SaaS Security in Healthcare: Can the Fox Guard the Hen House?
Pros and Cons of an In-House Security Validation and a Third-Party SOC 2 Audit

Nick Lewis, Internet2
Dion Taylor, Univ. of Michigan
Peter Hoven, ICE Health Systems
Sean Sweeney, Univ. of Pittsburgh
Paul Howell, Internet2

Post on 27-Jul-2018


Introduction: Peter Hoven

Collaboration

• Dental schools at University of Michigan, University of North Carolina and University of Pittsburgh

• Schools introduced Internet2 to the process

• Deep commitment from all parties to develop a new EHR management system

• Formed an advisory board to guide all aspects of the project

www.icehealthsystems.com

Project Goals

• Efficient Clinical Experience

• Supports Learning

• Robust Financial and Administrative Reports

• Embrace Standards to Support Research

• Collaboration and Communication

• Integrates Medical Records

• Uses Excellent and Current Software Engineering Practices


Emphasis on Security

● Collaboration emphasized security

● Many opinions around security audit process

● Customer agreement focused on:

○ Long Term - ISO Certification

○ Short Term - Cloud Control Matrix

● Michigan performed security review

● Pitt and UNC initially requested independent review

● UNC introduced the option of SOC2 as an accepted 3rd party audit solution


Nick Lewis

What is Internet2 NET+ Services all about?

A partnership to provide a portfolio of solutions for Internet2 member organizations that are cost-effective, easy to access, simple to administer, and tailored to the unique, shared needs of the community:

• Define a new generation of value-added services
• Leverage the Internet2 R&E Network and other services such as InCommon
• Drive down the costs of provisioning/consuming services
• Provide a strategic partnership with service providers (new service offerings)
• Leverage community scale for better pricing and terms
• Develop solutions that meet performance, usability, and security requirements
• Provide a single point of contracting and provisioning

Requirements of Service Providers

• Identified Sponsor: CIO or other senior executive from a member institution
• Membership in Internet2 and InCommon Federation
• Adoption of InCommon-Shibboleth/SAML 2.0 and connection of services to the R&E Network
• Completion of the Internet2 NET+ Cloud Control Matrix
• Commitment to:
  – A formal Service Validation with 5-7 member institutions
  – Enterprise-wide offerings and best pricing at community scale
  – Establishing a service advisory board for each service offering
  – Community business terms (Internet2 NET+ Business and Customer agreements)
  – Support for the community’s security, privacy, compliance and accessibility obligations
• Willingness to work with the Internet2 community to customize services to meet the unique needs of education and research

NET+ Service Validation Components

• Functional Assessment
  – Review features and functionality
  – Tune service for the research and education community
• Technical Integration
  – Network: determine optimal connection and optimize service to use the Internet2 R&E network
  – Identity: InCommon integration
• Security and Compliance
  – Security assessment: Cloud Controls Matrix
  – FERPA, HIPAA, privacy, data handling
  – Accessibility
• Business
  – Legal: customized agreement using NET+ community contract templates
  – Business model
  – Define pricing and value proposition
• Deployment
  – Documentation
  – Use cases
  – Support model

NET+ Security and Compliance

• NET+ template legal agreements include SOC2, ISO27001, and CCM
• Internet2 coordinates the Service Validation campuses on the security review of the service provider
• SP shares their security documentation with the campuses
• Request SP complete the Cloud Security Alliance Cloud Control Matrix for campuses to review if one wasn’t provided
• Campuses determine what is necessary for security from the SP and sign off at the completion of SV that their security (and the other) requirements are satisfied by the SP
• Campuses determine use cases and if the security will support the use cases

NET+’s Usage of the CSA CCM

• What is the Cloud Security Alliance Cloud Control Matrix (CCM)?
• How has the CCM evolved?
• What improvements were required for ICE Health?
• Now includes FERPA, HIPAA, ITAR, COPPA from NET+ contribution
• NET+ has started to use the CSA Consensus Assessment Initiative Questionnaire
• CCM has mappings to most laws, regulations, etc. now
• Ongoing oversight is a responsibility of the NET+ Service Advisory Board

Dion Taylor

What Was Done

• 2012/13: Agreement to use CCM

• March 2014: Visited ICE HQ in Calgary

• August 2014 – October 2014: “High Priority” control list developed, expanded

• December 2014: Met with IIA to set control/report guidelines

• May 2015: Follow-up visit to ICE HQ

• September 2015: Met with IIA to solidify report contents & format

• October 2015: Report delivered to, and reviewed by, IIA

• November 2015: Report delivered to ICE

Question Selection

• November 2013: Entire CCM/CAIQ used

• March 2014: Entire CCM/CAIQ used

• April 2014: “High Priority” CCM/CAIQ items extracted

• August 2014: UM Compliance Questionnaire incorporated

• October 2014: NIST “High Threat Potential” families identified, incorporated

Gap analysis performed to arrive at the final set of 150+ questions

[Sample rows from the assessment spreadsheet, extracted from a slide image; layout reconstructed. Each row carries a priority tag, the CCM control area and control group, the control specification, the CAIQ question, the NIST SP800-53 R3 mapping with control names, three response columns (as shown in the source), and a gap flag. Row tags recovered from the left-hand column: M-IIA; M-IIA M-DENT; M-IIA HIPAA; M-IIA HIPAA; M-IIA M-DENT; M-IIA M-DENT; M-IIA M-DENT; M-IIA HIPAA; M-IIA HIPAA.]

Information Security
  IS-24.4: Do you enforce and attest to tenant data separation when producing data in response to legal subpoenas?
  Responses: In progress / Yes / Yes

Information Security | Incident Response Metrics
  IS-25: Mechanisms shall be put in place to monitor and quantify the types, volumes, and costs of information security incidents.
  IS-25.1: Do you monitor and quantify the types, volumes, and impacts on all information security incidents?
  NIST SP800-53 R3: IR-4 Incident Handling; IR-5 Incident Monitoring; IR-8 Incident Response Plan
  Responses: No / No / Yes | GAP
  IS-25.2: Will you share statistical information security incident data with your tenants upon request?
  Responses: No / No / No

Information Security | Acceptable Use
  IS-26: Policies and procedures shall be established for the acceptable use of information assets.
  IS-26.1: Do you provide documentation regarding how you may utilize or access tenant data and/or metadata?
  NIST SP800-53 R3: AC-8 System Use Notification
  Responses: In progress / Yes / Yes ✔
  IS-26.2: Do you collect or create metadata about tenant data usage through the use of inspection technologies (search engines, etc.)?
  Responses: Yes / Yes / Yes
  IS-26.3: Do you allow tenants to opt out of having their data/metadata accessed via inspection technologies?
  Responses: Yes / Yes / Yes

Information Security | Information Asset Returns
  IS-27: Employees, contractors and third party users must return all assets owned by the organization within a defined and documented time frame once the employment, contract or agreement has been terminated.
  IS-27.1: Are systems in place to monitor for privacy breaches and notify tenants expeditiously if a privacy event may have impacted their data?
  NIST SP800-53 R3: PS-4 Personnel Termination
  Responses: No / No / Yes | GAP
  IS-27.2: Is your Privacy Policy aligned with industry standards?
  Responses: Yes / Yes / Yes

HTP | Information Security | Audit Tools Access
  IS-29: Access to, and use of, audit tools that interact with the organization’s information systems shall be appropriately segmented and restricted to prevent compromise and misuse of log data.
  IS-29.1: Do you restrict, log, and monitor access to your information security management systems? (Ex. hypervisors, firewalls, vulnerability scanners, network sniffers, APIs, etc.)
  NIST SP800-53 R3: AU-9 Protection of Audit Information; AU-11 Audit Record Retention; AU-14 Session Audit
  Responses: In progress / In progress / In progress | Top 10 HTP

Information Security | Diagnostic / Configuration Ports Access
  IS-30: User access to diagnostic and configuration ports shall be restricted to authorized individuals and applications.
  IS-30.1: Do you utilize dedicated secure networks to provide management access to your cloud service infrastructure?
  NIST SP800-53 R3: CM-7 Least Functionality; MA-3 Maintenance Tools; MA-4 Non-Local Maintenance; MA-5 Maintenance Personnel
  Responses: No / No / Yes | Top 10 HTP

HTP | Information Security | Network / Infrastructure Services
  IS-31: Network and infrastructure service level agreements (in-house or outsourced) shall clearly document security controls, capacity and service levels, and business or customer requirements.
  IS-31.1: Do you collect capacity and utilization data for all relevant components of your cloud service offering?
  NIST SP800-53 R3: SC-20 Secure Name/Address Resolution Service (Authoritative Source); SC-21 Secure Name/Address Resolution Service (Recursive/Caching Resolver); SC-22 Architecture & Provisioning for Name/Address Resolution Service; SC-23 Session Authenticity; SC-24 Fail in Known State
  Responses: In progress / In progress / In progress | HTP
  IS-31.2: Do you provide tenants with capacity planning and utilization reports?
  Responses: No / No / No

M-DENT | Information Security | Portable / Mobile Devices
  IS-32: Policies and procedures shall be established and measures implemented to strictly limit access to sensitive data from portable and mobile devices, such as laptops, cell phones, and personal digital assistants (PDAs), which are generally higher-risk than non-portable devices (e.g., desktop computers at the organization’s facilities).
  IS-32.1: Are policies and procedures established and measures implemented to strictly limit access to sensitive data from portable and mobile devices, such as laptops, cell phones, and personal digital assistants (PDAs), which are generally higher-risk than non-portable devices (e.g., desktop computers at the provider organization’s facilities)?
  NIST SP800-53 R3: AC-17 Remote Access; AC-18 Wireless Access; AC-19 Access Control for Mobile Devices; MP-2 Media Access; MP-4 Media Storage; MP-6 Media Sanitization
  Responses: In progress / Yes / In progress

HTP | Information Security | Source Code Access Restriction
  IS-33: Access to application, program or object source code shall be restricted to authorized personnel on a need-to-know basis. Records shall be maintained regarding the individual granted access, reason for access and version of source code exposed.
  IS-33.1: Are controls in place to prevent unauthorized access to your application, program or object source code, and assure it is restricted to authorized personnel only?
  NIST SP800-53 R3: CM-5 Access Restrictions for Change; CM-6 Configuration Settings
  Responses: In progress / In progress / Yes | GAP
  IS-33.2: Are controls in place to prevent unauthorized access to tenant application, program or object source code, and assure it is restricted to authorized personnel only?
  Responses: N/A / N/A / N/A

NIST SP800-53 Control Rankings

How Questions Were Assessed

What does the regulation/standard say?

• CCM CGID IS-19, “Encryption Key Mgmt.”
  – Do you encrypt tenant data at rest (on disk/storage) within your environment?
  – Do you leverage encryption to protect data and virtual machine images during transport across and between networks and hypervisor instances?
• HIPAA (SP800-66)
  – 164.312(a)(2)(iv), 164.312(e)(1)
• ISO27002:2005
  – Clause 4.3.3, A.10.7.3, A.12.3.2, A.15.1.6
• NIST (SP800-53)
  – SC-12, SC-13, SC-17, SC-28

How Questions Were Assessed, Cont.

What does the regulation/standard say?

• CCM CGID IS-19, “Encryption Key Mgmt.”
  – HIPAA (SP800-66)
    • 164.312(a)(2)(iv) - Encryption and Decryption (A)
    • 164.312(e)(1) - Transmission Security
  – ISO27002:2005
    • Clause 4.3.3 – Control of Records
    • A.10.7.3 – Information Handling Procedures
    • …
  – NIST (SP800-53)
    • SC-12 – Cryptographic Key Establishment and Mgmt.
    • SC-13 – Cryptographic Protection
    • …
    • AC-3 – Access Enforcement

How Questions Were Assessed, Cont.

What does the regulation/standard say?

• CCM CGID IS-19, “Encryption Key Mgmt.”
  – NIST (SP800-53)
    • SC-12 – Cryptographic Key Establishment and Mgmt.
      – The organization establishes and manages cryptographic keys for required cryptography employed within the information system.
        » SC-12(1): The organization maintains availability of information in the event of the loss of cryptographic keys by users.
    • …
    • AC-3 – Access Enforcement
      – The information system enforces approved authorizations for logical access to the system in accordance with applicable policy.
        » “…access enforcement mechanisms (e.g., access control lists, access control matrices, cryptography)…”

Then compare the ICE response against these controls and determine what needs to be done to remediate.

Example of ICE Improvement

• CCM CGID IS-19, “Encryption Key Mgmt.”
  – Do you encrypt tenant data at rest (on disk/storage) within your environment?
    • November 2013: No response
    • March 2014: “No” to both policies and procedures
    • May 2015: “Yes” (AWS Securing Data at Rest with Encryption, Database Installation Procedure, etc.)
  – Do you leverage encryption to protect data and virtual machine images during transport across and between networks and hypervisor instances?
    • November 2013: No response
    • March 2014: “No” to both policies and procedures
    • May 2015: “Yes” (Network Diagrams, Data Interaction Diagram)
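One way to mechanize the assessment loop described above (map each CAIQ question to the controls it evidences, compare the provider’s latest answer, list what is still open, and track the answer trend across rounds), as an added Python example that is not the U-M assessment team’s tooling; the IS-19 mappings and priority tags are taken from the slides, while the per-round answers for IS-29.1 and IS-33.1 are constructed.

```python
# Added example: gap analysis of a provider's CCM/CAIQ answers against mapped controls.
# Mappings come from the slides; per-round answers for IS-29.1/IS-33.1 are constructed.
from dataclasses import dataclass

ACCEPTED = {"yes"}  # "no", "in progress" or no response all leave the mapped controls open

@dataclass
class Question:
    qid: str
    priority: str   # slide tags: "Top 10 HTP", "HTP", "M-DENT", "M-IIA"
    mappings: dict  # framework -> control ids this question evidences
    responses: dict  # assessment round (YYYY-MM) -> answer string, or None for no response

    def latest(self):
        return self.responses[max(self.responses)]  # YYYY-MM keys sort chronologically

    def is_gap(self):
        ans = self.latest()
        return ans is None or ans.strip().lower() not in ACCEPTED

def open_controls(questions):
    """{framework: sorted control ids} still unmet because a mapped question is a gap."""
    out = {}
    for q in questions:
        if q.is_gap():
            for fw, ids in q.mappings.items():
                out.setdefault(fw, set()).update(ids)
    return {fw: sorted(ids) for fw, ids in out.items()}

def remediation_order(questions):
    """Gap questions, highest priority tag first, then the longest-open first."""
    rank = {"Top 10 HTP": 0, "HTP": 1, "M-DENT": 2, "M-IIA": 3}
    gaps = [q for q in questions if q.is_gap()]
    return [q.qid for q in sorted(gaps, key=lambda q: (rank.get(q.priority, 9), min(q.responses)))]

def history(q):
    """Round-by-round trend, the view used on the 'Example of ICE Improvement' slide."""
    return [(r, a if a is not None else "No response") for r, a in sorted(q.responses.items())]

# CCM CGID IS-19 mappings from the slides; IS-29/IS-33 mappings from the spreadsheet rows.
IS19 = {"HIPAA": ["164.312(a)(2)(iv)", "164.312(e)(1)"],
        "ISO27002:2005": ["4.3.3", "A.10.7.3", "A.12.3.2", "A.15.1.6"],
        "NIST SP800-53": ["SC-12", "SC-13", "SC-17", "SC-28"]}
QUESTIONS = [
    Question("IS-19.1", "M-IIA", IS19, {"2013-11": None, "2014-03": "No", "2015-05": "Yes"}),
    Question("IS-19.2", "M-IIA", IS19, {"2013-11": None, "2014-03": "No", "2015-05": "Yes"}),
    Question("IS-29.1", "Top 10 HTP", {"NIST SP800-53": ["AU-9", "AU-11", "AU-14"]},
             {"2014-03": "No", "2015-05": "In progress"}),  # constructed answers
    Question("IS-33.1", "HTP", {"NIST SP800-53": ["CM-5", "CM-6"]},
             {"2013-11": None, "2015-05": "In progress"}),  # constructed answers
]
```

Running `history(QUESTIONS[0])` reproduces the IS-19 trend on the slide, while `open_controls(QUESTIONS)` names the NIST controls a reviewer still cannot sign off on.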

Assessment Team

• UM Information Assurance Office
  – Sol Bermann, UM Privacy Officer, IA Risk Assessment team
    • Developed U-M wide guidance, tools, and processes for service provider security-compliance assessments
    • Remained engaged with U-M School of Dentistry, and other key stakeholders on progress and reporting
    • Identified areas of IT security risk/controls emphasis
    • Part of final review/approval
• UMHS Compliance
  – Ben Havens, UMHS Information Security Compliance Director
    • Ensured HIPAA-specific concerns were addressed

Assessment Team, Cont.

• UM Office of General Counsel
  – Colleen McClorey, Associate General Counsel
    • Managed all legal agreements
    • Advised over the course of the assessment strategy
• UM Procurement
  – Ted Eisenhut, Privacy Officer and IT Policy and Enterprise Continuity Strategist
    • Facilitated a major update to U-M Procurement policy that embedded security and compliance reviews as part of the procurement process
    • Collaborated with all U-M stakeholders to ensure all concerns were addressed as they relate to the purchasing process

Peter Hoven

Acronym Hell

• HIPAA/HITRUST

• CCM (1.4 or 3.01)

• PCI

• SOC2 Trust Principles

• NIST SP800-53 R3

• ISO 27001

• COBIT

• Michigan High Priority Items


Mappings

• Michigan mapped CCM to various standards and created High Priority Items

• KPMG PreAssessment mapped CCM to SOC2 Security

• Many differences
  – CCM Cloud focus
    • Virtualization
    • Cloud Providers

• ICE relies on Amazon Attestation and Compliance


Go Forward Plan

• Michigan security review and remediation

• Holistic Security

• Risk Analysis

• Bake it in

• SOC 2 Type 1 and 2

• ISO 27001


Sean Sweeney

Third-Party Risk Assessment at Pitt

• Centrally administered and reviewed
• Required for all third parties having access to University Data
• Embedded into University processes, including Purchasing, Office of General Counsel, IRB, etc.

Third-Party Risk Assessment at Pitt

• Self Assessment Questionnaire
  – Maps to NIST CSF, FISMA, HIPAA/HITRUST, GLBA, PCI, and ISO
• Independent verification required for regulated data
  – SOC 2, PCI Certification, ISO Certification

Review Process for ICE at Pitt

• Initial review and acceptance of Cloud Controls Matrix in lieu of normal procedure
  – Version 1.3
• Gap Assessment of ICE against the CCM
• Third-party audit
  – Control testing required
  – CCM vs SOC 2

Next Steps and Takeaways

• University of Michigan security review
  – Working to understand methods
  – Potential reliance
• CCM detail + SOC 2 overview
  – Best of both worlds for Pitt
• Model for EDU reliance?

Discussion: Paul Howell