September 2, 2021: Establishing routine protections for information security is paramount to establishing an effective set of security controls. While the technology is specific, the pedagogy of these actions may leave gaps for some of the new-mode approaches. Inspection of how we can define consistent control planes is essential to the resiliency and scalability of the current- and future-state elements in all aspects of the protection model. Cloud has a known good baseline of security when it starts – how is this changing and adding risk? Do you think there will ever be a 100% cloud-based set of systems for healthcare, or will it always be in a hybrid state?
Join our webinar “Coming Through a Ransomware Event – Best Practices and Lessons Learned” on Thursday, October 7th at 11:00 AM eastern time. We are going to take a unique look at the Sky Lakes Medical Center ransomware event with guests:
S4: Consistent Security Model for Cloud, Hybrid, and Local Datacenters with Sirius and Check Point
Transcript – September 2, 2021
This transcription is provided by artificial intelligence. We believe in technology but understand that even the smartest robots can sometimes get speech recognition wrong.
[00:00:00] Bill Russell: Thanks for joining us on This Week in Health IT Influence. My name is Bill Russell, former healthcare CIO for a 16 hospital system and creator of This Week in Health IT, a channel dedicated to keeping health IT staff current and engaged. Our topic for today is a consistent security model for cloud, hybrid and local data centers. Our sponsor for today’s segment is Check Point.
[00:00:25] We want to invite you to a special event that we have coming up Thursday, October [00:00:30] 7th at 11:00 AM eastern time. We are going to take a unique look at a healthcare ransomware event, an actual event that occurred. We have the CIO for Sky Lakes Medical Center, John Gaede, joining us. That is a health system that was ransomed.
[00:00:44] And we have Lee Milligan the CIO for Asante. Asante is the EHR host for Sky Lakes. They’re the community connections for Sky Lakes and they’re going to recount the events and the effects that it had on the interconnected health systems. Some of the things that [00:01:00] they did that they believed, worked pretty well and some of the things that they think could have prepared them better for the event.
[00:01:07] We’re also happy to be joined by our guest today, Matt Sickles, who has walked many health systems through the early stages of a cybersecurity event, straight through to the end. And I believe with his insights and the CIO’s experience, this discussion is going to provide valuable insights into the best practices that are being adopted across the industry and maybe that you could adopt. [00:01:30] So we would love to have you join us. And if you want, you can provide us questions ahead of time. It’s in the sign up form, and we will make sure we address as many of those as we possibly can. So there’s a webinar Thursday, October 7th at 11:00 AM. Eastern time, you can sign up on our website thisweekhealth.com/register.
[00:01:48] Our topic for today is a consistent security model for cloud, hybrid and local data centers. Our sponsor for today’s segment is Check Point. Let’s get to it with Matt. This is an interesting [00:02:00] topic. As I look at this one, the title almost answers the question. Consistent security model for cloud, hybrid and local data centers. Frame this up for us a little bit. And let’s just talk about what is the challenge we’re trying to address here?
[00:02:13] Matt Sickles: Right. So we would love to think that healthcare can actually participate in cloud in a similar and same manner as all other industries. We know that’s not the case. There are other industries such as financial investment that can’t go down the path of being [00:02:30] completely cloud either. So we’re starting to see the blend of technologies go from on-premise in the local data center to completely into the cloud, or that blend of a hybrid nature.
[00:02:42] And from a hybrid cloud nature, we know that there are some components that live in the cloud. Some that live on premise defining the hybrid. Those are going to be some of the biggest challenges that we have over time. We need to make sure that it’s consistent and as you’re moving these workloads into [00:03:00] cloud, there is a good admission criteria.
[00:03:03] How are you actually accepting the data in there? We’ve all heard ancillary information around how unsecured storage buckets have left information vulnerable. That has been a quote breach unquote. Well, the lack of configuration and the lack of consistency in a cloud workload may actually be worse on premise.
[00:03:24] So as we’re starting to blend these two together, we rely on our standard control sets [00:03:30] that are in healthcare, in the local data center to protect all of those assets. The minute you push your data into a cloud workload, you either have to recreate all those controls, or you have to send the data back through your control plane to be effective.
[00:03:45] If we look at a baseline problem statement of how do we consume consistently secure cloud and local, what you have to do is now start to blend those together. The policy, the standard, all [00:04:00] of the taxonomy you use has to be consistent. So if you’re building something for the cloud, it doesn’t have to be vendor match to vendor match. It doesn’t have to be solution for solution. It has to be capability by capability.
[00:04:13] Bill Russell: I’ve talked to a lot of health systems on This Week in Health IT about their cloud strategy. And almost all of them now have a cloud strategy; if you go back eight years or so, that wasn’t necessarily the case. So now, as we’re looking at this from a security standpoint, you talk about [00:04:30] a consistent security model across these things, but they’re very different.
[00:04:33] We can’t just assume that the cloud is secure in its baseline format, and if we put our stuff on there, it’s secure. We actually, I would assume as health systems, we have to create frameworks for the cloud and a framework for hybrid and a framework for our local data center that’s appropriate for that modality. Does that make sense? Is that accurate or am I missing something?
[00:04:56] Matt Sickles: No, you’re spot on. So think about it. When we get a [00:05:00] cloud instance, we have to either use their contractual language to validate that the data or information is going to be secure.
[00:05:07] We have to do a review of their controls and/or we need to make sure that there’s a consistent methodology. So once you take over the ownership of a workspace in the cloud, you’re going to assume that it is controlled and secure. The minute you start putting your data in there and making major change, that’s when we start to drift.
[00:05:26] Configuration drift [00:05:30] in a cloud environment is one of the most critical path items. We have learned to deal with that on premise over time, but there’s a brand new lexicon. We have a skills uplift that needs to occur in all industries, not just healthcare. So if we move data to the cloud, if we move information to the cloud, and then we change a configuration, there has to be a validation.
[00:05:53] We work very closely on standards that have been produced by the Cloud Security Alliance. It then references NIST [00:06:00] and ISO, HIPAA, other methodologies. We do like cloud security frameworks for the reason that it gives us consistency. And if we follow a lot of the rubrics of success of how we get to cloud workload, we need to make sure that we’re not putting an undue burden on those remote resources.
[00:06:18] We’re not just guessing, but the effective security controls have been validated by that third party. So now think about the controls that have to be put in place. Not only effective controls in cloud, [00:06:30] not only the consistency of those controls on premise, but then a validation that both of them are working together well. At a minimum that’s two times the level of effort, possibly higher.
[00:06:40] So that’s where we’re starting to see a lot more focus: before you deploy workloads to the cloud, make sure that your policies are either updated or consistent with securing a new mode of data storage.
[00:06:54] Bill Russell: Do the tools, the technology tools, the controls, is it the same kind of tool sets [00:07:00] across cloud, hybrid and local data centers?
[00:07:01] Are we seeing like a common set of tools that we can apply across the entire enterprise? Or are we looking at a mishmash of tools to manage that environment securely?
[00:07:12] Matt Sickles: There are single pane of glass solutions that are very available. They’re very effective and they’re very expensive. So we see a lot of that, pushing things together. We see a lot of home grown solutions, and we try and get there on our own. [00:07:30] That’s going to have to be the biggest shift. We need more tool choices that work across the lines from cloud workload back into the currency of our environment. We also need to make sure that there are some healthcare specific tool sets for this.
[00:07:44] We need to have reporting that is always going to give similar or same sets of data. But as we see more and more data move to the cloud, there’s also a security risk and a control that a lot don’t think about. And that is the cost of moving information [00:08:00] from on-premise out to the cloud and then back again. We have organizations, healthcare organizations, all verticals suffer from this: when they go cloud first and they have their first year of billing, they see where they were trying to do the same old mode of validation through security, and their costs just for moving the data back and forth were exorbitant.
[00:08:22] So now they have to redesign those systems. So we also want to look very carefully at that as a security risk to the organization. It could be an [00:08:30] unexpected cost for the data transfer, the data processing or the data storage.
[00:08:35] Bill Russell: So talk to me about secure healthcare data. So one of the things we have, we have PHI and those kinds of things. When we’re moving that data around, yes it can be expensive, but there’s also a regulatory framework around securing that data. How does that change as it moves from the local data center to hybrid to cloud, into that cloud environment? Are we able to move the security controls with it to make sure that [00:09:00] that data is secure when we move into the cloud environment? Or do we just naturally open it up because we just move it to an off premise system that can be accessed by, I don’t know, maybe a third-party cloud worker or those kinds of things? How do we secure that data just knowing that it’s no longer in our physical realm?
