Cloud Security is a Shared Responsibility


When I first became familiar with enterprise cloud computing, one of the primary objections to cloud adoption was the security of the data within the applications. Today that has changed; as cloud has matured it is now seen as an option for IT infrastructure that can be designed to be more secure than on-premises solutions. Through the process of designing cloud infrastructure, IT professionals have become aware of the security benefits cloud offers. Concurrently, data exposures and breaches have become more widespread, and security has become a greater responsibility. These factors have led cloud architects, whether with a cloud provider or within an enterprise, to realize that cloud security is a shared responsibility. It is shared in two respects: first among the different groups within the enterprise, and second between the enterprise and the cloud provider, who split the responsibility for securing the data. This article focuses on the second: the sharing of security responsibilities between the enterprise and the provider. To simplify the roles and responsibilities I will use three categories: infrastructure, operating systems including applications, and customer data.

Private Cloud

Most IT users today consider a virtualized stack of IT infrastructure on premises to be a private cloud. In this scenario, as before cloud computing, the enterprise is responsible for all aspects of security: it must protect its data from every physical, technical and administrative threat. In large organizations these responsibilities can be divided among groups within the IT department, such as the network, security, application and compliance teams.

Infrastructure as a Service (IaaS)

The greatest need for security coordination arises in a public or hybrid cloud configuration such as infrastructure as a service (IaaS). In an IaaS environment the enterprise has agreed to let the provider manage the infrastructure component of IT security, which allows it to hand off the security and regulatory concerns associated with the physical server hardware. It also gains physical security, because the infrastructure sits off premises in a secured facility. Regulators, and frequently large customers, will mandate an audited data center standard such as SOC 2 as a condition of the business relationship, and building an audited, SOC 2 compliant data center on premises is costly and time-consuming. Hosting IT infrastructure in an audited, physically secure data center is therefore one of the greatest benefits of IaaS.

Beyond the physical infrastructure, the IaaS provider is also responsible for the security of the hypervisor that runs the virtualized operating systems and services. The enterprise, however, remains responsible for the operating systems of its virtual servers, including applying the security patches the software vendor issues, and for the security of its own applications and the data that resides in them. Some providers offer managed services that include security functions such as a managed firewall, monitoring and even malware protection for the virtual servers they host. These services add value because the provider is typically more familiar with security best practices across its infrastructure stack than the enterprise is. Even so, responsibility remains shared, and the enterprise is always responsible for its own data.

Software as a Service (SaaS)

SaaS is the cloud model most businesses have the most experience with and understand best. Common platforms such as Microsoft Office 365, Google G Suite and CRM software like salesforce.com have made SaaS commonplace. In a SaaS platform virtually the whole IT stack is owned by the provider; however, the enterprise still has security responsibilities, chiefly for its own data. The business owns its data and must ensure it stays free of malware and other external threats, and it must protect the endpoints, such as laptops and tablets, that are used to access the SaaS data. It also controls who may reach that data, so user accounts, access rights and authentication settings within the SaaS tenant remain the enterprise's responsibility.

Additional Considerations

Other security responsibilities the enterprise retains in any cloud environment are connectivity, authentication and identity services, and the management of abandoned resources.

Connectivity to the cloud provider is most secure when a private circuit or dedicated connection can be implemented. Where a private connection is not practical, the enterprise must establish an encrypted tunnel, such as a virtual private network (VPN), so that traffic crossing the public internet is protected.

Authentication and identification of users is an integral part of any enterprise IT network, and it is equally important to integrate the enterprise's authentication or directory service with the cloud solution. A solution like Microsoft Azure AD is considered by many to be a best practice for this complicated process; it was described in some detail in a previous article, Active Directory (AD) in the Cloud. Finally, a frequent cause for concern, especially in enterprises with large IT staffs, is abandoned resources: cloud instances that were created, lost their relevance and were forgotten. They can remain in a public cloud for years, billed every month, with the customer's data exposed to the public because they were created at a time with less stringent security policies. Periodic billing review and the monitoring services offered by cloud security platforms can find and eliminate this waste and exposure.
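The abandoned-resource review described above can be automated once an inventory export is in hand. The script below is an added example and is not code from the original article or from any cloud provider: it runs over a small inventory constructed by hand (the resource names, the owner, last_activity, public_ip, open_ports and monthly_cost fields, the 90-day idle threshold and the administrative port list are all assumptions about what a real inventory would contain) and rates each resource by combining the two questions that matter: is it abandoned, and is it reachable from the internet?

```python
"""Triage a cloud resource inventory for abandoned and publicly exposed instances.

Added example, not code from the original article. The inventory below is
constructed by hand, and every field name (owner, last_activity, public_ip,
open_ports, monthly_cost) is an assumption about what a real inventory or
cloud security platform export would contain.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Constructed sample inventory (not real cloud data). last_activity is the most
# recent login, API call or network flow attributed to the resource.
INVENTORY = [
    {"id": "vm-web-01", "owner": "app-team", "created": "2023-11-02T09:00:00Z",
     "last_activity": "2024-05-30T10:00:00Z", "public_ip": True,
     "open_ports": [443], "monthly_cost": 180.0},
    {"id": "vm-poc-2019", "owner": "", "created": "2019-03-14T12:00:00Z",
     "last_activity": "2019-09-01T00:00:00Z", "public_ip": True,
     "open_ports": [22, 3389, 80], "monthly_cost": 95.0},
    {"id": "db-analytics", "owner": "data-team", "created": "2022-01-10T08:00:00Z",
     "last_activity": "2023-10-01T00:00:00Z", "public_ip": False,
     "open_ports": [5432], "monthly_cost": 410.0},
    {"id": "vm-batch-03", "owner": "ops", "created": "2024-02-01T00:00:00Z",
     "last_activity": "2024-05-28T00:00:00Z", "public_ip": False,
     "open_ports": [], "monthly_cost": 60.0},
]

ADMIN_PORTS = {22, 3389, 5900}                      # SSH, RDP, VNC (assumed list)
IDLE_DAYS = 90                                      # assumed threshold for "abandoned"
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)    # fixed so the results are reproducible


@dataclass
class Finding:
    resource_id: str
    severity: str
    reasons: list = field(default_factory=list)


def parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def triage(inventory, now=NOW, idle_days=IDLE_DAYS):
    """Return one Finding per resource that is idle, unowned or internet-exposed.

    Severity combines two questions: is the resource abandoned (nobody owns it
    or nothing has touched it for idle_days), and is it reachable from the
    public internet, in particular on an administrative port?
    """
    findings = []
    for r in inventory:
        reasons = []
        idle = now - parse_ts(r["last_activity"])
        is_idle = idle > timedelta(days=idle_days)
        if is_idle:
            reasons.append(f"no activity for {idle.days} days")
        if not r["owner"]:
            reasons.append("no owner tag")
        exposed_ports = sorted(r["open_ports"]) if r["public_ip"] else []
        if exposed_ports:
            reasons.append("public IP with open ports " + ",".join(map(str, exposed_ports)))
        admin_exposed = bool(ADMIN_PORTS.intersection(exposed_ports))
        if admin_exposed:
            reasons.append("administrative port exposed to the internet")
        if not reasons:
            continue
        abandoned = is_idle or not r["owner"]
        if abandoned and admin_exposed:
            severity = "critical"
        elif abandoned and exposed_ports:
            severity = "high"
        elif abandoned:
            severity = "medium"
        else:
            severity = "low"
        findings.append(Finding(r["id"], severity, reasons))
    return findings


def abandoned_spend(inventory, findings):
    """Monthly cost of resources rated medium or above: the waste a billing review would surface."""
    cost = {r["id"]: r["monthly_cost"] for r in inventory}
    return sum(cost[f.resource_id] for f in findings if f.severity != "low")


if __name__ == "__main__":
    found = triage(INVENTORY)
    for f in found:
        print(f"{f.severity:8} {f.resource_id:14} {'; '.join(f.reasons)}")
    print(f"monthly spend on abandoned resources: ${abandoned_spend(INVENTORY, found):.2f}")
```

Run as-is, the script rates the in-use web server "low" (it is public, but owned and active), the forgotten 2019 proof-of-concept "critical" (unowned, idle for years, and exposing SSH and RDP to the internet), and the idle internal database "medium". The same logic can be pointed at a real export from a cloud security platform or the provider's API by replacing the constructed INVENTORY list; the idle threshold and the port list should be tuned to the organization's own policy.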

Business cloud solutions come in many configurations that vary in the infrastructure, software and services offered. In every cloud environment, security requires a shared responsibility and a layered approach coordinated between the cloud provider and the enterprise. A supplier-agnostic advisor like Two Ears One Mouth IT Consulting can help a business find the right provider and security services for its applications.


If your business is unique and requires a custom cloud security solution for IT Support

Contact Jim Conwell (513) 227-4131      jim.conwell@twoearsonemouth.net

www.twoearsonemouth.net

we listen first…


Compliance with Current IT Regulation

Because of the explosion of data breaches in the past ten years, most businesses are aware that compliance with IT regulation and security policy is imperative. That does not stop the governments of most nations from enforcing regulation to remind us of it. Perhaps because I have spent most of my life in the IT industry, I believe IT regulation is vital in the digital age. However, it is typically vague and far harder to apply than ordinary written law, and government regulation tends to be difficult to understand and follow without assistance. One way businesses get that assistance is by following an established IT framework. These frameworks are written in more specific terms and describe IT best practices, and businesses can use them as a reference to achieve regulatory or security compliance.

Popular IT Frameworks

COBIT, a framework created by the Information Systems Audit and Control Association (ISACA), provides management and business process owners with an IT governance model that helps them deliver value from IT and understand and manage the risks associated with it.

ISO/IEC 38500, a standard for the corporate governance of IT aimed at executive management, is published and maintained by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). It is similar to, and builds upon, earlier ISO/IEC standards.

Calder-Moir, an IT governance "super-framework", pulls the existing, overlapping and sometimes competing frameworks and standards together so that an organization can use them side by side and get the most benefit from each.

Common IT Regulation

HIPAA

A government regulation created during the Clinton administration, the Health Insurance Portability and Accountability Act (HIPAA) primarily mandates the privacy and security of Protected Health Information (PHI). Originally passed in 1996, it was later expanded by the Health Information Technology for Economic and Clinical Health Act (HITECH) and the Omnibus Rule. HIPAA requires physical, administrative and technical safeguards for the protection of PHI, and its Privacy, Security and Enforcement Rules contain some of the strongest language of any regulation to date. It is among the most important and far-reaching regulations of our time.

GDPR

The European Union's (EU) General Data Protection Regulation (GDPR) replaced the Data Protection Directive 95/46/EC and was designed to harmonize data privacy laws across Europe. GDPR was approved by the EU Parliament in April 2016 and took effect on 25 May 2018. It protects the personal data of individuals in the EU and applies to organizations anywhere in the world that process that data. As with most new regulation, some of the details and the enforcement practice are not yet clear. Most US-based multinationals have taken it seriously and have begun the process of compliance. For a small or medium-sized business (SMB), compliance starts with several questions:

  • Do we hold personal data of individuals in the EU?
  • Is the data benign, such as what is found on a business card, or sensitive, such as health records or political or religious affiliation?
  • Where is this data, and how can we protect it?

While complete compliance may not be possible today, the best practice for an SMB is to know where the data resides and to develop and document policies for its protection.

PCI DSS

In addition to government regulation, industry associations have come together to create compliance standards for their own data. A primary example is the Payment Card Industry Data Security Standard (PCI DSS), which defines a robust process for securing payment card data, including prevention, detection and an appropriate reaction to security incidents. The PCI Security Standards Council maintains the standard for the protection of cardholder data and keeps an approved list of assessors who audit and validate an entity's adherence to PCI DSS.

Regardless of the size of your business, if you have an IT presence you are likely subject to regulation. With a strong IT partner that has a deep understanding of IT frameworks, like Two Ears One Mouth, compliance can be achieved.

If you would like to talk more about strategies for IT compliance contact us:

Jim Conwell (513) 227-4131      jim.conwell@twoearsonemouth.net

www.twoearsonemouth.net

we listen first…

HIPAA: The Who, When and What Is Its Primary Purpose?

HIPAA

The Health Insurance Portability and Accountability Act (HIPAA) was signed into law by President Bill Clinton in 1996 and created some of the most sweeping changes in healthcare at that time and for many years after. HIPAA was originally designed to let workers keep their health coverage between jobs and to prevent discrimination based on health status; its Administrative Simplification provisions, which require the protection and security of patients' health data, have since grown into regulation with a much larger scope and a focus on information technology as it relates to healthcare. HIPAA's three primary functions are:

  1. Protect the privacy and provide security for Protected Health Information (PHI).
  2. Increase the efficiency and effectiveness of the healthcare system.
  3. Establish standards for accessing, sharing and transmitting PHI.

The HHS regulations implementing HIPAA are commonly grouped into three primary components: the Privacy Rule, the Security Rule and the Enforcement Rule. Several years later HIPAA was expanded by the Health Information Technology for Economic and Clinical Health Act (HITECH) and the Omnibus Rule that implemented it.

The Privacy Rule

The Privacy Rule was designed to protect and keep private our Protected Health Information (PHI). PHI is individually identifiable health information, and includes identifiers such as a patient's street address, city, birth date, email address and Social Security number when they are tied to information obtained in the process of receiving care. Individuals may face civil or criminal penalties for violating the Privacy Rule.

Its primary goal is to protect individuals' PHI while permitting an efficient flow of information. It applies to covered entities: health plans, health care clearinghouses, and health care providers, such as hospitals and doctors' offices, that transmit health information electronically. It also applies to business associates, organizations that create, receive, maintain or transmit PHI on behalf of a covered entity. These entities must protect PHI in every form: electronic, oral and written.

The Privacy Rule also gives individuals the right to access, review and obtain copies of their PHI, to request amendments to it, and to request restrictions on its use and disclosure. Under the Privacy Rule, covered entities are required to designate a privacy official, train their workforce on HIPAA compliance, and execute business associate agreements with every entity to which they disclose PHI.

The Security Rule

The Security Rule sets the standards that covered entities and business associates must meet for the security of electronic protected health information (ePHI).

The Security Rule has three categories of safeguards:

  1. Administrative safeguards – These begin the security management process by designating a security officer and performing a risk assessment. The goal is to evaluate risk and make sure only authorized personnel can access ePHI. Contingency and business continuity plans must also be documented for use in the event of a disaster or disruption of business.
  2. Physical safeguards – These cover facility access controls (badges, alarms and locks), workstation use and security, and device and media controls, which is where the use of laptops, tablets, phones and removable media must be addressed.
  3. Technical safeguards – These include access controls (unique user IDs, passwords, PINs or biometrics), audit controls that record and examine activity in systems holding ePHI, integrity controls, and transmission security. Encryption of ePHI at rest and in transit is an "addressable" specification: it must be implemented where reasonable and appropriate, and where it is not, the reason and any equivalent alternative measure must be documented.

All required policies, procedures and records must be documented and available to the workforce responsible for implementing them, reviewed and updated periodically, and retained for six years from the date of creation or the date they were last in effect, whichever is later.
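To make the technical safeguards concrete at the application layer, here is an added example that is not code from the original article and not from any HIPAA-certified product: a minimal record store with unique user identification, role-based access control that enforces the Privacy Rule's "minimum necessary" standard, and a tamper-evident audit trail in which each entry commits to the hash of the previous one. The roles, the fields each role may see, the user names and the sample record are all assumptions; the record contains no real patient data.

```python
"""Application-layer illustration of the Security Rule's technical safeguards:
unique user identification, role-based access that enforces 'minimum necessary',
and a tamper-evident audit trail.

Added example, not code from the original article. The roles, the fields each
role may see, the user names and the sample record are all assumptions; the
record contains no real patient data.
"""
import hashlib
import json
from datetime import datetime, timezone

# Constructed sample record (not real PHI).
RECORDS = {
    "MRN-0001": {
        "name": "Jane Example", "dob": "1980-01-01", "ssn": "000-00-0000",
        "diagnosis": "Hypertension", "insurer": "Example Health Plan",
        "balance": 125.00,
    }
}

# Assumed minimum-necessary policy: each role sees only the fields its job needs.
ROLE_FIELDS = {
    "physician": {"name", "dob", "diagnosis"},
    "billing": {"name", "insurer", "balance"},
    "front_desk": {"name", "dob"},
}

# Assumed directory of unique user IDs, each mapped to a single role.
USERS = {"dr.smith": "physician", "acct.lee": "billing", "desk.kim": "front_desk"}


class AuditLog:
    """Append-only audit trail. Each entry's hash covers the previous entry's hash,
    so editing or deleting an entry after the fact is detected by verify()."""

    GENESIS = "0" * 64

    def __init__(self):
        self.entries = []

    @staticmethod
    def _digest(entry):
        body = {k: v for k, v in entry.items() if k != "hash"}
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def append(self, user, action, record_id, outcome, fields=()):
        entry = {
            "ts": datetime.now(timezone.utc).isoformat(),
            "user": user, "action": action, "record": record_id,
            "fields": sorted(fields), "outcome": outcome,
            "prev": self.entries[-1]["hash"] if self.entries else self.GENESIS,
        }
        entry["hash"] = self._digest(entry)
        self.entries.append(entry)
        return entry

    def verify(self):
        """True only if every entry's hash is intact and chains to its predecessor."""
        prev = self.GENESIS
        for entry in self.entries:
            if entry["prev"] != prev or self._digest(entry) != entry["hash"]:
                return False
            prev = entry["hash"]
        return True


def read_phi(log, user, record_id, requested_fields):
    """Return only the requested fields, and only if the user's role permits every
    one of them. Every attempt, allowed or denied, is written to the audit log."""
    role = USERS.get(user)
    if role is None:
        log.append(user, "read", record_id, "denied:unknown-user", requested_fields)
        raise PermissionError(f"unknown user {user!r}")
    excess = set(requested_fields) - ROLE_FIELDS[role]
    if excess:
        log.append(user, "read", record_id, "denied:minimum-necessary", requested_fields)
        raise PermissionError(f"role {role!r} may not access {sorted(excess)}")
    if record_id not in RECORDS:
        log.append(user, "read", record_id, "denied:no-such-record", requested_fields)
        raise KeyError(record_id)
    record = RECORDS[record_id]
    log.append(user, "read", record_id, "ok", requested_fields)
    return {f: record[f] for f in requested_fields}


if __name__ == "__main__":
    log = AuditLog()
    print(read_phi(log, "dr.smith", "MRN-0001", ["name", "diagnosis"]))
    for user, fields in (("desk.kim", ["name", "diagnosis"]), ("mallory", ["ssn"])):
        try:
            read_phi(log, user, "MRN-0001", fields)
        except PermissionError as e:
            print("denied:", e)
    print("audit trail intact:", log.verify())
    log.entries[1]["outcome"] = "ok"          # simulate someone editing the log
    print("audit trail intact after tampering:", log.verify())
```

The physician's read succeeds and is logged; the front-desk user asking for a diagnosis is refused under minimum necessary, and an unknown user is refused outright, with both denials recorded. Rewriting a logged denial to "ok" breaks the hash chain, which is what an audit control needs to catch. In a real deployment the log would be written to storage the application cannot modify, the timestamps would come from a trusted clock, and the records themselves would be encrypted at rest, none of which this example shows.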

The Enforcement Rule

The Enforcement Rule sets the standards for penalties in the event of a HIPAA violation or breach. Initially, very few violations were reported and few penalties were assessed. Today penalties are still rare compared to the actual violations, which occur frequently.

The most common infractions include:

  • Unauthorized disclosures of PHI
  • Lack of protection of health information
  • Inability of patients to access their health information
  • Disclosing more than the minimum necessary protected health information
  • Absence of safeguards for electronic protected health information

According to HHS enforcement data, the types of covered entities most often required to take corrective action to come into voluntary compliance are:

  • Private practices
  • Hospitals
  • Outpatient facilities
  • Health plans, such as group insurance plans
  • Pharmacies

(source: hhs.gov/enforcement, 2013)

HITECH and the Omnibus Rule

In 2009 Congress passed the Health Information Technology for Economic and Clinical Health Act (HITECH), which amended HIPAA. HITECH was designed to reduce cost and streamline healthcare through information technology, and it expanded HIPAA with new requirements for the protection of PHI held in information systems.

In 2013 the HHS Office for Civil Rights issued the Omnibus Final Rule to implement the HITECH changes. Those changes included:

  • It expanded individuals' rights over their PHI, including the right to restrict certain disclosures, and required the individual's written authorization before PHI can be sold.
  • Business associates became directly liable for compliance and are required to provide items such as workforce training, a designated security official and a risk assessment. HITECH also extended these obligations to subcontractors of business associates.
  • Breaches of unsecured PHI must be reported to the affected individuals and to the Secretary of HHS, and a risk assessment must be completed for each incident to determine whether it is a reportable breach.
  • HITECH introduced a tiered approach to penalties, with violations of the same provision in one calendar year totaling up to $1,500,000. It also gave state attorneys general the power to bring civil actions for HIPAA violations.

HIPAA is one of the most sweeping and all-encompassing changes ever to affect the healthcare industry. It has evolved to regulate the use of information technology within healthcare in addition to protecting the privacy of a patient's PHI. Unfortunately, like most government regulation, it is vague and difficult to enforce. At the same time, it has created valuable safeguards for our personal health records and encouraged improvements in the flow and integration of healthcare data.

If you need assistance with any current IT projects (Cincinnati or remote), or a risk assessment for your practice, please contact us at:

Jim Conwell (513) 227-4131      jim.conwell@outlook.com      www.twoearsonemouth.net