CLOUD COMPUTING WHAT HEALTH CARE INTERNAL AUDITORS NEED TO KNOW GABRIELA MERINO DIRECTOR BUSINESS ADVISORY SERVICES

Similar documents
Cloud Computing, SaaS and Outsourcing

Cloud First Policy General Directorate of Governance and Operations Version April 2017

Cloud Computing Overview. The Business and Technology Impact. October 2013

Future Shifts in Enterprise Architecture Evolution. IPMA Marlyn Zelkowitz, SAP Industry Business Solutions May 22 nd, 2013

INTO THE CLOUD WHAT YOU NEED TO KNOW ABOUT ADOPTION AND ENSURING COMPLIANCE

CLOUD COMPUTING READINESS CHECKLIST

Best Practices in Securing a Multicloud World

Cloud Computing Standard 1.1 INTRODUCTION 2.1 PURPOSE. Effective Date: July 28, 2015

BRINGING CLARITY TO THE CLOUD

Data Security: Public Contracts and the Cloud

VMware vcloud Air Network Service Providers Ensure Smooth Cloud Deployment

Accelerate Your Enterprise Private Cloud Initiative

locuz.com SOC Services

SOC-2 Requirement Solution Brief. EventTracker 8815 Centre Park Drive, Columbia MD SOC-2

Cloud Computing An IT Paradigm Changer

Introduction To Cloud Computing

1-2-3 Webinar: Demystifying the Cloud

Building a Secure and Compliant Cloud Infrastructure. Ben Goodman Principal Strategist, Identity, Compliance and Security Novell, Inc.

WHITE PAPER. Title. Managed Services for SAS Technology

Shaping the Cloud for the Healthcare Industry

Cloud Computing: Making the Right Choice for Your Organization

Auditing the Cloud. Paul Engle CISA, CIA

INFS 214: Introduction to Computing

CORPORATE PERFORMANCE IMPROVEMENT DOES CLOUD MEAN THE PRIVATE DATA CENTER IS DEAD?

Cloud Computing. Presentation to AGA April 20, Mike Teller Steve Wilson

The New Enterprise Network In The Era Of The Cloud. Rohit Mehra Director, Enterprise Communications Infrastructure IDC

CONSIDERATIONS BEFORE MOVING TO THE CLOUD

Cloud Computing in the enterprise: Not if, but when and how?

Mitigating Risks with Cloud Computing Dan Reis

Protecting your data. EY s approach to data privacy and information security

hcloud Deployment Models

NATIONAL GUIDELINES ON CLOUD COMPUTING FOR GOVERNMENT, MINISTRIES, DEPARTMENTS AND AGENCIES

COMPTIA CLO-001 EXAM QUESTIONS & ANSWERS

IT Attestation in the Cloud Era

IT Enterprise Services. Capita Private Cloud. Cloud potential unleashed

Securing the cloud ISACA Korea. Han Ther, Lee CISA, CISM, CISSP, CRISC, ITILF, MCSA

Cloud Infrastructure and Operations Chapter 2B/8 Page Main concept from which Cloud Computing developed

Healthcare IT Modernization and the Adoption of Hybrid Cloud

CHEM-E Process Automation and Information Systems: Applications

CASE STUDY: USING THE HYBRID CLOUD TO INCREASE CORPORATE VALUE AND ADAPT TO COMPETITIVE WORLD TRENDS

AUTOTASK ENDPOINT BACKUP (AEB) SECURITY ARCHITECTURE GUIDE

How unified backup and cloud enable your digital transformation success

Security and Privacy Governance Program Guidelines

Service Provider Consulting

Deploying to the Cloud: A Case study on the Development of EHNAC s Cloud Enabled Accreditation Program (CEAP)

SIEMLESS THREAT DETECTION FOR AWS

Managing SaaS risks for cloud customers

CLOUD COMPUTING. A New Era of Business Opportunity. Matthew Maderios, CA Enterprise. IT Roadmap Conference & Expo San Jose, CA.

