200 International Dr., Buffalo, NY 14221-5794 (716) 634-8800 Lifting the Fog to See the Cloud Information Security.

Presentation transcript:

Lifting the Fog to See the Cloud: Information Security in a Hosted Environment
William Prohn, Managing Director
Thomas O’Connor, Consultant

Background
William M. Prohn, CISSP®, CISA®, CGEIT®, CRISC®, Managing Director, Dopkins System Consultants
Thomas M. O’Connor, B.S. Accounting Information Systems, M.S. Forensic Accounting, Consultant, Dopkins System Consultants

Agenda
Introduction to the Cloud
Benefits & Challenges in the Cloud
Certifications
ISACA Knowledge Center
HIPAA
o HITECH
o HITRUST

What is That?
But now they only block the sun
They rain and snow on everyone
So many things I would have done
But clouds got in my way
I've looked at clouds from both sides now
From up and down, and still somehow
It's cloud illusions I recall
I really don't know clouds at all
– Joni Mitchell, “Both Sides Now”

Introduction to the Cloud
Simple definition: using the internet
Replace the term ‘in the cloud’ in a statement with ‘on the internet’
We all use the ‘cloud,’ we just might not know it
The term originates from network diagrams (US Patent US_)
Alternate definition: utilizing third-party resources accessible through the internet

Why Move to the Cloud?
Reduce storage and archive costs
Allow for remote access
Allow for collaboration
Improve search efficiency
24/7 access and support
Increased security with redundancy
Reduce administrative overhead
It’s All About the Compromise

The Role of the Auditors
Oversee and provide input on governance
Consideration of security
COBIT objectives: may be concerned with any of the COBIT objectives
o IT Planning
o Budgeting
o Risk Assessment
o Feasibility
o Service Level Management
o Business Continuity
o Physical Environment
o IT Governance

What Moves to the Cloud?
Applications & software
o Software as a Service [SaaS]
Servers & IT personnel
o Infrastructure as a Service [IaaS]
Programming languages, libraries, tools and services
o Platform as a Service [PaaS]

Benefits & Risk
The compromise with each benefit is risk
Controls are a response to that risk
Are the controls designed and implemented appropriately?
Are they operating effectively?

ITGC audits typically focus on identifying and testing controls
Manage changes
o Are changes authorized, tested and monitored?
Logical access
o Is privileged access restricted to appropriate users?
Other IT operations
o Is critical data regularly backed up?
o Are incidents reported and addressed timely?

Challenges in the Cloud
What about controls in a hosted environment? [i.e. CSP]
Who owns the data? [i.e. Data Center]
Who has access to the data? [i.e. System Admin]
New Risks | New Controls | New Audit Steps

Challenges in the Cloud
What about controls in a hosted environment?
Who is responsible for backing up the data?
What about incidents?
New Risks | New Controls | New Audit Steps

Challenges in the Cloud: Disaster Recovery & Business Continuity
Service Level Agreements
End-User Licensing Agreements
Alternate providers
o Bankruptcy
o Acquisition
Threats to CSPs
“1-in-4 Vendors Will Be Gone By 2015” -- Gartner

Challenges in the Cloud: Cyber Security Insurance
31% of companies have a cyber security insurance policy [1]
39% planned to purchase a policy within a year
‘Cloud Protection’ policies gaining popularity
Cloud coverage typically includes:
o Loss of income due to vendor down time
o Costs associated with procuring new vendor
o Costs of migrating to new vendor
[1] Managing Cyber Security as a Business Risk: Cyber Insurance in the Digital Age -- Ponemon Institute & Experian, August 2013

Certifications & Compliance

Certifications & Compliance
HIPAA: Protected Health Information; Business Associate Agreements
PCI DSS: Payment Card Transactions
ISO 27001:2005: International Information Security Standard

ISACA Knowledge Center
Topical coverage:
o Governance affecting cloud computing
o Contractual compliance
o Control issues specific to cloud computing
COBIT & COSO cross-references
Intended to complement other audit(s)
One of 25+ ISACA audit programs available: ISACA Cloud Computing Management Audit/Assurance Program

Auditing in the Cloud
Service provider responsibilities
Service Level Agreements (SLAs)
Performance and frequency of risk assessments
Compliance and audit:
o Right to audit
o Third-party reviews
o Compliance
o ISO certification

Auditing in the Cloud
Incident response, notification and remediation
Review of SLAs
Legal and regulatory compliance
Data security
o Encryption
o Identity and Access Management

HIPAA & HITECH

Health Insurance Portability and Accountability Act
Established in 1996 by the Clinton Administration
Make it easier for workers to maintain insurance coverage when changing jobs (portability)
This is facilitated by digital files and electronic data
This requires a level of security

Health Insurance Portability and Accountability Act
Applies to health care organizations (HCOs): PROVIDERS and INSURERS
Specifically EXCLUDES Workers’ Compensation
Does NOT apply to medical records in other contexts, like employers

Health Insurance Portability and Accountability Act
Three Rules that are relevant to compliance:
EDI Rule
o ICD-9
o ICD-10

Health Insurance Portability and Accountability Act
Privacy Rule
HCOs must “reasonably safeguard” patient data

Health Insurance Portability and Accountability Act
Security Rule
Protect the Confidentiality, Integrity and Availability of Protected Health Information against “reasonably anticipated threats or hazards”
o Access Controls
o Audit Controls
o Authentication
o Transmission Security

Health Information Technology for Economic and Clinical Health
Enacted in 2009 as part of economic stimulus legislation
Gives grant money to HCOs to implement new technologies such as EHR
Creates fines and sanctions for HIPAA violations to pay for the grants

Health Information Technology for Economic and Clinical Health
Broadens the scope of HIPAA to include “Business Associates” of HCOs
o accountants, lawyers, consultants
o anyone who “create[s], maintain[s], receive[s] or transmit[s]” PHI
o “Cloud” providers, even if they disclaim access
New data breach notification rules
Enforcement is on a “contingent fee” basis: HHS gets to keep the money

Specific Controls Required:
Risk Analysis / Risk Management
Sanction Policy
Incident Response / reporting process
Data Backup plan
Disaster Recovery Plan
Data disposal / media re-use
Written contracts with Business Associates

HITRUST Common Security Framework (CSF)
The Common Security Framework (CSF) is a certifiable framework that can be used by any organization that creates, accesses, stores or exchanges personal health and financial information. The CSF harmonizes the requirements of existing standards and regulations, including federal (HIPAA, HITECH), third-party (PCI, COBIT) and government (NIST, FTC) sources. As a framework, the CSF provides organizations with the structure, detail and clarity relating to information security that they need, tailored to the healthcare industry.
