Clearing Away The Shadows: Cloud Privacy and Security for Research Data

Transcription

1 Clearing Away The Shadows: Cloud Privacy and Security for Research Data Melissa L. Markey Hall, Render, Killian, Heath & Lyman, PLLC 201 W Big Beaver Rd., Suite 1200 Troy MI mmarkey@hallrender.com

2 What is Cloud? Cloud computing is a model for enabling ubiquitous, convenient, on demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. NIST Special Publication

3 What is Cloud? On demand self service. Consumer managed Broad network access. Multiple types of assets Resource pooling. Multi tenancy Rapid elasticity. High flexibility Measured service. 3

4 What is Cloud? Service Models: Software as a Service (SaaS) Platform as a Service (PaaS) Infrastructure as a Service (IaaS) Security as a Service (SECaaS) 4

5 What is Subject to FDA Part 11? Records with GxP Data Quality Decision Records Records submitted to FDA Research Data Laboratory Data Animal Data Manufacturing Data SOPs QA Data Tracking Logs Batch Records Supplier Records Audit Reports Anything else that goes to FDA Consider Risk 5

6 Part 11 Closed System 21 CFR (a) Validation (b) Accurate and Complete Records (c) Protection of Records (d) Access Controls (e) Audit Trails (f) Operational System Checks (g) Authority Checks (Authentication of Authority) (h) Device Checks (i) Training (j) Written Policies (k) Controls over System Documentation 6

7 Part 11 Open System 21 CFR Controls and systems to ensure authenticity, integrity and confidentiality of the record Includes the items in 21 CFR PLUS: Encryption Appropriate digital signature standards to ensure integrity, authenticity, and confidentiality as appropriate Note that availability is not required! 7

8 Electronic Signatures 21 C.F.R. 50, 70, and Part 11 Subpart C Includes printed name, date, time and meaning of signature Subject to same controls as other electronic records Human readable on screen/print outs Linked to the relevant record in a manner that prevents removal, copying, transfer, falsification 8

9 Electronic Signatures 21 C.F.R. 50, 70, and Part 11 Subpart C Signer must be identity proofed by organization Signature must be unique and NOT SHARED Certification that electronic signature is equivalent to wet ink signature If not biometric, need 2 factors Batch signing no true batch signing permitted; can do rapid signing with 1 factor after first document uses 2 factor authentication Good computer credentials hygiene required 9

10 What is Cloud? Deployment Models Private Cloud Public Cloud Hybrid Community Cloud 10

11 Why Cloud? Cost No/Sharply Reduced Capital Expenditure Operating Expenditure Matches Need Speed Provisioning takes 15 minutes instead of 6 months Ease Get a server by going to a website Avoid internal approvals/barriers 11

12 Why Cloud? Scalability Permits upscaling to handle very large datasets Facilitates data sharing when appropriate Interoperability Most cloud environments are made to be application/os/hardware agnostic 12

13 Why Worry? There are some risks FDA Part 11/EMEA Annex 11 GMP Data Protection HIPAA Other compliance issues Trade secrets. 13

14 Why Worry? Business Risks Outages/Down Time Loss of Connection Breaches Data Portability Must be able to transfer data out if change provider/return to in house data solution Security is critical 14

15 Cloud Computing Diagram 15

16 What are the Risks? Confidentiality of Data At Rest: Within the software application Within the primary and secondary backup systems Including storage media Within mobile devices (smartphones, ipad). In Motion: Hardwired Wireless Mobile Devices 16

17 What are the Risks? Where is your data, and what law applies? Data rights and ownership What are operations/performance expectations? What are remedies for failures? What are backup, disaster recovery, restore expectations? Who is responsible for security? What about audits, pen tests, etc? 17

18 What are the Risks? Data Breach/Loss of Confidentiality Data Leaks Loss of Integrity Loss of Availability Hacktivism/Hijacking of Account Changes in business model/termination of vendor/transition of contract 18

19 Data Breach/Loss of Confidentiality Hackers Stole Account Details for Over 60 Million Dropbox Users (Aug. 30, 2016) Probably #1 concern of most customers In past 2 years, cloud vendors have had a good experience with respect to data breaches But they give you tools, you are responsible for using them properly 19

