Increasing Pressures to Maintain Compliance
While many industries are held to security and compliance standards and regulations, few if any have the rigor and complexity of healthcare. Depending upon your healthcare sector and use cases, you may have to comply with everything from HIPAA to GDPR, GxP to NIST.
We’ve all seen the fallout when compliance regulations and standards are not met. Patient outcomes are compromised, lives are endangered, and financial chaos can ensue for both victims and the organization that had the breach or was not in compliance. In addition, precious time that could have been spent accelerating healthcare solutions to market is spent responding to mountains of paperwork and tied up in legal boardrooms, courts, and audits.
Adding to this external pressure, there is pressure inside healthcare organizations as the Chief Information and Security Officer (CISO) and now with GDPR, the Data Protection Officer (DPO) role, are required to manage risk to ensure the business succeeds and evolves in the face of huge digital threats, and often very small or diminishing operating margins. Failing to succeed can lead to penalties and even jail time for the CISO under the Sarbanes-Oxley Act of 2002. Because of this threat, some CISOs may be reluctant to adopt cloud and may prefer to stay within their area of previous (pre-CISO title) expertise – often the data center. They sometimes believe cloud increases their shadow IT and think they have more, and better, control in a data center. Sadly, this view of the world is no longer accurate and is increasing their risk while it decreases their ability to innovate and get to more predictable spends and cost optimization.
Additionally, many organizations are now adding Strategic Digital Officers or Cloud Innovation Officers who are ‘cloud yes’ in contrast to the CISO’s ‘cloud maybe’ or ‘cloud no.’ How do we align these opposing forces and ensure compliance and organizational transformation?
The answer is simple. Bring in a third party that knows – really knows – privacy, security, and compliance regulations in addition to current technology in the cloud. Knowing one or the other won’t be enough to succeed, as you will have to make your technology work within the complex regulatory standards. Can it be done? Yes, hundreds of healthcare organizations today are succeeding in transforming their organizations while protecting their most precious assets – PHI and their business reputation – all by partnering with ClearDATA.
Understand Compliance in the Cloud
It’s important to adopt a different mindset as you move from data centers to the cloud. Compliance and security are handled differently in the cloud, where incidentally, your efforts to secure your data can be vastly more successful, especially with skilled third-party support. The great news is as a CISO, you do not have to surrender control. You can, in fact, increase your control over shadow IT, rogue staff and more. But first, let’s look at what compliance challenges you face today in the healthcare cloud.
In an increasingly global marketplace, the requirements for protecting patient privacy and protected health information continue to mount. Most recently, the General Data Protection Regulation caused a flurry of concerns and questions as the international implications of protecting EU citizens’ privacy affected business operations for healthcare organizations across the globe.
With the sheer volume of regulations, the most frequent question we get at ClearDATA is not tied to issues and concerns like identity access management or encryption of data at rest, or tracing PHI through microservices – though we get all of those questions and many more. The most common question is: ‘How can one organization keep up with all of these regulations?’
Here’s the way we like to think of it. We can’t do open heart surgery. We wouldn’t dream of trying. Surgeons can because they dedicated years of their lives to learning every fine detail about the human body, and more specifically, about every aspect of heart functionality. They’ve researched, studied, practiced, been assessed by rigorous tests and certifications, and proved they were continuously learning through continuing education and research. They have spent thousands of hours in the surgery ward learning, doing, and watching. They don’t have time to understand all of the complex regulations comprising HIPAA and GDPR. They don’t need to.
We don’t know how to perform heart surgery, but we know privacy, security, and compliance in the healthcare cloud because that is what we have researched, studied, and delivered for the last seven years with hundreds of healthcare organizations from providers to payers, life sciences and pharma, to SaaS and healthcare IT. We are constantly learning. We have a team of experts who have dedicated their professions to perfecting their knowledge of compliance. They belong to professional organizations that keep them updated, they regularly consult legal counsel, and they work directly with healthcare organizations to understand the evolving needs that come with evolving technologies.
Unlike some companies that provide managed services and may try to bolt on compliance, the ClearDATA platform was built on a foundation of HITRUST with security and compliance at the very heart of what we do.
Chris Bowen, Founder and Chief Privacy and Security Officer, launched ClearDATA because he had spent years working in privacy and compliance and found that healthcare had no single organization 100 percent committed to this incredibly important cause. The company is healthcare-exclusive, and the experts that comprise the team are certified and respected industry-wide. That takes full-time commitment and deep knowledge. Thinking you would have the time, resources, and expertise to go it alone is like thinking we could perform surgery because we had seen some done. There needs to be 24/7/365 ownership of the myriad ever-changing details of protecting your PHI for your efforts to be successful.
In our meetings with potential customers we find unique requests. ‘Do you have data locality issues in the Seychelles?’ We’ve been asked, and we can help protect you. It’s what our business was built to do, which frees you up to do what your business was built to do.
What follows are just some of the questions we receive and answer every day. Sometimes the answers are proprietary and very specific to your organization, so this will stay pretty high level, but we hope you can see how working with experts 100 percent dedicated to the cause of privacy, security and compliance in the healthcare cloud is the answer to your biggest question – ‘How can I find someone qualified to help protect my organization who understands all of these compliance regulations and cloud technologies?’
I already have my own internal compliance team; why do I need you?
First, congratulations on having your own team. Everyone should. But what they don’t have is a healthcare platform built with compliance at its very core. For seven years we have been evolving this platform and set of services and solutions based on changing regulations and the experiences of hundreds of successful healthcare organizations who partner with us. We can help ensure your team is meeting your compliance requirements.
Where is my key vault and how can I be sure only my employees access it?
Let’s think about how to maximize your compliance and security in the cloud. First, you don’t want all of your employees to have access. We can help you use Key Management Systems so that your developers don’t have access to the credentials. Your key management controls can be replicated in the cloud, and they can also be perfected. We’ll help you create individual users, grant the least privilege necessary, have a policy for strong password configuration and scheduled refreshes, rotate keys regularly, manage permissions with groups, reduce or remove the use of root, use roles to share access and log access, in addition to other precautions like multi-factor authentication.
What if I don’t want my cloud services provider/healthcare platform to have my root keys?
That’s achievable. We can set up an HSM and put the keys there, locking them away where they can only be used by a delegate.
Can I bring my own anti-virus or agent for XYZ?
We will include this as part of our unified defense of your attack surface. You’ll have consistent hardened images. If you have disparate tooling and some images are hardened and others not, you are exposed. The advantage of this unified approach is that our team is watching the industry, and when a bug or compromise comes forward, we can swiftly defend you.
What do you do if my platform gets exposed?
The cloud offers much greater protection for this event than you can achieve in an on-premises environment. The three main public clouds we partner with (AWS, Google Cloud Platform and Microsoft Azure) scrape the entire Internet every few minutes for exposed keys. If any are detected, we get notified and immediately deactivate that key so it can’t be used to infiltrate your environment. It would be impossible to achieve that kind of coverage in your on-premises system.
How can you give me visualization and an audit trail into my HIPAA compliance?
ClearDATA offers customers a Compliance Dashboard that simplifies this challenge by providing you with a clear, concise, and auditable view of your cloud environment, mapped to multiple compliance disciplines. Rooted in expert interpretations of complex government standards and regulations, the Compliance Dashboard allows you to understand regulatory requirements easily, supporting technical controls and your organization’s historical attainment of compliance objectives.
How will you protect my organization from misconfigurations?
Automation is the short answer. Based upon our interpretation of specific standards and regulations, we define and deploy the necessary technical controls that must be put into place within your environment in order to achieve compliance. Our automation remediates non-compliant actions, so your team can work directly in the cloud without sacrificing compliance, but instead, keep you and your team focused on your app and business objectives.
Why do I need your technical controls?
Technical controls go a step further than Automated Safeguards, which remediate you if you drift out of compliance. For services that are not HIPAA-eligible, we simply issue the control to keep the service from ever being configured in your environment. Most CISOs we talk to breathe a huge sigh of relief on learning that. For example, we block Fargate on AWS because it doesn’t have encrypted storage under it.
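The identity controls listed under the key vault question (least privilege, scheduled key rotation, no root access keys, multi-factor authentication) and the two kinds of safeguard described here (detective controls that remediate drift, and preventive controls that keep a non-eligible service out of the environment) can be shown together as one small compliance check. The following Python is an added illustration, not ClearDATA code and not an implementation of any real provider API: it runs over a constructed inventory snapshot embedded in the script, and the 90-day rotation threshold, the eligibility allowlist and all user, key and resource names are assumptions chosen for the example.

```python
"""Constructed compliance-drift check over a cloud inventory snapshot (example only)."""
from dataclasses import dataclass, field
from datetime import date

# Assumed policy parameters (hypothetical; a real program would derive these from
# its own interpretation of the regulation it maps to).
MAX_KEY_AGE_DAYS = 90
HIPAA_ELIGIBLE_SERVICES = {"ec2", "s3", "rds", "kms"}   # constructed allowlist, not a real list
TODAY = date(2024, 6, 1)                                 # fixed so the run is reproducible


@dataclass
class AccessKey:
    key_id: str
    created: date
    active: bool = True


@dataclass
class IamUser:
    name: str
    mfa_enabled: bool
    is_root: bool = False
    keys: list = field(default_factory=list)


def sample_inventory():
    """Constructed snapshot of one account; names and key ids are placeholders."""
    users = [
        IamUser("alice", mfa_enabled=True,
                keys=[AccessKey("KEY-ALICE-1", date(2024, 1, 1))]),   # 152 days old: overdue
        IamUser("bob", mfa_enabled=False,
                keys=[AccessKey("KEY-BOB-1", date(2024, 5, 1))]),     # 31 days old: fine
        IamUser("root", mfa_enabled=True, is_root=True,
                keys=[AccessKey("KEY-ROOT-1", date(2024, 5, 15))]),   # root should have no keys
    ]
    resources = [
        {"id": "web-1", "service": "ec2"},
        {"id": "task-1", "service": "fargate"},   # not on the allowlist
    ]
    return users, resources


def check_identity(users, today=TODAY):
    """Detective control: return (code, target) findings for the identity rules."""
    findings = []
    for u in users:
        if not u.mfa_enabled:
            findings.append(("MFA_DISABLED", u.name))
        if u.is_root and any(k.active for k in u.keys):
            findings.append(("ROOT_ACCESS_KEY", u.name))
        for k in u.keys:
            if k.active and (today - k.created).days > MAX_KEY_AGE_DAYS:
                findings.append(("KEY_ROTATION_OVERDUE", f"{u.name}/{k.key_id}"))
    return findings


def check_services(resources, allowlist=HIPAA_ELIGIBLE_SERVICES):
    """Preventive control: any resource outside the eligibility allowlist is a finding."""
    return [("SERVICE_NOT_ELIGIBLE", r["id"])
            for r in resources if r["service"] not in allowlist]


def remediate(findings, users, resources):
    """Simulated automated safeguard. Overdue keys are deactivated in place and
    non-eligible resources are dropped from the inventory; MFA and root-key findings
    are left for a human because they need a user-facing change. Returns actions taken."""
    actions = []
    by_name = {u.name: u for u in users}
    for code, target in findings:
        if code == "KEY_ROTATION_OVERDUE":
            uname, kid = target.split("/", 1)
            for k in by_name[uname].keys:
                if k.key_id == kid and k.active:
                    k.active = False
                    actions.append(f"deactivated key {kid} for {uname}")
        elif code == "SERVICE_NOT_ELIGIBLE":
            resources[:] = [r for r in resources if r["id"] != target]
            actions.append(f"removed resource {target}")
    return actions


def run():
    """Check, remediate, re-check; returns (findings before, actions, findings after)."""
    users, resources = sample_inventory()
    before = check_identity(users) + check_services(resources)
    actions = remediate(before, users, resources)
    after = check_identity(users) + check_services(resources)
    return before, actions, after


if __name__ == "__main__":
    before, actions, after = run()
    print("before:", before)
    print("actions:", actions)
    print("still open:", after)
```

The second pass is the point: after the safeguard runs, the only findings left are the ones that genuinely need a person (enabling MFA for a user, removing the root access key), which is the split between what automation can remediate and what a compliance team must own.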
I want to use my cloud platform’s HIPAA services – why do I need you?
The fact that the public cloud is making more services HIPAA eligible is wonderful and is actually one of the primary reasons to partner with ClearDATA. Each new service has a different set of requirements for handling PHI, and as your team makes use of more and more of these native services in production, it will be difficult for your team to track compliant configuration at the time of deployment, as well as configuration and compliance drift over time. Our Automated Safeguards ensure compliant configuration, ongoing inspection, and automated remediation for dozens of the top HIPAA-eligible services leveraged on the public cloud by healthcare organizations today. We continue to expand our safeguard coverage as new features are added to bridge an otherwise potentially dangerous divide between agility and compliance in the public cloud.
What if I need to understand my compliance against multiple standards and regulations for the same group of assets?
The Compliance Dashboard lets you select your view from multiple standards and regulations for any group of assets including HIPAA, GDPR, and NIST.
Can I view compliance for both the group of assets and also drill down to individual assets?
In addition to understanding your entire environment, you can drill down to gain details about your individual assets such as: instance types and regions, usage stats for memory and disk, available security updates, volume type and encryption, compliance status at the asset level, audit trail for user accounts, and much more.
I work with EU citizens. How can I establish an environment that complies with GDPR’s Right to be Forgotten?
ClearDATA ensures that the infrastructure and database hosts and services are available in order for you to erase data within the data set. We have an EU-based Data Protection Officer who can facilitate the process for an individual’s request to be forgotten by interfacing with that person and you. Careful attention is paid to ensure data lifecycle management procedures are followed. In addition, ClearDATA has launched a solution called Locate that provides Healthcare Aware Distributed Tracing across Kubernetes and microservice environments, enabling you to trace PHI.
What is your status with the EU-US Privacy Shield?
ClearDATA participates in the EU-US and Swiss-US Privacy Shield frameworks regarding the collection, use, and retention of personal information from EU member countries and Switzerland. We have certified with the Department of Commerce that we adhere to the Privacy Shield Principles.
How can I maintain a PHI inventory?
The Compliance Dashboard provides an inventory of your cloud environment down to the individual asset level. Rather than pulling individual services within your cloud console, the Dashboard provides a snapshot view of all cloud resources currently in use, including an asset inventory of all of your clusters and an inventory of all of your assets within each of the different cloud services. Additionally, our Healthcare Aware Distributed Tracing solution, ClearDATA Locate™, can provide you with insights from PHI inventories to help your organization discover areas for cost optimization and improve customer service.
These are just a sample of the types of questions CISOs ask us every day. What are yours? To ask your questions, schedule a call with us.