Cloud Computing in Healthcare:Privacy and Security Considerations

WSHIMA – April 20, 2012

Speaker

Lisa A. Gallagher, BSEE, CISM, CPHIMS

Senior Director, Privacy and Security

HIMSS

Learning Objectives

• Explore the current cloud computing landscape in healthcare

• Discuss privacy and security challenges

• Review cloud computing resources available through HIMSS and others

Why do we call it “Cloud Computing?”

• The phrase “cloud computing” originated from the informal use of a “cloud” graphic in technical diagrams/ flow charts to symbolize the internet and is now codified by use in some electronic tools for producing graphical representations of technical architectures, such as Microsoft Office Visio1 and others. Further, its technical history includes the notion of shared or pooled computing resources.

• The underlying concept of cloud computing dates back to the 1960s, when John McCarthy opined that "computation may someday be organised as a public utility."

1 Microsoft Visio, http://visiotoolbox.com/2010/

What is “Cloud Computing?”

“Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.” - NIST

NIST: http://csrc.nist.gov/publications/drafts/800-145/Draft-SP-800-145_cloud-definition.pdf

Deployment Model(s)

Service Models

Software as a Service (SaaS)

Platform as a Service (PaaS)

Infrastructure as a Service (IaaS).

End-user applications provided as a service,

not stored on local devices or on customer

enterprise resources.

Computing resources, storage and other

resources(e.g., firewalls) provided as a service

rather than deployed internally by customer.

Application platform provided as a service such

that the customer can build, deploy and manage

custom applications.

Uses in Healthcare

• Faster Deployment of EHR technology

• Data Sharing/Enhanced Collaboration

• “PACS-On-Demand”

• Management of “Big Data”

• Longitudinal Patient Medical Record

• Revenue Cycle Management

• Claims Processing

• Enrollment

Advantages - General

• Computing resources available on demand

• Lower cost (reduced upfront costs and capital expenditures)

• Faster Deployment

• Staff Specialization

• Scalable Implementation

• High Availability

Advantages - SecurityStaff Specialization - Cloud providers, just as organizations with large-scale computing facilities, have an opportunity for staff to specialize in security, privacy, and other areas of high interest and concern to the organization.

Platform Strength - Greater uniformity and homogeneity facilitate platform hardening and enable better automation of security management activities like configuration control, vulnerability testing, security audits, and security patching of platform components.

Resource Availability - Redundancy and disaster recovery capabilities are built into cloud computing environments and on-demand resource capacity can be used for better resilience when facing increased service demands or distributed denial of service attacks, and for quicker recovery from serious incidents.

“Guidelines on Security and Privacy in Public Cloud Computing,” NIST SP – 800-144, Draft:

http://csrc.nist.gov/publications/drafts/800-144/Draft-SP-800-144_cloud-computing.pdf

Advantages – Security (cont.)Backup and Recovery - The backup and recovery policies and procedures of a cloud service may be superior to those of the organization and, if copies are maintained in diverse geographic locations, may be more robust.

Mobile Endpoints - Since the main computational resources needed are held by the cloud provider, clients are generally lightweight computationally and easily supported on laptops, notebooks, and netbooks, as well as embedded devices such as smart phones, tablets, and personal digital assistants.

Data Concentration – Related to the previous point, data maintained and processed in the cloud can present less of a risk to an organization with a mobile workforce than having that data dispersed on portable computers or removable media out in the field, where theft and loss of devices routinely occur.

“Guidelines on Security and Privacy in Public Cloud Computing,” NIST SP – 800-144, Draft:

http://csrc.nist.gov/publications/drafts/800-144/Draft-SP-800-144_cloud-computing.pdf

Concerns and Challenges - General• System Complexity - A public cloud computing environment is extremely

complex compared with that of a traditional data center. Many components comprise a public cloud, resulting in a large attack surface.

• Shared Multi-tenant Environment - Public cloud services offered by providers have a serious underlying complication: subscribing organizations typically share components and resources with other subscribers that are unknown to them.

• Internet-facing Services - Public cloud services are delivered over the Internet, exposing both the administrative interfaces used to self-service an account and the interfaces for users and applications to access other available services.

