Sharing Cloud Security Responsibilities episode artwork

EPISODE · Mar 12, 2020

Sharing Cloud Security Responsibilities

from Info Risk Today Podcast · host InfoRiskToday.com

A cloud computing security model needs to be customized to fit how the cloud provider serves its clients, says privacy attorney Adam Greene.

Episode metadata supplied by the publisher feed · Published Mar 12, 2020

A cloud computing security model needs to be customized to fit how the cloud provider serves its clients, says privacy attorney Adam Greene.

PodParley-generated summary based on available episode metadata and transcript content.

NOW PLAYING

Sharing Cloud Security Responsibilities

0:00 0:00
of MATCHES

TRANSCRIPT · AUTO-GENERATED

I'm Marianne Colbusak-McGee, executive editor at Information Security Media Group. Today I'm speaking with privacy attorney Adam Green of the law firm Davis Wright to remain about cloud security issues, including cloud computing shared security models. So Adam, when it comes to a cloud computing shared security model, what does that mean in the context of health care sector covered entities and business associates? So shared security is the idea that there are certain security responsibilities that for example under the HIPAA security rule may be required but could be delegated from one entity or the other.

So if you think about this more broadly, the HIPAA security rule treats every covered entity or business associate as if it's an island, as if it's all alone, and has to comply with all the various different types of controls. But you could have a health care provider for example, and a software as a service provider, and then an infrastructure as a service provider, and they may all work together and have a single set of protected health information, and it doesn't necessarily make sense for each one of them to separately encrypt the same information. And so that's where kind of shared security comes in. This idea that even though the security rule talks about requiring each entity to encrypt information, that could be delegated out to the most appropriate covered entity or business associate in a relationship.

So Adam, you mentioned that different responsibilities can be delegated to different people or different partners in the various cloud computing sorts of arrangements that companies have. When it comes to access controls and encryption of data, as you mentioned, and other important considerations, how should these responsibilities be shared between cloud service providers and health care sector clients, especially when there's more than one vendor involved? How do you ensure that somebody's not going to drop the bull taking what somebody else was supposed to do something? Communication, communication, communication is the key here.

There's not a one-size-fits-all. You may have, for example, one cloud provider who's a software as a service provider that might more or less take care of practically all of the security requirements, at least from technical and physical safeguards perspective, versus there might be a different situation where you have an infrastructure as a service provider that really provides the configurations that allow the customer, the covered entity, for example, to turn on certain technical controls, but leaves it entirely for the customer to do so. And the only way to really know who's got what responsibility is to have open-minds of communication and understanding between the parties so that no one is in fact dropping the ball. So there are going to be some responsibilities like physical safeguards that will primarily fall on the cloud provider who may be responsible for protecting the physical data center.

But then there are things like technical safeguards like encryption or audit logs or things like that that it's very important that the parties communicate and understand who's turning on what, who's got what responsibility. So Adam, when it comes to the health care sector, what are some of the top mistakes that you see entities making when it comes to cloud security that are getting them into trouble? I think sometimes it's thinking that this is sort of a plug-and-play situation where if the cloud provider has good security, then that gets just plugged into the covered entity, the health care provider, for example, their compliance and they don't have to do anything more. And it's important for them to understand that they will still have fair number of responsibilities on their side.

So for example, their risk analysis has to reflect some of the risks associated with the use of the cloud. What happens if there's a network outage and therefore the cloud services are unavailable? What happens if the cloud services user on the covered entity side sets a poor password, which means that even though the cloud service provider may provide more or less Fort Knox, doesn't do much good if the health care provider has left the team the door by having really weak passwords on its side. So it's important for the covered entities to understand where their responsibilities fall on the security side and also to some degree on the privacy side.

So for example, what is their responsibility in an accounting disclosure situation to know what information was in a cloud account that may have been disclosed in a responsible order, for example. So the biggest, I think, challenge area is the parties, especially on the customer side, not fully appreciating what responsibilities fall to them. So Adam, as you know, we're seeing a flurry of breaches and ransomware attacks on cloud services providers as well as other vendors. What are some of your top tips for health care sector entities when it comes to disruptive attacks on critical vendors, whether it be a cloud-based HR vendor or another vendor that handles PHI in various professional services that it provides a covered entity?

What are some of the key considerations? Really, it's looking at what is your disaster recovery? What are your contingency plans if for one reason or another, whether it's the fault of the cloud provider or if it might be the fault of internet service provider in between, if for some reason the cloud service has become unavailable? So if you are relying on the cloud service provider for a particular type of functionality, have you considered and tested what you will do if that suddenly becomes unavailable, including do you have backups of relevant protected health information?