20 Data Breach/Loss of Confidentiality Strategy: Encryption User access controls and multifactor authentication Audit trails Training Set up a secure cloud image, with basic security policies applied and security tools configured Only that image can be used Segregate environments to the greatest extent possible Use least privileges; minimize user accounts 20

21 Basics of Encryption 21

22 Key, Key, Who Has the Key? Other alternatives Symmetric key: encrypt, then have master key that encrypts the symmetric key. The symmetric key is stored with the data, but cannot be used without being decrypted by the master key. Client side encryption: you encrypt the data and send it to the cloud vendor. Cloud vendor is essentially a dumb backup only. Server side encryption 22

23 Key, Key, Who Has the Key? Server side encryption Encrypts data at rest Typically cloud vendor has access to the key Uses symmetric data key hierarchy For some vendors, can provide your key to encrypt, and cloud vendor does not retain key Some vendors offer key management services, so customer does not have to keep track of their own keys 23

24 Key, Key, Who Has the Key? Control of the encryption key helps determine status as business associate for entities subject to HIPAA Allows audit trails of who encrypted/ decrypted data If you use customer provided keys, consider where the hardware necessary for key security management will be located This can grant complete control over keys 24

25 Data Leakage Often occurs due to insufficient user access and authentication controls Need to know where your data is, and where it is going Strategy: Who controls/enforces user access controls and authentication? Audit trails Monitor network activity 25

26 Integrity Loss of Integrity Corruption due to malware Errors in backup Failure of access control Configuration errors Strategy: Due diligence of vendor Can you have your own backup? Check your data integrity from time to time 26

27 Availability Not referenced in Part 11; part of integrity and an express concern under HIPAA Some unavailability is to be expected; the question is what is acceptable and based on mission criticality of data DDoS is a risk in cloud computing Physical security/disaster of data center or internet connections 27

28 Availability Configuration/pen testing/change management disruptions If your co tenant or vendor is raided, your servers may be affected Strategies Look at Continuous Integration/Continuous Delivery options Understand disaster recovery responsibilities Do you have a copy of your data? Consider a failover option 28

29 HIPAA OCR Guidance: Cloud Provider is a Business Associate Whether or not the data is encrypted Without regard to who holds the encryption key A cloud computing provider is not a conduit Therefore, the cloud provider must be subject to a Business Associate Agreement The cloud provider will also be directly subject to regulation 29

30 HIPAA OCR Guidance: Cloud Provider is a Business Associate Service Level Agreements should address, consistent with legal requirements: System availability and reliability Backup and data reliability Return of data to customer after termination Security responsibility Use, retention and disclosure limitations 30

31 HIPAA OCR Guidance: Cloud Provider is a Business Associate Cloud provider security vulnerabilities should be considered in the Covered Entity s risk assessment There needs to be a clear allocation of security responsibility between the cloud provider and the customer/covered Entity, and no gaps should exist If the CSP cannot access data, security requirements may be eased 31

32 FTC Federal Trade Commission is becoming very active in data privacy issues Recent Guidance: Entities that hold PHI may also hold consumer data and be subject to FTC jurisdiction There are jurisdictional limits Entities that are not subject to HIPAA need to be sensitive to FTC privacy requirements 32

33 EU: Network and Information Security Directive Came into effect August 2016 Enforceable May 2018 Requires each Member State to adopt a national strategy on the security of network and information systems Establishes security and incident notification requirements for operators of essential services and digital services providers Subordinate to sector specific laws 33

34 EU: Network and Information Security Directive Essential Services include: Energy companies Air, rail, water and road transport companies Banking and financial institutions Drinking water suppliers Healthcare providers Digital Infrastructure 34

35 EU: Network and Information Security Directive Operators of Essential Services must: take appropriate and proportional technical and administrative measures to control risk posed to network and data take appropriate measures to minimize the impact of security incidents notify the CSIRT or authority of incidents that have a significant impact on the continuity of the essential services provided 35

36 EU: Network and Information Security Directive Digital Services Providers Must identify and take appropriate and proportionate technical and organizational measures to manage the risks posed to the security of their network and information systems Take measures to prevent and minimize impact of security incidents Notify CSIRT or authority of incidents having a substantial impact on provision of services Includes cloud computing services 36

