Privacy Officer's Guide to Evaluating Cloud Vendors


Slide 1: Privacy Officer's Guide to Evaluating Cloud Vendors
Andrew Rodriguez, MSHI, HCISSP, CHPC, CHPS, CDP
Corporate Privacy and Information Security Officer, Shriners Hospitals for Children
Adjunct Instructor, University of Illinois at Chicago

Agenda
- Overview of Cloud Technology
- The Role of a Privacy Officer in Cloud Vendor Evaluation
- Understanding and Evaluating a Data Flow Map

Slide 2: Privacy & Security
- Privacy: what information we protect.
- Cybersecurity: how we protect the information.

Section: Overview of Cloud Technology

Slide 3: Pre-Cloud: Application Service Provider; Cloud Computing (diagram labels only)

Slide 4: Cloud Computing
'There Is No Cloud' by Chris Watterston ( - Used with permission.)
What's the Difference?

Slide 5: Cloud Computing
Diagram components: Cloud Consumer; Cloud Provider Web Server; Cloud Provider App Engine; Cloud Provider EMR; Cloud Provider Storage.

Characteristics of Cloud Computing
- On-demand self-service: the consumer can increase or decrease resources without human interaction with the service provider.
- Broad network access: resources are available over the network and on multiple platforms.
- Resource pooling: resources are shared among the service provider's customers.
- Rapid elasticity: resources can be quickly increased or decreased according to demand.
- Measured service: use of resources is monitored, controlled, audited, and reported.

Slide 6: Understanding "as a Service"
- Software as a Service: software licensing and delivery is on a subscription basis and centrally hosted.
- Infrastructure as a Service: virtualized computing resources accessible over the Internet, such as servers and networking.
- Platform as a Service: technology that allows customers to develop, run, and manage applications without the complexity of building and maintaining the infrastructure.
- Database as a Service: services and resources provided to store, retrieve, and manage data.
- X as a Service: represents "Anything as a Service." Examples: software, infrastructure, platform, database, file storage, security, or disaster recovery.

Types of Cloud Providers
- Application Provider (Software as a Service). Examples: Electronic Medical Record (EMR); Customer Relationship Management (CRM); Employee Management and Payroll.
- Resource Provider (X as a Service). Examples: Infrastructure as a Service; Storage as a Service; Platform as a Service; Database as a Service; Mobile Backend as a Service.

Slide 7: Software as a Service
Application Provider (Software as a Service). Examples: Electronic Medical Record (EMR); Customer Relationship Management (CRM); Employee Management and Payroll.

Section: Role of a Privacy Officer in a Cloud Vendor Evaluation
- Business Associate Evaluation
- Logging, Monitoring, and Reporting of Access
- Multi-Tenancy and Segregation of Data
- User Management
- Breach Notification
- Evaluation Report

Slide 8: Role of a Privacy Officer in a Cloud Vendor Evaluation
Question, Confirm, Document, Assess: Privacy, Information Security, Cybersecurity.

Vendor says: "100% HIPAA Compliant." A HIPAA Compliance certification does not exist. Certifications mean either:
- On the date of the certification the company met the requirements for the certification; or
- On the date of the certification the company met the requirements for the certification and provided evidence of processes to maintain compliance.

Slide 9: Business Associate Evaluation
Determine if a Business Associate Agreement is needed.
- Is there a potential for PHI to be stored within the solution? (Helpdesk software, backup services, Meaningful Use)
- Will you be required to enter a direct agreement with a supporting XaaS?
Diagram: Business Associates Agreement between the Cloud Consumer and the SaaS Vendor.

Slide 10: SaaS & Supporting Cloud Solutions
Diagram labels: Business Associates Agreement; Cloud Provider Web Server; Cloud Provider EMR; Cloud Provider App Engine; Cloud Provider Storage.
Tip: Ask the SaaS provider for a copy of their risk assessment for XaaS vendors.

Slide 11: Logging, Monitoring, and Reporting of Access
Covered Entity
- Auditing: access to PHI (success and failure); login to system (success and failure); PHI accessed via reports. Does auditing include the vendor workforce and the XaaS workforce?
- Monitoring: How are the audit logs accessed? (real time, hourly, once a day) Can logs be exported? (Excel, comma delimited)
- Reporting: ask for a demonstration of accessing audit logging reports.

SaaS & XaaS
- Access to PHI: evidence that the vendor collects audit logs; evidence that the vendor monitors audit logs.
- Privileged Access: evidence that the vendor collects audit logs; evidence that the vendor monitors audit logs.
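As an added example that is not part of the slide deck, the checklist above turned into a check over a constructed comma-delimited audit export: it counts PHI access, logins and report access by outcome and by workforce organisation, and lists which checklist items the export gives no evidence for. The column names, event names and organisation labels are assumptions about what a vendor's export might contain, not any real product's format.

```python
"""Summarize a constructed, comma-delimited audit-log export against the
checklist on this slide: PHI access and logins (success and failure),
PHI accessed via reports, and whether vendor / XaaS workforce is covered."""
import csv
import io
from collections import Counter

# Constructed sample export; column names and values are assumptions,
# not a real product's format.
SAMPLE_EXPORT = """timestamp,actor,actor_org,event,outcome,resource
2024-03-01T08:00:00Z,jdoe,covered_entity,login,success,portal
2024-03-01T08:01:10Z,jdoe,covered_entity,phi_access,success,patient/1001
2024-03-01T08:02:45Z,jdoe,covered_entity,report_access,success,report/census
2024-03-01T09:15:00Z,svc-support,saas_vendor,login,failure,portal
2024-03-01T09:15:30Z,svc-support,saas_vendor,login,success,portal
2024-03-01T09:16:00Z,svc-support,saas_vendor,phi_access,success,patient/1001
2024-03-01T10:00:00Z,dba01,xaas_vendor,phi_access,failure,db/patients
"""

REQUIRED_EVENTS = ("login", "phi_access", "report_access")
EXPECTED_ORGS = ("covered_entity", "saas_vendor", "xaas_vendor")


def summarize(export_text):
    """Return (counts, gaps). counts maps (actor_org, event, outcome) -> n;
    gaps lists checklist items the export gives no evidence for."""
    rows = list(csv.DictReader(io.StringIO(export_text)))
    counts = Counter((r["actor_org"], r["event"], r["outcome"]) for r in rows)
    gaps = []
    for event in REQUIRED_EVENTS:
        for outcome in ("success", "failure"):
            if not any(e == event and o == outcome for _, e, o in counts):
                gaps.append(f"no {event} {outcome} events logged")
    orgs_seen = {org for org, _, _ in counts}
    for org in EXPECTED_ORGS:
        if org not in orgs_seen:
            gaps.append(f"no events from {org} workforce")
    return counts, gaps


def vendor_phi_access(export_text):
    """Rows where non-covered-entity workforce touched PHI: the accesses a
    privacy officer should see in the vendor's own monitoring evidence."""
    rows = csv.DictReader(io.StringIO(export_text))
    return [r for r in rows
            if r["actor_org"] != "covered_entity" and r["event"] == "phi_access"]
```

On the sample export the only gap reported is that no failed report access was ever logged, which is exactly the kind of question to take back to the vendor.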

Slide 12: User Management
Types of Users
- System Administrators: limited to SaaS and XaaS.
- Application Administrators: add, change, and remove users and groups.
- Power Users: have limited access to application administrative areas.
- Application Users: the general population of users.

Questions to Ask:
- Who will be responsible for adding, changing, and removing users?
- What is the process to add, change, and remove a user who is an application administrator?

Slide 13: Multi-Tenancy and Segregation of Data
Types of Multi-Tenancy
- File Server: Are files that are created and/or uploaded separated logically by folders or through application permissions?
- Database: At what level does multi-tenancy occur: table level or database/instance level?
- Application: Does each client get their own instance of the application?

Questions to Ask:
- Have you ever had an incident where you served a client another client's information? If so, what did you do to remediate the issue and prevent it from occurring again?
- If, in the future, we decide to separate, will you be able to remove our data (files, database)?

Data at Rest
- Files (PDFs, DOCX, XLSX, etc.): Where and how are files stored? File server: Are the hard drives encrypted? Are the files encrypted? Are audit logs available for access to files containing PHI?
- Database: Are the hard drives encrypted? Are audit logs available for access to objects containing PHI?

Slide 14: Breach Notification
Questions to ask:
- What does the contract say about notifying customers when a breach occurs? Is it consistent with the BAA?
- Does the SaaS have contract requirements for breach notification for their XaaS vendors?

Section: Understanding and Evaluating a Data Flow Map

Slide 15: Data Flow Map
A data flow map illustrates every point where data is transmitted and stored. Also called a System Flow Map.
- Data in Motion: information transferred between storage, interfaces, and systems.
- Data at Rest: information that has been written to disk.

What to request: Can you provide a network map that illustrates data flow between systems and where data is stored?

Slide 16: Data Flow Map: General/High-Level Example (diagram)
- What data is being transferred between components?
- What data is being stored, and where?
- How and where are identifiers stored?
- How and where is clinical information stored?

Slide 17: Data Flow Map
In larger deployments, treat each XaaS vendor as a unique system. Ask:
- What data does the XaaS vendor transmit (input and output)?
- What data does the XaaS vendor store?

Data Flow Diagram: a Data Flow Diagram represents how a system sends and receives information.

Slide 18: Data Flow Diagram: High-Level Example (diagram)
Questions to ask:
- What data is being collected from the exercise bike?
- What data is being stored at the SaaS?
- What access to data does the physical therapist have?
- Can you provide a diagram with detailed information?

Slide 19: Data Flow Diagram
- What information is transmitted? Is it encrypted during transmission?
- What information is collected? How is it stored? Is it encrypted?
- Who has access to reports? Are there audit logs for the information accessed via reports?

Data Flow Map: Lifecycle of data
1. Data is created or captured.
2. Data is transferred and/or stored.
3. Data is processed or analyzed.
4. Data is transferred and/or stored.
5. Data is used or disclosed.

Slide 20: Questions?

Acknowledgements
"There Is No Cloud" Copyright Chris Watterston. All rights reserved. Resale, distribution, intention to gain profit, or usage in or out of context of the artwork 'There Is No Cloud', in any format, is forbidden without written agreement by Chris Watterston.