Kurt Hagerman | Chief Information Security Officer BECOME A SMARTER CLOUD CONSUMER Ripping through the Rhetoric to Find Your Cloud & Control Your Risk 05/18/2015

Upload: kurt-hagerman

Post on 15-Apr-2017


TRANSCRIPT

Page 1: BECOME A SMARTER CLOUD CONSUMER - Ripping through the Rhetoric to Find Your Cloud & Control Your Risk

Kurt Hagerman | Chief Information Security Officer

BECOME A SMARTER CLOUD CONSUMER

Ripping through the Rhetoric to Find Your Cloud & Control Your Risk

05/18/2015

Page 2

Kurt Hagerman

Chief Information Security Officer

ABOUT KURT HAGERMAN

Expert in attaining and maintaining compliance standards, including PCI, HIPAA, ISO 27001, among others. Has conducted hundreds of security reviews and audits across a number of industries including the payment space, healthcare, financial services and higher education.

Industry Leadership

• Cloud Security Alliance SME Council

• ISACA

• CSA

• ISSA

Page 3

So, you’ve decided to explore the cloud for your PHI but are worried about HIPAA compliance.

HITRUST 2015: Become a Smarter Cloud Consumer

Page 4

Have you done your research and come away confused about how various cloud vendors communicate about HIPAA compliance?

It’s understandable given what they are saying.


Page 5

IT’S NOT WHAT YOU SAY. IT’S WHAT YOU DO.

Do you know what your vendor is really doing for you?

Do you know who to call when something goes wrong?

What about the privacy and breach rule?


HITRUST 2014: PHI and the Cloud

Page 6

What They’re Saying…


Page 7

SECURITY

• Outrageous statements being made

• They sound good but ring hollow

• What do they actually mean to you, the cloud consumer, and how will your vendor’s stance affect your compliance?

Are you Confused? Frustrated? I know I am.


Page 8

SNAKE OIL, ANYONE?

• Vendors trivialize HIPAA compliance

• Vendors oversimplify the requirements to sell their services as a “silver bullet”

• HIPAA is risk-based for a reason

• There is no “Easy Button”


Page 9

CONSIDER THE CLOUD MODELS

Role Clarity


Page 10

Consider the Cloud Models


Your responsibilities, and those of your cloud vendor, vary based on the model used by the vendor.

Page 11

INFRASTRUCTURE AS A SERVICE (IAAS)

Providers: AWS, Azure, Rackspace, SoftLayer, etc.

• Typically only provide security for the underlying infrastructure

• Any compliance attestations only apply to the underlying infrastructure, with no leverage available to customers

• Vendors are forced into signing BAAs, but theirs are typically weak based on the lack of security provided to the customer

• Customer owns nearly 100 percent of the compliance responsibility


Page 12

PLATFORM AS A SERVICE (PAAS)

Providers: AWS (Elastic Beanstalk), Salesforce (Force.com), IBM SmartCloud, CloudFoundry, HP Helion, etc.

• Provide development tools and other building blocks for applications, and secure these services

• Compliance attestations apply to the service, with limited leverage available to customers

• Will sign BAAs, but typically provide little in terms of liability protection based on the limited security provided to the customer

• Customer owns a majority of the compliance responsibility


Page 13

SOFTWARE AS A SERVICE (SAAS)

Providers: Salesforce, Box, Epic, Allscripts, Athena, etc.

• Own the entire stack up through the application

• Any compliance attestations apply to the entire service, with significant leverage available to customers

• BAAs are typically stronger based on the security provided to customer data, and contain reasonable liability language

• Customer owns very little of the compliance responsibility (at least for the HIPAA security rule)


Page 14

THE MODELS COMPARED

• IaaS and PaaS are fairly close in terms of the split of responsibility between customer and vendor (PaaS is more difficult to parse)

• Significant shift from PaaS to SaaS in terms of vendor responsibility

• Risk to your organization increases from IaaS to SaaS


Page 15

IT’S NOT WHAT YOU SAY. IT’S WHAT YOU DO.

• Do you know what your vendor is really doing for you?

• Do they provide information on the specific security controls that are included with their service?

• Have they mapped their services and security controls to the HIPAA/HITECH requirements?

• Does your vendor use third parties to provide services to you?

• Have they (and their third parties) been independently assessed?

• Do you know who to call when something goes wrong?

• What about the privacy and breach rule?

• How do I manage a compliance program with multiple vendors all providing my “cloud services”?


Page 16

SIX COMPLIANCE CHALLENGES

1. Identifying the division of responsibility between you and your cloud vendor

2. Ensuring the services your vendor is providing are properly mapped to your risk assessment

3. Getting the evidence you need for your audit

4. Obtaining objective attestation documentation from the vendor for the controls they have full or partial responsibility for

5. Monitoring ongoing compliance of your vendors

6. Receiving support from the vendor during a breach event


Page 17

BE A SMARTER CLOUD CONSUMER

CAVEAT EMPTOR

You need to deal with vendors who will be transparent about what they do and how it assists you in mitigating risk and addressing compliance requirements.


Page 18

BE A SMARTER CLOUD CONSUMER

CAVEAT EMPTOR

Your Vendor Should:

• Provide a clear, concise explanation of the specific security controls they include in their service and how these directly assist you in meeting your compliance obligations

• Articulate the boundaries between their responsibility and yours

• Provide documentation that backs up assertions about being “HIPAA Compliant,” including independent audit reports that clearly state:

- the scope of the assessment

- the control framework used

- how compliance can be leveraged by you


Page 19

What about Business Associate Agreements?

Many vendors say they are “business associate-friendly” and that they will sign a BAA.

• Does their BAA include language that clearly states what services they are providing and what responsibility they are taking for security incidents?

• Do they suggest this language when reviewing yours?


Page 20

Thank You

Questions?

Kurt Hagerman

Email: [email protected]

Phone: +1 877 262 3473