Intermedia s Private Cloud Exchange

In this unit we are going to look at cloud computing. Cloud computing, also known as 'on-demand computing', is a kind of Internet-based computing,

Case Study. Medical Information Records, LLC. Medical Software Company Relies on Azure to Improve Scalability, Cut Costs & Ensure Compliance

PREPARING FOR SOC CHANGES. AN ARMANINO WHITE PAPER By Liam Collins, Partner-In-Charge, SOC Audit Practice

Transform Your Business To An Open Hybrid Cloud Architecture. Presenter Name Title Date

Keys to a more secure data environment

Third Party Cloud Services Its Adoption in the New Age

Enabling Fast IT. In the IoE era. Alberto Degradi DCV Sales Leader. November 2014

Chapter. Securing the Cloud THE FOLLOWING COMPTIA SECURITY+ EXAM OBJECTIVES ARE COVERED IN THIS CHAPTER:

Introduction to Cloud Computing. [thoughtsoncloud.com] 1

ISACA Cincinnati Chapter March Meeting

Cloud Computing and Its Impact on Software Licensing

Google Cloud & the General Data Protection Regulation (GDPR)

THREE COLOCATION MYTHS HEALTHCARE PROVIDERS SHOULD LEAVE BEHIND. Exploring Security, Compliance, and Performance in Healthcare IT

A SERVICE ORGANIZATION S GUIDE SOC 1, 2, & 3 REPORTS

Fundamental Concepts and Models

How to avoid storms in the cloud. The Australian experience and global trends

How to ensure control and security when moving to SaaS/cloud applications

GET CLOUD EMPOWERED. SEE HOW THE CLOUD CAN TRANSFORM YOUR BUSINESS.

efax Corporate for Independent Agent Offices

The simplified guide to. HIPAA compliance

CHAPTER 2 BASICS OF CLOUD COMPUTING

Business Technology Briefing: Fear of Flying, And How You Can Overcome It

I D C T E C H N O L O G Y S P O T L I G H T. V i r t u a l and Cloud D a t a Center Management

"Charting the Course... Certified Information Systems Auditor (CISA) Course Summary

Cloud Strategies for Addressing IT Challenges

San Francisco Chapter. What an auditor needs to know

DEFINING SECURITY FOR TODAY S CLOUD ENVIRONMENTS. Security Without Compromise

Powering Transformation With Cisco

Driving Business Outcomes: Cisco Data Center Innovation and Solutions

Level 3 Certificate in Cloud Services (for the Level 3 Infrastructure Technician Apprenticeship) Cloud Services

Performing a Vendor Security Review TCTC 2017 FALL EVENT PRESENTER: KATIE MCINTOSH

TOP 7 REASONS to Migrate Your Data Center to the Cloud

GDPR Update and ENISA guidelines

12,000+ Associates. Worldwide. Worldwide. 36 Countries. Customer Base 230+ Infra Supported Data Centers. 300,000+ End Users.

Cloud Computing An IT Paradigm Changer

University of Pittsburgh Security Assessment Questionnaire (v1.7)

Information Technology Security Plan Policies, Controls, and Procedures Identify Governance ID.GV

How Hybrid Cloud Accelerates IT Transformation

Cyber Security in M&A. Joshua Stone, CIA, CFE, CISA

Five Key Considerations for Selecting Cloud Recovery Services

Choosing the Right Cloud. ebook

Everyday Security: Simple Solutions to Complex Security Problems

IBM Security Intelligence on Cloud

Global Headquarters: 5 Speen Street Framingham, MA USA P F

Government IT Modernization and the Adoption of Hybrid Cloud

Capgemini Dynamic Services

CLOUD COMPUTING. Lecture 4: Introductory lecture for cloud computing. By: Latifa ALrashed. Networks and Communication Department

