigan security review and remediation Holistic Security Risk Analysis Bake it in SOC 2 Type 1 and 2 ISO

28 Sean Sweeny

29 Third-Party Risk Assessment at Pitt Centrally administered and reviewed Required for all third-parties having access to University Data Embedded into University processes, including Purchasing, Office of General Council, IRB, etc.

30 Third-Party Risk Assessment at Pitt Self Assessment Questionnaire Maps to NIST CSF, FISMA, HIPAA/HITRUST, GLBA, PCI, and ISO Independent verification required for regulated data SOC 2, PCI Certification, ISO Certification

31 Review Process for ICE at Pitt Initial review and acceptance of Cloud Controls Matrix in lieu of normal procedure Version 1.3 Gap Assessment of ICE against the CCM Third-party audit Control testing required CCM vs SOC 2

32 Next Steps and Takeaways University of Michigan security review Working to understand methods Potential Reliance CCM detail + SOC 2 overview Best of both worlds for Pitt Model for EDU reliance?

33 Discussion Paul Howell