
Healthcare IT Blog Series - 4 of 6 

(This is the fourth post in a Blog series - Moving Healthcare to the Cloud.  The complete series is now available: Introduction - The Move to the Cloud - Defining the Cloud Project - Managing Risk When Moving to the Cloud - Operationalizing Security in the Cloud - Measuring Success in the Cloud)


In the last blog of our Moving Healthcare to the Cloud series, we discussed the key considerations for healthcare organizations that are defining a cloud migration project. In this blog, we examine the technologies to apply in order to assess, manage and reduce the risk of security attacks.

While the cloud is proving to be less risky, more secure and more innovative than traditional on-premises IT, it is still not foolproof nor without risk. Healthcare organizations need to take every precaution in the cloud to ensure confidentiality, integrity, and availability.

In many cases, data must be properly encrypted, with the keys stored separately from the data, in order to maintain confidentiality. The number of admins who can access the keys to decrypt the data should be limited, and every access should be logged and verified. Data integrity can be ensured only if just those admins and users with the appropriate level of authorization can modify, manipulate, or delete the data.

Another key defense measure is your backup and recovery program. If a ransomware attack succeeds, you want to at least be able to fall back to an infrastructure and dataset that are free from compromise and can be safely used to get the business back up-and-running.

To protect your organization from ransomware, be sure to run ongoing, frequent backups and test these backups as part of your disaster recovery plan tabletop exercises. Along with backup and recovery, also ensure all of your security policies can be applied uniformly to all public and private clouds as well as your on-premises data center. This will help ensure a consistent end-user experience with limited disruption to the business.
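The practices described in the two paragraphs above (encryption with keys held apart from the data, a short list of admins who may fetch a key, logged key access, an integrity check before data is used, and a backup that is proven good by restoring it) are modelled in the following added Python example. It is not code from the blog or from Cavirin: the class and function names, the principals `key-admin` and `dba-intern`, the key id `phi-key-1` and the sample record are all constructed for illustration, and the SHA-256 counter-mode keystream stands in for a real authenticated cipher such as AES-GCM so that the snippet runs on the standard library alone.

```python
import hashlib
import hmac
import secrets


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # SHA-256 in counter mode; illustrative stand-in only, not a production cipher.
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return out[:length]


class KeyStore:
    """Holds data-encryption keys apart from the data they protect."""

    def __init__(self, allowed_admins):
        self._keys = {}
        self._allowed = set(allowed_admins)  # the short list of key admins
        self.audit_log = []                   # every key request, granted or not

    def create_key(self, key_id: str) -> None:
        self._keys[key_id] = secrets.token_bytes(32)

    def get_key(self, key_id: str, principal: str) -> bytes:
        granted = principal in self._allowed and key_id in self._keys
        self.audit_log.append({"principal": principal, "key_id": key_id, "granted": granted})
        if not granted:
            raise PermissionError(f"{principal} may not access key {key_id}")
        return self._keys[key_id]


class DataStore:
    """Holds only ciphertext plus an HMAC integrity tag; no keys at rest."""

    def __init__(self):
        self.records = {}  # record_id -> {key_id, nonce, ciphertext, tag}

    def put(self, record_id: str, plaintext: bytes, key: bytes, key_id: str) -> None:
        nonce = secrets.token_bytes(16)
        ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
        tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
        self.records[record_id] = {"key_id": key_id, "nonce": nonce, "ciphertext": ct, "tag": tag}

    def get(self, record_id: str, key: bytes) -> bytes:
        rec = self.records[record_id]
        expected = hmac.new(key, rec["nonce"] + rec["ciphertext"], hashlib.sha256).digest()
        if not hmac.compare_digest(expected, rec["tag"]):  # any modification is detected here
            raise ValueError(f"integrity check failed for record {record_id}")
        stream = _keystream(key, rec["nonce"], len(rec["ciphertext"]))
        return bytes(c ^ k for c, k in zip(rec["ciphertext"], stream))

    def snapshot(self) -> dict:
        # Backup copy of the ciphertext records (keys are backed up separately).
        return {rid: dict(rec) for rid, rec in self.records.items()}


def read_record(ks: KeyStore, ds: DataStore, record_id: str, principal: str) -> bytes:
    key = ks.get_key(ds.records[record_id]["key_id"], principal)  # access is logged here
    return ds.get(record_id, key)


def verify_backup(ks: KeyStore, backup: dict, principal: str) -> bool:
    """Restore test: every backed-up record must decrypt and pass its integrity check."""
    restored = DataStore()
    restored.records = {rid: dict(rec) for rid, rec in backup.items()}
    for rid in restored.records:
        read_record(ks, restored, rid, principal)  # raises on a bad record
    return True


def demo() -> dict:
    ks = KeyStore(allowed_admins={"key-admin"})
    ks.create_key("phi-key-1")
    ds = DataStore()
    record = b"MRN 0001; dx: hypertension"  # constructed sample, not real PHI
    ds.put("patient-0001", record, ks.get_key("phi-key-1", "key-admin"), "phi-key-1")
    backup = ds.snapshot()  # taken while the data is known-good
    results = {"authorized_read": read_record(ks, ds, "patient-0001", "key-admin") == record}
    try:  # a principal outside the allow-list is refused, and the attempt is logged
        read_record(ks, ds, "patient-0001", "dba-intern")
        results["unauthorized_denied"] = False
    except PermissionError:
        results["unauthorized_denied"] = True
    ct = bytearray(ds.records["patient-0001"]["ciphertext"])  # simulate a corrupted byte
    ct[0] ^= 0x01
    ds.records["patient-0001"]["ciphertext"] = bytes(ct)
    try:
        read_record(ks, ds, "patient-0001", "key-admin")
        results["tamper_detected"] = False
    except ValueError:
        results["tamper_detected"] = True
    results["backup_restores"] = verify_backup(ks, backup, "key-admin")  # clean copy still restores
    results["key_accesses_logged"] = len(ks.audit_log)
    return results
```

Running `demo()` exercises all four controls: the authorized read succeeds, the unlisted principal is refused and the refusal appears in the audit log, the corrupted record fails its integrity check before any plaintext is returned, and the snapshot taken earlier restores cleanly. Every fetch of the key, including the denied one, leaves an audit entry, which is the log a reviewer would check during the tabletop exercise.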

Assessing Your Security Posture

A good way to assess your current security posture is to utilize the “CIA” triad model: Confidentiality, Integrity and Availability. The model can guide your information security policies with respect to your data.

Confidentiality applies rules that limit access to information. Integrity assures that the data is trustworthy, accurate, and has not been tampered with. Availability guarantees that authorized people, and only they, have reliable access to the data.

If your organization achieves all three model components, you’ve got a solid security posture and can more easily address the challenges of cloud security. This is especially true for hybrid environments where users and data move back-and-forth from on-premises and cloud infrastructures.

Deploying Access Control in Hybrid Environments 

One of the key challenges when it comes to securing hybrid environments is access control, which requires the enforcement of persistent policies. Adding to the risk is that access in hybrid environments is usually available to a large range of devices. This makes it difficult to define access policies and to keep their enforcement consistent over time.

There are a range of access control models to choose from, and it’s imperative to determine which model is most appropriate for your organization—based on data sensitivity and operational requirements. When processing personally identifiable information or other sensitive information types, access control needs to be a core capability of your security architecture to ensure you comply with HIPAA regulations.

Multiple vendors provide privileged access and identity management solutions that can be integrated into your identity management platform, which is key because you may actually require multiple technologies to achieve the desired level of control. Multifactor authentication is another component that further enhances security.

Given the complexity of access control and the dire consequences, if not handled properly, it’s best to consult with your IT partner!

Multiple Tools Required to Focus Efforts

Another key aspect to consider in enhancing your security posture is the set of tools you deploy for monitoring and responding to risks. This includes identifying risk, measuring risk, and mitigating risk.

It’s critical to rely on a combination of threat intelligence sources backed by analysis tools and security experts so you can put risks into context for the healthcare industry in general and your organization in particular. This makes it possible to know which threats represent the biggest risks so you can focus your efforts in the right place—and avoid wasting time on low-level threats and false positives that don’t represent any real threat at all.

In Closing

We are excited about how popular this Blog series has been, so by request, we will be posting two more postings regarding ‘Moving Healthcare to the Cloud’.  Next week's posting will discuss how to operationalize security; this includes managing the security lifecycle, applying security policies, and establishing control to ensure compliance.  Please check back in next week or subscribe to our Blog postings by email so you will be alerted when they become available.

 


Healthcare IT Blog Series - 3 of 6 

(This is the third post in a Blog series - Moving Healthcare to the Cloud.  The complete series is now available: Introduction - The Move to the Cloud - Defining the Cloud Project - Managing Risk When Moving to the Cloud - Operationalizing Security in the Cloud - Measuring Success in the Cloud)


In the last blog of our Moving Healthcare to the Cloud series, we discussed why it makes sense for healthcare organizations to move their IT infrastructures to the cloud. In this blog, we examine the process for defining cloud migration projects.

Although every step in the overall cloud migration process is critical, just how well you define the project at the start could very well set the stage to streamline success—or cause a lot of pain along the way.

At a high level, you first need to decide exactly what to move to the cloud:

  • Which business functions? This covers the entire spectrum of the healthcare organization—from patient medical services to billing, procurement, insurance claims, compliance, human resources, marketing, communications and physical security as well as the general operations of buildings and grounds. Business processes to which end users require anytime, anywhere access from multiple devices—as well as those processes through which end users collaborate frequently—will likely benefit the most from moving to a cloud environment.
  • Which systems? You may discover that while it makes sense to move a certain business function to the cloud, the function may be supported by a legacy system that makes sense to keep on-premises for the short term. Older technologies may simply not work well in a cloud environment fraught with new technologies. Perhaps it makes sense to wait until it’s time to upgrade the system before moving it to the cloud. 
  • What data? Data is now just as secure in the cloud as it is on-premises. But there may be some systems containing data that you feel more comfortable keeping under your direct control. Over time, senior management may become more comfortable with storing sensitive data in the cloud, but in the near term, it might be best to go with what makes the boss happy!

Most organizations that move to the cloud end up utilizing multiple environments. While health records, financial systems and human resource applications will generally be moved to a private cloud, you may want to isolate them in separate environments. Other systems, such as email and marketing, could be moved to a separate, yet shared, public cloud in order to reduce costs.

Determine the Necessary Resources  

Another key aspect to defining a cloud migration project is determining who will play a key role. You will likely rely heavily on your primary IT partner—or one that specializes in the cloud—for designing your cloud environments. Depending on the services your chosen partner offers, you may also need to turn to another provider (or providers) to host your cloud environments.

Also, consider the internal resources you will need to coordinate the migration and to interact with your partners who maintain the cloud environment. In addition to IT resources filling these roles, you will want to secure the buy-in of the senior management team in getting the organization as a whole to realize and accept the benefits of cloud computing. Moving to the cloud involves a bit of a culture change in the way people interact with applications, so make sure all your end users are on board.

Getting the Ball Rolling 

The best way to get the ball rolling in defining what systems to move to the cloud is to take a ‘Cloud First’ approach. This means that the head of each business function must show conclusive evidence why certain apps and data are not cloud-ready. The burden of proof lies on these individuals; otherwise, the cloud is the final destination.

David Chou, CIO of The Children’s Mercy Hospital in Kansas City, spells this out in a three-phase approach to the Cloud First journey:

  1. Evaluate your current culture and outline what is required to transform into a cloud-first operation.
  2. Draft a vision that answers why you are moving to the cloud and what becoming a Cloud First organization will achieve—in a way executives and non-technical employees, including clinicians, can understand easily.
  3. Communicate the benefits that cloud technologies will deliver; this includes the upside to adopting cloud technologies instead of using on-premises systems that the staff is already comfortable using.

The ‘Cloud First’ mandate helps you identify which business functions are the first to move, what systems within each of these businesses to move, and why (as discussed above). This approach also facilitates the identification of critical versus non-critical data, data subject to compliance mandates, and applications that require strict availability versus more tolerant applications.

Next Up: Managing User Access

In our next ‘Moving Healthcare to the Cloud’ blog, we will discuss how to manage end-user access and reduce risk. This includes how to adequately define and enforce access control policies as well as how to monitor, identify, respond to, and mitigate risks.

Cavirin joint seminar with Logicworks - Meet 5 Innovators Who Are Revolutionizing HealthTech - May 9, evening, NYC

Read about how Cavirin can protect your ePHI.


 

Phew!

That’s all I can say after last week’s very successful (in the eyes of the writer), very crowded (50,000 in a construction zone?), and sometimes overwhelming (parties?) RSA. Anyone in attendance would agree that the intensity, the depth of conversation, and even the innovation was a step up from previous years.  But so was the angst.  Read on!

At Cavirin, we introduced CyberPosture Intelligence to the world, along with an accompanying survey on hybrid cloud security that speaks to the necessity and timeliness of our approach.  As a reminder, CyberPosture Intelligence:

  • Provides actionable intelligence for the CISO and stakeholders to take control by delivering continuous risk, cybersecurity, and compliance management across hybrid environments.
  • Offers continuous compliance for the hybrid cloud and eliminates the gaps and risks inherent with current approaches.
  • Secures both the public cloud control plane as well as target hybrid cloud workloads (servers), on-premise, within the public cloud, and within containers.

This last point is especially important, given the need to protect critical workloads in the cloud. Having a solution that only looks at the servers, or the cloud account itself, leaves you half-blind, half-protected. You need real ‘situational awareness’ where you’re immediately made aware of any drift from your ‘golden posture’ and, from there, can take appropriate action. 

At the same time, you need a simple deployment based on a technology-agnostic solution that delivers as close to single click scoring as practical, contrasting with multiple stove-piped tools, manual processes, and point-in-time assessments.  An approach that cuts through the noise to offer real, actionable guidance to protect the hybrid cloud, 24x7.

Similarly, a well-developed GDPR plan should be put in place for implementation. On May 25, the GDPR regulation will officially take effect in the EU, inevitably impacting companies beyond those borders.  According to a recent survey released by Cloud Security Alliance at RSA “31 percent of companies have well-defined plans for meeting GDPR compliance, 85 percent have something in place, and 73 percent have begun executing that plan.”

Ultimately, we want the CISO to achieve business outcomes that reverse a disturbing trend, where additional security investments don’t necessarily make things better, and that reverse a reality which had Cisco’s SVP of security, John Stewart, lamenting the fact that 3.5 million security jobs will go unfilled in the coming years.  He concluded with the statement ‘we are completely screwed.’   Well, let us help un-screw things!

Check here for some of the great coverage we’ve received on our CyberPosture strategy and how it fits into current security conversations across different verticals and geos.


Healthcare IT Blog Series - 2 of 6

(This is the second post in a Blog series - Moving Healthcare to the Cloud.  The complete series is now available: Introduction - The Move to the Cloud - Defining the Cloud Project - Managing Risk When Moving to the Cloud - Operationalizing Security in the Cloud - Measuring Success in the Cloud)


As we presented in the opening message in our ‘Moving Healthcare to the Cloud’ blog series, healthcare IT is in a crisis. The good news is, help is available to address the issues that healthcare organizations and their third-party vendors face—and it comes in the form of cloud computing. From the perspective of enhancing patient services as well as internal and patient communications, the future of healthcare is definitely in the cloud.

Nemi George, the Senior Director of Information Security & IT Governance for Pacific Dental Services, provides one specific example: “A key area in which we see the cloud helping us is with our medical imaging,” says George. “Today, a local server is used to capture images and then synchronizes nightly to the data center. Using a cloud service for imaging significantly reduces the cost and the speed to retrieve image files while also allowing access across multiple platforms without the dependency on location.”

As your organization begins its journey to the cloud, the planning should first involve a close look at the top-level ROI. It’s important to know why it makes sense to move to the cloud.

“In line with our risk methodology and cloud strategy, we are comfortable moving applications to the cloud,” George says. “Our focus is on applications that require a high level of resilience and also general business apps that we seek to mobilize, such as Workday and Box, that offer a mobile experience without the dependency of a VPN.”

Cloud Value Goes Beyond Reduced Cost

Most think of the cost savings first, but that’s not the top benefit of the cloud. Other returns will prove to be much more valuable:

  • Improved system and app availability—allowing doctors, nurses and support staff to work more efficiently so they can spend more time focused on patient care.
  • Enhanced ability to manage risk—with system protections that secure sensitive medical records and personal patient data.
  • Increased ability to employ compensating controls and governance—to ensure compliance with regulations and to avoid costly fines.

After considering the top-level benefits, the next things to consider for moving to the cloud are the tactical measures. Here, the objective is to reduce the number of on-premises data center systems required to run the organization.

Not all healthcare apps are ready to be moved to the cloud. You will likely decide to keep one or two on-premises. Perhaps it will make sense to set up an integrated hybrid IT infrastructure with a mix of cloud apps and on-premises apps.

“There are a number of applications such as our core practice management and finance applications that will remain on premises for a number of reasons,” George points out. “These include our legacy application architecture and applications already billed for decommissioning as well as applications that rely on a VPN or sit behind a corporate firewall for security reasons.”

Most Apps Now Safe to Run in the Cloud

For years, availability, privacy and security were cited by healthcare organizations as the reasons for delaying or jettisoning the idea of moving their apps to the cloud. But AWS, Microsoft, Google, IBM and other cloud providers are all proving this premise wrong. In 99% of the cases, apps can and should run in the cloud!

As we saw in our first post, the inability to hire sufficient technical resources is a critical factor in healthcare organizations deciding to move to the public cloud. Hiring internal technical resources with the expertise to design, deploy and support an on-premises infrastructure is costly, and keeping them on-board is difficult. They need constant training to keep up with the latest technologies, and those that are really good will likely grow bored working on just one infrastructure.

It’s also important to note that the rate of innovation in the public cloud is unmatched. For instance, AWS ECS (Elastic Container Service) was launched in 2015. A short time later, the AWS Lambda Computing function-as-a-service offering was made available. These lightweight, yet powerful services are proving to be a big ally for organizations seeking to increase IT agility and decrease IT costs.

Here are two recent examples:

  • The Centers for Medicare & Medicaid Services created a cloud-based analytics platform that eliminated $5M in underutilized infrastructure spending, according to Jessica Kahn, the director of the data and systems group at CMS.
  • Children's Mercy in Kansas City uses Microsoft's Azure cloud services to host an app and data that save lives of at-risk pediatric patients by tracking them after they leave the hospital, according to Richard Stroup, Children's Mercy director of informatics.  

The success of the cloud for these two organizations echoes the success of George and Pacific Dental Services. “The cloud in itself will not impair our security or our compliance,” says George. “And if managed appropriately with the right level of monitoring, oversight, and governance, migrating to the cloud should reduce our costs.”

With results like this, it’s time for other healthcare organizations to dive in!

In our next ‘Moving Healthcare to the Cloud’ blog, we will examine how to define a cloud migration project. This includes identifying who needs to be involved, what applications should make the short list to move to the cloud, and where’s the best place in the cloud for your organization.

Read about how Cavirin can protect your ePHI.


Healthcare IT Blog Series - 1 of 6 

(This is the introduction post in a Blog series - Moving Healthcare to the Cloud.  The complete series is now available: Introduction - The Move to the Cloud - Defining the Cloud Project - Managing Risk When Moving to the Cloud - Operationalizing Security in the Cloud - Measuring Success in the Cloud)


One of the key themes of the recent HIMSS18 conference in Las Vegas is that healthcare IT leaders need to embrace the power of change to transform how doctors, nurses, staff and patients consume IT. This approach may be more important than ever, given that the industry is in the midst of an IT crisis.

Threats are coming in from several fronts. Here are a few reasons why many CIOs and CTOs are finding it hard to get a good night’s sleep:

The fallacy of thinking compliance = a strong security posture

Some organizations think that abiding by regulations such as HIPAA makes them safe, but this has been proven to be incorrect. Let’s take a real public example. In February 2015, Anthem disclosed that criminal hackers had broken into its servers and had potentially stolen more than 37.5 million records that contained personally identifiable information. 20 days later, Anthem raised the number to 78.8 million records. According to Anthem, the data breach extended into multiple brands that Anthem uses to market its healthcare plans, including Anthem Blue Cross and Blue Shield, Amerigroup, Caremore, and UniCare. The security breach occurred even though Anthem was HIPAA compliant.

Vulnerable legacy equipment

For decades, manufacturers like Siemens, Bosch, Honeywell and others have built embedded systems that run on operating systems from the Stone Age—unpatched, insecure and vulnerable. An example of this includes Siemens medical scanners. Hackers can exploit trivial flaws in the network-connected devices to run arbitrary malicious code on the equipment. These remotely-accessible vulnerabilities lurked in all Siemens positron emission tomography and computed tomography scanners running Microsoft Windows 7.

Too many compliance mandates

It’s hard to keep up with changing mandates because healthcare organizations have patient data dispersed in many databases across the cloud, the network, and a multitude of endpoints. Sometimes they rely on paper as well. This makes it difficult to comply with the stringent regulatory requirements of HIPAA and HITECH and to safeguard PHI, PII and EHR. In addition, medical teams need to access this information quickly in order to meet the demands of timely care. Security teams are thus challenged to find a balance between patient data security and providing easy access to the information.

Modern-day attacks

Ransomware continued to make the news in 2017 and the healthcare industry was not immune; in fact, it was a leading victim—Hollywood Presbyterian declared a state of emergency over a ransomware attack in February last year. The hospital isn't saying exactly when it paid the ransom, but it looks like they waited at least a week to end the file-hostage situation. The hospital said the payment was 40 Bitcoin, which was worth around $17K at the time. An unnamed doctor told the press that the systems responsible for CT scans, documentation, lab work, pharmacy functions and electronic communications were out of commission. Email was also down, so the staff relied on pencil and paper. It was also reported that radiation and oncology were temporarily shut down.

Severe shortage of IT security personnel

According to Cybersecurity Ventures, there will be 3.5 million unfilled cybersecurity jobs by 2021. And for qualified security personnel, healthcare IT is not the preferred destination of choice: Facebook, Google, AWS and other high-tech innovators are more attractive. 

New age disruptors

Healthcare organizations have to manage insanely large data sets to make their training algorithms better and more robust. But an even bigger and more disturbing challenge is that non-health entities can now play ‘doctor.’ Findings of the research conducted by the Computational Story Lab, a group led by Chris Danforth and Peter Sheridan Dodds of the University of Vermont, show that Instagram knows if you’re depressed, Twitter can indicate PTSD, and Facebook posts can describe a region’s relative public health.

Identifying the Right Steps to Take in the Cloud Journey

So, with all these developments as a backdrop, and as healthcare organizations look to the cloud as a panacea for everything, there needs to be a reality check on how to look at the cloud in the context of the current state and where healthcare is headed. To help organizations take on this challenge, this blog series will walk readers through the why, the what, and the how of ‘Cloud and Healthcare.’

The series will show how to identify what steps to take in the cloud journey. It starts with the next blog, which will focus on the why—Making the Business Case for the Cloud. The following chapter will delve into understanding what systems are ready for this journey, and frankly, which aren’t. We’ll also look at how you can make that distinction without bias.

The next blog will address the issue of how to assess the appropriate levels of risk for all the assets you are moving (or will be moving) to the cloud to ensure confidentiality, integrity, and availability. The fifth installment will focus on how to operationalize security. This includes the policy controls to put in place beforehand, how to monitor security, and how to react to any indications of breaches or potential breaches. It’s a team effort, so make sure you know who the players are and get your team ready!

Finally, we will look at the advent of artificial intelligence and machine learning, and how there is going to be an opportunity to gather more and do more with patient data, research, and analysis. But all of this should be backdropped with a clear ‘Code of Ethics.’ If you fail in the ethics arena, the fallout could be cataclysmic.

The Need to Embrace Education

The cloud provides an amazing path for your healthcare organization to take a leap forward. You can not only address the security sins of the past in a comprehensive manner, but also set yourself up for success in this new age of healthcare IT that includes the Internet of Things, artificial intelligence and predictive medicine.

But, to use the cloud effectively, securely and consistently—truly understanding what the cloud can do for your organization and your patients and setting your organization up competitively—requires you to embrace the need for education without bias. Hopefully, this blog series will do just that!

Read about how Cavirin can protect your ePHI.


 

Today we’re announcing the next phase in Cavirin’s evolution, with an approach and product offerings that will truly provide organizations with the visibility and control they require across their hybrid infrastructures, an approach that provides the CISO with actionable insights to minimize the attack surface while meeting the reporting requirements of his or her board.  We call this ‘CyberPosture Intelligence for the Hybrid Cloud.’  Read on!

The hybrid cloud is real, and in fact, 81% of enterprises are adopting a multi-cloud architecture, spanning on-premise and one or more public cloud providers.  And this won’t go away anytime soon, with about 1/3 of workloads, sometimes the most critical, remaining on-premise in 2025.  But there is a problem.  A good 77% of IT personnel identify security as still a barrier to adoption, and almost the same number, 75%, lack visibility across their hybrid cloud.

So what is CyberPosture, a word that you’ll be seeing more of in the future?  It is verifying that your slice of the public cloud is secure, be it IaaS, PaaS, SaaS, or even FaaS.  It is confirming that your workloads (servers) in the cloud are secure as well, be they VMs or containers.  It is ensuring that sensitive data, if in the cloud, is secured, being able to pass your periodic security audits, and securing not only your own infrastructure but those of your critical suppliers and partners.  Finally, it is an architecture to help you truly understand the risks and deficiencies that are part of any hybrid cloud infrastructure, one that permits you to effectively balance your risk tolerance with skills and budgets.

CyberPosture is closely aligned with the rise of DevSecOps, the automation of security within DevOps to ensure a more secure cloud infrastructure and to offer more automated remediation when issues are discovered.  In a break from the past, SecOps will no longer be held as a barrier to agile development.  They will regain their place at the table as an enabler.  Who manages this?  The ‘Cloud Security Architect’ runs point, bringing together skillsets from across the organization in a ‘Cloud Center of Excellence.’ 

How do you achieve CyberPosture?  As with any type of posture, it doesn’t just come to you.  You actively set off to achieve it.  We help you instrument your public cloud accounts, your cloud security posture.  We offer the tools to enable continuous compliance across regulations that include GDPR, PCI, HIPAA, SOC, ISO, CIS, and others.  We help you apply these tools across critical verticals and use cases, such as cyber-insurance risk assessment or supply chain risk management.  We integrate these tools with your agile development processes. And, we package up this intelligence in the form of a ‘CISO Dashboard’ or as reports for your audit committee, providing you with a consolidated ‘Cavirin Risk Score’ that combines elements of security and compliance, for your cloud, and for your workloads.

The next step?  Visit us at RSA to learn more about Cavirin’s CyberPosture Intelligence, and while there challenge your existing cybersecurity partner on how to solve this hybrid cloud security and visibility challenge.  Then drop by booth N4439 and share your thoughts with us!


© 2018 Cavirin Systems, Inc. All rights reserved.