SlideShare a Scribd company logo

Secure Cloud Computing for the Health Enterprise

Joel Amoussou, profile picture
Joel Amoussou

Secure Cloud Computing for the Health Enterprise discusses securing healthcare applications in the cloud. It addresses the regulatory framework including HIPAA, security practices like access control and encryption, and security management standards. Auditing and compliance are also covered to ensure cloud providers meet regulatory requirements for healthcare data. Overall it provides guidance to healthcare enterprises on collaborating with cloud providers to securely deploy applications while protecting sensitive patient information.

Technology
Related topics:
Cloud Computing Insights
1 of 15
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
Secure Cloud Computing for the Health Enterprise By Joel Amoussou, CEO, Efasoft Inc.
Contents 1 Regulatory Framework 2 Cloud Security Practices 3 Security Management 4 Auditing & Compliance www.efasoft.com
Healthcare Apps in the Cloud Cloud Services: IaaS, SaaS, PaaS Cloud Services: IaaS, SaaS, PaaS CDSS EMR 5010 Analytics ICD10 www.efasoft.com
Drivers t en ym Pa ed as ity bil -B ala ge Sc sa e U siv Mas ty Elastici e nin g Tim ovisio $ r Q uick P Low Capital Costs www.efasoft.com
Regulatory Framework HIPAA HITECH Act – HIPAA Security Updates State and Federal Laws Meaningful Use Recommendations on Patient Consent www.efasoft.com
Impact of Regulations HITECH Act US Patriot Act •HIPAA applies to Cloud Service Providers (CSPs) and online PHR •Canada Health Infoway vendors as Business Associates??? certification requirements refer •Breach Notification to HIPAA •Accounting of disclosure •British Columbia and Nova Scotia prohibit storing patient •Marketing and sale of PHI data at providers (including CSPs) located in the US •Patient access and disclosure restrictions •Minimum data set www.efasoft.com
Tiger Team Recommendations Collection, Use and Disclosure Limitation: Third party service When the decision to disclose or organizations may not collect, use exchange the patient's identifiable or disclose personally identifiable health information from the health information for any provider's record is not in the purpose other than to provide the control of the provider or that services specified in the business provider's organized health care associate or service agreement arrangement ("OHCA"), patients with the data provider, and should be able to exercise necessary administrative meaningful consent to their functions, or as required by law. participation. www.efasoft.com
Addressing HIPAA in the Cloud Access Disaster Control Audit Backup Recovery •SSH Keys •Snapshot of block storage •Monitoring •No password-based volumes •Event logs to •Availability shell access secured •Encrypt and Zones dedicated Keep backups out (geographic •Strong Encryption of server of the cloud redundancy) data and filesystems •Backup log •Cloud storage is •Clustering •Private decryption files replicated across keys out of the cloud multiple •Replication •Security groups availability zones •Secure Transport www.efasoft.com
Security Issues in the Cloud 1 2 3 •Reassigned IP •CSP staff access to VM addresses instances and guest OS •Isolation in multitenancy •BGP Prefix Hijacking •Encryption not always possible while •OWASP Top 10 •DNS Attacks processing data in the cloud (as opposed to •Data Lineage •DoS and DDoS Attacks data at rest) •Data Provenance •Security groups not physically separated •Data Remanence (NIST 800-88) www.efasoft.com
Security Controls in the Cloud 1 1 Image hardening and patching 2 2 Host based IDS/IPS such as OSSEC 3 3 Health Monitoring & Security event logs 4 4 Effective Key Management (NIST 800-57) 5 5 Default deny-all mode, Host Firewall www.efasoft.com
Identity and Access Management (IAM) SPML Provisioning B SAML 2.0 A C XACML Identity Authorization Federation/SSO IAM WS-I Security E D Oauth Profile (SOA in Authentication the Cloud) across CSPs www.efasoft.com
Security Management Standards ITIL: IT Service Management ISO 17799: Code of Practice ISO 20000: Security Techniques Overview ISO 27001: Security Techniques Requirements ISO 27002: Code of Practice www.efasoft.com
Auditing & Compliance COBIT ISO 27001 SAS 70 GRC* ISO 27002 SysTrust WebTrust *Governance, Risk Management, and Compliance www.efasoft.com
Collaboration Health Enterprise Cloud Service Provider Understand responsibilities (who does Provide transparency into what about security?) security practices and policies. www.efasoft.com
www.efasoft.com joel@efasoft.com

