As more organizations shift away from on-premise architectures toward the cloud or hybrid hosting models, critical cybersecurity concerns emerge. Organizations, especially health systems, should carefully examine the shared responsibility model in partnership with their cloud vendor. Kevin Scharnhorst, Health Catalyst Chief Information Security Officer, shares perspectives on how your organization’s security program, through adherence to standards-based policy and procedures, can align with your cloud vendor on reduced organizational risk.

1. © 2021 Health Catalyst
Cloud Cybersecurity:
Strategies for Managing Vendor Risk
Kevin Scharnhorst, CISSP, CISM
Chief Information Security Officer, Health Catalyst
February 10, 2021

2. Agenda
Cloud Shared Responsibility Model
In a cloud vendor/ partner relationship, who has responsibility
for what? Who is ultimately accountable for a security
compromise or breach?
Vendor Risk Evaluation
With so many cloud vendors to choose from, what factors go
into a final decision? What risks do you consider? What risk
management strategies should be considered?
Security Policy and Procedures
Where do you start with building a Security Program? What
standards does your organization align to? What regulatory
frameworks need to be considered?
Compliance
What considerations should be given to compliance? What
audits and certifications can help? Are there strategies to
consider with alignment to vendor audits and certifications?
The Journey
What You’ll Learn
Improvement is continuous. What does the outlook look like for
organizations beginning the journey at various maturity levels?
What’s At Risk?
We will look at a historical view of past and current breaches
that establish the importance of a shared security model
between organizations and their vendors.

3. What is at Risk?

4. 23 19.1
127.7
35.7
222.5
16.2 22.9 17.3
91.98
85.61
169.07
36.6
197.61
471.23
164.68
300.5
157
321
446
656
498
662
419 447
614
783 781
1093
1632
1257
1473
1108
0
200
400
600
800
1000
1200
1400
1600
1800
2
0
0
5
2
0
0
6
2
0
0
7
2
0
0
8
2
0
0
9
2
0
1
0
2
0
1
1
2
0
1
2
2
0
1
3
2
0
1
4
2
0
1
5
2
0
1
6
2
0
1
7
2
0
1
8
2
0
1
9
2
0
2
0
Data
breaches
&
records
exposed
in
millions
Data Beaches and Records Exposed Over Years
Millions of Records Exposed Data Breaches
Graph sourced from Identity Theft Resource Center, January 2021
Statistics and predictions for 2021 from Cybersecurity Ventures
• More than 93% of healthcare
organizations experienced a data
breach between 2017 and 2020.
• More than 57% have had more
than 5 data breaches during the
same time frame.
• Predictions for 2021 estimate
breaches at a pace of 2-3x more
than 2020.
• Ransomware attacks are
predicted to grow by 5x in 2021.
U.S. Annual Data Breaches and Exposed Records 2005–2020
(Millions)
4

5. Breaches with greater than 30,000 records
World’s Biggest Data Breaches & Hacks
Graph sourced from https://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks
5

6. Breaches with greater than 30,000 records
World’s Biggest Data Breaches Within Healthcare in 2020
Graph sourced from https://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks
6

7. That is the goal, but…
If you and your vendor, suffered
a material data breach, could
you together logically defend
your combined cybersecurity
practices to a very emotional
audience?
The Ultimate Goal is to Stay Out of the Bad Headlines
7

8. The Cloud Shared Responsibility Model

9. Image source from researchgate.net
• Confidentiality – Keeping sensitive information
private (PHI, PII, IP, etc). The goal being to
prevent or minimize unauthorized access to data.
• Integrity – Protects the reliability and correctness
of data. To be maintained, objects must retain
their veracity and be intentionally modified by
only authorized subjects.
• Availability – Authorized subjects are granted
timely and uninterrupted access to systems,
networks and data needed to perform daily
tasks.
The CIA Triad Is the Overarching Shared Goal and Objective
9

10. Types of Cloud Services
Applications
Database
O/S
Virtualization
Servers
Storage
Networking
Infrastructure
Hardware
Data
Client
On-Premise
Infrastructure
Hardware
Applications
Database
O/S
Virtualization
Servers
Storage
Networking
Data
Client
Vendor
IaaS
Virtualization
Servers
Storage
Networking
Infrastructure
Hardware
Applications
Database
O/S
Data
Client
Vendor
PaaS
Applications
Database
O/S
Virtualization
Servers
Storage
Networking
Infrastructure
Hardware
Data
Vendor
SaaS
10

11. SaaS
PaaS
IaaS
Web
Applications
Analytic
Accelerators
Dashboards
Networking
Storage
Virtualization
Servers
Analytic Engine
Metadata
Data
Security
Machine Learning
A Closer Look with the Health Catalyst Data Operating System (DOSTM)
11

12. • Health Catalyst Data Operating System
(DOSTM) is offered as a Platform as a Service
(PaaS) moving to SaaS.
• Relies on a shared security model where all
layers above the Operating System (OS) level
involves the partner to manage some
aspect.
• On premise components such as source
systems, IPSec tunnels, point of contact, etc.
are responsibilities not depicted that are
retained by the customer.
An Overview of the Cloud Shared Responsibility Model Using DOSTM
12

