SaaS Security in Healthcare: Can the Fox Guard the Hen House

SaaS Security in Healthcare: Can the Fox Guard the Hen House? Pros and Cons of an In-­‐House Security Valida=on and a Third-­‐
Party SOC 2 Audit Nick Lewis, Internet2 Sean Sweeney, Univ. of PiOsburgh Dion Taylor, Univ. of Michigan Paul Howell, Internet2 Peter Hoven, ICE Health Systems Introduc=on Peter Hoven Collabora(on •  Dental schools at University of Michigan, University of North Carolina and University of Pi;sburgh •  Schools introduced Internet2 to the process •  Deep commitment from all par(es to develop a new EHR management system •  Formed an advisory board to guide all aspects of the project www.icehealthsystems.com Project Goals •  Efficient Clinical Experience •  Supports Learning •  Robust Financial and Administra(ve Reports •  Embrace Standards to Support Research •  Collabora(on and Communica(on •  Integrates Medical Records •  Uses Excellent and Current SoNware Engineering Prac(ces www.icehealthsystems.com Emphasis on Security ● 
Collabora(on emphasized security ● 
Many opinions around security audit process ● 
Customer agreement focused on: ○  Long Term -­‐ ISO Cer(fica(on ○  Short Term -­‐ Cloud Control Matrix ● 
Michigan performed security review ● 
Pi; and UNC ini(ally requested independent review ● 
UNC introduced the op(on of SOC2 as an accepted 3rd party audit solu(on www.icehealthsystems.com Internet NET+
Nick Lewis What is Internet2 NET+ Services all about? A partnership to provide a portfolio of solutions for Internet2 member organizations that
are cost-effective, easy to access, simple to administer, and tailored to the unique,
shared needs of the community:
•  Define a new generation of value-added services
•  Leverage the Internet2 R&E Network and other services such as InCommon
•  Drive down the costs of provisioning/consuming services
•  Provide a strategic partnership with service providers (new service offerings).
•  Leverage community scale for better pricing and terms
•  Develop solutions that meet performance, usability, and security requirements
•  Provide a single point of contracting and provisioning
Requirements of Service Providers •  Iden(fied Sponsor: CIO or other senior execu(ve from a member ins(tu(on •  Membership in Internet2 and InCommon Federa(on •  Adop(on of InCommon-­‐Shibboleth/SAML2.0 and Connec(on of services to the R&E Network •  Comple(on of the Internet2 NET+ Cloud Control Matrix •  Commitment to: § 
§ 
§ 
§ 
§ 
A formal Service Valida(on with 5-­‐7 member ins(tu(ons Enterprise wide offerings and best pricing at community scale Establishing a service advisory board for each service offering Community business terms (Internet2 NET+ Business and Customer agreements) Support the community’s security, privacy, compliance and accessibility obliga(ons •  Willingness to work with the Internet2 community to customize services to meet the unique needs of educa(on and research NET+ Service Valida(on Components •  Func=onal Assessment •  Review features and func(onality •  Tune service for research and educa(on community •  Technical Integra=on •  Network: determine op(mal connec(on and op(mize service to use the Internet2 R&E network •  Iden(ty: InCommon integra(on •  Security and Compliance •  Security assessment: Cloud Controls Matrix •  FERPA, HIPAA, privacy, data handling •  Accessibility •  Business •  Legal: customized agreement using NET+ community contract templates •  Business model •  Define pricing and value proposi(on •  Deployment •  Documenta(on •  Use cases •  Support model NET+ Security and Compliance •  NET+ template legal agreements include SOC2, ISO27001, and CCM •  Internet2 coordinates the Service Valida(on campuses on the security review of the service provider •  SP shares their security documenta(on with the campuses •  Request SP complete the Cloud Security Alliance Cloud Control Matrix for campuses to review if one wasn’t provided •  Campuses determine what is necessary for security from the SP and sign-­‐off at the comple(on of SV that their security (and the other) requirements are sa(sfied by the SP •  Campuses determine use cases and if the security will support the use cases NET+’s Usage of the CSA CCM •  What is the Cloud Security Alliance Cloud Control Matrix (CCM)? •  How has the CCM evolved? •  What improvements were required for ICE Health? •  Now includes FERPA, HIPAA, ITAR, COPPA from NET+ contribu(on •  NET+ has started to use the CSA Consensus Assessment Ini(a(ve Ques(onnaire •  CCM has mappings to most laws, regula(ons, etc. now •  Ongoing oversight is a responsibility of the NET+ Service Advisory Board Dion Taylor What Was Done •  2012/13: Agreement to use CCM •  March 2014: Visited ICE HQ in Calgary •  August 2014 – October 2014: “High Priority” control list developed, expanded •  December 2014: Met with IIA to set control/report guidelines •  May 2015: Follow-­‐up visit to ICE HQ •  September 2015: Met with IIA to solidify report contents & format •  October 2015: Report delivered to, and reviewed by, IIA •  November 2015: Report delivered to ICE Ques=on Selec=on •  November 2013: En(re CCM/CAIQ used •  March 2014: En(re CCM/CAIQ used •  April 2014: “High Priority” CCM/CAIQ items extracted •  August 2014: UM Compliance Ques(onnaire incorporated •  October 2014: NIST “High Threat Poten(al” families iden(fied, incorporated Gap analysis performed to arrive at the final set of 150+ ques(ons M-IIA
Informa(on Security M-DENT
M-IIA
HIPAA
Informa(on Security M-IIA
HIPAA
Informa(on Security Incident Response Metrics Acceptable Use IS-­‐-­‐-­‐25 IS-­‐-­‐-­‐26 Mechanisms shall be put in place to monitor
and quantify the types, volumes, and costs of
information security incidents.