Part III: Evaluating the Business Value of the Hybrid Cloud

Cloud Services. Infrastructure-as-a-Service

01.0 Policy Responsibilities and Oversight

10 Cloud Myths Demystified

Transcription:

1 CLOUD COMPUTING WHAT HEALTH CARE INTERNAL AUDITORS NEED TO KNOW GABRIELA MERINO DIRECTOR BUSINESS ADVISORY SERVICES AHIA 33 rd Annual Conference September 21-24, 2014 Austin, Texas www.ahia.org

Learning objectives 2 Identify the most common risk areas associated with cloud computing, and recommend methods to manage this risk Identify basic areas of a cloud computing internal audit plan Identify mechanisms to assess cloud computing vendors' HIPAA compliance

Agenda 3 Background Cloud Computing Overview Risks and Audit Strategies Summary Questions/Comments

4 Background Separating hype from reality what s new? In some respects, not that different from services that have been used by businesses for years ADP as a software-as-a-service (SaaS) New combinations of existing tools, some new technologies, and some very significant marketing It s Back to the Future From service bureaus to ASPs But it is here to stay Virtual resource allocation and real-time performance optimization yield significant benefits

5 Background Cloud computing a force Forrester: Cloud computing is a sustainable long-term paradigm and the successor to previous mainframe, client/server and network computing eras

6 Background Why the buzz? Cloud computing here to stay A flexible model for deploying technology Extremely reliable and infinitely scalable Strong cost/benefits and ease of ownership Allows you to expand or contract as business needs dictate Pay for only what you need at any given time and only for the duration you need it 83% of Healthcare organizations are using cloud-based apps today* *HIMMS Analytics Cloud survey

7 Overview History The term cloud originated as a metaphor to depict the public switched telephone system on network diagrams

8 Overview What is cloud computing? An alternative to mainframe and client-server technology The old: Fixed capacity requires investment in infrastructure beyond immediate/current needs The new: On-demand, at-scale access to software, infrastructure and development tools Computing processing, infrastructure, applications, etc. all delivered as a service wherever and whenever needed

9 Overview What is cloud computing? Architecture (can be hosted internally or by a third-party) External/Public Internal/Private Hybrid Service Types Infrastructure-as-a-Service (IaaS) Platform-as-a-Service (Paas) The big 3 Software-as-a-Service (SaaS) Desktop-as-a-Service (DaaS) Business Process-as-a-Service (BPaaS)

10 Overview Architecture - External/Public Shared computer resources provided by an off-site third-party provider Pay-per-use access to data, applications, infrastructure, etc. Examples Health Information Exchanges Electronic Health Record solutions (e.g., Practice Fusion) Productivity tools (e.g., email from Google or Microsoft)

11 Overview Architecture - Internal/Private Dedicated computer resources provided by an off-site thirdparty, or use of cloud technologies on a private internal network Internal clouds managed by in-house IT staff physical infrastructure and data stored/maintained on-site access via Internet or local network differs from LAN/WAN due to consolidated infrastructure and processing, along with virtual allocation of resources Examples: Productivity tools (e.g., Sharepoint, Exchange Webmail)

12 Overview Architecture - Hybrid Consisting of mixed-use multiple public/private clouds Integrates on-site IT infrastructure and internal cloud applications with third-party provider services Mission-critical processes maintained on-site Examples Outsourced payroll

13 Overview Infrastructure-as-a-Service Computer infrastructure delivered over the Internet (e.g., Amazon, Rackspace) Infrastructure Provided Data Center Processor Memory Storage Virtualized & Dynamic Redundant/Hardened

14 Overview Platform-as-a-Service Full or partial operating system/development environment delivered over the Internet, supporting online access and collaboration and access to a robust toolset (Amazon s Elastic Beanstalk, MS Azure, Google App Engine) Platform Provided Operating System Web Servers Database Servers Operational Services Virtualized Infrastructure

15 Overview Platform-as-a-Service Software applications delivered over the Internet (e.g., Salesforce, EHR, Medical Imaging solutions, etc.) Application CRM EHR Collaboration Platform Infrastructure