• Loss of Control - While security and privacy concerns in cloud computing services are similar to those of traditional non-cloud services, they are amplified by external control over organizational assets and the potential for mismanagement of those assets.

“Guidelines on Security and Privacy in Public Cloud Computing,” NIST SP – 800-144, Draft:

http://csrc.nist.gov/publications/drafts/800-144/Draft-SP-800-144_cloud-computing.pdf

Concerns and Challenges - Security• Governance - control and oversight over policies, procedures, and

standards for application development, as well as the design, implementation, testing, and monitoring of deployed services.

• Compliance - conformance with an established specification, standard, regulation, or law. Various types of privacy laws and regulations exist within different countries at the national, state, and local levels, making compliance a potentially complicated issue for cloud computing.

• Trust - Under the cloud computing paradigm, an organization relinquishes direct control over many aspects of security and, in doing so, confers an unprecedented level of trust onto the cloud provider.

“Guidelines on Security and Privacy in Public Cloud Computing,” NIST SP – 800-144, Draft:

http://csrc.nist.gov/publications/drafts/800-144/Draft-SP-800-144_cloud-computing.pdf

Concerns and Challenges - Security• Architecture - The architecture of the software systems used to deliver

cloud services comprises hardware and software residing in the cloud. Many of the “simplified” interfaces and service abstractions belie the inherent complexity that affects security.

• Identity and Access Management - One recurring issue is that the organizational identification and authentication framework may not naturally extend into the cloud and extending or changing the existing framework to support cloud services may be difficult.

• Software Isolation - The security of a computer system depends on the quality of the underlying software kernel that controls the confinement and execution of processes. Understanding the use of virtualization by a cloud provider is prerequisite to understanding the security risk involved.

“Guidelines on Security and Privacy in Public Cloud Computing,” NIST SP – 800-144, Draft:

http://csrc.nist.gov/publications/drafts/800-144/Draft-SP-800-144_cloud-computing.pdf

Concerns and Challenges - Security• Data Protection - Data stored in the cloud typically resides in a shared

environment collocated with data from other customers. Organizations moving sensitive and regulated data into the cloud, and must account for the means by which access to the data is controlled and the data is kept secure.

• Availability - Availability is the extent to which an organization’s full set of computational resources is accessible and usable. Denial of service attacks, equipment outages, and natural disasters are all threats to availability in the cloud.

• Incident Response - The cloud provider’s role is vital in performing incident response activities, including incident verification, attack analysis, containment, data collection and preservation, problem remediation, and service restoration. Revising an organization’s incident response plan to address differences between the organizational computing environment and a cloud computing environment is an important, but easy-to-overlook prerequisite to transitioning applications and data.

“Guidelines on Security and Privacy in Public Cloud Computing,” NIST SP – 800-144, Draft:

http://csrc.nist.gov/publications/drafts/800-144/Draft-SP-800-144_cloud-computing.pdf

Cloud Computing Resources

• HIMSS Resources

• Additional Resources

Resources on the HIMSS Website

• HIMSS Privacy and Security Toolkits

– http://www.himss.org/ASP/topics_pstoolkitsDirectory.asp?faid=569&tid=4

• HIMSS Cloud Security Toolkit– http://www.himss.org/cloudsecurity

Additional Resources• EPIC: http://epic.org/privacy/cloudcomputing/

• ISACA: http://www.isaca.org/Knowledge-Center/Research/ResearchDeliverables/Pages/Cloud-Computing-Business-Benefits-With-Security-Governance-and-Assurance-Perspective.aspx

• NASCIO: http://www.nascio.org/resources/EAresources.cfm

• CSA: Security Guidance for Critical Areas of Focus in Cloud Computing V2.1: https://cloudsecurityalliance.org/csaguide.pdf

• SANS: http://www.sans.org/reading_room/analysts_program/arcsight-ping-healthcare.pdf

• RSNA: http://rsna2011.rsna.org/exbData/838/docs/6_h8805-healthcare-costs-complexities-ep.pdf

• HFMA: http://www.hfma.org/Publications/hfm-Magazine/Archives/2011/May/Cloud-Computing--Innovating-the-Business-of-Health-Care/

Questions?