2 0 0 I n t e r n a t i o n a l D r. , B u ff a l o , N Y 1 4 2 2 1 - 5 7 9 4 • ( 7 1 6 ) 6 3 4 - 8 8 0 0 • w w w. d o p k i n s . c o m • E m a i l : w p r o h n @ d o p k i n s . c o m

Lifting the Fog to See the Cloud

Information Security in a Hosted Environment

William ProhnManaging Director

Thomas O’ConnorConsultant

2 0 0 I n t e r n a t i o n a l D r. , B u ff a l o , N Y 1 4 2 2 1 - 5 7 9 4 • ( 7 1 6 ) 6 3 4 - 8 8 0 0 • w w w. d o p k i n s . c o m • E m a i l : w p r o h n @ d o p k i n s . c o m

William M. ProhnCISSP®, CISA®, CGEIT®, CRISC®,

Managing DirectorDopkins System Consultants

Background

Thomas M. O’ConnorB.S. Accounting Information Systems

M.S. Forensic Accounting

ConsultantDopkins System Consultants

2 0 0 I n t e r n a t i o n a l D r. , B u ff a l o , N Y 1 4 2 2 1 - 5 7 9 4 • ( 7 1 6 ) 6 3 4 - 8 8 0 0 • w w w. d o p k i n s . c o m • E m a i l : w p r o h n @ d o p k i n s . c o m

Agenda• Introduction to the Cloud• Benefits & Challenges in the Cloud• Certifications• ISACA Knowledge Center• HIPAA

o HITECHo HITRUST

2 0 0 I n t e r n a t i o n a l D r. , B u ff a l o , N Y 1 4 2 2 1 - 5 7 9 4 • ( 7 1 6 ) 6 3 4 - 8 8 0 0 • w w w. d o p k i n s . c o m • E m a i l : w p r o h n @ d o p k i n s . c o m

What is That?But now they only block the sunThey rain and snow on everyoneSo many things I would have doneBut clouds got in my way

I've looked at clouds from both sides nowFrom up and down, and still somehowIt's cloud illusions I recallI really don't know clouds at all – Joni Mitchell, “Both Sides Now”

2 0 0 I n t e r n a t i o n a l D r. , B u ff a l o , N Y 1 4 2 2 1 - 5 7 9 4 • ( 7 1 6 ) 6 3 4 - 8 8 0 0 • w w w. d o p k i n s . c o m • E m a i l : w p r o h n @ d o p k i n s . c o m

Introduction to the CloudSimple Definition: Using the internet

• Replace the term ‘in the cloud’ in a statement with ‘on the internet’

• We all use the ‘cloud,’ we just might not know it

• The term originates from network diagrams

US Patent US_5485455

Alternate: Utilizing third party resources accessible through the

internet

2 0 0 I n t e r n a t i o n a l D r. , B u ff a l o , N Y 1 4 2 2 1 - 5 7 9 4 • ( 7 1 6 ) 6 3 4 - 8 8 0 0 • w w w. d o p k i n s . c o m • E m a i l : w p r o h n @ d o p k i n s . c o m

Why Move to the Cloud?• Reduce storage and archive

costs• Allow for remote access• Allow for collaboration• Improve search efficiency• 24/7 Access and support• Increased security with

redundancy• Reduce administrative overhead

It’s All About the Compromise

2 0 0 I n t e r n a t i o n a l D r. , B u ff a l o , N Y 1 4 2 2 1 - 5 7 9 4 • ( 7 1 6 ) 6 3 4 - 8 8 0 0 • w w w. d o p k i n s . c o m • E m a i l : w p r o h n @ d o p k i n s . c o m

The Role of the Auditors• Oversee and provide input on governance• Consideration of security

COBIT Objectives:

• May be concerned with any of the COBIT objectives

IT Planning Budgeting Risk Assessment Feasibility

Service Level Management

Business Continuity

Physical Environment IT Governance

2 0 0 I n t e r n a t i o n a l D r. , B u ff a l o , N Y 1 4 2 2 1 - 5 7 9 4 • ( 7 1 6 ) 6 3 4 - 8 8 0 0 • w w w. d o p k i n s . c o m • E m a i l : w p r o h n @ d o p k i n s . c o m