16 Overview Service model attributes Software-as-a-Service (SaaS) The consumer does not manage or control the underlying cloud infrastructure, platform, or even individual application capabilities, with the possible exception of limited user-specific application configuration settings Platform-as-a-Service (PaaS) Consumer has control over the deployed applications and possibly application hosting environment configurations Infrastructure-as-a-Service (IaaS) Consumer has control over operating systems, storage, deployed applications, and possibly select networking components (e.g., firewalls, load balancers)

17 Overview DaaS and BPaaS Desktop-as-a-Service Provides desktop virtualization for single user clients Allows access to an individual workstation, as well as its operating system and storage hardware, via the Internet Example: GoToMyPC Business Process-as-a-Service Similar to SaaS, but rather than applications, the cloud provider hosts specific business processes, such as employee benefits management, help desk, or procurement to multiple internal or external customers Example: Telegenisys and Wipro

18 Overview Cloud Computing - Economics

19 Overview Benefits Cost effective and higher utilization of resources Dynamic allocation as needed Dynamically de-provision when not needed (released back into a common pool for reallocation to others) Speed to deployment Enable faster delivery of applications and upgrades Rapid deployment of infrastructure, platform modifications, etc.

20 Overview Benefits Operating and capital cost reduction Pay-per-use model more accurately matching organizational need (reduced capital for future capacity) Lower energy use and facility costs Lower maintenance and personnel costs Performance Scalability to support growth or peak usage needs More efficient and effective system-wide deployment of applications Enhanced interoperability of disparate hardware/software

Overview 21 Benefits Improves: Data analytics capabilities Ability to share information / Mobility Flexibility and agility Focus on service Patient care

22 Risks and Audit Strategies In the news System failure at Sutter Health The nearly $1 billion electronic health record system at Sutter Health in Northern California failed early this week, leaving nurses and clinical staff unable to access any patient information for a full day." Healthcare IT News, August 28, 2013 Security breach at Community health Systems An outside group of hackers targeted Community Health Systems' computer network and stole 4.5 million individuals' nonmedical patient data, the company disclosed Monday in a regulatory filing. " Modern Healthcare, August 18, 2014

23 Risks and Audit Strategies Key risk areas Data security and controls -third party reliance, compounded by exposure to the Internet Regulatory dependence on knowledge of and compliance with industry specific requirements Multi-tenancy concern regarding co-mingling of and/or access to data Data location uncertainty regarding physical location of institutional assets Reliability availability of resources when needed Sustainability disaster recovery/business continuity

24 Risks and Audit Strategies Data security and controls risks The cloud provider s security policies and internal controls are not as strong as the institution s requirements Cloud systems which store institutional data are not updated or patched when necessary Security vulnerability assessments or penetration tests are not performed to ensure logical and physical security controls are in place The physical location of company data is not properly secured

25 Risks and Audit Strategies Data security and controls audit strategy Determine cloud provider s security and control practices Is a SOC available and are all control concerns addressed? Does contract contain a right to audit clause? Is there a SLA with minimum control standards specified? Determine if the cloud provider s security posture is based on a security standard (e.g., ISO27001, Cloud Security Alliance, PCI DSS, etc.) Determine if the cloud provider has had a security assessment performed

26 Risks and Audit Strategies Regulatory risks Does vendor comply with industry and legal standards (PCI, HIPAA, etc.)? Are state privacy laws upheld? Is data stored in international locations, thereby falling under foreign business or national laws/regulations?