More Related Content

PPS
Mii Oracle Biz Map 2009
Dira Sabrina
 
PDF
AnyConnect Secure Mobility
Cisco Canada
 
PDF
Cloud Security:Threats & Mitgations
IndicThreads
 
PDF
Topdanmark- Cisco
Cisco Case Studies
 
PPTX
PCI DSS v 3.0 and Oracle Security Mapping
Troy Kitch
 
PDF
OpSource Enterprise-Class Security
OpSource
 
PPTX
Protéger ses données, identités & appareils avec Windows 10
Microsoft Technet France
 
PDF
Bloombase Spitfire SOA Security Server Specifications
Bloombase
 
Mii Oracle Biz Map 2009
Dira Sabrina
 
AnyConnect Secure Mobility
Cisco Canada
 
Cloud Security:Threats & Mitgations
IndicThreads
 
Topdanmark- Cisco
Cisco Case Studies
 
PCI DSS v 3.0 and Oracle Security Mapping
Troy Kitch
 
OpSource Enterprise-Class Security
OpSource
 
Protéger ses données, identités & appareils avec Windows 10
Microsoft Technet France
 
Bloombase Spitfire SOA Security Server Specifications
Bloombase
 

What's hot (9)

PPT
Secure webl gate way
vfmindia
 
PPTX
Defending the Data Center: Managing Users from the Edge to the Application
Cisco Security
 
PPTX
From Physical to Virtual to Cloud
Cisco Security
 
PDF
ISA Server 2006 Administration
LearnItFirst.com
 
PPTX
Select your career path
MD. IFTEKARUL ALAM
 
PDF
Isa server 2006 guide
vmamar
 
PPTX
From Cisco ACS to ISE
Mahzad Zahedi
 
PDF
Cyberoam cr300i
puneet1990
 
PPTX
Security Avalanche
Michele Leroux Bustamante
 
Secure webl gate way
vfmindia
 
Defending the Data Center: Managing Users from the Edge to the Application
Cisco Security
 
From Physical to Virtual to Cloud
Cisco Security
 
ISA Server 2006 Administration
LearnItFirst.com
 
Select your career path
MD. IFTEKARUL ALAM
 
Isa server 2006 guide
vmamar
 
From Cisco ACS to ISE
Mahzad Zahedi
 
Cyberoam cr300i
puneet1990
 
Security Avalanche
Michele Leroux Bustamante
 
Ad

Similar to Secure Cloud Computing for the Health Enterprise (20)

PDF
Cloud Security - Made simple
Sameer Paradia
 
PDF
Cloud computing due diligence WTF?
Security BSides London
 
PPTX
17h30 aws enterprise_app_jvaria
Luiz Gustavo Santos
 
PDF
Cloud Security: Perception Vs. Reality
Internap
 
PPTX
What customers want the cloud to be - Jason Waxman GM at Intel, Cloud Slam 20...
Khazret Sapenov
 
PDF
Neupart Isaca April 2012
Lars Neupart
 
PPTX
The Cloud Beckons, But is it Safe?
Legal Services National Technology Assistance Project (LSNTAP)
 
PDF
Enterprise Applications on AWS
Amazon Web Services LATAM
 
PPT
Cloudy with a chance of downtime
AFCOM
 
PDF
Cloudsecurity
drewz lin
 
PDF
Who owns security in the cloud
Trend Micro
 
PDF
Seguridad en SQL Azure Windows azure
Eduardo Castro
 
PDF
Enterprise Strategy for Cloud Security
Bob Rhubart
 
PDF
Cloud Security Alliance - Guidance
Subra Kumaraswamy CISSP CISM
 
PDF
Cloud Webinar Neiditz Weitz Mitchell Goodman
jonneiditz
 
PPTX
Enterprise Security in Hybrid Cloud ISACA-SV 2012
Symosis Security (Previously C-Level Security)
 
PPTX
Enterprise Security in Cloud
Lenin Aboagye
 
PDF
Peering Through the Cloud Forrester EMEA 2010
graywilliams
 
PDF
Information Security and Cloud Computing
Paul Miller
 
PDF
110307 cloud security requirements gourley
GovCloud Network
 
Cloud Security - Made simple
Sameer Paradia
 
Cloud computing due diligence WTF?
Security BSides London
 
17h30 aws enterprise_app_jvaria
Luiz Gustavo Santos
 
Cloud Security: Perception Vs. Reality
Internap
 
What customers want the cloud to be - Jason Waxman GM at Intel, Cloud Slam 20...
Khazret Sapenov
 