What Moves to the Cloud?• Applications & Software

o Software as a Service [SaaS]

• Servers & IT Personnelo Infrastructure as a Service

[IaaS]

• Programming languages, libraries, tools and serviceso Platform as a Service

[PaaS]

2 0 0 I n t e r n a t i o n a l D r. , B u ff a l o , N Y 1 4 2 2 1 - 5 7 9 4 • ( 7 1 6 ) 6 3 4 - 8 8 0 0 • w w w. d o p k i n s . c o m • E m a i l : w p r o h n @ d o p k i n s . c o m

Controls• The compromise with each benefit is

risk• Controls are a response to that risk• Are the controls designed and

implemented appropriately?• Are they operating effectively?

2 0 0 I n t e r n a t i o n a l D r. , B u ff a l o , N Y 1 4 2 2 1 - 5 7 9 4 • ( 7 1 6 ) 6 3 4 - 8 8 0 0 • w w w. d o p k i n s . c o m • E m a i l : w p r o h n @ d o p k i n s . c o m

ControlsITGC audits typically focus on identifying and testing controls

Manage Changeso Are changes authorized, tested and monitored?

Logical Accesso Is privileged access restricted to appropriate users?

Other IT Operationso Is critical data regularly backed up?o Are incidents reported and addressed timely?

2 0 0 I n t e r n a t i o n a l D r. , B u ff a l o , N Y 1 4 2 2 1 - 5 7 9 4 • ( 7 1 6 ) 6 3 4 - 8 8 0 0 • w w w. d o p k i n s . c o m • E m a i l : w p r o h n @ d o p k i n s . c o m

Challenges in the CloudWhat about controls in a hosted environment?

• Who owns the data? • Who has access to the data?

New Risks | New Controls | New Audit Steps

[i.e. CSP] [i.e. Data Center] [i.e. System Admin]

2 0 0 I n t e r n a t i o n a l D r. , B u ff a l o , N Y 1 4 2 2 1 - 5 7 9 4 • ( 7 1 6 ) 6 3 4 - 8 8 0 0 • w w w. d o p k i n s . c o m • E m a i l : w p r o h n @ d o p k i n s . c o m

Challenges in the CloudWhat about controls in a hosted environment?

• Who is responsible for backing up the data?

• What about incidents?

New Risks | New Controls | New Audit Steps

2 0 0 I n t e r n a t i o n a l D r. , B u ff a l o , N Y 1 4 2 2 1 - 5 7 9 4 • ( 7 1 6 ) 6 3 4 - 8 8 0 0 • w w w. d o p k i n s . c o m • E m a i l : w p r o h n @ d o p k i n s . c o m

• Service Level Agreements

• End-User Licensing Agreements

• Alternate providerso Bankruptcyo Acquisition

• Threats to CSPs

Challenges in the CloudDisaster Recovery & Business Continuity

 -- Gartner

1-in-4 Vendors Will Be Gone By 2015

2 0 0 I n t e r n a t i o n a l D r. , B u ff a l o , N Y 1 4 2 2 1 - 5 7 9 4 • ( 7 1 6 ) 6 3 4 - 8 8 0 0 • w w w. d o p k i n s . c o m • E m a i l : w p r o h n @ d o p k i n s . c o m

Challenges in the CloudCyber Security Insurance• 31% of companies have a cyber security insurance

policy 1

• 39% planned to purchase a policy within a year• ‘Cloud Protection’ policies gaining popularity

Cloud Coverage Typically Includes:• Loss of income due to vendor down time• Costs associated with procuring new vendor• Costs of migrating to new vendor1 Managing Cyber Security as a Business Risk: Cyber Insurance in the Digital Age -- (Ponemon Institute & Experian), August 2013

2 0 0 I n t e r n a t i o n a l D r. , B u ff a l o , N Y 1 4 2 2 1 - 5 7 9 4 • ( 7 1 6 ) 6 3 4 - 8 8 0 0 • w w w. d o p k i n s . c o m • E m a i l : w p r o h n @ d o p k i n s . c o m

Certifications & ComplianceService Organization Control (SOC) Reports

SOC 1 SOC 2 SOC 3Controls at a service

organization relevant to user entities internal

control over financial reporting.

