Cloud Security for eHealth – Study Validation


1 Cloud Security for eHealth – Study Validation
Dimitra Liveri, Ilias Bakatsis, Athanasios Drougkas | ENISA 2nd eHealth Security Workshop | Vienna | 23rd November

2 Cloud Security in eHealth
Objectives:
- Measure cloud adoption in the eHealth sector
- Identify examples of services deploying cloud and their specific security requirements
- Analyse the cyber security challenges and the opportunities
- Provide a security self-assessment tool for healthcare organisations
- Secure infrastructures to improve patients' safety

3 Study Overview
Scope:
- Cloud applications and services in eHealth (IaaS/PaaS/SaaS/eHaaS)
- Healthcare providers / hospitals
- All cloud deployment models (private/public/hybrid)
- Security requirements, challenges and opportunities
Target audience:
- Healthcare providers / hospitals (CIOs/CISOs etc.)
- Cloud service providers
- Policy makers
Methodology:
- Desktop research
- Interviews with hospitals' CISOs
- Online survey; responders form two groups: hospital CISOs/CIOs ("user side"), and CSPs, software vendors, policy makers, security service providers etc.

4 Current cloud adoption in eHealth
Survey questions:
- Do you implement/use/deploy cloud computing services to support eHealth systems/services?
- What is the cloud service model? (more than one answer possible)
- What is the cloud deployment model? (more than one answer possible)
- Which services do you support or plan to support using cloud deployments?

5 What type of external users can access the Cloud Services?
Half of the responders have users involved in external access; those are mostly healthcare professionals or staff, and in less than half of the cases the patient.

6 Is your CSP aware of the clinical context?

7 Do you have any specific contractual clause or constraints on the use of data in the cloud, in particular concerning secondary use of data?

8 Which are the main benefits in eHealth services offered by the use of Cloud?
Cost aspects and availability are the main drivers. Proven cloud tools to support healthcare are perhaps not yet available.

9 Which services do you not yet support using cloud deployments but plan or would like to support in the future?
The trend is towards integrating cloud more tightly with core processes and facilitating patient data access.

10 What are the main security concerns that prevent you from the adoption of cloud solutions?
Additional remarks:
- Vendor-level lack of support has to be taken into account
- EU privacy legislation versus multinational CSPs

11 Security requirements for a cloud implementation that the CSP would need to fulfil:
- Confidentiality, integrity, availability
- Data encryption, multi-factor authentication (MFA), Information Security Management System (ISMS) adoption and audit logging were also mentioned independently
- Interoperability and exit strategy; provider-to-provider interoperability; international best practices (e.g., NIST special publications)
- SLA and measurements, e.g. for automatic detection of intrusion, leakage and isolation failure
- Legal compliance with both member state laws and EU laws

12 SLA for an eHealth cloud should additionally address:
- Strong log management
- Availability of regular audit reports of the whole system, including the organisation itself, the customer support, the network, etc.
- Software release management plan, including timely application of security patches on the cloud software as well as on networking equipment
- Clear and effective information channels for reporting incidents
- Continuous monitoring of the system (including preventive monitoring)

13 Cloud adoption security challenges
- Lack of "real-time" cloud security assessment
- Most cloud users rely on the SLA to guarantee security, but common SLAs do not address eHealth-specific security issues (e.g. data theft)
- There is a lack of commonly accepted security frameworks and certification processes specifically for eHealth and cloud; no "gold standard" was identified by participants
- Little to no recommendations / good practices for the use of mobile devices to access cloud applications for eHealth
- Contracts for cloud services do not typically address unexpected loss of governance (e.g. in case of bankruptcy)

14 Recommendations Overview
Healthcare providers should:
- Establish a Hospital Privacy and Risk Manager role
- Perform a risk assessment and a possible threat analysis on the target assets that will be implemented as cloud services
- In the procurement process, consider the CSP's domain knowledge
- Define, together with the CSP, a strategy to achieve business continuity and a clear exit strategy
Cloud service providers should:
- Offer solutions based on standards and on a private domain basis
Patients / users should:
- Treat the cloud services as facilitators usually offered by the providers to increase the quality of healthcare delivery
- Be aware of adequately protecting their devices (e.g., medical or smart devices) from unauthorised access
- Use adequate identification mechanisms (e.g., biometrics, secure channels)
Policy makers should:
- Provide guidelines on the adoption of cloud services
Standardisation bodies should:
- Engage studies and roundtables to start a standardisation process regarding cloud and eHealth

15 Recommendations to Healthcare Providers
Healthcare providers should establish a Hospital Privacy and Risk Manager role, "to supervise clinical data management, protection and security". The institution of such a role is crucial for introducing an appropriate security governance framework. Healthcare providers should perform a risk assessment and a possible threat analysis on the target assets that will be implemented as cloud services. In the procurement process, healthcare providers should consider the CSP's domain knowledge, i.e. deep knowledge of hospital workflows or general awareness of the eHealth context. Healthcare providers should define, together with the CSP, a strategy to achieve business continuity and a clear exit strategy (e.g., moving to/from a different CSP) by focusing on the use of standards.

16 Recommendations to CSPs
Cloud service providers should offer solutions based on standards and on a private domain basis (either private infrastructures or private services), rather than on mutualised (shared) infrastructure used by different customers.

17 Recommendations to Patients/Users
- Patients / users should treat the cloud services as facilitators usually offered by the providers to increase the quality of healthcare delivery.
- In order not to deteriorate the security of the EHR/PHR attached to the cloud service, patients / users should be aware of adequately protecting their devices (e.g., medical or smart devices) from unauthorised access.
- Patients / users should use adequate identification mechanisms (e.g., biometrics, secure channels).

18 Recommendation to Policy Makers
The EU Commission should provide guidelines on the adoption of cloud services, to facilitate the creation of contracts and SLAs for both healthcare providers and patients. Example: contracts for cloud services that involve storage/management of health data should foresee a yearly audit of the CSP's financial and judicial status, to avoid an unexpected loss of governance (e.g. in case of bankruptcy).

19 Recommendations to Standardization Bodies
Standardisation bodies should engage studies and roundtables to start a standardisation process regarding cloud and eHealth. The availability of standards would act as a market opener.

20 Thank you
eHealthSecurity@enisa.europa.eu

