Cloud Cybersecurity: Strategies for Managing Vendor Risk

2. Agenda Cloud Shared Responsibility Model In a cloud vendor/ partner relationship, who has responsibility for what? Who is ultimately accountable for a security compromise or breach? Vendor Risk Evaluation With so many cloud vendors to choose from, what factors go into a final decision? What risks do you consider? What risk management strategies should be considered? Security Policy and Procedures Where do you start with building a Security Program? What standards does your organization align to? What regulatory frameworks need to be considered? Compliance What considerations should be given to compliance? What audits and certifications can help? Are there strategies to consider with alignment to vendor audits and certifications? The Journey What You’ll Learn Improvement is continuous. What does the outlook look like for organizations beginning the journey at various maturity levels? What’s At Risk? We will look at a historical view of past and current breaches that establish the importance of a shared security model between organizations and their vendors.

3. What is at Risk?

4. 23 19.1 127.7 35.7 222.5 16.2 22.9 17.3 91.98 85.61 169.07 36.6 197.61 471.23 164.68 300.5 157 321 446 656 498 662 419 447 614 783 781 1093 1632 1257 1473 1108 0 200 400 600 800 1000 1200 1400 1600 1800 2 0 0 5 2 0 0 6 2 0 0 7 2 0 0 8 2 0 0 9 2 0 1 0 2 0 1 1 2 0 1 2 2 0 1 3 2 0 1 4 2 0 1 5 2 0 1 6 2 0 1 7 2 0 1 8 2 0 1 9 2 0 2 0 Data breaches & records exposed in millions Data Beaches and Records Exposed Over Years Millions of Records Exposed Data Breaches Graph sourced from Identity Theft Resource Center, January 2021 Statistics and predictions for 2021 from Cybersecurity Ventures • More than 93% of healthcare organizations experienced a data breach between 2017 and 2020. • More than 57% have had more than 5 data breaches during the same time frame. • Predictions for 2021 estimate breaches at a pace of 2-3x more than 2020. • Ransomware attacks are predicted to grow by 5x in 2021. U.S. Annual Data Breaches and Exposed Records 2005–2020 (Millions) 4

5. Breaches with greater than 30,000 records World’s Biggest Data Breaches & Hacks Graph sourced from https://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks 5

6. Breaches with greater than 30,000 records World’s Biggest Data Breaches Within Healthcare in 2020 Graph sourced from https://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks 6

7. That is the goal, but… If you and your vendor, suffered a material data breach, could you together logically defend your combined cybersecurity practices to a very emotional audience? The Ultimate Goal is to Stay Out of the Bad Headlines 7

8. The Cloud Shared Responsibility Model

9. Image source from researchgate.net • Confidentiality – Keeping sensitive information private (PHI, PII, IP, etc). The goal being to prevent or minimize unauthorized access to data. • Integrity – Protects the reliability and correctness of data. To be maintained, objects must retain their veracity and be intentionally modified by only authorized subjects. • Availability – Authorized subjects are granted timely and uninterrupted access to systems, networks and data needed to perform daily tasks. The CIA Triad Is the Overarching Shared Goal and Objective 9

10. Types of Cloud Services Applications Database O/S Virtualization Servers Storage Networking Infrastructure Hardware Data Client On-Premise Infrastructure Hardware Applications Database O/S Virtualization Servers Storage Networking Data Client Vendor IaaS Virtualization Servers Storage Networking Infrastructure Hardware Applications Database O/S Data Client Vendor PaaS Applications Database O/S Virtualization Servers Storage Networking Infrastructure Hardware Data Vendor SaaS 10

11. SaaS PaaS IaaS Web Applications Analytic Accelerators Dashboards Networking Storage Virtualization Servers Analytic Engine Metadata Data Security Machine Learning A Closer Look with the Health Catalyst Data Operating System (DOSTM) 11

12. • Health Catalyst Data Operating System (DOSTM) is offered as a Platform as a Service (PaaS) moving to SaaS. • Relies on a shared security model where all layers above the Operating System (OS) level involves the partner to manage some aspect. • On premise components such as source systems, IPSec tunnels, point of contact, etc. are responsibilities not depicted that are retained by the customer. An Overview of the Cloud Shared Responsibility Model Using DOSTM 12