Controls at a service organization relevant to security, availability, processing integrity

confidentiality, or privacy.

General use report. Coverage similar to SOC 2.

2 0 0 I n t e r n a t i o n a l D r. , B u ff a l o , N Y 1 4 2 2 1 - 5 7 9 4 • ( 7 1 6 ) 6 3 4 - 8 8 0 0 • w w w. d o p k i n s . c o m • E m a i l : w p r o h n @ d o p k i n s . c o m

Certifications & ComplianceHIPAAPCI DSS ISO

27001:2005

• Protected Health Information

• Business Associate Agreements

• Payment Card Transactions

• International Information Security Standard

2 0 0 I n t e r n a t i o n a l D r. , B u ff a l o , N Y 1 4 2 2 1 - 5 7 9 4 • ( 7 1 6 ) 6 3 4 - 8 8 0 0 • w w w. d o p k i n s . c o m • E m a i l : w p r o h n @ d o p k i n s . c o m

ISACA Knowledge Center• Topical Coverage:

o Governance affecting cloud computingo Contractual compliance o Control issues specific to cloud computing

• COBIT & COSO Cross-references• Intended to compliment other audit(s)

One of 25+ ISACA audit programs available:

ISACA Cloud Computing Management Audit/Assurance Program

Cloud Computing Management Audit/Assurance Program

2 0 0 I n t e r n a t i o n a l D r. , B u ff a l o , N Y 1 4 2 2 1 - 5 7 9 4 • ( 7 1 6 ) 6 3 4 - 8 8 0 0 • w w w. d o p k i n s . c o m • E m a i l : w p r o h n @ d o p k i n s . c o m

Auditing in the CloudService Provider Responsibilities• Service Level Agreements (SLAs)• Performance and frequency of risk assessments

Compliance and Audit:• Right to Audit• Third-party Reviews• Compliance• ISO 27001 Certification

2 0 0 I n t e r n a t i o n a l D r. , B u ff a l o , N Y 1 4 2 2 1 - 5 7 9 4 • ( 7 1 6 ) 6 3 4 - 8 8 0 0 • w w w. d o p k i n s . c o m • E m a i l : w p r o h n @ d o p k i n s . c o m

Auditing in the CloudIncident Response, Notification and Remediation• Review of SLAs• Legal and regulatory compliance

Data Security • Encryption Identity and Access Management

2 0 0 I n t e r n a t i o n a l D r. , B u ff a l o , N Y 1 4 2 2 1 - 5 7 9 4 • ( 7 1 6 ) 6 3 4 - 8 8 0 0 • w w w. d o p k i n s . c o m • E m a i l : w p r o h n @ d o p k i n s . c o m

HIPAA & HITECH

2 0 0 I n t e r n a t i o n a l D r. , B u ff a l o , N Y 1 4 2 2 1 - 5 7 9 4 • ( 7 1 6 ) 6 3 4 - 8 8 0 0 • w w w. d o p k i n s . c o m • E m a i l : w p r o h n @ d o p k i n s . c o m

HIPAAHealth Insurance Portability and Accountability Act

Established in 1996 by Clinton AdministrationMake it easier for workers to maintain

insurance coverage when changing jobs (portability)

This is facilitated by digital files and electronic data

This requires a level of security

2 0 0 I n t e r n a t i o n a l D r. , B u ff a l o , N Y 1 4 2 2 1 - 5 7 9 4 • ( 7 1 6 ) 6 3 4 - 8 8 0 0 • w w w. d o p k i n s . c o m • E m a i l : w p r o h n @ d o p k i n s . c o m

HIPAAHealth Insurance Portability and Accountability Act

Applies to health care organizations (HCOs)PROVIDERS and INSURERS

Specifically EXCLUDES Workers’ Compensation

Does NOT apply to medical records in other contexts, like employers

2 0 0 I n t e r n a t i o n a l D r. , B u ff a l o , N Y 1 4 2 2 1 - 5 7 9 4 • ( 7 1 6 ) 6 3 4 - 8 8 0 0 • w w w. d o p k i n s . c o m • E m a i l : w p r o h n @ d o p k i n s . c o m