IS-­‐-­‐-­‐24.4 Do you enforce and a;est to tenant data separa(on when producing data in response to legal subpoenas? IS-­‐-­‐-­‐25.1 Do you monitor and quan(fy the types, volumes, and impacts on all informa(on security incidents? IS-­‐-­‐-­‐25.2 Will you share sta(s(cal informa(on security incident data with your tenants upon request? Policies and procedures shall be established for IS-­‐-­‐-­‐26.1 the acceptable use of information assets.
NIST SP800-53 R3 IR-4 NIST
SP800-53 R3 IR-5 NIST SP800-53
R3 IR-8
Incident Handling Incident Monitoring Incident
Response Plan
Yes Yes No No Yes No No No In progress Yes Yes M-IIA
M-DENT
Informa(on Security M-IIA
M-DENT
Informa(on Security IS-­‐-­‐-­‐26.2 Do you collect or create metadata about tenant data usage through the use of inspec(on technologies (search engines, etc.)? Yes Yes Yes M-IIA
M-DENT
Informa(on Security IS-­‐-­‐-­‐26.3 Do you allow tenants to opt-­‐-­‐-­‐out of having their data/
metadata accessed via inspec(on technologies? Yes Yes Yes IS-­‐-­‐-­‐27.1 Are systems in place to monitor for privacy breaches and no(fy tenants expedi(ously if a privacy event may have impacted their data? No No Yes IS-­‐-­‐-­‐27.2 Is your Privacy Policy aligned with industry standards? Yes Yes Yes IS-­‐-­‐-­‐29.1 Do you restrict, log, and monitor access to your informa(on security management systems? (Ex. Hypervisors, firewalls, vulnerability scanners, network sniffers, APIs, etc.) NIST SP800-53 R3 AU-9 NIST
SP800-53 R3 AU-11 NIST SP800-53
R3 AU-14
Protection Of Audit Informaton Audit Record
Retention Session Audit
M-IIA
HIPAA
M-IIA
HIPAA
Informa(on Security Asset Returns IS-­‐-­‐-­‐27 Employees, contractors and third
party users must return all assets
owned by the organization within a defined and
documented time frame once the employment,
contract or
agreement has been terminated.
Informa(on Security Do you provide documenta(on regarding how you may u(lize or access tenant data and/or metadata? In progress NIST SP800-53 R3 AC-8
NIST SP800-53 R3 PS-4
System Use Notification
Personnel Termination
HTP Informa(on Security Audit Tools Access IS-­‐-­‐-­‐29 Access to, and use of, audit tools that interact
with the organizations information systems
shall be appropriately segmented and
restricted to prevent compromise and misuse
of log data.
Top 10 HTP Informa(on Security Diagnos(c / Configura(on Ports Access IS-­‐-­‐-­‐30 IS-­‐-­‐-­‐30.1 User access to diagnostic and configuration
ports shall be restricted to authorized individuals
and applications.