13. Security Policy and Procedures

14. • To build a comprehensive Information Security
Management Program (or system) (ISMS) that
considers layered security controls, you must
FIRST know your business and its assets you wish
to protect.
• Once identified, consider a strategy for how you
will classify or label those assets.
• What vulnerabilities exist that are a threat to the
assets you want to protect? Who is responsible to
protect it? Who is accountable to protect them?
• Risk management is at the core of a good
Information Security Program.
Know Your “What” and “Why” Before You Consider “How”
14

15. What Is the Risk (R) ?
Inventory
Vulnerabilities
Threats
Exposure
Compensating Controls
ƒ ( )
R = Likelihood X Business Impact
Confidentiality
Integrity
Availability
15

16. • Security policies and standards are
arguably the most important aspect of any
security program.
• When written and communicated
correctly, it informs staff, vendors and
contractors of acceptable conduct within
the work environment.
• Process documentation provides
instruction for how compliance is achieved
and evidenced.
Compliance Examines An Organization’s Security Processes
16

17. • Security is a clear set of technical systems and
tools and processes which are put in place to
protect and defend the organization’s
information and technology assets.
• Always consider the people, processes and
technologies that are involved with your assets.
• When Compliance and Security align in a
systematic and controlled way, that is the first
step toward reducing risk.
Security Aims To Protect Information and Technology Assets
17

18. The Challenge in Achieving Perfect Balance
• Information agility and security are inversely
proportional, opposing forces.
• Maximizing one, minimizes the other.
• Finding the perfect balance between the two
is an art, not a science.
• Where a clear decision between the two does
not exist, let your risk appetite inform.
• When your organization and vendor cannot
align, let your regulatory compliance
frameworks guide the path forward.
18

19. Compliance

20. What regulatory frameworks apply to your organization? Select all the apply.
• HIPAA – 85.71%
• PCI DSS – 34.29%
• GDPR – 25.71%
• State Based Data Privacy framework (CCPA) – 28.57%
• Unknown – 14.29%
Poll Question #1
20

21. Considering your vendors, what is the MOST IMPORTANT certifications you consider?
• SOC 2 – 14.29%
• HITRUST CSF – 34.29%
• ISO 27001/2 – 14.29%
• My organization’s own risk assessment process – 11.43%
• Unsure – 25.71%
Poll Question #2
21

22. Common Compliance Frameworks
22

23. Image Source - Image source - https://mindmajix.com/cyber-security-frameworks
Well-known Cyber Security Frameworks
23

24. Compliance Audits and Certifications
SOC Reports are Service Organization Control Reports that deal with managing
financial or personal information at a company. There are three different SOC
Reports. SOC 1 and SOC 2 are different types with SOC 1 applying to financial
information controls, while SOC 2 compliance and certification covers personal
user information. SOC 3 Reports are publicly accessible, so they do not include
confidential information about the company. These reports apply for a specific
period, and new reports consider any earlier findings.
The American Institute for Chartered Public Accountants (AICPA) defined them
as part of SSAE 18.
https://phoenixnap.com/blog/security-vs-compliance
24

25. Compliance Audits and Certifications
ISO 27001/2 certifications are globally recognized, standards-based approach to
security that outlines requirements for an organization’s Information Security
Management System (ISMS).
The HITRUST CSF leverages nationally and internationally accepted standards
including ISO, NIST, PCI and HIPAA to ensure a comprehensive set of baseline security
controls. The CSF normalizes these security requirements and provides clarity and
consistency, reducing the burden of compliance with the varied requirements that
apply to organizations.
Measures the compliance with HIPAA and offers the assurance that the organization
has a HIPAA-compliance program with adequate measures for saving, accessing, and
sharing individual medicaland personal information.
25

26. Vendor Risk Evaluation

27. • Non-Disclosure Agreements (NDAs)
• Business Associate Agreements (BAAs)
• Data Use Agreements (DUAs)
• Service Level Agreements (SLAs)
• Operational Level Agreements (OLAs)
• Compliance Audits and Certifications
Vendor / Partner Considerations
27

28. • Internal GRC teams audit and assess
organizational risks
• Independent third-party auditors offer external
perspective and offer credibility.
• Perform compliance and risk assessment on your
vendor supply chain
• Value certifications that overlap between vendor
and your organization
Internal, External and Vendor Risk Assessments
28

29. Coming Back Full Circle….
• Where are your shared responsibilities?
• Do your and your vendors compliance
frameworks align?
• Do your certification strategies align to
hopefully minimize your own efforts for
certifications?
• How will you assess alignment and track
shared risk (misalignment)?
29

30. Image Source - https://quotefancy.com/
The Journey is Continuous….Embrace It
30

31. If you would like to learn more about Health Catalyst products and services, please answer
this poll question:
• Yes
• No
Poll Question #3
31

32. Questions?
Kevin Scharnhorst, CISSP, CISM
Chief Information Security Officer, Health Catalyst
kevin.scharnhorst@healthcatalyst.com