13. Security Policy and Procedures

14. • To build a comprehensive Information Security Management Program (or system) (ISMS) that considers layered security controls, you must FIRST know your business and its assets you wish to protect. • Once identified, consider a strategy for how you will classify or label those assets. • What vulnerabilities exist that are a threat to the assets you want to protect? Who is responsible to protect it? Who is accountable to protect them? • Risk management is at the core of a good Information Security Program. Know Your “What” and “Why” Before You Consider “How” 14

15. What Is the Risk (R) ? Inventory Vulnerabilities Threats Exposure Compensating Controls ƒ ( ) R = Likelihood X Business Impact Confidentiality Integrity Availability 15

16. • Security policies and standards are arguably the most important aspect of any security program. • When written and communicated correctly, it informs staff, vendors and contractors of acceptable conduct within the work environment. • Process documentation provides instruction for how compliance is achieved and evidenced. Compliance Examines An Organization’s Security Processes 16

17. • Security is a clear set of technical systems and tools and processes which are put in place to protect and defend the organization’s information and technology assets. • Always consider the people, processes and technologies that are involved with your assets. • When Compliance and Security align in a systematic and controlled way, that is the first step toward reducing risk. Security Aims To Protect Information and Technology Assets 17

18. The Challenge in Achieving Perfect Balance • Information agility and security are inversely proportional, opposing forces. • Maximizing one, minimizes the other. • Finding the perfect balance between the two is an art, not a science. • Where a clear decision between the two does not exist, let your risk appetite inform. • When your organization and vendor cannot align, let your regulatory compliance frameworks guide the path forward. 18

19. Compliance

20. What regulatory frameworks apply to your organization? Select all the apply. • HIPAA – 85.71% • PCI DSS – 34.29% • GDPR – 25.71% • State Based Data Privacy framework (CCPA) – 28.57% • Unknown – 14.29% Poll Question #1 20

21. Considering your vendors, what is the MOST IMPORTANT certifications you consider? • SOC 2 – 14.29% • HITRUST CSF – 34.29% • ISO 27001/2 – 14.29% • My organization’s own risk assessment process – 11.43% • Unsure – 25.71% Poll Question #2 21

22. Common Compliance Frameworks 22

23. Image Source - Image source - https://mindmajix.com/cyber-security-frameworks Well-known Cyber Security Frameworks 23

24. Compliance Audits and Certifications SOC Reports are Service Organization Control Reports that deal with managing financial or personal information at a company. There are three different SOC Reports. SOC 1 and SOC 2 are different types with SOC 1 applying to financial information controls, while SOC 2 compliance and certification covers personal user information. SOC 3 Reports are publicly accessible, so they do not include confidential information about the company. These reports apply for a specific period, and new reports consider any earlier findings. The American Institute for Chartered Public Accountants (AICPA) defined them as part of SSAE 18. https://phoenixnap.com/blog/security-vs-compliance 24

25. Compliance Audits and Certifications ISO 27001/2 certifications are globally recognized, standards-based approach to security that outlines requirements for an organization’s Information Security Management System (ISMS). The HITRUST CSF leverages nationally and internationally accepted standards including ISO, NIST, PCI and HIPAA to ensure a comprehensive set of baseline security controls. The CSF normalizes these security requirements and provides clarity and consistency, reducing the burden of compliance with the varied requirements that apply to organizations. Measures the compliance with HIPAA and offers the assurance that the organization has a HIPAA-compliance program with adequate measures for saving, accessing, and sharing individual medicaland personal information. 25

26. Vendor Risk Evaluation

27. • Non-Disclosure Agreements (NDAs) • Business Associate Agreements (BAAs) • Data Use Agreements (DUAs) • Service Level Agreements (SLAs) • Operational Level Agreements (OLAs) • Compliance Audits and Certifications Vendor / Partner Considerations 27

28. • Internal GRC teams audit and assess organizational risks • Independent third-party auditors offer external perspective and offer credibility. • Perform compliance and risk assessment on your vendor supply chain • Value certifications that overlap between vendor and your organization Internal, External and Vendor Risk Assessments 28

29. Coming Back Full Circle…. • Where are your shared responsibilities? • Do your and your vendors compliance frameworks align? • Do your certification strategies align to hopefully minimize your own efforts for certifications? • How will you assess alignment and track shared risk (misalignment)? 29

30. Image Source - https://quotefancy.com/ The Journey is Continuous….Embrace It 30

31. If you would like to learn more about Health Catalyst products and services, please answer this poll question: • Yes • No Poll Question #3 31

32. Questions? Kevin Scharnhorst, CISSP, CISM Chief Information Security Officer, Health Catalyst kevin.scharnhorst@healthcatalyst.com