Cloud-Native Security on Digital Health
-Telehealth Use Case-
GVHS 2022 on December 9, 2022
EIJI SASAHARA, PH.D., MBA
HEALTHCARE CLOUD INITIATIVE, NPO
CLOUD SECURITY ALLIANCE
HEALTH INFORMATION MANAGEMENT WG
AGENDA
1. Cybersecurity on Telehealth @NIST
2. Cybersecurity on Telehealth x Smart Home
@NIST
3. Cloud-Native Privacy/Data Protection
on Telehealth @CSA
4. Cloud-Native Security on Telehealth @CSA
5. Conclusions
https://www.linkedin.com/in/esasahara
https://www.facebook.com/esasahara
https://twitter.com/esasahara
1. Cybersecurity on Telehealth @NIST (1)
“NIST SP1800-30 Securing Telehealth Remote Patient
Monitoring Ecosystem”, February 22, 2022
https://csrc.nist.gov/publications/detail/sp/1800-30/final
SP 1800-30A: Executive Summary
SP 1800-30B: Approach, Architecture, and Security
Characteristics
1. Summary
2. How to Use This Guide
3. Approach
4. Architecture
5. Security and Privacy Characteristic Analysis
6. Functional Evaluation
7. Future Build Considerations
SP 1800-30C: How-To Guides
Source: “NIST SP 1800-30: Securing Telehealth Remote Patient Monitoring Ecosystem”, February 22, 2022
1. Cybersecurity on Telehealth @NIST (2)
Remote Patient Monitoring (RPM) Architecture
Source: “NIST SP 1800-30: Securing Telehealth Remote Patient Monitoring Ecosystem”, February 22, 2022
1. Cybersecurity on Telehealth @NIST (3)
RPM Architecture Layers
Source: “NIST SP 1800-30: Securing Telehealth Remote Patient Monitoring Ecosystem”, February 22, 2022
1. Cybersecurity on Telehealth @NIST (4)
Final RPM Architecture
Source: “NIST SP 1800-30: Securing Telehealth Remote Patient Monitoring Ecosystem”, February 22, 2022
1. Cybersecurity on Telehealth @NIST (5)
Security Characteristics and Controls Mapping–
NIST Cybersecurity Framework
•IEC TR 80001-2-2
•HIPAA Security Rule
•ISO/IEC 27001
Source: “NIST SP 1800-30: Securing Telehealth Remote Patient Monitoring Ecosystem”, February 22, 2022
2. Cybersecurity on Telehealth x Smart Home
@NIST (1)
NIST “Mitigating Cybersecurity Risk in Telehealth Smart Home
Integration: Cybersecurity for the Healthcare Sector”,
August 29, 2022
https://csrc.nist.gov/publications/detail/white-paper/2022/08/29/mitigating-cyber-risk-in-telehealth-smart-home-integration/final
Objective: identify and mitigate cybersecurity and privacy risks based on
patient use of smart home devices interfacing with patient information
systems
→ a practice guide that describes a reference architecture for smart
home integration with healthcare systems as part of a telehealth
program.
Reference:
“NIST IR 8259: Foundational Cybersecurity Activities for IoT Device Manufacturers”, May 29, 2020
https://www.nist.gov/publications/foundational-cybersecurity-activities-iot-device-manufacturers
“NIST IR 8259A: IoT Device Cybersecurity Capability Core Baseline”, May 29, 2020
https://www.nist.gov/publications/iot-device-cybersecurity-capability-core-baseline
“NIST IR 8259B: IoT Non-Technical Supporting Capability Core Baseline”, August 25, 2021
https://csrc.nist.gov/publications/detail/nistir/8259b/final
2. Cybersecurity on Telehealth x Smart Home
@NIST (2)
Components of Architecture
Architecture | Components
Patient Home Environment | Smart Home Devices, Personal Firewall, Wireless Access Point Router, Internet Router
Cloud Service Provider Environment | Voice Assist Platform, Cloud Platform
Healthcare Technology Integration Solution Environment | Telehealth Integration Applications
Health Delivery Organization (HDO) Environment | Electronic Health Record (EHR) System, Patient Portal, Network Access Control, Network Firewall, VPN
Telehealth Ecosystem Actors | Patients, HDO Clinicians, Support/Maintenance Staff
2. Cybersecurity on Telehealth x Smart Home
@NIST (3)
High-Level Architecture
Source: National Institute of Standards and Technology (NIST), “[Project Description] Mitigating Cybersecurity Risk in Telehealth Smart Home Integration: Cybersecurity for the Healthcare Sector” (August 29, 2022)
https://csrc.nist.gov/publications/detail/white-paper/2022/08/29/mitigating-cyber-risk-in-telehealth-smart-home-integration/final
2. Cybersecurity on Telehealth x Smart Home
@NIST (4)
Scenario 1: Patient Visit Scheduling
Source: National Institute of Standards and Technology (NIST), “[Project Description] Mitigating Cybersecurity Risk in Telehealth Smart Home Integration: Cybersecurity for the Healthcare Sector” (August 29, 2022)
https://csrc.nist.gov/publications/detail/white-paper/2022/08/29/mitigating-cyber-risk-in-telehealth-smart-home-integration/final
2. Cybersecurity on Telehealth x Smart Home
@NIST (5)
Scenario 2: Patient Prescription Refill
Source: National Institute of Standards and Technology (NIST), “[Project Description] Mitigating Cybersecurity Risk in Telehealth Smart Home Integration: Cybersecurity for the Healthcare Sector” (August 29, 2022)
https://csrc.nist.gov/publications/detail/white-paper/2022/08/29/mitigating-cyber-risk-in-telehealth-smart-home-integration/final
2. Cybersecurity on Telehealth x Smart Home
@NIST (6)
Scenario 3: Patient Regimen Check-In
Source: National Institute of Standards and Technology (NIST), “[Project Description] Mitigating Cybersecurity Risk in Telehealth Smart Home Integration: Cybersecurity for the Healthcare Sector” (August 29, 2022)
https://csrc.nist.gov/publications/detail/white-paper/2022/08/29/mitigating-cyber-risk-in-telehealth-smart-home-integration/final
2. Cybersecurity on Telehealth x Smart Home
@NIST (7)
Security Control Map: NIST SP 800-53 Revision 5
•IEC TR 80001-2-2
•HIPAA Security Rule
•ISO/IEC 27001
Source: National Institute of Standards and Technology (NIST), “[Project Description] Mitigating Cybersecurity Risk in Telehealth Smart Home Integration: Cybersecurity for the Healthcare Sector” (August 29, 2022)
https://csrc.nist.gov/publications/detail/white-paper/2022/08/29/mitigating-cyber-risk-in-telehealth-smart-home-integration/final
3. Cloud-Native Privacy/Data Protection
on Telehealth @CSA(1)
Cloud Security Alliance Health Information Management WG,
“Telehealth Data in the Cloud”, June 16, 2020
https://cloudsecurityalliance.org/artifacts/telehealth-data-in-the-cloud/
[Contents]
Introduction
Privacy Concerns
Security Concerns
Governance
Compliance
Confidentiality
Integrity
Availability
Incident Response and Management
Maintaining a Continuous Monitoring Program
Conclusion
References
Source: CSA Health Information Management WG, “Telehealth Data in the Cloud”, June 16, 2020
3. Cloud-Native Privacy/Data Protection
on Telehealth @CSA(2)
Considerations for Health Delivery Organizations
(HDOs) regarding a Telehealth Agreement with a
Cloud Provider:
# Key Questions
1 Does the telehealth provider (TP) describe the purpose(s) for which PHI is collected, used,
maintained, and shared in its privacy notices?
2 Does the TP have, disseminate, and implement operational privacy policies and procedures
that govern the appropriate privacy and security controls for programs, information systems,
or technologies involving PHI?
3 Has the TP conducted a privacy impact assessment, and are they willing to share it?
4 Does the HDO have privacy roles, responsibilities, and access requirements for contractors
and service providers?
5 Does the TP monitor and audit privacy controls and internal privacy policies to ensure
effective implementation?
6 Does the TP design information systems to support privacy by automating privacy controls?
3. Cloud-Native Privacy/Data Protection
on Telehealth @CSA(3)
(Continued)
# Key Questions
7 Does the TP maintain an accurate accounting of disclosures of information held in each system
of records under its control, including:
a. Date, nature, and purpose of each disclosure of a record.
b. Name and address of the person or organization to which the disclosure was made.
c. The identity of who authorized the disclosure.
8 Does the TP document processes to ensure the integrity of PHI through existing security
controls?
9 Does the TP identify the minimum PHI elements relevant and necessary to accomplish the legally
authorized purpose of collection?
10 Does the TP provide means for individuals to authorize the collection, use, maintenance, and
sharing of PHI before its collection?
11 Does the TP have a process for receiving and responding to complaints, concerns, or questions
from individuals about organizational privacy practices?
12 Does the TP provide sufficient notice to the public and to individuals regarding its activities that
impact privacy? (e.g. collection, use, sharing, safeguarding, maintenance, and disposal of PHI)
13 Does the TP share PHI externally?
3. Cloud-Native Privacy/Data Protection
on Telehealth @CSA(4)
Governance
# Key Questions
1 Does the service provider’s service-level agreement (SLA) clearly define how the service
provider protects the confidentiality, integrity, and availability of all customer information?
2 Does the service provider’s SLA specify that the HDO will retain ownership of its data?
3 Will the service provider use the data for any purpose other than service delivery?
4 Is the service provider’s service dependent on any third-party stakeholders?
Compliance
# Key Questions
1 Does the cloud service provider allow the HDO to directly audit the implementation and
management of the security measures in place to protect the service and the data it holds?
2 Will the service provider allow the HDO to review recent audit reports thoroughly?
3 Is the service provider HIPAA compliant?
4 Does the service provider comply with the GDPR?
3. Cloud-Native Privacy/Data Protection
on Telehealth @CSA(5)
Confidentiality
Protecting data from improper disclosure
# Key Questions
1 Authentication and Access Control
a. Does the HDO have an identity management strategy that supports the adoption of cloud
services?
b. Is there an effective internal process that ensures that identities are managed and protected
throughout their lifecycles?
c. Is there an effective audit process to ensure that user accounts are appropriately managed
and protected? Does the service provider meet those control requirements?
d. Are all passwords encrypted, especially system/service administrators?
e. Is multi-factor authentication required, and, if so, is it available?
f. Does authentication and access control extend to devices?
2 Multi-Tenancy
g. Will the service provider allow the HDO to review a recent third-party audit report that
includes an assessment of the security controls and practices related to virtualization and
separation of customer data?
h. Do the service provider’s customer registration processes provide an appropriate level of
assurance based on the criticality and sensitivity of the information in the cloud service?
3. Cloud-Native Privacy/Data Protection
on Telehealth @CSA(6)
(Continued)
# Key Questions
3 Patch and Vulnerability Management
i. Is the service provider responsible for patching all components that make up the cloud
service?
j. Does the service provider’s SLA include service levels for patch and vulnerability
management that comprise a defined maximum exposure window?
k. Does the HDO currently have an effective patch and vulnerability management process?
l. Will the service provider allow the HDO to perform regular vulnerability assessments?
4 Encryption
m. Does the service provider encrypt the information placed in the cloud service for both data
at rest and in transit?
n. Does the cloud service use only approved encryption protocols and algorithms (as defined in
Federal Information Processing Standards 140-2)?
o. Which party is responsible for managing the cryptographic keys?
p. Are there separate keys for each customer?
5 Data Persistence
q. Does the service provider have an auditable process for the secure sanitization of storage
media before it is made available to another customer?
r. Does the service provider have an auditable process for safe disposal or destruction of
equipment and storage media containing customer data?
3. Cloud-Native Privacy/Data Protection
on Telehealth @CSA(7)
Integrity
Maintenance of data over its full lifecycle with the assurance it is
accurate and consistent.
# Key Questions
1 Does the service provider provide data backup or archiving services as part of their standard
service offering to protect against data loss or corruption?
2 How are data backup and archiving services provided?
3 Does the data backup or archiving service adhere to business requirements related to protection
against data loss?
4 What level of granularity does the service provider offer for data restoration?
5 Does the service provider regularly perform test restores to ensure that data is recoverable from
backup media?
3. Cloud-Native Privacy/Data Protection
on Telehealth @CSA(8)
Availability
Ability to ensure that required data is always accessible when and where needed.
# Key Questions
1 Does the SLA include an expected and minimum availability performance percentage over a clearly
defined period?
2 Does the SLA include defined, scheduled outage windows?
3 Does the service provider utilize protocols and technologies that can protect against distributed
denial-of-service (DDoS) attacks?
4 Do the network services directly managed or subscribed to by the HDO provide sufficient levels of
availability?
5 Do the network services directly managed, or subscribed to by the HDO provide an adequate level
of redundancy/fault tolerance?
6 Do the network services directly managed, or subscribed to by the HDO provide an adequate level
of bandwidth?
7 Is the latency between the HDO network(s) and the service provider’s service at levels acceptable
to achieve the desired user experience?
4. Cloud-Native Security on Telehealth @CSA(1)
Cloud Security Alliance Health Information Management WG,
“Telehealth Data in the Cloud”, June 10, 2021
https://csrc.nist.gov/publications/detail/white-paper/2022/08/29/mitigating-cyber-risk-in-telehealth-smart-home-integration/final
[Contents]
Introduction
Governance
Privacy
Security
Conclusion
Reference
Source: CSA Health Information Management WG, “Telehealth Risk management”, June 10, 2021
4. Cloud-Native Security on Telehealth @CSA(2)
Information Governance:
Establish the system,
strategy, policies,
procedures, guidelines,
laws, and regulations
that HDOs must adhere
to.
Source: CSA Health Information Management WG, “Telehealth Risk management”, June 10, 2021
4. Cloud-Native Security on Telehealth @CSA(3)
Data Lifecycle:
Source: CSA Health Information Management WG, “Telehealth Risk management”, June 10, 2021
Phase Definition
1. Create: Data is generated, acquired, or modified.
2. Store: Data is committed to a storage repository.
3. Use: Data is processed, viewed, or used in any other sort of
activity.
4. Share: Data or information is made accessible to others.
5. Archive: Data is placed in long-term storage, per data retention
guidelines and legal obligations.
6. Destroy: Data is no longer required and made inaccessible.
4. Cloud-Native Security on Telehealth @CSA(4)
Cybersecurity and Privacy Risk Relationship
Source: CSA Health Information Management WG, “Telehealth Risk management”, June 10, 2021
4. Cloud-Native Security on Telehealth @CSA(5)
Data Lifecycle and Cybersecurity(1)
Source: CSA Health Information Management WG, “Telehealth Risk management”, June 10, 2021
Phase Considerations
1. Create: ・Any created data should fulfill a clear business need.
・HDOs must have consent to collect PHI or PII.
・Data creation regulatory requirements depend on where data is created.
・GDPR requires security be built in at the time of data creation.
・HIPAA requires protection for all PHI from inception to destruction.
・Data must be created in a secure environment.
2. Store: ・Data owners must determine where data originated and where it is
stored.
・Service providers must protect cloud data (including access control
and encryption).
・CSP should have a secure architecture that utilizes standard security
best practices. (e.g. robust monitoring, auditing, and alerting capability)
・Data loss prevention system can help identify who is using the data
and their location.
・CSP should complete a third party assessment and offer to share that
insight with the HDO.
4. Cloud-Native Security on Telehealth @CSA(6)
Data Lifecycle and Cybersecurity(2)
Source: CSA Health Information Management WG, “Telehealth Risk management”, June 10, 2021
Phase Considerations
3. Use: ・Geography determines the regulatory requirements for both stored and
processed data. (e.g. Telehealth solutions allow patients to access data from
anywhere with internet access.)
・Organizations should use federation and multifactor authentication whenever
possible to access data.
・Identity and Access Management (IAM) is a vital part of securing data in use.
・Organizations should consider using an Application Programming Interface
(API), which requires digital signatures to ensure security.
4. Share: ・When data sharing is required, the organization responsible for the data
must ensure its security. IAM is critical for data security.
・Enact a Data Loss Prevention (DLP) program to discover, monitor, and
protect data with regulatory or compliance implications in transit and at rest
across the network, storage, and endpoints.
・Sharing requires data transmission from the cloud to all applicable data users.
・Encrypt data while in transit and use a secure protocol.
4. Cloud-Native Security on Telehealth @CSA(7)
Data Lifecycle and Cybersecurity(3)
Source: CSA Health Information Management WG, “Telehealth Risk management”, June 10, 2021
Phase Considerations
5. Archive: ・Essential data that does not require frequent access or modification
often resides in a data archive.
・Archiving data provides many benefits, especially in terms of efficiency.
・Encrypt archived data and control access to the information.
・Keep personal data or healthcare data only if required for its original,
intended purpose.
6. Destroy: ・Since cloud data exists in a shared, dispersed environment, typical
data deletion and destruction methods (such as wiping) cannot ensure
all data copies are destroyed.
・Encryption, followed by key destruction, is the best guarantee to
ensure responsible data removal.
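Added example (not part of the original slides or the CSA paper): a Python sketch of the Destroy-phase point above, showing why destroying a per-patient key makes every remaining ciphertext copy unreadable even when replicas and backups cannot be wiped. KeyVault, ReplicatedStore, the replica names and the patient IDs are hypothetical, the vault is assumed to hold the only copy of each key, and the HMAC-SHA256 keystream cipher is a standard-library stand-in for a vetted AEAD such as AES-GCM.

```python
import hashlib
import hmac
import secrets


class KeyDestroyed(Exception):
    """Raised when a key is requested for a patient whose key was destroyed."""


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode: stand-in cipher so the example runs offline.
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _subkeys(key: bytes):
    # Separate encryption and MAC keys derived from the per-patient key.
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC; returns nonce || ciphertext || tag."""
    enc, mac = _subkeys(key)
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc, nonce, len(plaintext))))
    return nonce + ct + hmac.new(mac, nonce + ct, hashlib.sha256).digest()


def unseal(key: bytes, blob: bytes) -> bytes:
    enc, mac = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc, nonce, len(ct))))


class KeyVault:
    """One data key per patient (hypothetical stand-in for a KMS)."""

    def __init__(self):
        self._keys = {}
        self._destroyed = set()

    def key_for(self, patient_id: str, create: bool = False) -> bytes:
        if patient_id in self._destroyed:
            raise KeyDestroyed(patient_id)
        if patient_id not in self._keys:
            if not create:
                raise KeyError(patient_id)
            self._keys[patient_id] = secrets.token_bytes(32)
        return self._keys[patient_id]

    def destroy(self, patient_id: str) -> None:
        self._keys.pop(patient_id, None)
        self._destroyed.add(patient_id)  # tombstone: never re-issue a key


class ReplicatedStore:
    """Models cloud storage whose extra copies the HDO cannot wipe itself."""

    def __init__(self, vault: KeyVault, replicas=("primary", "replica", "backup")):
        self.vault = vault
        self.replicas = {name: {} for name in replicas}

    def put(self, patient_id: str, record: bytes) -> None:
        blob = seal(self.vault.key_for(patient_id, create=True), record)
        for copies in self.replicas.values():
            copies[patient_id] = blob

    def get(self, patient_id: str, replica: str = "primary") -> bytes:
        return unseal(self.vault.key_for(patient_id), self.replicas[replica][patient_id])

    def destroy_patient(self, patient_id: str) -> None:
        # Delete the copy we control, then destroy the key so the copies we
        # cannot reach (replica, backup) are left as unreadable ciphertext.
        self.replicas["primary"].pop(patient_id, None)
        self.vault.destroy(patient_id)

    def readable_copies(self, patient_id: str) -> int:
        count = 0
        for name, copies in self.replicas.items():
            if patient_id in copies:
                try:
                    self.get(patient_id, name)
                    count += 1
                except KeyDestroyed:
                    pass
        return count


def demo() -> dict:
    store = ReplicatedStore(KeyVault())
    store.put("patient-A", b"constructed sample: BP 120/80")
    store.put("patient-B", b"constructed sample: SpO2 98%")
    before = store.readable_copies("patient-A")
    store.destroy_patient("patient-A")
    leftover = sum("patient-A" in copies for copies in store.replicas.values())
    return {"readable_before": before,
            "ciphertext_copies_left": leftover,
            "readable_after": store.readable_copies("patient-A"),
            "other_patient_readable": store.readable_copies("patient-B")}


if __name__ == "__main__":
    print(demo())
```

Because each patient has a separate key, destroying one key leaves other patients' records readable; the guarantee holds only if no exported or backed-up copy of the destroyed key survives.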
5. Conclusions
1. Adoption of NIST Cybersecurity Framework in
Emerging Telehealth Services
2. Next Challenge: Integration of Telehealth with
Smart Home
3. Privacy/Data Protection by Design:
Agreement with Cloud Telehealth Providers
4. Cloud-Native Security with Continuous
Data Lifecycle Management

 
Landscape of Cloud-Driven Digital Health Platform Market in Japan 2023
Landscape of Cloud-Driven Digital Health Platform Market in Japan 2023Landscape of Cloud-Driven Digital Health Platform Market in Japan 2023
Landscape of Cloud-Driven Digital Health Platform Market in Japan 2023
 
バイオエコノミー産業の サイバーセキュリティ最新動向
バイオエコノミー産業の サイバーセキュリティ最新動向バイオエコノミー産業の サイバーセキュリティ最新動向
バイオエコノミー産業の サイバーセキュリティ最新動向
 
[ハードウェア編] クラウドネイティブアーキテクチャとIoTセキュリティ・バイ・デザイン
[ハードウェア編] クラウドネイティブアーキテクチャとIoTセキュリティ・バイ・デザイン[ハードウェア編] クラウドネイティブアーキテクチャとIoTセキュリティ・バイ・デザイン
[ハードウェア編] クラウドネイティブアーキテクチャとIoTセキュリティ・バイ・デザイン
 
「NISTIR 8320B ハードウェア対応セキュリティ:信頼されたコンテナプラットフォームにおけるポリシーベースのガバナンス」概説
「NISTIR 8320B ハードウェア対応セキュリティ:信頼されたコンテナプラットフォームにおけるポリシーベースのガバナンス」概説「NISTIR 8320B ハードウェア対応セキュリティ:信頼されたコンテナプラットフォームにおけるポリシーベースのガバナンス」概説
「NISTIR 8320B ハードウェア対応セキュリティ:信頼されたコンテナプラットフォームにおけるポリシーベースのガバナンス」概説
 
「NIST SP 800-204C サービスメッシュを利用したマイクロサービスベースのアプリケーション向けDevSecOpsの展開」概説
「NIST SP 800-204C  サービスメッシュを利用したマイクロサービスベースのアプリケーション向けDevSecOpsの展開」概説「NIST SP 800-204C  サービスメッシュを利用したマイクロサービスベースのアプリケーション向けDevSecOpsの展開」概説
「NIST SP 800-204C サービスメッシュを利用したマイクロサービスベースのアプリケーション向けDevSecOpsの展開」概説
 
情報プラットフォーム構築に必要なこと~欧州のユースケースに学ぶ医療・介護・健康情報連携基盤~
情報プラットフォーム構築に必要なこと~欧州のユースケースに学ぶ医療・介護・健康情報連携基盤~情報プラットフォーム構築に必要なこと~欧州のユースケースに学ぶ医療・介護・健康情報連携基盤~
情報プラットフォーム構築に必要なこと~欧州のユースケースに学ぶ医療・介護・健康情報連携基盤~
 
医療におけるブロックチェーン利用
医療におけるブロックチェーン利用医療におけるブロックチェーン利用
医療におけるブロックチェーン利用
 
セキュアなサーバーレスアーキテクチャ設計手法の概説 (v0)
セキュアなサーバーレスアーキテクチャ設計手法の概説 (v0)セキュアなサーバーレスアーキテクチャ設計手法の概説 (v0)
セキュアなサーバーレスアーキテクチャ設計手法の概説 (v0)
 
クラウドにおける医療ビッグデータのプライバシー保護/セキュリティ管理
クラウドにおける医療ビッグデータのプライバシー保護/セキュリティ管理クラウドにおける医療ビッグデータのプライバシー保護/セキュリティ管理
クラウドにおける医療ビッグデータのプライバシー保護/セキュリティ管理
 

Último

Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Wonjun Hwang
 
Search Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfSearch Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfRankYa
 
The Future of Software Development - Devin AI Innovative Approach.pdf
The Future of Software Development - Devin AI Innovative Approach.pdfThe Future of Software Development - Devin AI Innovative Approach.pdf
The Future of Software Development - Devin AI Innovative Approach.pdfSeasiaInfotech2
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsMemoori
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piececharlottematthew16
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Mattias Andersson
 
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr LapshynFwdays
 
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostLeverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostZilliz
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 3652toLead Limited
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr BaganFwdays
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...Fwdays
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Enterprise Knowledge
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsMark Billinghurst
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
Training state-of-the-art general text embedding
Training state-of-the-art general text embeddingTraining state-of-the-art general text embedding
Training state-of-the-art general text embeddingZilliz
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Commit University
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyAlfredo García Lavilla
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Mark Simos
 

Último (20)

Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
 
Search Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfSearch Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdf
 
The Future of Software Development - Devin AI Innovative Approach.pdf
The Future of Software Development - Devin AI Innovative Approach.pdfThe Future of Software Development - Devin AI Innovative Approach.pdf
The Future of Software Development - Devin AI Innovative Approach.pdf
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial Buildings
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piece
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
 
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
 
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptxE-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
 
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostLeverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
 
DMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special EditionDMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special Edition
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
Training state-of-the-art general text embedding
Training state-of-the-art general text embeddingTraining state-of-the-art general text embedding
Training state-of-the-art general text embedding
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easy
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
 

Cloud-Native Security on Digital Health-Telehealth Use Case

  • 1. Cloud-Native Security on Digital Health -Telehealth Use Case-
       GVHS 2022 on December 9, 2022
       EIJI SASAHARA, PH.D., MBA
       HEALTHCARE CLOUD INITIATIVE, NPO
       CLOUD SECURITY ALLIANCE HEALTH INFORMATION MANAGEMENT WG
  • 2. AGENDA
       1. Cybersecurity on Telehealth @NIST
       2. Cybersecurity on Telehealth x Smart Home @NIST
       3. Cloud-Native Privacy/Data Protection on Telehealth @CSA
       4. Cloud-Native Security on Telehealth @CSA
       5. Conclusions
       https://www.linkedin.com/in/esasahara
       https://www.facebook.com/esasahara
       https://twitter.com/esasahara
  • 3. 1. Cybersecurity on Telehealth @NIST (1)
       “NIST SP 1800-30 Securing Telehealth Remote Patient Monitoring Ecosystem”, February 22, 2022
       https://csrc.nist.gov/publications/detail/sp/1800-30/final
       SP 1800-30A: Executive Summary
       SP 1800-30B: Approach, Architecture, and Security Characteristics
         1. Summary
         2. How to Use This Guide
         3. Approach
         4. Architecture
         5. Security and Privacy Characteristic Analysis
         6. Functional Evaluation
         7. Future Build Considerations
       SP 1800-30C: How-To Guides
       Source: “NIST SP 1800-30: Securing Telehealth Remote Patient Monitoring Ecosystem”, February 22, 2022
  • 4. 1. Cybersecurity on Telehealth @NIST (2)
       Remote Patient Monitoring (RPM) Architecture
       Source: “NIST SP 1800-30: Securing Telehealth Remote Patient Monitoring Ecosystem”, February 22, 2022
  • 5. 1. Cybersecurity on Telehealth @NIST (3)
       RPM Architecture Layers
       Source: “NIST SP 1800-30: Securing Telehealth Remote Patient Monitoring Ecosystem”, February 22, 2022
  • 6. 1. Cybersecurity on Telehealth @NIST (4)
       Final RPM Architecture
       Source: “NIST SP 1800-30: Securing Telehealth Remote Patient Monitoring Ecosystem”, February 22, 2022
  • 7. 1. Cybersecurity on Telehealth @NIST (5)
       Security Characteristics and Controls Mapping – NIST Cybersecurity Framework
         • IEC TR 80001-2-2
         • HIPAA Security Rule
         • ISO/IEC 27001
       Source: “NIST SP 1800-30: Securing Telehealth Remote Patient Monitoring Ecosystem”, February 22, 2022
  • 8. 2. Cybersecurity on Telehealth x Smart Home @NIST (1)
       NIST “Mitigating Cybersecurity Risk in Telehealth Smart Home Integration: Cybersecurity for the Healthcare Sector”, August 29, 2022
       https://csrc.nist.gov/publications/detail/white-paper/2022/08/29/mitigating-cyber-risk-in-telehealth-smart-home-integration/final
       Objective: identify and mitigate cybersecurity and privacy risks based on patient use of smart home devices interfacing with patient information systems
       → a practice guide that describes a reference architecture for smart home integration with healthcare systems as part of a telehealth program.
       Reference:
         • “NIST IR 8259: Foundational Cybersecurity Activities for IoT Device Manufacturers”, May 29, 2020
           https://www.nist.gov/publications/foundational-cybersecurity-activities-iot-device-manufacturers
         • “NIST IR 8259A: IoT Device Cybersecurity Capability Core Baseline”, May 29, 2020
           https://www.nist.gov/publications/iot-device-cybersecurity-capability-core-baseline
         • “NIST IR 8259B: IoT Non-Technical Supporting Capability Core Baseline”, August 25, 2021
           https://csrc.nist.gov/publications/detail/nistir/8259b/final
  • 9. 2. Cybersecurity on Telehealth x Smart Home @NIST (2)
       Components of Architecture (Architecture: Components)
         • Patient Home Environment: Smart Home Devices, Personal Firewall, Wireless Access Point Router, Internet Router
         • Cloud Service Provider Environment: Voice Assist Platform, Cloud Platform
         • Healthcare Technology Integration Solution Environment: Telehealth Integration Applications
         • Health Delivery Organization (HDO) Environment: Electronic Health Record (EHR) System, Patient Portal, Network Access Control, Network Firewall, VPN
         • Telehealth Ecosystem Actors: Patients, HDO Clinicians, Support/Maintenance Staff
  • 10. 2. Cybersecurity on Telehealth x Smart Home @NIST (3)
       High-Level Architecture
       Source: National Institute of Standards and Technology (NIST), “[Project Description] Mitigating Cybersecurity Risk in Telehealth Smart Home Integration: Cybersecurity for the Healthcare Sector” (August 29, 2022)
       https://csrc.nist.gov/publications/detail/white-paper/2022/08/29/mitigating-cyber-risk-in-telehealth-smart-home-integration/final
  • 11. 2. Cybersecurity on Telehealth x Smart Home @NIST (4)
       Scenario 1: Patient Visit Scheduling
       Source: National Institute of Standards and Technology (NIST), “[Project Description] Mitigating Cybersecurity Risk in Telehealth Smart Home Integration: Cybersecurity for the Healthcare Sector” (August 29, 2022)
       https://csrc.nist.gov/publications/detail/white-paper/2022/08/29/mitigating-cyber-risk-in-telehealth-smart-home-integration/final
  • 12. 2. Cybersecurity on Telehealth x Smart Home @NIST (5)
       Scenario 2: Patient Prescription Refill
       Source: National Institute of Standards and Technology (NIST), “[Project Description] Mitigating Cybersecurity Risk in Telehealth Smart Home Integration: Cybersecurity for the Healthcare Sector” (August 29, 2022)
       https://csrc.nist.gov/publications/detail/white-paper/2022/08/29/mitigating-cyber-risk-in-telehealth-smart-home-integration/final
  • 13. 2. Cybersecurity on Telehealth x Smart Home @NIST (6)
       Scenario 3: Patient Regimen Check-In
       Source: National Institute of Standards and Technology (NIST), “[Project Description] Mitigating Cybersecurity Risk in Telehealth Smart Home Integration: Cybersecurity for the Healthcare Sector” (August 29, 2022)
       https://csrc.nist.gov/publications/detail/white-paper/2022/08/29/mitigating-cyber-risk-in-telehealth-smart-home-integration/final
  • 14. 2. Cybersecurity on Telehealth x Smart Home @NIST (7)
       Security Control Map: NIST SP 800-53 Revision 5
         • IEC TR 80001-2-2
         • HIPAA Security Rule
         • ISO/IEC 27001
       Source: National Institute of Standards and Technology (NIST), “[Project Description] Mitigating Cybersecurity Risk in Telehealth Smart Home Integration: Cybersecurity for the Healthcare Sector” (August 29, 2022)
       https://csrc.nist.gov/publications/detail/white-paper/2022/08/29/mitigating-cyber-risk-in-telehealth-smart-home-integration/final
  • 15. 3. Cloud-Native Privacy/Data Protection on Telehealth @CSA (1)
       Cloud Security Alliance Health Information Management WG, “Telehealth Data in the Cloud”, June 16, 2020
       https://cloudsecurityalliance.org/artifacts/telehealth-data-in-the-cloud/
       [Contents]
         • Introduction
         • Privacy Concerns
         • Security Concerns
         • Governance
         • Compliance
         • Confidentiality
         • Integrity
         • Availability
         • Incident Response and Management
         • Maintaining a Continuous Monitoring Program
         • Conclusion
         • References
       Source: CSA Health Information Management WG, “Telehealth Data in the Cloud”, June 16, 2020
  • 16. 3. Cloud-Native Privacy/Data Protection on Telehealth @CSA (2)
       Considerations for Health Delivery Organizations (HDOs) regarding a Telehealth Agreement with a Cloud Provider:
       Key Questions
         1. Does the telehealth provider (TP) describe the purpose(s) for which PHI is collected, used, maintained, and shared in its privacy notices?
         2. Does the TP have, disseminate, and implement operational privacy policies and procedures that govern the appropriate privacy and security controls for programs, information systems, or technologies involving PHI?
         3. Has the TP conducted a privacy impact assessment, and are they willing to share it?
         4. Does the HDO have privacy roles, responsibilities, and access requirements for contractors and service providers?
         5. Does the TP monitor and audit privacy controls and internal privacy policies to ensure effective implementation?
         6. Does the TP design information systems to support privacy by automating privacy controls?
  • 17. 3. Cloud-Native Privacy/Data Protection on Telehealth @CSA (3) (Continued)
       Key Questions
         7. Does the TP maintain an accurate accounting of disclosures of information held in each system of records under its control, including:
            a. Date, nature, and purpose of each disclosure of a record.
            b. Name and address of the person or organization to which the disclosure was made.
            c. The identity of who authorized the disclosure.
         8. Does the TP document processes to ensure the integrity of PHI through existing security controls?
         9. Does the TP identify the minimum PHI elements relevant and necessary to accomplish the legally authorized purpose of collection?
         10. Does the TP provide means for individuals to authorize the collection, use, maintenance, and sharing of PHI before its collection?
         11. Does the TP have a process for receiving and responding to complaints, concerns, or questions from individuals about organizational privacy practices?
         12. Does the TP provide sufficient notice to the public and to individuals regarding its activities that impact privacy? (e.g. collection, use, sharing, safeguarding, maintenance, and disposal of PHI)
         13. Does the TP share PHI externally?
  • 18. 3. Cloud-Native Privacy/Data Protection on Telehealth @CSA (4)
       Governance: Key Questions
         1. Does the service provider’s service-level agreement (SLA) clearly define how the service provider protects the confidentiality, integrity, and availability of all customer information?
         2. Does the service provider’s SLA specify that the HDO will retain ownership of its data?
         3. Will the service provider use the data for any purpose other than service delivery?
         4. Is the service provider’s service dependent on any third-party stakeholders?
       Compliance: Key Questions
         1. Does the cloud service provider allow the HDO to directly audit the implementation and management of the security measures in place to protect the service and the data it holds?
         2. Will the service provider allow the HDO to review recent audit reports thoroughly?
         3. Is the service provider HIPAA compliant?
         4. Does the service provider comply with the GDPR?
  • 19. 3. Cloud-Native Privacy/Data Protection on Telehealth @CSA (5)
       Confidentiality: Protecting data from improper disclosure
       Key Questions
         1. Authentication and Access Control
            a. Does the HDO have an identity management strategy that supports the adoption of cloud services?
            b. Is there an effective internal process that ensures that identities are managed and protected throughout their lifecycles?
            c. Is there an effective audit process to ensure that user accounts are appropriately managed and protected? Does the service provider meet those control requirements?
            d. Are all passwords encrypted, especially system/service administrators?
            e. Is multi-factor authentication required, and, if so, is it available?
            f. Does authentication and access control extend to devices?
         2. Multi-Tenancy
            g. Will the service provider allow the HDO to review a recent third-party audit report that includes an assessment of the security controls and practices related to virtualization and separation of customer data?
            h. Do the service provider’s customer registration processes provide an appropriate level of assurance based on the criticality and sensitivity of the information in the cloud service?
  • 20. 3. Cloud-Native Privacy/Data Protection on Telehealth @CSA (6) (Continued)
       Key Questions
         3. Patch and Vulnerability Management
            i. Is the service provider responsible for patching all components that make up the cloud service?
            j. Does the service provider’s SLA include service levels for patch and vulnerability management that comprise a defined maximum exposure window?
            k. Does the HDO currently have an effective patch and vulnerability management process?
            l. Will the service provider allow the HDO to perform regular vulnerability assessments?
         4. Encryption
            m. Does the service provider encrypt the information placed in the cloud service for both data at rest and in transit?
            n. Does the cloud service use only approved encryption protocols and algorithms (as defined in Federal Information Processing Standards 140-2)?
            o. Which party is responsible for managing the cryptographic keys?
            p. Are there separate keys for each customer?
         5. Data Persistence
            q. Does the service provider have an auditable process for the secure sanitization of storage media before it is made available to another customer?
            r. Does the service provider have an auditable process for safe disposal or destruction of equipment and storage media containing customer data?
  • 21. 3. Cloud-Native Privacy/Data Protection on Telehealth @CSA (7)
       Integrity: Maintenance of data over its full lifecycle with the assurance it is accurate and consistent.
       Key Questions
         1. Does the service provider provide data backup or archiving services as part of their standard service offering to protect against data loss or corruption?
         2. How are data backup and archiving services provided?
         3. Does the data backup or archiving service adhere to business requirements related to protection against data loss?
         4. What level of granularity does the service provider offer for data restoration?
         5. Does the service provider regularly perform test restores to ensure that data is recoverable from backup media?
  • 22. 3. Cloud-Native Privacy/Data Protection on Telehealth @CSA (8)
       Availability: Ability to ensure that required data is always accessible when and where needed.
       Key Questions
         1. Does the SLA include an expected and minimum availability performance percentage over a clearly defined period?
         2. Does the SLA include defined, scheduled outage windows?
         3. Does the service provider utilize protocols and technologies that can protect against distributed denial-of-service (DDoS) attacks?
         4. Do the network services directly managed or subscribed to by the HDO provide sufficient levels of availability?
         5. Do the network services directly managed or subscribed to by the HDO provide an adequate level of redundancy/fault tolerance?
         6. Do the network services directly managed or subscribed to by the HDO provide an adequate level of bandwidth?
         7. Is the latency between the HDO network(s) and the service provider’s service at levels acceptable to achieve the desired user experience?
  • 23. 4. Cloud-Native Security on Telehealth @CSA (1)
       Cloud Security Alliance Health Information Management WG, “Telehealth Data in the Cloud”, June 10, 2021
       https://csrc.nist.gov/publications/detail/white-paper/2022/08/29/mitigating-cyber-risk-in-telehealth-smart-home-integration/final
       [Contents]
         • Introduction
         • Governance
         • Privacy
         • Security
         • Conclusion
         • Reference
       Source: CSA Health Information Management WG, “Telehealth Risk management”, June 10, 2021
  • 24. 4. Cloud-Native Security on Telehealth @CSA (2)
       Information Governance: Establish the system, strategy, policies, procedures, guidelines, laws, and regulations that HDOs must adhere to.
       Source: CSA Health Information Management WG, “Telehealth Risk management”, June 10, 2021
  • 25. 4. Cloud-Native Security on Telehealth @CSA (3)
       Data Lifecycle (Phase: Definition)
         1. Create: Data is generated, acquired, or modified.
         2. Store: Data is committed to a storage repository.
         3. Use: Data is processed, viewed, or used in any other sort of activity.
         4. Share: Data or information is made accessible to others.
         5. Archive: Data is placed in long-term storage, per data retention guidelines and legal obligations.
         6. Destroy: Data is no longer required and made inaccessible.
       Source: CSA Health Information Management WG, “Telehealth Risk management”, June 10, 2021
  • 26. 4. Cloud-Native Security on Telehealth @CSA (4)
       Cybersecurity and Privacy Risk Relationship
       Source: CSA Health Information Management WG, “Telehealth Risk management”, June 10, 2021
  • 27. 4. Cloud-Native Security on Telehealth @CSA (5)
       Data Lifecycle and Cybersecurity (1) (Phase: Considerations)
         1. Create:
            ・Any created data should fulfill a clear business need.
            ・HDOs must have consent to collect PHI or PII.
            ・Data creation regulatory requirements depend on where data is created.
            ・GDPR requires security be built in at the time of data creation.
            ・HIPAA requires protection for all PHI from inception to destruction.
            ・Data must be created in a secure environment.
         2. Store:
            ・Data owners must determine where data originated and where it is stored.
            ・Service providers must protect cloud data (including access control and encryption).
            ・CSP should have a secure architecture that utilizes standard security best practices. (e.g. robust monitoring, auditing, and alerting capability)
            ・Data loss prevention system can help identify who is using the data and their location.
            ・CSP should complete a third party assessment and offer to share that insight with the HDO.
       Source: CSA Health Information Management WG, “Telehealth Risk management”, June 10, 2021
  • 28. 4. Cloud-Native Security on Telehealth @CSA (6)
       Data Lifecycle and Cybersecurity (2) (Phase: Considerations)
         3. Use:
            ・Geography determines the regulatory requirements for both stored and processed data. (e.g. Telehealth solutions allow patients to access data from anywhere with internet access.) Organizations should use federation and multifactor authentication whenever possible to access data.
            ・Identity and Access Management (IAM) is a vital part of securing data in use.
            ・Organizations should consider using an Application Programming Interface (API), which requires digital signatures to ensure security.
         4. Share:
            ・When data sharing is required, the organization responsible for the data must ensure its security. IAM is critical for data security.
            ・Enact a Data Loss Prevention (DLP) program to discover, monitor, and protect data with regulatory or compliance implications in transit and at rest across the network, storage, and endpoints. Sharing requires data transmission from the cloud to all applicable data users.
            ・Encrypt data while in transit and use a secure protocol.
       Source: CSA Health Information Management WG, “Telehealth Risk management”, June 10, 2021
  • 29. 4. Cloud-Native Security on Telehealth @CSA (7)
       Data Lifecycle and Cybersecurity (3) (Phase: Considerations)
         5. Archive:
            ・Essential data that does not require frequent access or modification often resides in a data archive.
            ・Archiving data provides many benefits, especially in terms of efficiency.
            ・Encrypt archived data and control access to the information.
            ・Keep personal data or healthcare data only if required for its original, intended purpose.
         6. Destroy:
            ・Since cloud data exists in a shared, dispersed environment, typical data deletion and destruction methods (such as wiping) cannot ensure all data copies are destroyed.
            ・Encryption, followed by key destruction, is the best guarantee to ensure responsible data removal.
       Source: CSA Health Information Management WG, “Telehealth Risk management”, June 10, 2021
  • 30. 5. Conclusions
       1. Adoption of NIST Cybersecurity Framework in Emerging Telehealth Services
       2. Next Challenge: Integration of Telehealth with Smart Home
       3. Privacy/Data Protection by Design: Agreement with Cloud Telehealth Providers
       4. Cloud-Native Security with Continuous Data Lifecycle Management