27 Risks and Audit Strategies Regulatory audit strategy Inquire as to vendor s approach for compliance Check contract terms for inclusion of specific regulatory adherence Inquire as to practices regarding provider s approach to maintaining regulatory compliance if data resides in multiple locations Request attestation (e.g., SOC report) Request relevant Risk Analysis*

28 Risks and Audit Strategies Regulatory audit strategy Assess HIPAA compliance for cloud providers, considering that: There is no HIPAA audit standard. However, the Office of Civil Rights (OCR) released their audit protocol. SSAE 16 (SOC1) reports do not cover confidentiality and privacy Service Organization Controls (SOC) assurance reports SOC 2 or SOC 3 are more suitable to evaluate HIPAA compliance

Risks and Audit Strategies 29 Multi-tenancy risks Institutional data is not appropriately segregated on shared hardware, resulting in data being inappropriately accessed by third parties The cloud service provider has not deployed appropriate levels of software control to ensure data is appropriately segregated, both at rest and in transit

Risks and Audit Strategies 30 Multi-tenancy audit strategy Inquire as to the cloud service provider s method used to secure data from being accessed by other customers/third parties Review independent audit report(s) and/or exercise the institution s right-to-audit clause Gain access to cloud system(s) and perform limited auditing procedures from the institution s location

31 Risks and Audit Strategies Data location risks The institution does not know where their data is physically or virtually stored The institution is not aware of all of the cloud service provider s physical location(s) The cloud service provider moves data to another location without informing the institution If the institution chooses to migrate all or part of its system and/or data back in-house (or to another provider), the cloud service provider cannot (or will not) provide the data

32 Risks and Audit Strategies Data location audit strategy Inquire of the cloud provider the specific physical and virtual location of the institution s data Work with the your legal group to fully understand the impact and potential risks of data residing in a foreign country Determine if the contract provides for the institution to move data back in house and/or to another provider, and determine the specific procedures and associated costs needed to perform this task

33 Risks and Audit Strategies Reliability risks Are quality of service standards consistent with identified business requirements regarding availability? Will resources scale as expected during peaks? Concentration of resources potential single point of failure Vendor viability In the event the cloud service provider goes out of business, the institution might not be able to sustain operations or retrieve its data Another third party might gain access/control of the institution s data

34 Risks and Audit Strategies Reliability audit strategy Understand the cloud provider s approach to scale its systems to meet short-term spikes and long-term growth Compare SLA/contract specifications to actual performance Determine the times that the cloud provider performs system upgrades and/or patches to ensure data availability during peak business hours is not affected Determine means for gaining access to data in the event the cloud service provider goes out of business Review vendor financials

Risks and Audit Strategies 35 Sustainability risks The cloud service provider does not have appropriate system recovery procedures in place in the event of a disaster The institution s business continuity plan does not address the cloud s service offering being unavailable Institutional data is compromised as a result of a disaster

Risks and Audit Strategies 36 Sustainability audit strategy Inquire to determine if the cloud provider has adequate controls in place to protect and recover data in the event of a disaster Review the institution s business continuity plan and determine if the plan establishes standards for allowable downtime and addresses interruptions with the cloud solution in the event of a disaster Perform a service disruption test for appropriateness and timeliness of response

37 Summary Considerations Fundamentally, it s as much an outsourcing decision as it is a technology decision Alignment with short and long term IT strategy Business partner reliability, integrity, etc. Service level (uptime, recoverability, support, escalation) Confidentiality, privacy, security, compliance Standardization of services vs. customized fit Ability to unwind the relationship return or transfer Can t outsource your responsibility or your problems

38 Questions/Comments

Disclaimer 39 This Grant Thornton LLP presentation is not a comprehensive analysis of the subject matters covered and may include proposed guidance that is subject to change before it is issued in final form. All relevant facts and circumstances, including the pertinent authoritative literature, need to be considered to arrive at conclusions that comply with matters addressed in this presentation. The views and interpretations expressed in the presentation are those of the presenters and the presentation is not intended to provide accounting or other advice or guidance with respect to the matters covered. For additional information on matters covered in this presentation, contact your Grant Thornton LLP adviser.

Thank you for attending. Visit us online at: www.grantthornton.com twitter.com/grantthorntonus linkd.in/grantthorntonus

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback