Minimizing Cloud Security Risks
UPMC's John Houston and Accenture's Ira 'Gus' Hunt on Monitoring Service Providers
Healthcare organizations need to take bold steps to help ensure that their cloud services providers are effectively protecting patient data. That's the advice of John Houston, CISO of UPMC, formerly known as University of Pittsburgh Medical Center, and Ira "Gus" Hunt, a security specialist at the consultancy Accenture Federal Services.
"Historically, healthcare providers had direct control and responsibility for securing their information," Houston notes in a joint interview with Hunt. "But now we are moving to an environment where we have to rely upon others to secure information. And, unfortunately, the biggest challenge in respect to that is we're dealing with many different cloud services providers, whether they're SaaS [software as a service] or otherwise."
A major challenge for healthcare organizations is ensuring that information remains secure when so many third parties have access to it, the CISO says. To help address the challenge, UPMC has worked with a group of other healthcare provider organizations to form the Provider Third-Party Risk Management Council.
"What we're pushing as a group is that if you want to do business with us ... you want to deliver services to us through the cloud, you have to be HITRUST-certified," Houston says.
HITRUST is best known for its Common Security Framework.
"HITRUST certification allows for us to have a high level of confidence that you have a mature security program based on industry approved and proven security frameworks," Houston says.
Hunt calls on all healthcare organizations to hold their cloud vendors accountable.
"At a minimum, the vendors in the healthcare market are going to have to ensure that ... all data is encrypted at rest and in transit," he says. "Healthcare software, whether it's in the cloud or in a data center - you have to have really strict role-based access controls," such as multifactor authentication, he adds.
Hunt also recommends that patient information - no matter where it resides - "should be tokenized and segmented so that it makes it very tough for an adversary who gets into the system to walk out with all the data in the system."
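The tokenize-and-segment idea Hunt describes can be made concrete with a small vault model. The following is an added illustration written for this page, not code from UPMC, Accenture or the interview; it assumes an in-memory `TokenVault` standing in for a separately deployed, separately credentialed store, and the sample patient records are constructed, fictional data. The point it demonstrates is that an adversary who dumps only the record store gets random tokens in place of identifiers and still has to breach a second segment (the vault) to recover them.

```python
import secrets

# Constructed sample records (fictional, for illustration only).
SAMPLE_RECORDS = [
    {"mrn": "MRN-0001", "name": "Ada Example", "dob": "1970-01-01", "dx": "J45.9"},
    {"mrn": "MRN-0002", "name": "Bob Sample", "dob": "1985-06-15", "dx": "E11.9"},
]

# Fields treated as direct identifiers; these never reach the record store in clear.
SENSITIVE_FIELDS = ("mrn", "name", "dob")
TOKEN_PREFIX = "tok_"


class TokenVault:
    """Token -> original value mapping.

    In a real deployment this lives in its own segment (separate database,
    separate network zone, separate credentials, separate audit trail) so that
    compromising the record store alone does not yield identifiers.
    """

    def __init__(self):
        self._by_token = {}
        self._by_value = {}  # same input value -> same token (keeps joins working)

    def tokenize(self, value: str) -> str:
        if value in self._by_value:
            return self._by_value[value]
        # Random token: nothing about the original value can be derived from it.
        token = TOKEN_PREFIX + secrets.token_urlsafe(16)
        self._by_token[token] = value
        self._by_value[value] = token
        return token

    def detokenize(self, token: str) -> str:
        # Raises KeyError for unknown tokens rather than guessing.
        return self._by_token[token]


def tokenize_record(record: dict, vault: TokenVault) -> dict:
    """Return a copy of the record with identifier fields replaced by tokens."""
    out = dict(record)
    for field in SENSITIVE_FIELDS:
        if field in out:
            out[field] = vault.tokenize(out[field])
    return out


def detokenize_record(record: dict, vault: TokenVault) -> dict:
    """Reverse tokenize_record; only callable by code holding vault access."""
    out = dict(record)
    for field in SENSITIVE_FIELDS:
        if field in out:
            out[field] = vault.detokenize(out[field])
    return out


def build_stores(records):
    """Split plaintext records into (vault, record_store)."""
    vault = TokenVault()
    record_store = [tokenize_record(r, vault) for r in records]
    return vault, record_store


def exposed_fields(record_store) -> set:
    """Fields still readable in a dump of the record store alone."""
    exposed = set()
    for rec in record_store:
        for field, value in rec.items():
            if not str(value).startswith(TOKEN_PREFIX):
                exposed.add(field)
    return exposed


if __name__ == "__main__":
    vault, store = build_stores(SAMPLE_RECORDS)
    print("record store:", store)
    print("readable without the vault:", exposed_fields(store))
    print("with vault access:", detokenize_record(store[0], vault))
```

Two design choices matter here. Tokens are random rather than a hash of the value, so a stolen record store cannot be attacked by hashing guessed names or MRNs offline. Mapping each distinct value to one token keeps records joinable across tables, which is the usual operational requirement, but it also means an attacker holding the record store can still see that two rows belong to the same patient; if that linkage is itself sensitive, issue per-record tokens instead.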
In this joint interview with Information Security Media Group, Houston and Hunt also discuss:
- Key challenges involving private versus public cloud services in healthcare;
- Steps to defend against ransomware and other attacks;
- The promise of blockchain.
Houston is UPMC's vice president of information security and privacy and also serves as associate counsel. He's a co-founder of the Provider Third-Party Risk Management Council, which develops and promotes practices to effectively manage information security-related risks in the healthcare provider supply chain.
Hunt is managing director and cyber strategy lead for Accenture Federal Services. He was previously chief architect and the head of strategic external partnerships for the hedge fund Bridgewater Associates. Hunt retired in 2013 as the chief technology officer for the Central Intelligence Agency, where he served for 28 years. As CTO, he was responsible for setting the CIA's information technology strategic direction and technology investment plan.