TRANSCRIPT
SaaS Security in Healthcare: Can the Fox Guard the Hen House?
Pros and Cons of an In-House Security Validation and a Third-Party SOC 2 Audit
Nick Lewis, Internet2
Dion Taylor, Univ. of Michigan
Peter Hoven, ICE Health Systems
Sean Sweeney, Univ. of Pittsburgh
Paul Howell, Internet2
Collaboration
• Dental schools at University of Michigan, University of North Carolina and University of Pittsburgh
• Schools introduced Internet2 to the process
• Deep commitment from all parties to develop a new EHR management system
• Formed an advisory board to guide all aspects of the project
www.icehealthsystems.com
Project Goals
• Efficient Clinical Experience
• Supports Learning
• Robust Financial and Administrative Reports
• Embrace Standards to Support Research
• Collaboration and Communication
• Integrates Medical Records
• Uses Excellent and Current Software Engineering Practices
Emphasis on Security
● Collaboration emphasized security
● Many opinions around security audit process
● Customer agreement focused on:
○ Long Term - ISO Certification
○ Short Term - Cloud Control Matrix
● Michigan performed security review
● Pitt and UNC initially requested independent review
● UNC introduced the option of SOC2 as an accepted 3rd party audit solution
What is Internet2 NET+ Services all about?
A partnership to provide a portfolio of solutions for Internet2 member organizations that are cost-effective, easy to access, simple to administer, and tailored to the unique, shared needs of the community:
• Define a new generation of value-added services
• Leverage the Internet2 R&E Network and other services such as InCommon
• Drive down the costs of provisioning/consuming services
• Provide a strategic partnership with service providers (new service offerings)
• Leverage community scale for better pricing and terms
• Develop solutions that meet performance, usability, and security requirements
• Provide a single point of contracting and provisioning
Requirements of Service Providers
• Identified Sponsor: CIO or other senior executive from a member institution
• Membership in Internet2 and InCommon Federation
• Adoption of InCommon-Shibboleth/SAML2.0 and Connection of services to the R&E Network
• Completion of the Internet2 NET+ Cloud Control Matrix
• Commitment to:
– A formal Service Validation with 5-7 member institutions
– Enterprise wide offerings and best pricing at community scale
– Establishing a service advisory board for each service offering
– Community business terms (Internet2 NET+ Business and Customer agreements)
– Support the community’s security, privacy, compliance and accessibility obligations
• Willingness to work with the Internet2 community to customize services to meet the unique needs of education and research
NET+ Service Validation Components
• Functional Assessment
– Review features and functionality
– Tune service for research and education community
• Technical Integration
– Network: determine optimal connection and optimize service to use the Internet2 R&E network
– Identity: InCommon integration
• Security and Compliance
– Security assessment: Cloud Controls Matrix
– FERPA, HIPAA, privacy, data handling
– Accessibility
• Business
– Legal: customized agreement using NET+ community contract templates
– Business model
– Define pricing and value proposition
• Deployment
– Documentation
– Use cases
– Support model
NET+ Security and Compliance
• NET+ template legal agreements include SOC2, ISO27001, and CCM
• Internet2 coordinates the Service Validation campuses on the security review of the service provider
• SP shares their security documentation with the campuses
• Request SP complete the Cloud Security Alliance Cloud Control Matrix for campuses to review if one wasn’t provided
• Campuses determine what is necessary for security from the SP and sign-off at the completion of SV that their security (and the other) requirements are satisfied by the SP
• Campuses determine use cases and if the security will support the use cases
NET+’s Usage of the CSA CCM
• What is the Cloud Security Alliance Cloud Control Matrix (CCM)?
• How has the CCM evolved?
• What improvements were required for ICE Health?
• Now includes FERPA, HIPAA, ITAR, COPPA from NET+ contribution
• NET+ has started to use the CSA Consensus Assessment Initiative Questionnaire
• CCM has mappings to most laws, regulations, etc. now
• Ongoing oversight is a responsibility of the NET+ Service Advisory Board
What Was Done
• 2012/13: Agreement to use CCM
• March 2014: Visited ICE HQ in Calgary
• August 2014 – October 2014: “High Priority” control list developed, expanded
• December 2014: Met with IIA to set control/report guidelines
• May 2015: Follow-up visit to ICE HQ
• September 2015: Met with IIA to solidify report contents & format
• October 2015: Report delivered to, and reviewed by, IIA
• November 2015: Report delivered to ICE
Question Selection
• November 2013: Entire CCM/CAIQ used
• March 2014: Entire CCM/CAIQ used
• April 2014: “High Priority” CCM/CAIQ items extracted
• August 2014: UM Compliance Questionnaire incorporated
• October 2014: NIST “High Threat Potential” families identified, incorporated
Gap analysis performed to arrive at the final set of 150+ questions
Sample rows from the assessment matrix (the source column of row tags – M-IIA, M-DENT, HIPAA – could not be realigned to individual rows in extraction; tags that survived next to a row are shown with it)
• Information Security
– IS-24.4: Do you enforce and attest to tenant data separation when producing data in response to legal subpoenas?
– Responses: In progress / Yes / Yes
• Information Security – Incident Response Metrics
– IS-25: Mechanisms shall be put in place to monitor and quantify the types, volumes, and costs of information security incidents.
– IS-25.1: Do you monitor and quantify the types, volumes, and impacts on all information security incidents?
– NIST SP800-53 R3: IR-4 Incident Handling; IR-5 Incident Monitoring; IR-8 Incident Response Plan
– Responses: No / No / Yes – Flag: GAP
– IS-25.2: Will you share statistical information security incident data with your tenants upon request?
– Responses: No / No / No
• Information Security – Acceptable Use
– IS-26: Policies and procedures shall be established for the acceptable use of information assets.
– IS-26.1: Do you provide documentation regarding how you may utilize or access tenant data and/or metadata?
– NIST SP800-53 R3: AC-8 System Use Notification
– Responses: In progress / Yes / Yes ✔
– IS-26.2: Do you collect or create metadata about tenant data usage through the use of inspection technologies (search engines, etc.)?
– Responses: Yes / Yes / Yes
– IS-26.3: Do you allow tenants to opt-out of having their data/metadata accessed via inspection technologies?
– Responses: Yes / Yes / Yes
• Information Security – Information Asset Returns
– IS-27: Employees, contractors and third party users must return all assets owned by the organization within a defined and documented time frame once the employment, contract or agreement has been terminated.
– IS-27.1: Are systems in place to monitor for privacy breaches and notify tenants expeditiously if a privacy event may have impacted their data?
– NIST SP800-53 R3: PS-4 Personnel Termination
– Responses: No / No / Yes – Flag: GAP
– IS-27.2: Is your Privacy Policy aligned with industry standards?
– Responses: Yes / Yes / Yes
• Information Security (tag: HTP) – Audit Tools Access
– IS-29: Access to, and use of, audit tools that interact with the organization’s information systems shall be appropriately segmented and restricted to prevent compromise and misuse of log data.
– IS-29.1: Do you restrict, log, and monitor access to your information security management systems? (Ex. Hypervisors, firewalls, vulnerability scanners, network sniffers, APIs, etc.)
– NIST SP800-53 R3: AU-9 Protection of Audit Information; AU-11 Audit Record Retention; AU-14 Session Audit
– Responses: In progress / In progress / In progress – Flag: Top 10 HTP
• Information Security – Diagnostic / Configuration Ports Access
– IS-30: User access to diagnostic and configuration ports shall be restricted to authorized individuals and applications.
– IS-30.1: Do you utilize dedicated secure networks to provide management access to your cloud service infrastructure?
– NIST SP800-53 R3: CM-7 Least Functionality; MA-3 Maintenance Tools; MA-4 Non-Local Maintenance; MA-5 Maintenance Personnel
– Responses: No / No / Yes – Flag: Top 10 HTP
• Information Security (tag: HTP) – Network / Infrastructure Services
– IS-31: Network and infrastructure service level agreements (in-house or outsourced) shall clearly document security controls, capacity and service levels, and business or customer requirements.
– IS-31.1: Do you collect capacity and utilization data for all relevant components of your cloud service offering?
– NIST SP800-53 R3: SC-20 Secure Name/Address Resolution Service (Authoritative Source); SC-21 Secure Name/Address Resolution Service (Recursive/Caching Resolver); SC-22 Architecture & Provisioning for Name/Address Resolution Service; SC-23 Session Authenticity; SC-24 Fail In Known State
– Responses: In progress / In progress / In progress – Flag: HTP
– IS-31.2: Do you provide tenants with capacity planning and utilization reports?
– Responses: No / No / No
• Information Security (tag: M-DENT) – Portable / Mobile Devices
– IS-32: Policies and procedures shall be established and measures implemented to strictly limit access to sensitive data from portable and mobile devices, such as laptops, cell phones, and personal digital assistants (PDAs), which are generally higher-risk than non-portable devices (e.g., desktop computers at the organization’s facilities).
– IS-32.1: Are policies and procedures established and measures implemented to strictly limit access to sensitive data from portable and mobile devices, such as laptops, cell phones, and personal digital assistants (PDAs), which are generally higher-risk than non-portable devices (e.g., desktop computers at the provider organization’s facilities)?
– NIST SP800-53 R3: AC-17 Remote Access; AC-18 Wireless Access; AC-19 Access Control for Mobile Devices; MP-2 Media Access; MP-4 Media Storage; MP-6 Media Sanitization
– Responses: In progress / Yes / In progress
• Information Security (tag: HTP) – Source Code Access Restriction
– IS-33: Access to application, program or object source code shall be restricted to authorized personnel on a need to know basis. Records shall be maintained regarding the individual granted access, reason for access and version of source code exposed.
– IS-33.1: Are controls in place to prevent unauthorized access to your application, program or object source code, and assure it is restricted to authorized personnel only?
– NIST SP800-53 R3: CM-5 Access Restrictions for Change; CM-6 Configuration Settings
– Responses: In progress / In progress / Yes – Flag: GAP
– IS-33.2: Are controls in place to prevent unauthorized access to tenant application, program or object source code, and assure it is restricted to authorized personnel only?
– Responses: N/A / N/A / N/A
How Questions Were Assessed
What does the regulation/standard say?
• CCM CGID IS-19, “Encryption Key Mgmt.”
– Do you encrypt tenant data at rest (on disk/storage) within your environment?
– Do you leverage encryption to protect data and virtual machine images during transport across and between networks and hypervisor instances?
• HIPAA (SP800-66)
– 164.312(a)(2)(iv), 164.312(e)(1)
• ISO27002:2005
– Clause 4.3.3, A.10.7.3, A.12.3.2, A.15.1.6
• NIST (SP800-53)
– SC-12, SC-13, SC-17, SC-28
How Questions Were Assessed, Cont.
What does the regulation/standard say?
• CCM CGID IS-19, “Encryption Key Mgmt.”
– HIPAA (SP800-66)
• 164.312(a)(2)(iv) - Encryption and Decryption (A)
• 164.312(e)(1) - Transmission Security
– ISO27002:2005
• Clause 4.3.3 – Control of Records
• A.10.7.3 – Information Handling Procedures
• …
– NIST (SP800-53)
• SC-12 – Cryptographic Key Establishment and Mgmt.
• SC-13 – Cryptographic Protection
• …
• AC-3 – Access Enforcement
How Questions Were Assessed, Cont.
What does the regulation/standard say?
• CCM CGID IS-19, “Encryption Key Mgmt.”
– NIST (SP800-53)
• SC-12 – Cryptographic Key Establishment and Mgmt.
– The organization establishes and manages cryptographic keys for required cryptography employed within the information system.
» SC-12(1): The organization maintains availability of information in the event of the loss of cryptographic keys by users.
• …
• AC-3 – Access Enforcement
– The information system enforces approved authorizations for logical access to the system in accordance with applicable policy.
» “…access enforcement mechanisms (e.g., access controls lists, access control matrices, cryptography)…”
Then compare the ICE response against these controls and determine what needs to be done to remediate.
Example of ICE Improvement
• CCM CGID IS-19, “Encryption Key Mgmt.”
– Do you encrypt tenant data at rest (on disk/storage) within your environment?
• November 2013: No response
• March 2014: “No” to both policies and procedures
• May 2015: “Yes” (AWS Securing Data at Rest with Encryption, Database Installation Procedure, etc.)
– Do you leverage encryption to protect data and virtual machine images during transport across and between networks and hypervisor instances?
• November 2013: No response
• March 2014: “No” to both policies and procedures
• May 2015: “Yes” (Network Diagrams, Data Interaction Diagram)
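The assessment method above (map a CAIQ question to the controls of each standard, then track the provider's answer and its evidence across rounds) as a small tracker. This is an added example, not ICE, NET+ or U-M tooling: the IS-19 mapping and the three dated answers are transcribed from the slides, the third row is a constructed placeholder, and the rule that a "Yes" only closes a gap when evidence is named is this example's assumption.

```python
"""Track CAIQ answers across assessment rounds together with the cross-standard mapping.
Added example, not ICE, NET+ or U-M tooling. IS-19 data is transcribed from the slides;
the acceptance rule (a "Yes" counts only when evidence is named) is an assumption."""
from dataclasses import dataclass, field
from typing import Optional

@dataclass(frozen=True)
class Response:
    date: str                 # "YYYY-MM" so plain string order is date order
    answer: Optional[str]     # None = no response in that round
    evidence: tuple = ()      # artifacts the provider supplied with the answer

@dataclass
class Question:
    qid: str
    text: str
    mappings: dict            # standard name -> control identifiers (from the slides)
    history: list = field(default_factory=list)

def status(q: Question) -> str:
    """open: no 'Yes' yet; unsupported: 'Yes' without evidence; closed: 'Yes' with evidence."""
    if not q.history:
        return "open"
    last = max(q.history, key=lambda r: r.date)
    if last.answer != "Yes":
        return "open"
    return "closed" if last.evidence else "unsupported"

def timeline(q: Question) -> list:
    """Answers in date order, the way the 'Example of ICE Improvement' slide reads them."""
    return [(r.date, r.answer or "No response") for r in sorted(q.history, key=lambda r: r.date)]

def unmet_controls(questions: list, standard: str) -> set:
    """Controls of one standard still implicated by questions that are not closed."""
    return {c for q in questions if status(q) != "closed" for c in q.mappings.get(standard, ())}

IS19_MAP = {  # transcribed from the "How Questions Were Assessed" slides
    "HIPAA (SP800-66)": ("164.312(a)(2)(iv)", "164.312(e)(1)"),
    "ISO27002:2005": ("4.3.3", "A.10.7.3", "A.12.3.2", "A.15.1.6"),
    "NIST SP800-53": ("SC-12", "SC-13", "SC-17", "SC-28", "AC-3"),
}
AT_REST = Question("IS-19 at rest", "Do you encrypt tenant data at rest within your environment?", IS19_MAP,
    [Response("2013-11", None), Response("2014-03", "No"),
     Response("2015-05", "Yes", ("AWS Securing Data at Rest with Encryption", "Database Installation Procedure"))])
IN_TRANSIT = Question("IS-19 transport", "Do you use encryption for data and VM images in transport?", IS19_MAP,
    [Response("2013-11", None), Response("2014-03", "No"),
     Response("2015-05", "Yes", ("Network Diagrams", "Data Interaction Diagram"))])
# Constructed row (not from the slides): a bare "Yes" with nothing attached does not close the gap.
CONSTRUCTED = Question("IS-XX (constructed)", "placeholder question", {"NIST SP800-53": ("AC-3",)},
    [Response("2015-05", "Yes")])

if __name__ == "__main__":
    for q in (AT_REST, IN_TRANSIT, CONSTRUCTED):
        print(q.qid, status(q), timeline(q))
    print("NIST controls still implicated:", sorted(unmet_controls([AT_REST, IN_TRANSIT, CONSTRUCTED], "NIST SP800-53")))
```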
Assessment Team
• UM Information Assurance Office
– Sol Bermann, UM Privacy Officer, IA Risk Assessment team
• Developed U-M wide guidance, tools, and processes for service provider security-compliance assessments
• Remained engaged with U-M School of Dentistry, and other key stakeholders on progress and reporting
• Identified areas of IT security risk/controls emphasis
• Part of final review/approval
• UMHS Compliance
– Ben Havens, UMHS Information Security Compliance Director
• Ensured HIPAA-specific concerns were addressed
Assessment Team, Cont.
• UM Office of General Counsel
– Colleen McClorey, Associate General Counsel
• Managed all legal agreements
• Advised over the course of the assessment strategy
• UM Procurement
– Ted Eisenhut, Privacy Officer and IT Policy and Enterprise Continuity Strategist
• Facilitated major update to U-M Procurement policy that embedded security and compliance reviews as a part of the procurement process
• Collaborated with all U-M stakeholders to ensure all concerns were addressed as they relate to the purchasing process
Acronym Hell
• HIPAA/HITRUST
• CCM (1.4 or 3.01)
• PCI
• SOC2 Trust Principles
• NIST SP800-53 R3
• ISO 27001
• COBIT
• Michigan High Priority Items
Mappings
• Michigan mapped CCM to various standards and created High Priority Items
• KPMG PreAssessment mapped CCM to SOC2 Security
– Many differences
• CCM Cloud focus
– Virtualization
– Cloud Providers
• ICE relies on Amazon Attestation and Compliance
Go Forward Plan
• Michigan security review and remediation
• Holistic Security
• Risk Analysis
• Bake it in
• SOC 2 Type 1 and 2
• ISO 27001
Third-Party Risk Assessment at Pitt
• Centrally administered and reviewed
• Required for all third parties having access to University Data
• Embedded into University processes, including Purchasing, Office of General Counsel, IRB, etc.
Third-Party Risk Assessment at Pitt
• Self Assessment Questionnaire
– Maps to NIST CSF, FISMA, HIPAA/HITRUST, GLBA, PCI, and ISO
• Independent verification required for regulated data
– SOC 2, PCI Certification, ISO Certification
Review Process for ICE at Pitt
• Initial review and acceptance of Cloud Controls Matrix in lieu of normal procedure
– Version 1.3
• Gap Assessment of ICE against the CCM
• Third-party audit
– Control testing required
– CCM vs SOC 2
Next Steps and Takeaways
• University of Michigan security review
– Working to understand methods
– Potential Reliance
• CCM detail + SOC 2 overview
– Best of both worlds for Pitt
• Model for EDU reliance?