CISOs share cloud security concerns
BOSTON — Cambridge Health Alliance recently moved to Google Apps and knew it had to tread carefully when it comes to compliance.
"They say it’s HIPAA compliant but Google Apps is only good until we start to change it," said Arthur Ream, chief information security officer of Cambridge Health Alliance here at the Privacy & Security Forum. "When we start to change that it can break Google’s contracts."
Merely understanding a cloud provider’s contracts is another concern, according to Clyde Hewitt, vice president of security strategy at consultancy CynergisTek.
"If you can't get a SOC 2 audit, that tells me they might have things to hide," Hewitt said. "If you can get a SOC 2 audit, that tells me there's a management commitment to security."
At Christiana Care Health System, meanwhile, moving to Office 365 means that CISO Anahi Santiago's staff now has to master not just securing Office but also doing so in the cloud.
And that is not as simple as it might sound. Johns Hopkins' Darren Lacey said that large cloud providers can become more attractive targets than individual healthcare entities: if cybercriminals can break into one cloud host and access the data of many customers, the potential payoff is more lucrative than attacking several hospitals one at a time.
The great majority of successful breaches, in fact, are motivated by money, said Joel Brenner, a research fellow at the Massachusetts Institute of Technology and former senior counsel at the National Security Agency.
"What makes us vulnerable? The same things that make us productive and make life more convenient: digitization, massive data consolidation, ubiquitous connectivity.
"Putting more stuff in one place is undoubtedly efficient but it also makes thievery more efficient," Brenner said.
Back at Cambridge Health Alliance, another concern is old Business Associate Agreements, because even partners the provider no longer does business with can still hold its protected health information or personally identifiable information.
"We have 385 business associates," Ream said. "Even inactive ones can be problematic. Once a year we do a non-physical site audit."
The Privacy & Security Forum is happening in Boston, Dec. 5-7, 2016.