Protecting PHI in the Cloud. Session #47, February 20, 2017 Kurt J. Long, Founder & CEO, FairWarning, Inc.


Speaker Introduction
Kurt J. Long, Founder & CEO, FairWarning, Inc.

Conflict of Interest
Kurt J. Long has no real or apparent conflicts of interest to report.

Agenda
- Risks to PHI in the Cloud
- The Changing Landscape
- Questions to Ask
- Demand Security Transparency
- Rights to Your Data
- Q&A
Special thank you to John Houston at UPMC for allowing us to borrow from some of his presentation content.

Learning Objectives
- Illustrate the risks to PHI in cloud and big data environments, including business associate breaches, unintentional disclosures, and insider threats.
- Discuss real-world use cases of how healthcare and life sciences organizations are leveraging technology to ensure data protection and governance for their cloud and big data environments.
- Describe the security, privacy and breach notification implications of the Office for Civil Rights (OCR) Guidance on HIPAA & Cloud Computing.
- Propose a multi-pronged plan for how healthcare and life sciences organizations can protect PHI and remain HIPAA compliant in cloud and big data applications.

An Introduction of How Benefits Were Realized for the Value of Health IT
E = Electronic Information/Data
The cloud and big data hold tremendous promise for healthcare and life sciences organizations and patients. From precision medicine to patient-centered care, there is the potential for better care, delivered faster, easier patient access, increased collaboration and ultimately improved outcomes. With so much potential, there is an emotional and financial fervor to rush into the cloud. However, unless patient privacy and security are built into applications at the ground level, there is the ever-present risk of major data breaches from insiders and cyberattacks. Among the greatest threats to PHI in the cloud are business associate breaches, unintentional disclosures, and insider threats. And unlike EHRs, once your cloud data is breached you may never get your arms around it again. Today, as healthcare providers adopt cloud applications, they have the opportunity to take patient privacy and data protection seriously from the beginning.

Goals
1. To appropriately protect your organization from risks associated with cloud-based services
2. To achieve parity with what you would expect of your own IT group (if the particular cloud service were run out of your data center)

The Changing Data Processing Landscape
- 83% of care providers are using cloud services (HIMSS Analytics)
- "BIG Data revolution is under way in health care, accelerating value and innovation" (McKinsey & Company)

The Good
- Improved collaboration
- Increased agility
- Reduced IT footprint, allowing IT to focus on value-added IT
- Predictable operating expense
- Improved security (in some cases)

The Bad & The Ugly
- Decreased data integration
- Reduced IT capability
- Additional overall expense to the organization
- Less security (in some cases)
- Islands of data
- Shadow IT

Questions
- How do we best manage the move to the cloud?
- How do we ensure appropriate security?
- What happens when everything goes bad?

Reality
- Not all cloud vendors are alike
- A good-looking website does not equate to a mature product or adequate security
- Small startups often have limited understanding of security
- Functionality often trumps security

Demand Security Transparency
- CSPs are often unwilling to provide any substantive information regarding information security
- If information is provided, it is usually limited to the CSP's data center environment
- Few (if any) commitments are made regarding incident response or notification

Demand Security Transparency
The CSP must commit to providing substantive information to verify that the cloud app is secure, including such things as:
- Code-level reviews
- Penetration testing
- Periodic patching policies
- Account management
These must be done on a regular basis by an independent party.

Demand Security Transparency
The CSP must demonstrate adoption of / compliance with some type of relevant information security framework, such as:
- SOC 2 Type 2
- HITRUST CSF
- ISO/IEC 27002:2013

Demand Security Transparency
The CSP must be able to provide substantive information (and commitments) regarding how it is prepared to respond to security events:
- Customer notification
- Information sharing
- Audit rights
- Access to staff

Demand Security Transparency
As appropriate, the CSP should integrate into your security tools, such as:
- Security Information and Event Management (SIEM)
- Identity Management (IDM)
- Patient Privacy Intelligence (PPI)

Rights to Your Data
- CSPs will often attempt to secure rights to your data
- Such rights are often broad, allowing the CSP to use (and possibly sell) your data for unrelated purposes
- Even if de-identified, data still has enormous commercial value (and could potentially disadvantage your organization in the market)

Rights to Your Data
At the end of the "relationship", make sure that you get a copy of your data in a mutually agreed electronic format.

A Summary of How Benefits Were Realized for the Value of Health IT
E = Electronic Information/Data
The cloud and big data hold tremendous promise for healthcare and life sciences organizations and patients. From precision medicine to patient-centered care, there is the potential for better care, delivered faster, easier patient access, increased collaboration and ultimately improved outcomes. With so much potential, there is an emotional and financial fervor to rush into the cloud. However, unless patient privacy and security are built into applications at the ground level, there is the ever-present risk of major data breaches from insiders and cyberattacks. Among the greatest threats to PHI in the cloud are business associate breaches, unintentional disclosures, and insider threats. And unlike EHRs, once your cloud data is breached you may never get your arms around it again. Today, as healthcare providers adopt cloud applications, they have the opportunity to take patient privacy and data protection seriously from the beginning.

Questions
Kurt J. Long, Founder & CEO, FairWarning, Inc.
www.fairwarning.com