Neupart Isaca April 2012
Lars Neupart
 
The Cloud Beckons, But is it Safe?
Legal Services National Technology Assistance Project (LSNTAP)
 
Enterprise Applications on AWS
Amazon Web Services LATAM
 
Cloudy with a chance of downtime
AFCOM
 
Cloudsecurity
drewz lin
 
Who owns security in the cloud
Trend Micro
 
Seguridad en SQL Azure Windows azure
Eduardo Castro
 
Enterprise Strategy for Cloud Security
Bob Rhubart
 
Cloud Security Alliance - Guidance
Subra Kumaraswamy CISSP CISM
 
Cloud Webinar Neiditz Weitz Mitchell Goodman
jonneiditz
 
Enterprise Security in Hybrid Cloud ISACA-SV 2012
Symosis Security (Previously C-Level Security)
 
Enterprise Security in Cloud
Lenin Aboagye
 
Peering Through the Cloud Forrester EMEA 2010
graywilliams
 
Information Security and Cloud Computing
Paul Miller
 
110307 cloud security requirements gourley
GovCloud Network
 
Ad

Recently uploaded (20)

PDF
Zenith AI: Advanced Artificial Intelligence
Biz Preneurs
 
PPTX
Benefits of Physical activity for teenagers.pptx
Nokwanda Thabethe
 
PDF
Unlock new opportunities with location data.pdf
Precisely
 
PDF
A contest of sentiment analysis: k-nearest neighbor versus neural network
IAESIJAI
 
PPTX
The various Industrial Revolutions .pptx
bandileshozi3
 
PDF
Hybrid model detection and classification of lung cancer
IAESIJAI
 
PDF
Enhancing emotion recognition model for a student engagement use case through...
IAESIJAI
 
PPTX
Tartificialntelligence_presentation.pptx
ry7r52mzb4
 
PDF
Univ-Connecticut-ChatGPT-Presentaion.pdf
ry7r52mzb4
 
PPTX
Chapter 5: Probability Theory and Statistics
RandyFin
 
PDF
Architecture types and enterprise applications.pdf
ChristopherTHyatt
 
PDF
How ambidextrous entrepreneurial leaders react to the artificial intelligence...
IAESIJAI
 
PDF
Taming the Chaos: How to Turn Unstructured Data into Decisions
Safe Software
 
PPTX
Final SEM Unit 1 for mit wpu at pune .pptx
anishtilekar08
 
PDF
Hindi spoken digit analysis for native and non-native speakers
IAESIJAI
 
PDF
Developing a website for English-speaking practice to English as a foreign la...
IAESIJAI
 
PDF
A Late Bloomer's Guide to GenAI: Ethics, Bias, and Effective Prompting - Boha...
Mindy Bohannon
 
PDF
Five Habits of High-Impact Board Members
OnBoard
 
PPTX
observCloud-Native Containerability and monitoring.pptx
anupsingh76937
 
DOCX
search engine optimization ppt fir known well about this
StandardCodeLearning
 
Zenith AI: Advanced Artificial Intelligence
Biz Preneurs
 
Benefits of Physical activity for teenagers.pptx
Nokwanda Thabethe
 
Unlock new opportunities with location data.pdf
Precisely
 
A contest of sentiment analysis: k-nearest neighbor versus neural network
IAESIJAI
 
The various Industrial Revolutions .pptx
bandileshozi3
 
Hybrid model detection and classification of lung cancer
IAESIJAI
 
Enhancing emotion recognition model for a student engagement use case through...
IAESIJAI
 
Tartificialntelligence_presentation.pptx
ry7r52mzb4
 
Univ-Connecticut-ChatGPT-Presentaion.pdf
ry7r52mzb4
 
Chapter 5: Probability Theory and Statistics
RandyFin
 
Architecture types and enterprise applications.pdf
ChristopherTHyatt
 
How ambidextrous entrepreneurial leaders react to the artificial intelligence...
IAESIJAI
 
Taming the Chaos: How to Turn Unstructured Data into Decisions
Safe Software
 
Final SEM Unit 1 for mit wpu at pune .pptx
anishtilekar08
 
Hindi spoken digit analysis for native and non-native speakers
IAESIJAI
 
Developing a website for English-speaking practice to English as a foreign la...
IAESIJAI
 