Do you u(lize dedicated secure networks to provide management access to your cloud service infrastructure? NIST SP800-53 R3 CM-7 NIST
SP800-53 R3 MA-3 NIST SP800-53
R3 MA-4 NIST SP800-53 R3 MA-5
Least Functionality
Maintenance Tools
Non-Local Maintenance Maintenance
Personnel
HTP Informa(on Security Network / Infrastructure Services IS-­‐-­‐-­‐31 Network and infrastructure service
level agreements (in-house or outsourced)
shall clearly document security controls,
capacity and
IS-­‐-­‐-­‐31.1 Do you collect capacity and u(liza(on data for all relevant components of your cloud service offering? NIST SP800-53 R3 SC-20
Secure Name/Address Resolution Service (Authoritative Source)
NIST SP800-53 R3 SC-21 NIST
SP800-53 R3 SC-22 NIST SP800-53
R3 SC-23 NIST SP800-53 R3 SC-24
Secure Name/Address Resolution Service (Recursive/Caching Resolver) Arch & Provisioning for
Name/Address Resolution Svc
Session Authenticity Fail In Known State
service levels, and business or customer
requirements.
IS-­‐-­‐-­‐31.2 Do you provide tenants with capacity planning and u(liza(on reports? Informa(on Security M-IIA
M-DENT
HTP In progress No Yes In progress In progress No No No Yes In progress Portable / Mobile Devices IS-­‐-­‐-­‐32 Policies and procedures shall be established
and measures implemented to strictly limit
access to sensitive data from portable and
mobile devices, such as laptops, cell phones,
and personal digital assistants (PDAs), which
are generally higher-risk than non- portable
devices (e.g., desktop computers at the
organization’s facilities).
IS-­‐-­‐-­‐32.1 Are Policies and procedures established and NIST SP800-53 R3 AC-17 NIST
SP800-53 R3 AC-18 NIST SP800-53
measures implemented to strictly limit access R3 AC-19 NIST SP800-53 R3 MP-2
to sensi(ve data from portable and mobile NIST SP800-53 R3 MP-4 NIST
SP800-53 R3 MP-6
devices, such as laptops, cell phones, and personal digital assistants (PDAs), which are generally higher-­‐-­‐-­‐risk than non-­‐-­‐-­‐portable devices (e.g., desktop computers at the provider organiza(on’s facili(es)? Remote Access Wireless Access
Access Control for Mobile Devices Media Access
Media Storage Media Sanitization
In progress Informa(on Security Source Code Access IS-­‐-­‐-­‐33 Access to application, program or object source code shall
be restricted to authorized personnel on a need
IS-­‐-­‐-­‐33.1 Are controls in place to prevent unauthorized access to NIST SP800-53 R3 CM-5 NIST
SP800-53 R3 CM-6
your applica(on, program or object source Access Restrictions for Change Configuration Settings
In progress Informa(on Security No In progress Yes code, and assure it is restricted to authorized personnel only? to know basis. Records shall be maintained
regarding the individual granted access, reason
for access and version of source code exposed.
IS-­‐-­‐-­‐33.2 Are controls in place to prevent unauthorized access to tenant applica(on, program or object source code, and assure it is restricted to authorized personnel only? N/A N/A ✔
GAP GAP In progress In progress Informa(on Security Restric(on In progress GAP N/A Top 10 HTP HTP GAP NIST SP800-­‐53 Control Rankings How Ques=ons Were Assessed How Ques=ons Were Assessed What does the regula=on/standard say? •  CCM CGID IS-­‐19, “Encryp(on Key Mgmt.” –  Do you encrypt tenant data at rest (on disk/storage) within your environment? –  Do you leverage encryp(on to protect data and virtual machine images during transport across and between networks and hypervisor instances? •  HIPAA (SP800-­‐66) –  164.312(a)(2)(iv), 164.312(e)(1) •  ISO27002:2005 –  Clause 4.3.3, A.10.7.3, A.12.3.2, A.15.1.6 •  NIST (SP800-­‐53) –  SC-­‐12, SC-­‐13, SC-­‐17, SC-­‐28 How Ques=ons Were Assessed, Cont. What does the regula=on/standard say? •  CCM CGID IS-­‐19, “Encryp(on Key Mgmt.” –  HIPAA (SP800-­‐66) •  164.312(a)(2)(iv) -­‐ Encryp(on and Decryp(on (A) •  164.312(e)(1) -­‐ Transmission Security –  ISO27002:2005 •  Clause 4.3.3 – Control of Records •  A.10.7.3 – Informa(on Handling Procedures •  … –  NIST (SP800-­‐53) • 
• 
• 
• 
