TRANSCRIPT
HIPAA Hardening for Azure/Microsoft Services
EDUCATION: Online Training, Webinars and Customized Workshops
CONSULTING: Professional services to help you with your compliance needs
WHO WE ARE … We assist healthcare organizations to develop and implement practices to secure IT systems and comply with HIPAA/HITECH regulations
DISCLAIMER: Consult your attorney
ALL WEBINARS ARE RECORDED AND AVAILABLE AS AN “ON DEMAND” SUBSCRIPTION
This webinar has been provided for educational and informational purposes only and is not intended and should not be construed to constitute legal advice.
Please consult your attorneys in connection with any fact-specific situation under federal law and the applicable state or local laws that may impose additional obligations on you and your company.
Bhuvan Pasham, CEO, Tradon
• Applications Architect for over 20 years
• Security and Compliance
• HIPAA, PCI, Sarbanes-Oxley
• Interests: Teaching, Community, Giving Back
• Previously VP of AppDev at KKR, Architect of Blackstone’s IT and Director of IT at TPG
• Designing cloud systems for almost 10 years, since the inception of AWS and Eucalyptus
Always available via email to answer any questions
Running HIPAA Workloads Securely on Microsoft Azure
Focus Areas:
• Azure Cloud Architectures
• HIPAA Requirements
• Addressing HIPAA Requirements in Azure
• Security Guardrails
• Ongoing Security Operations
TERMS YOU MAY HEAR …
Acronyms: HHS, HIPAA, PHI, OCR, HITECH
Anyone who is not handling patients directly
Breaches in 2018
Source: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf
HHS HIPAA Rules
• Privacy Rule – December 2000
➢ Establishes the right of individuals to control the use of their personal information, and covers the confidentiality of PHI, limiting its use and disclosure.
• Security Rule – February 2003
➢ Sets the standards for administrative, technical, and physical safeguards to protect electronic PHI from unauthorized access, use, and disclosure. It also includes organizational requirements such as Business Associate Agreements (BAAs).
• HITECH Act – February 2009: Health Information Technology for Economic and Clinical Health (HITECH) Act
➢ The HITECH Breach Notification Final Rule requires giving notice to individuals and the government when a breach of unsecured PHI occurs.
Breaches are listed as public information at https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf
HIPAA Security Rule – CIA
• Technical Safeguards: Access Control, Audit Control, Integrity, Person or Entity Authentication, Transmission Security
• Physical Safeguards: Facility Access Controls, Workstation Use, Workstation Security, Device & Media Controls
• Administrative Safeguards: Security Management Process, Security Officer; Workforce Security, Information Access Management; Security Training, Security Incident Procedures; Contingency Plan, Evaluation, BACs
• Privacy Rule: “Reasonable” Safeguards
What Changed after the 2009 HITECH Act?
• There was no cloud in 2009.
• Development, testing and deployment of applications took a dramatic shift.
• Most HIPAA Security Rule requirements are no longer under your control.
• Security matters – how you think of security changed almost entirely.
• Proliferation of API services completely changed the technology industry.
• We are in a true distributed services model.
• The value of each patient record is far less, as the volume and service aspect increased.
• The scale of applications and services went up significantly, so your liability also increased.
What didn’t change?
• You are still liable for data breaches.
Business Associate Agreement for Azure
Scope: Microsoft currently offers a HIPAA BAA for the following Microsoft Azure core services:
1. Cloud Services (web and worker roles)
2. Virtual Machines (including with SQL Server)
3. Storage (Blobs, Tables, Queues)
4. Virtual Network
5. Traffic Manager
6. Batch
7. Web Apps
8. BizTalk Services
9. Media Services
10. Mobile Services
11. Service Bus
12. Notification Hub
13. Workflow Manager
14. ExpressRoute
15. Scheduler
16. Multi-Factor Authentication
17. Active Directory
18. Rights Management Service
19. SQL Database
20. HDInsight
21. Any other features identified as included on the Microsoft Azure Trust Center
In the event of a breach from the Microsoft side, Microsoft is liable and will take responsibility.
Distributed API Economy – What’s your Liability? What can you control?
[Diagram: Your Front End → Cloud Platform (Azure, AWS, etc.): SQL, App Service, Orchestration Service, Integration Service, Storage → external services: Billing, Insurance Validation, Prescription Drug Lists, EMR Requests, Credit Card Hub, Insurance Providers, Drug Costs]
Traditional Apps Moved to Azure – Desired Security State
[Diagram: Azure App Service / App Service Plan with deployment slots (production, staging, last-known-good); Azure SQL (ProdSQL/ProdDB, StgSQL/StgDB); Production Storage and Stage Storage blob containers holding blobs, docs & server logs; Azure AD authenticate; IP address; validate deployment from source control; access for external users]
• Create an identical QA environment and move continuous integration/delivery to the isolated QA environment from release branches of Git, and master into staging.
• Secure resources using AAD principals.
• Secure certificates using Key Vault.
• Nightly database backups for BCP/LTR to Amazon S3 storage.
• Eliminate passwords from connection strings.
Minimum (Cloud) Infrastructure Security for HIPAA Compliance
Security
➢ Is your overall data secure?
❑ Encryption at Rest
❑ Where are your backups?
❑ Connection Strings and Passwords
❑ Access Control
➢ Is ePHI obfuscated?
➢ How are your passwords encrypted?
➢ Are your documents encrypted?
➢ Where are your backups stored?
➢ Are your keys & certs safeguarded?
➢ What are your admin & developer access policies?
❑ App Management
❑ SQL Server
❑ Document Stores
➢ Authentication
❑ RBAC & SP Access
❑ AD Authentication
❑ MFA Enabled
Availability
➢ How are you taking backups?
❑ SQL Backups
❑ Document Backups
❑ App & Service Backups
➢ What are your retention policies?
➢ How are you encrypting your backups?
❑ SQL Backups
❑ Document Backups
Risk Mitigation & Business Continuity
➢ Do you have a recovery plan?
➢ What’s your SLA?
➢ Where are your keys & certs?
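The “Eliminate passwords from connection strings” recommendation and the “Connection Strings and Passwords” checklist item can be turned into an automated guardrail. The script below is an added example, not code from the webinar or from Microsoft: it scans a dictionary of App Service style application settings, flags connection strings that still embed a static secret, and accepts Key Vault references and Azure AD token authentication as the desired state. All setting names, hosts and values are constructed.

```python
# Added example (not from the deck): a guardrail that scans App Service style app settings
# for connection strings that still embed a static secret. Names and values are constructed.
import re

# Keys that carry a static secret in ADO.NET / Azure Storage style connection strings.
SECRET_KEYS = ("password", "pwd", "accountkey", "sharedaccesskey", "sharedaccesssignature")
# SqlClient Authentication values that use Azure AD tokens instead of a stored password.
AAD_AUTH_MODES = {"active directory managed identity", "active directory default",
                  "active directory integrated", "active directory interactive"}
# App Service Key Vault reference syntax: the secret lives in Key Vault, not in the setting.
KEYVAULT_REF = re.compile(r"^@Microsoft\.KeyVault\((SecretUri|VaultName)=", re.IGNORECASE)

def parse_connection_string(value):
    """Split 'Key=Value;Key=Value' into a dict of lower-cased keys (simple splitter; a ';' inside quotes is not handled)."""
    parts = {}
    for segment in value.split(";"):
        key, sep, val = segment.partition("=")
        if sep:
            parts[key.strip().lower()] = val.strip().strip("'\"")
    return parts

def assess_setting(name, value):
    """Classify one setting: 'finding' if it embeds a secret, otherwise 'ok' with the reason."""
    if KEYVAULT_REF.match(value.strip()):
        return "ok", f"{name}: Key Vault reference, secret is not stored in app settings"
    parts = parse_connection_string(value)
    secrets = [k for k in SECRET_KEYS if parts.get(k)]
    if secrets:
        return "finding", f"{name}: embedded secret in {', '.join(secrets)}"
    if parts.get("authentication", "").lower() in AAD_AUTH_MODES:
        return "ok", f"{name}: Azure AD token authentication, no password to leak"
    return "ok", f"{name}: no static secret found"

def scan_settings(settings):
    """Return the names of settings that embed a static secret, in input order."""
    return [n for n, v in settings.items() if assess_setting(n, v)[0] == "finding"]

SAMPLE_SETTINGS = {  # constructed sample values, not real credentials or hosts
    "ProdSQL": "Server=tcp:prodsql.database.windows.net,1433;Database=ProdDB;"
               "User ID=appadmin;Password=NotARealPassword1;Encrypt=True;",
    "StgSQL": "Server=tcp:stgsql.database.windows.net,1433;Database=StgDB;"
              "Authentication=Active Directory Managed Identity;Encrypt=True;",
    "BlobStore": "DefaultEndpointsProtocol=https;AccountName=prodblobs;AccountKey=FAKEKEY==;",
    "DocsStore": "@Microsoft.KeyVault(SecretUri=https://example.vault.azure.net/secrets/docs/)",
    "FeatureFlag": "true",
}

if __name__ == "__main__":
    for name, value in SAMPLE_SETTINGS.items():
        print(*assess_setting(name, value), sep=": ")
```

Run it against an exported settings file as a release gate so a deployment slot cannot be swapped into production while a password or storage account key still sits in its configuration.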
Survey
What is the most common Breach for Cloud hosted applications?
a. Password Guess – Too weak
b. Users Sharing Password
c. API Hack
d. Network Vulnerability
DevOps – Most Common Mistakes
1. Developers or managers downloaded data to Excel and sent the file to the wrong recipients
2. Developers had access to production data and deleted data accidentally
3. Clicked the publish button by mistake, bringing down the production service
4. A developer disabled a security measure to simplify testing and forgot to put it back before the production rollout
5. A developer downloaded and used an unauthorized library from the internet
6. A developer trying to debug a problem in production enabled a debugger and forgot to remove it
DevOps – Most Ignored – Most Vulnerable
• Code Review
• Security Perimeter
• Key Developer Risk
• Malicious Code Risk
• Insecure API Risk
• Business Continuity
• Cloud Security Configuration
Azure DevOps – Simple Workflow & Automation
[Diagram: Project Management → Change Management → Source Code Control → Release Management → Staging → QA Process → Azure App Services (Prod; Last Known for resiliency/BCP)]
Azure DevOps Benefits:
1. Zero down-time production rollouts
2. Integrated, fully traceable code/change management – auditability
3. Policy enforcement
4. Continuous build and deployments
5. Instant roll-backs in the event of any failures
6. All within Azure – cost savings on both development and project management due to improved efficiency
Code Review – For the Developers
[Diagram of stages: Build, Integration, Test/QA, Staging, Prod, Last Good]
Clear separation of the development/QA environment from production access environments is necessary.
Simplify and enable switching.
How to Stay Secure?
• Have an external risk assessment
• Fix identified vulnerabilities
• Establish security processes
• Lock down app update procedures (DevOps)
• Monitor
• Set up alerts
Recommended:
➢ Audit report: every 3 months
➢ Full assessment: once a year
© 2018 EHR 2.0. All rights reserved. To purchase reprints of this document, please email [email protected].
Azure Security Guidance
• http://download.microsoft.com/download/0/D/6/0D68AE95-6414-4074-B4B8-34039831E2BF/Privacy-and-security-compliance-in-the-health-care-cloud.pdf
• https://gallery.technet.microsoft.com/Azure-HIPAAHITECH-Act-1d27efb0/file/163557/1/Microsoft%20Azure%20HIPAA%20Implementation%20Guide%20November%202016.pdf
BluePrints
• https://servicetrust.microsoft.com/ViewPage/HIPAABlueprint
KEY TAKEAWAYS
• Microsoft provides a framework, but it is you who need to implement it.
• HHS/OCR enforcement on HIPAA Covered Entities and Business Associates – maintain a framework and minimize risk.
• Security risk analysis, training, and policies and procedures are key required documents.
• Monitor and make sure you are secure.
• HIPAA compliance needs continuous monitoring.
• Healthcare entities have a wide footprint of patient data.
• Annual update is required.
Questions? Please don’t hesitate to ask.
Thank you for your attention!
Thank you for joining us today.