A Late Bloomer's Guide to GenAI: Ethics, Bias, and Effective Prompting - Boha...
Mindy Bohannon
 
Five Habits of High-Impact Board Members
OnBoard
 
observCloud-Native Containerability and monitoring.pptx
anupsingh76937
 
search engine optimization ppt fir known well about this
StandardCodeLearning
 

Secure Cloud Computing for the Health Enterprise

  • 1. Secure Cloud Computing for the Health Enterprise By Joel Amoussou, CEO, Efasoft Inc.
  • 2. Contents 1 Regulatory Framework 2 Cloud Security Practices 3 Security Management 4 Auditing & Compliance www.efasoft.com
  • 3. Healthcare Apps in the Cloud Cloud Services: IaaS, SaaS, PaaS Cloud Services: IaaS, SaaS, PaaS CDSS EMR 5010 Analytics ICD10 www.efasoft.com
  • 4. Drivers t en ym Pa ed as ity bil -B ala ge Sc sa e U siv Mas ty Elastici e nin g Tim ovisio $ r Q uick P Low Capital Costs www.efasoft.com
  • 5. Regulatory Framework HIPAA HITECH Act – HIPAA Security Updates State and Federal Laws Meaningful Use Recommendations on Patient Consent www.efasoft.com
  • 6. Impact of Regulations HITECH Act US Patriot Act •HIPAA applies to Cloud Service Providers (CSPs) and online PHR •Canada Health Infoway vendors as Business Associates??? certification requirements refer •Breach Notification to HIPAA •Accounting of disclosure •British Columbia and Nova Scotia prohibit storing patient •Marketing and sale of PHI data at providers (including CSPs) located in the US •Patient access and disclosure restrictions •Minimum data set www.efasoft.com
  • 7. Tiger Team Recommendations Collection, Use and Disclosure Limitation: Third party service When the decision to disclose or organizations may not collect, use exchange the patient's identifiable or disclose personally identifiable health information from the health information for any provider's record is not in the purpose other than to provide the control of the provider or that services specified in the business provider's organized health care associate or service agreement arrangement ("OHCA"), patients with the data provider, and should be able to exercise necessary administrative meaningful consent to their functions, or as required by law. participation. www.efasoft.com
  • 8. Addressing HIPAA in the Cloud Access Disaster Control Audit Backup Recovery •SSH Keys •Snapshot of block storage •Monitoring •No password-based volumes •Event logs to •Availability shell access secured •Encrypt and Zones dedicated Keep backups out (geographic •Strong Encryption of server of the cloud redundancy) data and filesystems •Backup log •Cloud storage is •Clustering •Private decryption files replicated across keys out of the cloud multiple •Replication •Security groups availability zones •Secure Transport www.efasoft.com
  • 9. Security Issues in the Cloud 1 2 3 •Reassigned IP •CSP staff access to VM addresses instances and guest OS •Isolation in multitenancy •BGP Prefix Hijacking •Encryption not always possible while •OWASP Top 10 •DNS Attacks processing data in the cloud (as opposed to •Data Lineage •DoS and DDoS Attacks data at rest) •Data Provenance •Security groups not physically separated •Data Remanence (NIST 800-88) www.efasoft.com
  • 10. Security Controls in the Cloud 1 1 Image hardening and patching 2 2 Host based IDS/IPS such as OSSEC 3 3 Health Monitoring & Security event logs 4 4 Effective Key Management (NIST 800-57) 5 5 Default deny-all mode, Host Firewall www.efasoft.com
  • 11. Identity and Access Management (IAM) SPML Provisioning B SAML 2.0 A C XACML Identity Authorization Federation/SSO IAM WS-I Security E D Oauth Profile (SOA in Authentication the Cloud) across CSPs www.efasoft.com
  • 12. Security Management Standards ITIL: IT Service Management ISO 17799: Code of Practice ISO 20000: Security Techniques Overview ISO 27001: Security Techniques Requirements ISO 27002: Code of Practice www.efasoft.com
  • 13. Auditing & Compliance COBIT ISO 27001 SAS 70 GRC* ISO 27002 SysTrust WebTrust *Governance, Risk Management, and Compliance www.efasoft.com
  • 14. Collaboration Health Enterprise Cloud Service Provider Understand responsibilities (who does Provide transparency into what about security?) security practices and policies. www.efasoft.com