Do you have offline means of trying to accomplish the same type of service? So an example might be if you're relying on a cloud service provider for dictation services and that becomes unavailable, how do you test it? Do you understand how you will proceed when that service might be unavailable? And Adam, what about cloud service providers that might be located outside the US?

Offshore companies, what are some of the critical security risk considerations for US-based health care sector entities that use these services? Not all countries are the same. And so, frankly, there are countries outside the US that have far more robust privacy and security requirements than found in the US. And so you have to be careful about drawing two broad conclusions and treating it as if outside the US is inherently bad.

There is guidance that the US Department of Health and Human Services put out on HIPAA and cloud service providers that talks about identifying whether they're maybe at higher risk because a cloud service provider is in a different country. So, for example, if a cloud service provider is in a country that has a much higher incidence of hacking, that's certainly something that the covered entity should take under consideration in its risk assessment and potentially identify whether there is a higher risk for that particular, for PHI, that is with that particular cloud service provider, whether it be a higher risk of confidentiality breach or a higher risk of loss of availability. So it's also important to understand that a covered entity is required to have a business assessment agreement with a cloud service provider, whatever country that cloud service provider may exist in. So, there will be a contractual right to the covered entity.

But meanwhile, HIPAA may not necessarily govern that cloud service provider. That cloud service provider may instead be subject to the laws of its country. And so, you should understand that HHS, for example, may not be able to penalize a cloud service provider overseas the same way they might be able to do so for a US-based cloud service provider. And doesn't mean that there's not some other foreign government that would potentially penalize a cloud service provider overseas for its failures, its compliance problems.

But understand that it's a whole different world in understanding what those laws are and whether you have any recourse with respect to a foreign government's regulation of its businesses. And finally, Adam, aside from some of the topics that we just discussed, is there one top cloud security challenge that you see healthcare sector entities struggling most with right now? I think one big challenge is making sure that only appropriate cloud services are used and they're properly configured. It is so easy for anyone within a workforce to open up a cloud account, which creates this big risk that PHI will go out to a cloud service provider with whom the covered entity does not have a business assistance agreement and does not manage as part of the compliance program.

Cloud services offer potentially greater information security than might be available in-house. This is something that they specialize in and many of them are very good at. But understanding how your workforce is using cloud service providers and making sure it's properly managed is a very significant challenge for the healthcare industry. Thanks, Adam.

I've been speaking to attorney Adam Green. I'm Mary Ann Kobzak-McGee of Information Security Media Group. Thanks for listening.

That Hoarder: Overcome Compulsive Hoarding That Hoarder Hoarding disorder is stigmatised and people who hoard feel vast amounts of shame. This podcast began life as an audio diary, an anonymous outlet for somebody with this weird condition. That Hoarder speaks about her experiences living with compulsive hoarding, she interviews therapists, academics, researchers, children of hoarders, professional organisers and influencers, and she shares insight and tips for others with the problem. Listened to by people who hoard as well as those who love them and those who work with them, Overcome Compulsive Hoarding with That Hoarder aims to shatter the stigma, share the truth and speak openly and honestly to improve lives. The Small Business Startup School – Business Notes | Financial Literacy | Retail Psychology – For Professionals & Entrepreneurs The Small Business Startup School Inc. Starting or buying a small business? While personal circumstances may vary, business patterns remain timeless. On The Small Business Startup School, we explore strategies, insights, and practical solutions to help entrepreneurs confidently navigate their journey.Hosted by Ola Williams—a retail entrepreneur, fintech founder, and financial coach with over two decades of experience—this podcast marries financial awareness and retail psychology with optimism to deliver actionable takeaways.Join us to learn, grow, and connect as we uncover the keys to business success.Let’s continue to learn together and be encouraged to keep on connecting! DIOSA. Carolina Sanper This podcast is a sacred space created by Carolina Sanper where you connect with your inner wisdom and embody your magnetic feminine power.It is the realization that the mystical realm is where you plant the seeds of your desired reality.It is a portal to your true essence: awareness, presence, and receiving with ease. Welcome home, DIOSA. 🖤 XXX Tech by SOVRYN Dr. Brian Sovryn The crossroads between technology, sensuality, and metaphysics - and the longest running anarchist podcast in the world! Brought to you by Dr. Brian Sovryn.

Frequently Asked Questions

How long is this episode of Info Risk Today Podcast?

Episode duration information is not available.

When was this Info Risk Today Podcast episode published?

This episode was published on March 12, 2020.

What is this episode about?

A cloud computing security model needs to be customized to fit how the cloud provider serves its clients, says privacy attorney Adam Greene.

Can I download this Info Risk Today Podcast episode?

Yes, you can download this episode by clicking the download button on the episode player, or subscribe to the podcast in your preferred podcast app for automatic downloads.
URL copied to clipboard!