200 International Dr., Buffalo, NY (716) Lifting the Fog to See the Cloud Information Security in a Hosted Environment William Prohn Managing Director Thomas O’Connor Consultant
200 International Dr., Buffalo, NY (716) William M. Prohn CISSP ®, CISA ®, CGEIT ®, CRISC ®, Managing Director Dopkins System Consultants Background Thomas M. O’Connor B.S. Accounting Information Systems M.S. Forensic Accounting Consultant Dopkins System Consultants
200 International Dr., Buffalo, NY (716) Introduction to the Cloud Benefits & Challenges in the Cloud Certifications ISACA Knowledge Center HIPAA o HITECH o HITRUST
200 International Dr., Buffalo, NY (716) What is That? But now they only block the sun They rain and snow on everyone So many things I would have done But clouds got in my way I've looked at clouds from both sides now From up and down, and still somehow It's cloud illusions I recall I really don't know clouds at all – Joni Mitchell, “Both Sides Now”
200 International Dr., Buffalo, NY (716) Introduction to the Cloud Simple Definition: Using the internet Replace the term ‘in the cloud’ in a statement with ‘on the internet’ We all use the ‘cloud,’ we just might not know it The term originates from network diagrams US Patent US_ Alternate: Utilizing third party resources accessible through the internet
200 International Dr., Buffalo, NY (716) Why Move to the Cloud? Reduce storage and archive costs Allow for remote access Allow for collaboration Improve search efficiency 24/7 Access and support Increased security with redundancy Reduce administrative overhead It’s All About the Compromise
200 International Dr., Buffalo, NY (716) The Role of the Auditors Oversee and provide input on governance Consideration of security COBIT Objectives: May be concerned with any of the COBIT objectives IT PlanningBudgeting Risk Assessment Feasibility Service Level Management Business Continuity Physical Environment IT Governance
200 International Dr., Buffalo, NY (716) What Moves to the Cloud? Applications & Software o Software as a Service [SaaS] Servers & IT Personnel o Infrastructure as a Service [IaaS] Programming languages, libraries, tools and services o Platform as a Service [PaaS]
200 International Dr., Buffalo, NY (716) The compromise with each benefit is risk Controls are a response to that risk Are the controls designed and implemented appropriately? Are they operating effectively?
200 International Dr., Buffalo, NY (716) ITGC audits typically focus on identifying and testing controls Manage Changes o Are changes authorized, tested and monitored? Logical Access o Is privileged access restricted to appropriate users? Other IT Operations o Is critical data regularly backed up? o Are incidents reported and addressed timely?
200 International Dr., Buffalo, NY (716) Challenges in the Cloud What about controls in a hosted environment? Who owns the data? Who has access to the data? New Risks | New Controls | New Audit Steps [i.e. CSP][i.e. Data Center][i.e. System Admin]
200 International Dr., Buffalo, NY (716) Challenges in the Cloud What about controls in a hosted environment? Who is responsible for backing up the data? What about incidents? New Risks | New Controls | New Audit Steps
200 International Dr., Buffalo, NY (716) Service Level Agreements End-User Licensing Agreements Alternate providers o Bankruptcy o Acquisition Threats to CSPs Challenges in the Cloud Disaster Recovery & Business Continuity -- Gartner 1-in-4 Vendors Will Be Gone By 2015
200 International Dr., Buffalo, NY (716) Challenges in the Cloud Cyber Security Insurance 31% of companies have a cyber security insurance policy 1 39% planned to purchase a policy within a year ‘Cloud Protection’ policies gaining popularity Cloud Coverage Typically Includes: Loss of income due to vendor down time Costs associated with procuring new vendor Costs of migrating to new vendor 1Managing Cyber Security as a Business Risk: Cyber Insurance in the Digital AgeManaging Cyber Security as a Business Risk: Cyber Insurance in the Digital Age -- (Ponemon Institute & Experian), August 2013
200 International Dr., Buffalo, NY (716) Certifications & Compliance
200 International Dr., Buffalo, NY (716) Certifications & Compliance HIPAA PCI DSS ISO 27001:2005 Protected Health Information Business Associate Agreements Payment Card Transactions International Information Security Standard
200 International Dr., Buffalo, NY (716) ISACA Knowledge Center Topical Coverage: o Governance affecting cloud computing o Contractual compliance o Control issues specific to cloud computing COBIT & COSO Cross-references Intended to compliment other audit(s) One of 25+ ISACA audit programs available: ISACA Cloud Computing Management Audit/Assurance Program Cloud Computing Management Audit/Assurance Program
200 International Dr., Buffalo, NY (716) Auditing in the Cloud Service Provider Responsibilities Service Level Agreements (SLAs) Performance and frequency of risk assessments Compliance and Audit: Right to Audit Third-party Reviews Compliance ISO Certification
200 International Dr., Buffalo, NY (716) Auditing in the Cloud Incident Response, Notification and Remediation Review of SLAs Legal and regulatory compliance Data Security Encryption Identity and Access Management
200 International Dr., Buffalo, NY (716) HIPAA & HITECH
200 International Dr., Buffalo, NY (716) Health Insurance Portability and Accountability Act Established in 1996 by Clinton Administration Make it easier for workers to maintain insurance coverage when changing jobs (portability) This is facilitated by digital files and electronic data This requires a level of security
200 International Dr., Buffalo, NY (716) Health Insurance Portability and Accountability Act Applies to health care organizations (HCOs) PROVIDERS and INSURERS Specifically EXCLUDES Workers’ Compensation Does NOT apply to medical records in other contexts, like employers
200 International Dr., Buffalo, NY (716) Health Insurance Portability and Accountability Act Three Rules that are relevant to compliance: EDI Rule ICD-9 ICD-10
200 International Dr., Buffalo, NY (716) Health Insurance Portability and Accountability Act Privacy Rule HCOs must “Reasonably safeguard” patient data
200 International Dr., Buffalo, NY (716) Health Insurance Portability and Accountability Act Security Rule Protect the Confidentiality, Integrity and Availability of Protected Health Information against “reasonably anticipated threats or hazards” Access Controls Audit Controls Authentication Transmission Security
200 International Dr., Buffalo, NY (716) Health Information Technology for Economic and Clinical Health Enacted in 2009 as part of economic stimulus legislation Gives grant money to HCOs to implement new technologies such as EHR Creates fines and sanctions for HIPAA violations to pay for the grants
200 International Dr., Buffalo, NY (716) Health Information Technology for Economic and Clinical Health Broadens the scope of HIPAA to include “Business Associates” of HCOs accountants, lawyers, consultants “create, maintain, receive or transmit” “Cloud” even if they disclaim access New data breach notification rules Enforcement is on a “contingent fee” basis HHS gets to keep the money
200 International Dr., Buffalo, NY (716) Specific Controls Required: Risk Analysis/Risk Management Sanction Policy Incident Response/reporting process Data Backup plan Disaster Recovery Plan Data disposal/media re-use Written contracts with Business Associates
200 International Dr., Buffalo, NY (716) Common Security Framework (CSF), a certifiable framework that can be used by any and all organizations that create, access, store or exchange personal health and financial information. Common Security Framework (CSF) harmonizes the requirements of existing standards and regulations, including federal (HIPAA, HITECH), third party (PCI, COBIT) and government (NIST, FTC). As a framework, the CSF provides organizations with the needed structure, detail and clarity relating to information security tailored to the healthcare industry.
200 International Dr., Buffalo, NY (716)