Cloud Compliance and Security: a Health Perspective
It doesn’t seem so long ago that the IT industry was nervously, or perhaps excitedly, poised for a mass migration to emerging Cloud Service Providers (CSPs); some called it ‘The Year of the Cloud’, as if it were a Chinese New Year celebration that would usher in an exodus from costly on-prem services to highly scalable Cloud-based services.
Opinion raged as people feared that migrating long-held services and data would bring some sort of ‘Cloud-mageddon’, creating a world of pain: blurred responsibility, lost skill-sets, concerns about who owned the data and where it was stored and, of course, outdated legislation that seemed to look down with an eye of disapproval… Well, in keeping with our theme, a Chinese proverb wisely predicts that “all things are difficult before they are easy”, and who would argue?
And thankfully things have moved on: many of us are exploiting some level of Cloud-based service and have avoided a mandatory prison term for doing so. In fact, RightScale.com recently reported that 82 per cent of enterprises have a hybrid Cloud strategy in place.
The drive to exploit the Cloud for patient benefit and to reduce the burden on the NHS is ever growing. Philips, for example, has just announced plans to make it easier for patients to self-monitor their health using Amazon Web Services (AWS) Cloud and Internet of Things (IoT) technologies. Philips sees monitoring of patients in the home as a key way to address these issues, and exploiting the Cloud’s level of compute power is vital to that.
Even with the Government’s Cloud First mandate, Digital by Default approach and supporting frameworks, the question of how to be compliant and ensure security in the Cloud, especially in a health setting, remains a blocker for many. Public opinion also plays its part. So how exactly can we keep it all compliant and secure? Where are the lines of responsibility drawn? How do we maintain the principles of confidentiality, integrity and availability?
To assist me with answering these questions I have invited comments from James Mucklow FBCS CITP, who has a wealth of experience supporting organisations with Cloud migrations across multiple CSPs; hopefully, between us, we can offer a rational perspective on the complex world of hosting your services and data in the Cloud.
The first thing with any initiative, where compliance is concerned, is to understand what you need to be compliant with and then complete a risk assessment. Making sure that the assessment is comprehensive will help you to surface areas where you may struggle to meet compliance. Consider the service in its entirety: for example, you should consider the flow of data and especially where it hands off to another system or interface. Walking the system in this way will help you to understand whether anything changes in encryption, location or access control at each hand-off.
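As an added example (not from the article or from either contributor), the following Python makes the data-flow walk described above repeatable: each hop of a constructed patient-monitoring service is recorded with its region, encryption state and the roles that can read the data, and the function surfaces every hand-off where protection weakens. The hop names, regions and the permitted-region set are assumptions chosen for illustration.

```python
# Added example: walk a service's data flow hop by hop and flag where
# encryption, location or access control change at a hand-off.
from dataclasses import dataclass, field


@dataclass
class Hop:
    name: str                    # system or interface that handles the data
    region: str                  # where this hop processes/stores the data
    encrypted_at_rest: bool      # is data stored encrypted at this hop?
    encrypted_in_transit: bool   # is the link INTO this hop encrypted?
    access: set = field(default_factory=set)   # roles able to read the data


# Constructed flow (assumption) for a home self-monitoring service.
FLOW = [
    Hop("home-device", "UK", True, True, {"patient"}),
    Hop("api-gateway", "UK", True, True, {"patient", "clinician"}),
    Hop("analytics-pipeline", "EU", False, True, {"patient", "clinician", "data-science"}),
    Hop("reporting-export", "US", True, False, {"clinician", "vendor-support"}),
]

# Assumption: regions in which the Data Controller permits the data to reside.
ALLOWED_REGIONS = {"UK", "EU"}


def walk_flow(flow, allowed_regions=ALLOWED_REGIONS):
    """Return (hop_name, finding) pairs for every point where protection weakens."""
    findings = []
    prev = None
    for hop in flow:
        if not hop.encrypted_at_rest:
            findings.append((hop.name, "stored unencrypted at rest"))
        if hop.region not in allowed_regions:
            findings.append((hop.name, f"outside permitted regions ({hop.region})"))
        if prev is not None:
            if not hop.encrypted_in_transit:
                findings.append((hop.name, f"link from {prev.name} not encrypted in transit"))
            if hop.region != prev.region and hop.region in allowed_regions:
                findings.append((hop.name, f"location changes {prev.region} -> {hop.region}"))
            widened = hop.access - prev.access   # roles that gain access at this hop
            if widened:
                findings.append((hop.name, "access widens to " + ", ".join(sorted(widened))))
        prev = hop
    return findings


if __name__ == "__main__":
    for name, finding in walk_flow(FLOW):
        print(f"{name}: {finding}")
```

Each finding is a point to take back to the risk assessment: either a control is added at that hand-off, or the residual risk is accepted and recorded.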
James says: “You need to consider the data to be stored, the security requirements, and risks, and from these derive the right mechanisms to protect the data. If you do this you can unlock significant benefits in the Cloud, in cost savings and/or new capabilities.”
Where compliance is required, auditing will always follow, and choosing a CSP that offers a level of industry compliance will be an advantage. Back in February Microsoft Azure were quick to announce that they were the first to comply with ISO/IEC 27018, which extends the ISO/IEC 27001 Information Security Management System framework and provides a code of practice for the protection of Personally Identifiable Information (PII) in public Clouds. Google Apps announced their compliance in September and Amazon Web Services in October of this year.
Having CSPs compliant to the same standards also helps if you run a single service across multiple providers. James adds: “The Cloud industry is quickly adopting international standards and publishing more information on security than ever before, giving increased confidence. We have found examples of the standards compliance of Cloud vendors exceeding those of some traditional data centre providers.”
One area that ISO/IEC 27018 addresses is transparency over where your data is geographically stored, which solves a long-standing concern for many. Bear in mind, though, that an ISO accreditation is only as useful as the supporting certificate, which tells you the scope. New Cloud services being offered may fall outside this scope, so make sure you read the detail and, if you’re unsure, ask for confirmation.
If you’re responsible for Electronic Patient Records (EPR) and have adopted, or are required to meet, the US HIPAA law and the more stringent HITECH law, then it will be useful to choose a CSP that already understands the policies and processes involved, such as the use of Business Associate Agreements (BAAs).
The UK’s Data Protection Act makes your organisation responsible as the Data Controller. Moving your data and services to a CSP, no matter how compliant they are, will not relieve you of this responsibility. James advises: “In selecting a supplier you need to examine both the technical standards and legal aspects such as the references to Data Protection, particularly with the recent ruling from the ECJ regarding Safe Harbour.”
A CSP that is compliant with standard X simply provides you with a level of assurance that they will operate in accordance with the requirements stated, and that you, as the customer, can interact with the relevant processes they have established.
The data itself remains your responsibility, and understanding what this means is important if you are to avoid compliance issues later on. For example, like the US HIPAA law, the UK’s Data Protection Act makes a distinction between PII (Personally Identifiable Information) and SPI (Sensitive Personal Information). Understanding what qualifies as personal versus sensitive is vital if you are responsible for the processes that govern the interactions with such data and the technology you choose to protect it, especially in a health setting. This, of course, is true whether the data is held on-prem or in the Cloud. From a health perspective, the Caldicott Review helps to provide more definition and recommendations regarding the use of data in a health setting.
The bottom line is that you, or your organisation, will always be ultimately responsible for how you manage and protect your data, no matter which CSP you choose. Having robust policies and procedures for both Information Governance and Information Security is the key to playing safe, whether services are on-prem or in the Cloud. James recommends: “Using a robust process to select the right Cloud service based on both technical and contractual aspects will allow you to unlock the pot of gold at the end of the rainbow.”
Never underestimate the monetary value of your data to a cyber criminal; health data is also a viable target and carries considerable resale value.
A CSP will offer assurance and SLAs in relation to the security of their infrastructure and core services; this usually stops at the Hypervisor. Beyond this you are free to create and run your own services, which you will need to secure as appropriate.
It’s also worth noting that, depending on the security model you have chosen, your CSP may not have access to the encryption keys used to decrypt anything above the Hypervisor, essentially creating a black box from the CSP’s perspective. However, most providers like to state that security is a shared endeavour and will offer you guidance and assistance in building a security model that is appropriate to your requirements.
Security choices and demarcation of responsibility will also vary depending on the Cloud solution chosen; for example, operating IaaS will be very different to the requirements of PaaS or SaaS. Also, depending on the level of compliance you are required to meet, data may need to be encrypted both at rest and in transit. James observes: “Because Cloud security is engineered at scale it actually makes things more secure.”
Of course, there still remain, and will likely continue to be, concerns over the security of patient data held in the Cloud and accessed by Mobile Health Apps. In September of this year it was discovered that approved apps listed on the NHS Health Apps Library trial site were sending unencrypted data, including names, dates of birth and contact details, over the internet as plain text.
Being proactive is key where security is concerned; the landscape is constantly changing, and employing robust defensive strategies in support of Information Security is an essential part of keeping your data safe.
Traditional Data Loss/Theft Prevention (DLP/DTP) solutions are still a good way to ensure a level of security assurance; however, much more is needed. For example, how quickly would you know that an attack was underway? Or that an attacker had compromised your database? The Ponemon Institute reported that it takes an average of 98 days for financial services companies to detect intrusion on their networks and 197 days in retail. In their Cyber Crime report of October 2015 they state that the mean number of days to resolve cyber attacks is 31 days, with an average cost of £11,545 per day. This illustrates that prevention is better than cure.
Understanding that cyber threats are becoming more directed and more complex requires us to stay ahead of the game. Many organisations are opting for combinations of Security Information and Event Management (SIEM) solutions and Intrusion Detection Systems (IDS) that provide near real-time monitoring to identify known patterns and apply a level of intelligence to reduce false positives.
Where security over sensitive data is concerned, cautious organisations are opting for an additional layer of security called Cloud Proxy/Encryption Gateway services. These services act as middleware in handling data between the Cloud and the end-point, thereby providing additional assurance end-to-end.
BE CLOUD HAPPY
So in conclusion, there are many aspects to compliance and security, and each organisation will have a combination of mandated compliance and self-imposed regulations that will influence its decisions and the approach it adopts.
There are also excellent independent resources that can guide you every step of the way, such as the Cloud Security Alliance www.CloudSecurityAlliance.org and the Cloud Accountability Project www.a4Cloud.eu. From a health perspective you can find valuable guidance at the Health and Social Care Information Centre www.hscic.gov.uk and the Healthcare Information and Management Systems Society www.himss.org.
And so hopefully we have helped to signpost you to areas that you can focus on and methods you can employ to ensure compliance and security in the Cloud. So let’s end our discussion as we began, by learning from the cautionary wisdom of an ancient Chinese proverb that simply warns: ‘Don’t adjust your shoes in a melon field’. No, me neither…
Gareth Baxendale FBCS CITP
Head of Technology NIHR Clinical Research Network.
Vice Chair BCS Health and Care Executive