37 EU: Network and Information Security Directive Cloud computing services means services that allow access to a scalable and elastic pool of shareable computing resources [including] resources such as networks, servers or other infrastructure, storage, applications and services... The term scalable refers to computing resources that are flexibly allocated by the cloud service provider, irrespective of the geographical location of the resources, in order to handle fluctuations in demand 37

38 EU Impact As with the GDPR, the EU NIS Directive has potentially global impact If an entity is directing services to EU citizens, then purportedly the Directive applies to that entity, whether or not physically located in the EU Entity is required to have a registered agent in the EU 38

39 GDPR EU Impact Any cross border transfer must be supported by legal basis To a country with substantially equivalent privacy protections Not the US Privacy Shield Model Contract Clauses Binding Corporate Rules Consent Derogations 39

40 Major Security Risks Compromised Credentials and Failures of Authentication Use of weak passwords Failure to deactivate credentials for terminated employees Re use of passwords that are compromised in other hacks Failure to use 2 factor authentication Use of default passwords, or saving credentials in public facing locations 40

41 Major Security Risks Vulnerable Interfaces and APIs Often disregarded, but open to Internet and need to be secure Bugs and software vulnerabilities Shared memory and databases result in larger attack surfaces Hijacked accounts Phishing, spearphishing, and whaling May attack your account, or use your account to attack other accounts 41

42 Major Security Risks Malicious Insiders Current or former employee, contractor, cloud provider employee, business partner Motivation ranges from financial to emotional Strategies: Segregation of duties and audits are critical Monitor user access Audit access authorizations annually Look for exfiltration of data 42

43 Major Security Risks Advanced Persistent Threats May move laterally through a cloud environment to other customers Can t abdicate vigilance against APTs just because you are in the cloud Strategy: Require cloud provider to maintain security measures to monitor for APTs Monitor your data and audit logs 43

44 Data Breach Strategy: Major Security Risks Business Associate Agreement with indemnification Training Backup data Data Loss due to Error Strategy: Backup data Require use of standardized change control procedures 44

45 Major Security Risks Lack of Diligence in Selection/Contracting Due diligence before you select your cloud provider Security measures Physical, technological and administrative security measures Negotiate the contract Business Continuity/Disaster Recovery Location of data center Jurisdiction/Venue Require updated information each year Security, operational and other policies 45

46 Major Security Risks Lack of Diligence in Selection/Contracting Make sure to address transition away from cloud provider and transition of data When, in what format OCR guidance: It is a HIPAA breach for a business associate to attempt to withhold PHI from a Covered Entity in the event of a dispute or termination of an agreement 46

47 Ransomware Major Security Risks Malware that either locks computers, or encrypts data, preventing data owner s access until a ransom is paid Ransom typically demanded in bitcoins Some variants either increase ransom demand, or delete data, if ransom is not paid in time required Effort of several governments and Kaspersky Security called No More Ransom Project is starting to make inroads in decryption of some variants 47

48 Ransomware Strategy: Major Security Risks Encrypt data at rest and in transit Backup data Keep at least one backup off line Restore backups Keep systems patched Training Don t click on links Don t open suspicious/unexpected documents Use whitelisting 48

49 DDoS Major Security Risks Denial of Service/Distributed Denial of Service millions of requests for service tie up servers and prevent access to servers of legitimate requests On October 21, 2016, a DDoS attack using malware called Mirai established a botnet of Internet of Things devices, such as DVRs and connected cameras, and interrupted Internet connections for many companies This type of attack can disrupt cloud providers as well 49

50 DDoS Strategy Major Security Risks Redundant telecom connections from company to cloud provider Talk to your cloud provider about their plans for defense against DDoS Be prepared to go offline under the business continuity plan 50

51 Major Security Risks Hacktivism/Hijacking You may be a target, another co tenant may be a target, or the vendor may be a target of the hacktivist Your accounts could be hijacked Data could be deleted/modified Strategy Ensure patching is up to date Monitor network traffic Do you have a copy of your data? 51

52 In Summary Cloud computing can work, in healthcare and in research, but it requires: Diligence in selecting the cloud provider Careful negotiation of an appropriate contract that allocates responsibility and risk For a HIPAA Covered Entity, a BAA with the cloud provider (unless access to PHI is not required) Continuing oversight by the customer 52

53 Questions? Please contact: Melissa Markey, Esq