cloud service architecture - overcoming hipaa challenges - click software

Overcoming HIPAA Challenges Cloud Service Architecture Marius Aharonovich, Cloud Security Architect

Upload: israel-aws-user-group

Post on 16-Jul-2015


TRANSCRIPT

Overcoming HIPAA Challenges – Cloud Service Architecture

Marius Aharonovich, Cloud Security Architect

Agenda

Cloud Service Overview

Architecture

PHI Security Controls – Approach

Security – Infrastructure

Administrative Controls

Technical Controls

Incidents Detection and Response


Cloud Services – Overview (1/2)


Mobile Workforce Management & Optimization

Dispatcher/Mobile/GIS

Number of Cloud Customers: 60+

Data stored and processed:

Personal and Protected Health Information (PHI)

Customer’s and Customer’s Clients’ Information

Cloud Services – Overview (2/2)

Software as a Service

Amazon Web Services (AWS) Based

Holding 3 Regions (US, EU, AUS)

HIPAA business associate

Operation team

Cloud Ops, NOC & Support 24x7, DevOps, Security

SLA – 99.9%

DR – Other Region / Availability Zone

Data Daily Backup – AWS S3 in encrypted format


Architecture


[Architecture diagram; only the slide's labels are recoverable]

Legend: VPC – Virtual Private Cloud; SaaS – Software as a Service; DC – Domain Controller; CSSO – Service Optimization

Components shown: Web/HTTPS traffic entering through the Amazon Firewall / Internet GW; ELBs in front of per-client CSSO instances (Client A, Client B, Client C) inside the SaaS VPC (ClickSoftware SaaS); MSSQL, fully redundant (mirroring); SiteMinder Authentication; GIS (PTV); DC and BDC

Covered Entity (Customers)

Business Associate (ClickSoftware Cloud Services)

Private Data / PHI must be Processed with:

Limited purposes

Not kept for longer than is necessary

Mitigation of unauthorized access

No transfer to third parties without adequate protection

PHI Security Controls – Approach


• AWS assurance programs:

SOC 2, SOC 3, FIPS 140-2 (encryption), NIST (media re-use)

ISO 27001- Information Security Management System (ISMS)

HIPAA (& BAA) – Health Insurance Portability and Accountability Act

• AWS addresses common infrastructure security threats, such as:

Distributed Denial of Service (DDoS) attacks

Man In the Middle (MITM) attacks

IP spoofing

Port scanning

Packet sniffing by other tenants

Security – Infrastructure


• Security Personnel – Security and Privacy Officer

• ISO 27001 and HIPAA compliance (& BAA)

• Information Security and Privacy Policy

• Risk Assessments

• Code Inspections

• Penetration Tests

Administrative Controls (1/3)


• Internal Security Audits:

Brute-force attempts, and changes in groups, servers, applications and GPOs

Changes in AWS Security Groups & ELB

AWS tools: Trusted Advisor, Credentials Report

Administrative Controls (2/3)

Credentials Report:

Username (Console / API)

user_creation_time

password_enabled/disabled

password_last_used

mfa_active/inactive

access_key_active/inactive

Security Group changes – alert email:

    Hello,
    AWS Auditing Alert - Please check the log lines below
    2015-01-27 06:31:53 AM: Object: Security Group(sg-XX)
    ObjectId: tcp Decription: Security Group IpProtocol
    RANGE (YY) had been added
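The credentials report fields listed above are what the periodic audit reads. The Python below is an added example, not code from the deck or from ClickSoftware: it parses a constructed report in the column layout of the IAM credential report (restricted to the columns it uses) and flags console users without MFA, dormant passwords, and access keys that are active but never used or stale; the 90-day threshold, the fixed reference date and the sample users are assumptions.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample, restricted to the credential-report columns the checks
# below read (the real report carries more columns; all values are made up).
SAMPLE_REPORT = """\
user,password_enabled,password_last_used,mfa_active,access_key_1_active,access_key_1_last_used_date,access_key_2_active,access_key_2_last_used_date
<root_account>,not_supported,2015-07-01T08:00:00+00:00,true,false,N/A,false,N/A
ops-alice,true,2015-07-14T07:30:00+00:00,true,true,2015-07-14T07:31:00+00:00,false,N/A
contractor-bob,true,2015-02-01T12:00:00+00:00,false,true,N/A,false,N/A
svc-backup,false,no_information,false,true,2015-07-15T02:00:00+00:00,true,2015-01-10T00:00:00+00:00
"""

NOW = datetime(2015, 7, 16, tzinfo=timezone.utc)  # fixed reference time (assumed) so runs are reproducible

def parse_ts(value):
    """Return an aware datetime, or None for the report's N/A / no_information / not_supported markers."""
    if value in ("N/A", "no_information", "not_supported", ""):
        return None
    return datetime.fromisoformat(value)

def audit_credential_report(csv_text, now=NOW, max_age_days=90):
    """Return (user, finding) pairs for credentials that need follow-up."""
    stale_before = now - timedelta(days=max_age_days)
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        user = row["user"]
        # The root account reports password_enabled as not_supported but always has a password.
        console = row["password_enabled"] == "true" or user == "<root_account>"
        if console and row["mfa_active"] != "true":
            findings.append((user, "console login without MFA"))
        last_login = parse_ts(row["password_last_used"])
        if console and last_login is not None and last_login < stale_before:
            findings.append((user, "console password unused for >%d days" % max_age_days))
        for n in ("1", "2"):  # the report carries two access-key slots per user
            if row["access_key_%s_active" % n] != "true":
                continue
            last_used = parse_ts(row["access_key_%s_last_used_date" % n])
            if last_used is None:
                findings.append((user, "access key %s active but never used" % n))
            elif last_used < stale_before:
                findings.append((user, "access key %s unused for >%d days" % (n, max_age_days)))
    return findings

if __name__ == "__main__":
    for user, finding in audit_credential_report(SAMPLE_REPORT):
        print("%-16s %s" % (user, finding))
```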


Employees:

NDA, Employee Security Requirements

Security Awareness Training (OPS, NOC, Support, R&D)

Background Screening

• Specific policies and Procedures

DRP

Backup & Restore

Data Sanitization (PHI disposal: database, logs, backup)

Administrative Controls (3/3)


AAA – Authentication, Password policy, Strict Permissions, Logs

Active Directory

Identity Manager

SSO - Federation and SAML2

URL filter and Reverse Proxy

IPS & WAF & DDoS Protection

Antimalware, Security Patches

Technical Controls (1/3)


Network Segmentation and Traffic Control

VPC - Private, isolated and controlled section of AWS

Dedicated Database Instance / Dedicated HIPAA Environment

AWS Security Groups (inbound & outbound)

Authorized IP Addresses

Remote Access:

AWS Management console: TLS with Two Factor Authentication (TFA)

AWS Environment: VPN/TLS with TFA

Technical Controls (2/3)


HTTPS access – TLS termination

AWS ELB / Security Gateway

Web Server

Data at-rest encryption:

Elastic Block Store (EBS) encryption

Mobile local database encryption

De-Identified Health Information - Static & dynamic data masking

Audit of actions in PHI Database

Technical Controls (3/3)


Detect and Notify

SIEM - Logs collection, aggregation, correlation

AWS Changes detection, CloudTrail / CloudWatch

Ongoing Audits

Contain – Isolation, blocking, prevention of further damage

Recover (snapshots)

After Action – Forensics (snapshots)

Breach notification

Timeline

Legal & Marketing cooperation

Incidents Detection and Response


Thank you