SC-­‐12 – Cryptographic Key Establishment and Mgmt. SC-­‐13 – Cryptographic Protec(on … AC-­‐3 – Access Enforcement How Ques=ons Were Assessed, Cont. What does the regula=on/standard say? •  CCM CGID IS-­‐19, “Encryp(on Key Mgmt.” –  NIST (SP800-­‐53) •  SC-­‐12 – Cryptographic Key Establishment and Mgmt. –  The organiza(on establishes and manages cryptographic keys for required cryptography employed within the informa(on system. »  SC-­‐12(1): The organiza(on maintains availability of informa(on in the event of the loss of cryptographic keys by users. •  … •  AC-­‐3 – Access Enforcement –  The informa5on system enforces approved authoriza5ons for logical access to the system in accordance with applicable policy. »  “…access enforcement mechanisms (e.g., access controls lists, access control matrices, cryptography)…” Then compare the ICE response against these controls and determine what needs to be done to remediate. Example of ICE Improvement •  CCM CGID IS-­‐19, “Encryp(on Key Mgmt.” –  Do you encrypt tenant data at rest (on disk/storage) within your environment? •  November 2013: No response •  March 2014: “No” to both policies and procedures •  May 2015: “Yes” (AWS Securing Data at Rest with Encryp=on, Database Installa=on Procedure, etc.) –  Do you leverage encryp(on to protect data and virtual machine images during transport across and between networks and hypervisor instances? •  November 2013: No response •  March 2014: “No” to both policies and procedures •  May 2015: “Yes” (Network Diagrams, Data Interac=on Diagram) Assessment Team •  UM Informa(on Assurance Office –  Sol Bermann, UM Privacy Officer, IA Risk Assessment team •  Developed U-­‐M wide guidance, tools, and processes for service provider security-­‐compliance assessments •  Remained engaged with U-­‐M School of Den(stry, and other key stakeholders on progress and repor(ng •  Iden(fied areas of IT security risk/controls emphasis •  Part of final review/approval •  UMHS Compliance –  Ben Havens, UMHS Informa(on Security Compliance Director •  Ensured HIPAA-­‐specific concerns were addressed Assessment Team, Cont. •  UM Office of General Counsel –  Colleen McClorey, Associate General Counsel •  Managed all legal agreements •  Advised over the course of the assessment strategy •  UM Procurement –  Ted Eisenhut, Privacy Officer and IT Policy and Enterprise Con(nuity Strategist •  Facilitated major update to U-­‐M Procurement policy that embedded security and compliance reviews as a part of the procurement process •  Collaborated with all U-­‐M stakeholder to ensure all concerns were addressed as they relate to the purchasing process Peter Hoven Acronym Hell •  HIPAA/HITRUST •  CCM (1.4 or 3.01) •  PCI •  SOC2 Trust Principles •  NIST SP800-­‐53 R3 •  ISO 27001 •  COBIT •  Michigan High Priority Items www.icehealthsystems.com Mappings •  Michigan mapped CCM to various standards and created High Priority Items •  KPMG PreAssessment mapped CCM to SOC2 Security Many differences •  CCM Cloud focus Virtualiza(on Cloud Providers •  ICE relies on Amazon A;esta(on and Compliance www.icehealthsystems.com Go Forward Plan •  Michigan security review and remedia(on •  Holis(c Security •  Risk Analysis •  Bake it in •  SOC 2 Type 1 and 2 •  ISO 27001 www.icehealthsystems.com Sean Sweeny Third-Party Risk Assessment at Pitt
•  Centrally administered and reviewed
•  Required for all third-parties having access to University Data
•  Embedded into University processes, including Purchasing, Office
of General Council, IRB, etc.
Third-Party Risk Assessment at Pitt
•  Self Assessment Questionnaire
–  Maps to NIST CSF, FISMA, HIPAA/HITRUST,
GLBA, PCI, and ISO
•  Independent verification required for
regulated data
–  SOC 2, PCI Certification, ISO Certification
Review Process for ICE at Pitt
•  Initial review and acceptance of Cloud Controls Matrix in lieu of
normal procedure
–  Version 1.3
•  Gap Assessment of ICE against the CCM
•  Third-party audit
–  Control testing required
–  CCM vs SOC 2
Next Steps and Takeaways
•  University of Michigan security review
–  Working to understand methods
–  Potential Reliance
•  CCM detail + SOC 2 overview
–  Best of both worlds for Pitt
•  Model for EDU reliance?
Discussion Paul Howell