Healthcare. White Paper. Data Protection in the Cloud: Implementing a Robust Security Framework for Healthcare Applications

Author: Suzanna Butler

About the Authors

Daniel Logan

Daniel Logan is part of the Technology Excellence Group for the Healthcare unit at Tata Consultancy Services (TCS). He works with clients across the globe on conceptualizing and designing strategic solutions for digital transformation, data analytics, and security to meet the needs of the rapidly changing healthcare landscape. Logan has 25 years of experience in information technology in the insurance and healthcare industries. His areas of expertise include enterprise architecture and planning as well as solutions, information, security, and application architecture. He is a Certified Information Systems Security Professional (CISSP) and was one of the leading contributors to the Cloud Security Alliance Enterprise Architecture reference model.

Abstract

The healthcare landscape has evolved tremendously, with organizations struggling to handle cost, compliance, and performance pressures. Not surprisingly, cloud-based IT services have emerged as the top choice to help companies reduce IT costs, increase employee productivity, and improve patient outcomes. However, cloud adoption has been slow in healthcare due to security concerns related to moving Protected Health Information (PHI) to the cloud. But given the rising frequency of data breaches in the industry, is it safe to assume that on-premise applications are more secure?

As healthcare becomes more data-driven, collaborative, and patient-centric, cloud-based applications will continue to witness a rise. CIOs have started viewing cloud as the answer to challenges around security, business continuity, and compliance. With cloud solutions offering greater accessibility to health data, it is important to have a strong security framework in place.

This paper outlines an approach to create a controls-based security reference architecture that can be used for designing healthcare applications. It leverages the security expertise and capabilities of the underlying IaaS and PaaS platforms, and ensures smoother adoption. The approach outlined here is flexible and can be used to protect organizational and patient data in diverse technological environments.

Contents

Cloud adoption is on the rise in healthcare
Developing and Implementing a Security Reference Architecture for the Cloud
Benefiting from the Cloud without Compromising on Security

Cloud adoption is on the rise in healthcare

Healthcare organizations have begun to realize the many benefits of adopting cloud-based Infrastructure as a Service (IaaS) technology. They are achieving this in various ways: through a private cloud in their own data center, a virtual private cloud within a public cloud provider environment, or by leveraging Platform as a Service (PaaS) and Software as a Service (SaaS) offerings. In fact, recent studies show that the healthcare cloud computing market will grow to somewhere between $9 Billion and $12 Billion per year by 2020¹. A 2014 HIMSS Analytics Cloud Survey² showed that 83% of healthcare organizations were using cloud services already, mostly in the form of SaaS. Clinical application and data hosting, health information exchange, as well as backup and data recovery are the most commonly used cloud services. Medical imaging, in particular, benefits through faster and more cost-efficient storing and sharing of large data files.

With the widespread adoption of Electronic Health Records (EHRs), and the rise of Big Data, genomics, and personalized medicine, healthcare is increasingly reliant on data and integration across systems. Cloud-based services support data storage, mobile data access, and interoperability. Moreover, ensuring data integrity, privacy, and security has become easier due to the emergence of HIPAA-compliant cloud technology. Cloud service providers are also signing HIPAA business associate agreements to help secure PHI in accordance with HIPAA privacy and security rules. Despite the initial concerns regarding security, we believe that in the long run, cloud-based platforms will prove to be more robust than in-house IT managed platforms.

Developing and Implementing a Security Reference Architecture for the Cloud

Healthcare organizations need to develop an approach to manage security requirements and best practice implementations across multiple cloud service providers. This can be achieved through a two-phased approach, as shown in Figure 1.

[Figure 1 diagram labels: Phase 1; Industry Standards and Frameworks; Map; Organization Security Reference Architecture; Vendor Architecture; Phase 2; Security Solution Architecture]

Figure 1 - Two-phased approach to Cloud Security Architecture

[1] Markets and Markets, Healthcare Cloud Computing Market worth $9.48 Billion by 2020, Accessed June 2016, http://www.marketsandmarkets.com/PressReleases/cloud-computing-healthcare.asp
[2] Forbes, 83% of Healthcare Organizations Are Using Cloud-Based Apps Today, July 2014, Accessed June 2016, http://www.forbes.com/sites/louiscolumbus/2014/07/17/83-of-healthcare-organizations-are-using-cloud-based-apps-today/#30524f846502

Phase 1 – Create an organization-specific security reference architecture

In phase one, organizations can leverage industry standard control frameworks and reference architectures to create a customized control framework and security reference architecture tailored to business needs. In the first phase, companies must:

Step 1: Select an industry standard controls framework

There are several security and compliance standards such as ISO 27001/27002, NIST 800-53, PCI-DSS, Cloud Security Alliance Cloud Controls Matrix (CCM) and HITRUST. Selecting the right control framework is therefore crucial. Cloud service providers must be able to manage their solutions against the chosen framework. Ease of access also plays a role in the choice of frameworks, since some such as ISO must be purchased, while others such as HITRUST require membership subscriptions. NIST 800-53, PCI-DSS and the CSA CCM are available for free.

Organizations must also evaluate the level of detail provided by a framework. NIST 800-53 rev4 is a generalized framework with over 800 controls and enhancements, while HITRUST has around 135 controls which are specifically mapped to healthcare requirements.

Certification expectations also vary across industries and standards. For example, credit card processors and merchants seek solutions certified against the PCI-DSS standards. Federal government agencies seek FedRAMP certified solutions. In the healthcare industry, a HITRUST certified assessor can certify solutions against the HITRUST control framework.

Organizations must choose the most comprehensive framework, and then map it to other secondary frameworks to meet multiple regulatory requirements. For the healthcare sector, we recommend the HITRUST framework³ or the NIST framework⁴ as the best starting points.

Step 2: Tailor the framework to the organization’s needs

Organizations need to tailor the control framework to address their specific data classification, regulatory requirements, and threat modeling concerns. The HITRUST Cyber Security Framework requires minimal tailoring, while general frameworks such as the NIST 800-53 require extensive customization. The NIST SP 800-66: An Introductory Resource Guide for Implementing the HIPAA Security Rule⁵ can be used for mapping the NIST 800-53 framework to a healthcare organization’s needs.

Step 3: Map the controls to a security reference architecture

This step requires translating the controls into a set of implementation guidelines that can be used by technologists and risk management professionals. The controls must first be embedded into a reference architecture that describes the operational processes and technical capabilities required for implementation. The Cloud Security Alliance (CSA) Enterprise Architecture⁶ is a good starting point for the reference architecture since it aligns with the enterprise architecture model supported by most organizations.

[3] HITRUST Alliance, Healthcare Sector Cybersecurity Implementation Guide v1, February 2016, Accessed June 2016, https://hitrustalliance.net/documents/cybersecurity/HITRUST_Healthcare_Sector_Cybersecurity_Framework_Implementation_Guide.pdf
[4] NIST, National Institute of Standards and Technology, U.S. Department of Commerce, Security and Privacy Controls for Federal Information Systems and Organizations, April 2013, Accessed June 2016, http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf
[5] NIST, National Institute of Standards and Technology, U.S. Department of Commerce, An Introductory Resource Guide for Implementing HIPAA Security Rule, Accessed June 2016, http://csrc.nist.gov/publications/nistpubs/800-66-Rev1/SP-800-66-Revision1.pdf
[6] Cloud Security Alliance, Enterprise Architecture Working Group, Accessed June 2016, https://cloudsecurityalliance.org/group/enterprise-architecture/

Table 1 shows how security capabilities can be mapped at a high level using the NIST 800-53 framework as the control reference and the CSA Enterprise Architecture as the reference architecture for capabilities. Enhanced traceability and flexibility require mapping at a more detailed level.

| NIST 800-53 Control | Reference Architecture Capabilities |
|---|---|
| AC-2 Account Management | Identity Management, User Directory Services |
| AC-4 Information Flow Enforcement | Firewall, Link Layer Network Security, Network Content Filtering |
| AC-6 (9) Auditing Use of Privileged Functions | Privilege Usage Management, Security Monitoring Services |
| IA-2 (1) Network Access to Privileged Accounts | Authentication Services (Multifactor) |
| PE-3 Physical Access Control | Physical Security |
| RA-5 Vulnerability Scanning | Vulnerability Management (Application, Infrastructure, DB) |
| SI-3 Malicious Code Protection | Anti-Virus, Anti-Spam, Anti-Malware, Behavioral Malware Protection |
| SC-7 Boundary Protection | Firewall, Network IDS/IPS |
| SC-12 Cryptographic Key Establishment and Management | Key Management |
| SI-7 (1) Software, Firmware, and Information Integrity Checks | Compliance Testing (Servers), HIPS / HIDS |
| SC-28 Protection of Information at Rest | Data-At-Rest Encryption (File, DB, SAN) |

Table 1: Mapping Controls to Reference Architecture

Phase 2 – Map to vendor specific solution architecture

In phase two, the organization's customized control framework and reference architecture are mapped against one or more cloud service provider architectures. This is done by ensuring that the service providers’ documentation and compliance mapping descriptions meet the organization’s requirements. Such an approach establishes traceability, all the way from requirements mapping to the implementation stage, for a specific cloud service provider. Phase two involves the following steps:

Step 1: Create security solution architectures based on solution archetypes

The high level reference architecture must be merged with solution architecture diagrams. For example, all cloud hosted web applications have similar requirements. Organizations can design a solution architecture for hosting a web application on a public cloud. They can then use the required security capabilities listed in the control framework to define a blueprint that can be mapped to the capabilities of different cloud vendors. One such capability could be network isolation or flow control to isolate the virtual machines used in a web application from other solutions hosted in the same cloud environment. This ensures that, from a network level perspective, it is as if the web application is deployed on its own private network.

[Figure 2 diagram labels: Web Tier; App Tier; DB Tier; Web Servers; Middleware Servers; Database Servers; Virtual Network / Virtual Data Center]

Figure 2 - Depiction of network isolation in a security solution architecture

Figure 2 represents a snippet from the overall reference architecture for a web application. The larger reference architecture will include many additional components such as boundary protection, identity and access management, monitoring and change management services, and so on.

Step 2: Map solution archetypes to the cloud service provider architecture

This step involves mapping the solution archetype designs to the specific capabilities of each cloud service provider. In the network isolation example, the web application may be hosted on Amazon Web Services (AWS). In such a scenario, the 'Virtual Network / Virtual Data Center' dotted line can be mapped to the AWS Virtual Private Cloud (VPC) service. In the case of a Microsoft Azure cloud, the network isolation capability would be represented by an Azure Virtual Network.

It is clear that selecting the right control framework is crucial to the success of a security reference architecture for the cloud. Cloud service providers such as Amazon and Microsoft offer certification services against widely accepted frameworks as well as mappings to demonstrate how their solutions meet those requirements. For example, Amazon provides a 'Quick Start' service for NIST 800-53 hosting⁷ as well as one for HIPAA hosting. This makes the task of mapping from the reference architecture developed in phase 1 to the solution architectures developed in phase 2 a very straightforward process.
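A traceability check across the two mapping phases described above, as an added example that is not part of the original paper: it walks from each control through its reference architecture capabilities to a provider service and reports what cannot be traced. The control rows are taken from Table 1; the provider mappings are constructed (only the VPC and Azure Virtual Network rows come from the paper), and listing "Network Isolation" under AC-4 is an assumption.

```python
from collections import defaultdict

# Rows copied from Table 1 (NIST 800-53 control -> reference architecture capabilities).
# "Network Isolation" under AC-4 is an assumption, taken from the Phase 2 example.
CONTROLS = {
    "AC-4 Information Flow Enforcement": ["Firewall", "Link Layer Network Security",
                                          "Network Content Filtering", "Network Isolation"],
    "SC-7 Boundary Protection": ["Firewall", "Network IDS/IPS"],
    "SC-12 Cryptographic Key Establishment and Management": ["Key Management"],
    "SC-28 Protection of Information at Rest": ["Data-At-Rest Encryption (File, DB, SAN)"],
}

# Constructed provider mappings (capability -> service). Only the Network Isolation
# rows come from the paper; the rest are illustrative and deliberately incomplete.
PROVIDERS = {
    "aws": {"Network Isolation": "Virtual Private Cloud (VPC)",
            "Key Management": "AWS Key Management Service",
            "Object Storage": "Amazon S3"},  # not required by any control above
    "azure": {"Network Isolation": "Azure Virtual Network",
              "Key Management": "Azure Key Vault"},
}


def trace(provider):
    """Return (status per control, unmapped capabilities, orphan services)."""
    services = PROVIDERS[provider]
    status, unmapped = {}, defaultdict(list)
    for control, capabilities in CONTROLS.items():
        missing = [c for c in capabilities if c not in services]
        for cap in missing:
            unmapped[cap].append(control)  # remember which controls need it
        if not missing:
            status[control] = "covered"
        elif len(missing) < len(capabilities):
            status[control] = "partial"
        else:
            status[control] = "gap"
    required = {c for caps in CONTROLS.values() for c in caps}
    orphans = sorted(set(services) - required)  # mapped, but no control asks for it
    return status, dict(unmapped), orphans


if __name__ == "__main__":
    for name in PROVIDERS:
        status, unmapped, orphans = trace(name)
        print(f"== {name} ==")
        for control, state in status.items():
            print(f"  {state:8} {control}")
        for cap, controls in sorted(unmapped.items()):
            print(f"  no service mapped for '{cap}' (needed by {len(controls)} control(s))")
        for cap in orphans:
            print(f"  '{cap}' is mapped but traces to no control")
```

A "partial" or "gap" row is a control whose implementation cannot yet be traced to the provider, and an orphan is a provider service in the solution architecture that no control in the tailored framework justifies.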

[7] Amazon Web Services, AWS Enterprise Accelerator – Compliance: Standardized Architecture for NIST-based Assurance Frameworks on the AWS Cloud, Accessed June 2016, http://docs.aws.amazon.com/quickstart/latest/accelerator-nist/welcome.html


Benefiting from the Cloud without Compromising on Security

With IaaS and PaaS adoption on the rise, healthcare IT risk management teams need to have a robust, best-of-breed approach for extending their security architecture to the cloud. By using industry standard control frameworks and a detailed security reference architecture, multiple cloud offerings can be used to match the right applications with the right hosting model, while ensuring security. The framework presented in this paper is reusable and ensures that compliance and security teams on the cloud service provider and consumer sides are on the same page. In the long run, this will greatly streamline the process of designing, deploying, and operating cloud-based applications that are backed by robust security, allowing healthcare companies to reap real benefits of cloud adoption.

About TCS' Healthcare Business Unit

TCS partners with leading health payers, providers and PBMs globally to enable business model transformations to address healthcare reforms, improve quality of care, increase customer engagement and reduce overheads. By streamlining and modernizing business processes and systems, TCS helps healthcare organizations realize operational efficiencies and reduce operating costs. We work closely with healthcare players to empower them to meet their consumers’ demands for higher levels of service, quality of care, and new ways of interacting and engaging. Our advanced data solutions, analytics, and cutting edge digital technologies deliver a higher degree of customer centricity. TCS’ portfolio of services covers the entire payer value chain from Plan Definition, Eligibility and Enrollment, Policy Servicing, Billing, Claims Processing, Claims Adjudication, Benefit Management, Provider Management and Member Services. For providers, we deliver bespoke services for Provider Management, Claims Management, Patient Information and Financial Management, Clinical Data Management, Pharmacy Benefit Management and Revenue Cycle Management.

Contact

Visit TCS’ Healthcare Business unit page for more information.

Subscribe to TCS White Papers
TCS.com RSS: http://www.tcs.com/rss_feeds/Pages/feed.aspx?f=w
Feedburner: http://feeds2.feedburner.com/tcswhitepapers

About Tata Consultancy Services (TCS)

Tata Consultancy Services is an IT services, consulting and business solutions organization that delivers real results to global business, ensuring a level of certainty no other firm can match. TCS offers a consulting-led, integrated portfolio of IT and IT-enabled infrastructure, engineering and assurance services. This is delivered through its unique Global Network Delivery Model™, recognized as the benchmark of excellence in software development. A part of the Tata Group, India’s largest industrial conglomerate, TCS has a global footprint and is listed on the National Stock Exchange and Bombay Stock Exchange in India.

IT Services | Business Solutions | Consulting

All content / information present here is the exclusive property of Tata Consultancy Services Limited (TCS). The content / information contained here is correct at the time of publishing. No material from here may be copied, modified, reproduced, republished, uploaded, transmitted, posted or distributed in any form without prior written permission from TCS. Unauthorized use of the content / information appearing here may violate copyright, trademark and other applicable laws, and could result in criminal or civil penalties. Copyright © 2016 Tata Consultancy Services Limited


For more information, visit us at www.tcs.com