HIPAAHealth Insurance Portability and Accountability Act

Three Rules that are relevant to compliance:

EDI RuleICD-9ICD-10

2 0 0 I n t e r n a t i o n a l D r. , B u ff a l o , N Y 1 4 2 2 1 - 5 7 9 4 • ( 7 1 6 ) 6 3 4 - 8 8 0 0 • w w w. d o p k i n s . c o m • E m a i l : w p r o h n @ d o p k i n s . c o m

HIPAAHealth Insurance Portability and Accountability Act

Privacy RuleHCOs must “Reasonably safeguard”

patient data

2 0 0 I n t e r n a t i o n a l D r. , B u ff a l o , N Y 1 4 2 2 1 - 5 7 9 4 • ( 7 1 6 ) 6 3 4 - 8 8 0 0 • w w w. d o p k i n s . c o m • E m a i l : w p r o h n @ d o p k i n s . c o m

HIPAAHealth Insurance Portability and Accountability Act

Security RuleProtect the Confidentiality, Integrity and

Availability of Protected Health Information against “reasonably anticipated threats or hazards”

Access ControlsAudit ControlsAuthenticationTransmission Security

2 0 0 I n t e r n a t i o n a l D r. , B u ff a l o , N Y 1 4 2 2 1 - 5 7 9 4 • ( 7 1 6 ) 6 3 4 - 8 8 0 0 • w w w. d o p k i n s . c o m • E m a i l : w p r o h n @ d o p k i n s . c o m

HITECHHealth Information Technology for Economic and Clinical Health

Enacted in 2009 as part of economic stimulus legislation

Gives grant money to HCOs to implement new technologies such as EHR

Creates fines and sanctions for HIPAA violations to pay for the grants

2 0 0 I n t e r n a t i o n a l D r. , B u ff a l o , N Y 1 4 2 2 1 - 5 7 9 4 • ( 7 1 6 ) 6 3 4 - 8 8 0 0 • w w w. d o p k i n s . c o m • E m a i l : w p r o h n @ d o p k i n s . c o m

HITECHHealth Information Technology for Economic and Clinical Health

Broadens the scope of HIPAA to include “Business Associates” of HCOs

accountants, lawyers, consultants“create, maintain, receive or transmit”

“Cloud”even if they disclaim access

New data breach notification rules

Enforcement is on a “contingent fee” basis HHS gets to keep the money

2 0 0 I n t e r n a t i o n a l D r. , B u ff a l o , N Y 1 4 2 2 1 - 5 7 9 4 • ( 7 1 6 ) 6 3 4 - 8 8 0 0 • w w w. d o p k i n s . c o m • E m a i l : w p r o h n @ d o p k i n s . c o m

HIPAASpecific Controls Required:

Risk Analysis/Risk ManagementSanction PolicyIncident Response/reporting processData Backup planDisaster Recovery PlanData disposal/media re-useWritten contracts with Business Associates

2 0 0 I n t e r n a t i o n a l D r. , B u ff a l o , N Y 1 4 2 2 1 - 5 7 9 4 • ( 7 1 6 ) 6 3 4 - 8 8 0 0 • w w w. d o p k i n s . c o m • E m a i l : w p r o h n @ d o p k i n s . c o m

• Common Security Framework (CSF), a certifiable framework that can be used by any and all organizations that create, access, store or exchange personal health and financial information.

• harmonizes the requirements of existing standards and regulations, including federal (HIPAA, HITECH), third party (PCI, COBIT) and government (NIST, FTC).

• As a framework, the CSF provides organizations with the needed structure, detail and clarity relating to information security tailored to the healthcare industry.

• www.hitrustalliance.net

2 0 0 I n t e r n a t i o n a l D r. , B u ff a l o , N Y 1 4 2 2 1 - 5 7 9 4 • ( 7 1 6 ) 6 3 4 - 8 8 0 0 • w w w. d o p k i n s . c o m • E m a i l : w p r o h n @ d o p k i n s . c o m

Questions