[00:09:21] Matt Sickles: Right. We can rely on a lot of the controls to be able to encrypt the data so that if a physical disk is lost, it’s going to be [00:09:30] meaningless. There won’t be any recoverable information. Just as we do data destruction policies for local data centers, there are data destruction policies for cloud. So let’s throw that concept out right now that if we put it in the cloud, others have access to it. No. It’s going to be secure as long as you have the framework around securing and encrypting that data.
[00:09:51] However, you can still move that data. We have to make sure that the policies can be ephemeral and they can follow around where you’re going. Our [00:10:00] policy decision and our policy enforcement in the cloud is much more granular. Role-based access control, where you’re coming from, what permissions you have access to are all going to determine what systems you get.
[00:10:13] Now, these are native and inherent controls that are built into most of the public cloud platforms. You don’t have to go and buy a huge suite of solutions so we can see why it’s enticing to move to the cloud because a lot of these controls are built in and effective. As we get larger [00:10:30] and larger, we have to layer on a lot of those third party or marketplace controls in a cloud workload.
[00:10:35] But from the baseline, cloud systems have been designed to be very secure. There are good success models, and there are good levels of how to put those controls in place. And more importantly, how to validate that the controls are being effective. When we have a firewall on premise, we always use that as our baseline. Now we get to follow the person and the data.
[00:10:58] Bill Russell: Talk to me about what a mature [00:11:00] system, a mature health system would look like in terms of their model across cloud, hybrid and local data centers. What would a mature framework look like from a health system like that?
[00:11:12] Matt Sickles: Sure. So we have to make sure that the data of record and the data ownership has good performance. The very first thing that we have to look at is how do we put effective security? And we can put controls in place without impacting the [00:11:30] performance. So if we move a workload to the cloud, will it perform?
[00:11:33] That is one of the most mature organizational questions that can be asked. So if you’re asking about performance instead of security, and you have a security plan already, the performance is a very mature statement of what can we get. Will we be able to have access if there is an event. So let’s take a ransomware event, let’s layer it on top of an organization.
[00:11:56] Let’s say that they have their data for their EHR/EMR in [00:12:00] a hybrid state, they have an air gap backup and a clean room that they can put their systems in. Instead of seeing 30 plus days of recovery, a mature organization can see four hours for recovery, a real return to operations, a downtime that is reasonable and meaningful for the organization and something that’s also manageable.
[00:12:22] That would be the maturity curve that we want to see. We want to see an organization that is not just self-healing, but it’s [00:12:30] also healable with minimal intervention.
[00:12:34] Bill Russell: So what’s next? So I’m a health system, I’m a health system leader, and I’m looking at this going, yeah, I’m not sure we have the frameworks in place. I’m not sure we are at a good maturity framework across our various environments. How do we get there? What are some steps? What are the next steps I should take?
[00:12:54] Matt Sickles: The baseline of what you have today is one of the most critical path items. If you know what [00:13:00] systems you’re using, where the data is moving into cloud platforms, whether it is infrastructure as a service, platform as a service or software as a service, knowing exactly how you’re communicating in the currency of what cloud is.
[00:13:14] Taking that baseline of what you’re exchanging, now take a look at what the goals are for the architecture. Will you be able to effectively put that workload into a cloud? Will you be able to bridge that with your local data center for a hybrid approach? [00:13:30] So the baseline of what you have today, where your security controls are effective, and most importantly, how you can shift that from the traditional access model to that role-based access control, that granular access.
[00:13:45] That’s going to be one of the most effective starting points. And once you get the baseline of how secure you are, how people are accessing the data and where data is going, you can start to just lay out those large building blocks and come up with [00:14:00] goals near-term, mid-term and long-term. The success story that most organizations have is taking an honest look at themselves today and where they want to be in 12 months, and developing a plan to get there and get there effectively within budget and within timeline.
[00:14:18] Bill Russell: Fantastic. Thanks Matt. Appreciate your time. That really sets up our next conversation. Well, thanks again.
[00:14:23] Matt Sickles: Hey, thanks Bill.
[00:14:24] Bill Russell: What a phenomenal conversation. We want to thank our sponsors Sirius Healthcare and Check Point who are [00:14:30] investing in our mission to develop the next generation of health leaders. Thanks for listening. That’s all for now.