Protecting PHI in the Cloud
Session #47, February 20, 2017
Kurt J. Long, Founder & CEO, FairWarning, Inc.
Speaker Introduction
Kurt J. Long
Founder & CEO
FairWarning, Inc.
Conflict of Interest
Kurt J. Long has no real or apparent conflicts of interest to report.
Agenda
Risks to PHI in the Cloud
The Changing Landscape
Questions to Ask
Demand Security Transparency
Rights to Your Data
Q&A

Special thank you to John Houston at UPMC for allowing us to borrow from some of his presentation content.
Learning Objectives
Illustrate the risks to PHI in cloud and big data environments, including business associate breaches, unintentional disclosures, and insider threats.
Discuss real-world use cases of how healthcare and life sciences organizations are leveraging technology to ensure data protection and governance for their cloud and big data environments.
Describe the security, privacy and breach notification implications of Office of Civil Rights (OCR) Guidance on HIPAA & Cloud Computing.
Propose a multi-pronged plan for how healthcare and life sciences organizations can protect PHI and remain HIPAA compliant in cloud and big data applications.
An Introduction of How Benefits Were Realized for the Value of Health IT
E = Electronic Information/Data

The cloud and big data hold tremendous promise for healthcare and life sciences organizations and patients. From precision medicine to patient-centered care, there is the potential for better care, delivered faster, easier patient access, increased collaboration and ultimately improved outcomes. With so much potential, there is an emotional and financial fervor to rush into the cloud.

However, unless patient privacy and security are built into applications at the ground level, there is the ever-present risk of major data breaches from insiders and cyberattacks. Among the greatest threats to PHI in the cloud are business associate breaches, unintentional disclosures, and insider threats. And unlike EHRs, once your cloud data is breached you may never get your arms around it again.

Today, as healthcare providers adopt cloud applications, they have the opportunity to take patient privacy and data protection seriously from the beginning.
Goals
1. To appropriately protect your organization from risks associated with cloud-based services
2. Achieve parity with what you would expect of your own IT group (if the particular cloud service was run out of your Data Center)
The Changing Data Processing Landscape
83% of care providers are using cloud services (HIMSS Analytics)
A big data revolution is under way in health care, accelerating value and innovation (McKinsey & Company)
The Good
Improved collaboration
Increased agility
Reduced IT footprint, allowing IT to focus on value-added IT
Predictable operating expense
Improved security (in some cases)
The Bad & The Ugly
Decreased data integration
Reduced IT capability
Additional overall expense to the organization
Less security (in some cases)
Islands of data
Shadow IT
Questions
How do we best manage the move to the cloud?
How do we ensure appropriate security?
What happens when everything goes bad?
Reality
Not all cloud vendors are alike
A good-looking website does not equate to a mature product or adequate security
Small startups often have limited understanding of security
Functionality often trumps security
Demand Security Transparency
CSPs are often unwilling to provide any substantive information regarding information security
If provided, it will be limited to information related to the CSP's data center environment
Few (if any) commitments are made regarding incident response or notification
Demand Security Transparency
The CSP must commit to providing substantive information to verify that the cloud app is secure, including such things as:
Code-level reviews
Penetration testing
Periodic patching policies
Account management
These must be done on a regular basis by an independent party
Demand Security Transparency
The CSP must demonstrate adoption of / compliance with some type of relevant information security framework, such as:
SOC 2 Type 2
HITRUST CSF
ISO/IEC 27002:2013
Demand Security Transparency
The CSP must be able to provide substantive information (and commitments) regarding how it is prepared to respond to security events:
Customer notification
Information sharing
Audit rights
Access to staff
Demand Security Transparency
As appropriate, the CSP should integrate into your security tools, such as:
Security Information and Event Management (SIEM)
Identity Management (IDM)
Patient Privacy Intelligence (PPI)
Rights to Your Data
CSPs will often attempt to secure rights to your data
Such rights are often broad, allowing the CSP to use (and possibly sell) your data for unrelated purposes
Even if de-identified, data still has enormous commercial value (and could potentially disadvantage your organization in the market)
Rights to Your Data
At the end of the "relationship", make sure that you get a copy of your data in a mutually agreed-upon electronic format
Questions
Kurt J. Long
Founder & CEO
FairWarning, Inc.
www.fairwarning.com