1. Cloud-Native Security on Digital Health
-Telehealth Use Case-
GVHS 2022 on December 9, 2022
EIJI SASAHARA, PH.D., MBA
HEALTHCARE CLOUD INITIATIVE, NPO
CLOUD SECURITY ALLIANCE
HEALTH INFORMATION MANAGEMENT WG
2. AGENDA
1. Cybersecurity on Telehealth @NIST
2. Cybersecurity on Telehealth x Smart Home @NIST
3. Cloud-Native Privacy/Data Protection on Telehealth @CSA
4. Cloud-Native Security on Telehealth @CSA
5. Conclusions
https://www.linkedin.com/in/esasahara
https://www.facebook.com/esasahara
https://twitter.com/esasahara
3. 1. Cybersecurity on Telehealth @NIST (1)
“NIST SP1800-30 Securing Telehealth Remote Patient
Monitoring Ecosystem”, February 22, 2022
https://csrc.nist.gov/publications/detail/sp/1800-30/final
SP 1800-30A: Executive Summary
SP 1800-30B: Approach, Architecture, and Security
Characteristics
1. Summary
2. How to Use This Guide
3. Approach
4. Architecture
5. Security and Privacy Characteristic Analysis
6. Functional Evaluation
7. Future Build Considerations
SP 1800-30C: How-To Guides
Source: “NIST SP 1800-30: Securing Telehealth Remote Patient Monitoring Ecosystem”, February 22, 2022
8. 2. Cybersecurity on Telehealth x Smart Home @NIST (1)
NIST “Mitigating Cybersecurity Risk in Telehealth Smart Home Integration: Cybersecurity for the Healthcare Sector”, August 29, 2022
https://csrc.nist.gov/publications/detail/white-paper/2022/08/29/mitigating-cyber-risk-in-telehealth-smart-home-integration/final
Objective: identify and mitigate cybersecurity and privacy risks arising from patient use of smart home devices that interface with patient information systems.
Planned output: a practice guide that describes a reference architecture for smart home integration with healthcare systems as part of a telehealth program.
References:
“NIST IR 8259: Foundational Cybersecurity Activities for IoT Device Manufacturers”, May 29, 2020
https://www.nist.gov/publications/foundational-cybersecurity-activities-iot-device-manufacturers
“NIST IR 8259A: IoT Device Cybersecurity Capability Core Baseline”, May 29, 2020
https://www.nist.gov/publications/iot-device-cybersecurity-capability-core-baseline
“NIST IR 8259B: IoT Non-Technical Supporting Capability Core Baseline”, August 25, 2021
https://csrc.nist.gov/publications/detail/nistir/8259b/final
9. 2. Cybersecurity on Telehealth x Smart Home @NIST (2)
Components of Architecture
• Patient Home Environment: Smart Home Devices, Personal Firewall, Wireless Access Point Router, Internet Router
• Cloud Service Provider Environment: Voice Assist Platform, Cloud Platform
• Healthcare Technology Integration Solution Environment: Telehealth Integration Applications
• Health Delivery Organization (HDO) Environment: Electronic Health Record (EHR) System, Patient Portal, Network Access Control, Network Firewall, VPN
• Telehealth Ecosystem Actors: Patients, HDO Clinicians, Support/Maintenance Staff
10. 2. Cybersecurity on Telehealth x Smart Home @NIST (3)
High-Level Architecture
Source: National Institute of Standards and Technology (NIST), “[Project Description] Mitigating Cybersecurity Risk in Telehealth Smart Home Integration: Cybersecurity for the Healthcare Sector” (August 29, 2022)
https://csrc.nist.gov/publications/detail/white-paper/2022/08/29/mitigating-cyber-risk-in-telehealth-smart-home-integration/final
11. 2. Cybersecurity on Telehealth x Smart Home @NIST (4)
Scenario 1: Patient Visit Scheduling
12. 2. Cybersecurity on Telehealth x Smart Home @NIST (5)
Scenario 2: Patient Prescription Refill
13. 2. Cybersecurity on Telehealth x Smart Home @NIST (6)
Scenario 3: Patient Regimen Check-In
14. 2. Cybersecurity on Telehealth x Smart Home @NIST (7)
Security Control Map: NIST SP 800-53 Revision 5 controls, mapped to
• IEC TR 80001-2-2
• HIPAA Security Rule
• ISO/IEC 27001
15. 3. Cloud-Native Privacy/Data Protection on Telehealth @CSA(1)
Cloud Security Alliance Health Information Management WG,
“Telehealth Data in the Cloud”, June 16, 2020
https://cloudsecurityalliance.org/artifacts/telehealth-data-in-the-cloud/
[Contents]
Introduction
Privacy Concerns
Security Concerns
Governance
Compliance
Confidentiality
Integrity
Availability
Incident Response and Management
Maintaining a Continuous Monitoring Program
Conclusion
References
Source: CSA Health Information Management WG, “Telehealth Data in the Cloud”, June 16, 2020
16. 3. Cloud-Native Privacy/Data Protection on Telehealth @CSA(2)
Considerations for Health Delivery Organizations (HDOs) regarding a Telehealth Agreement with a Cloud Provider:
Key Questions
1. Does the telehealth provider (TP) describe the purpose(s) for which PHI is collected, used, maintained, and shared in its privacy notices?
2. Does the TP have, disseminate, and implement operational privacy policies and procedures that govern the appropriate privacy and security controls for programs, information systems, or technologies involving PHI?
3. Has the TP conducted a privacy impact assessment, and are they willing to share it?
4. Does the HDO have privacy roles, responsibilities, and access requirements for contractors and service providers?
5. Does the TP monitor and audit privacy controls and internal privacy policies to ensure effective implementation?
6. Does the TP design information systems to support privacy by automating privacy controls?
17. 3. Cloud-Native Privacy/Data Protection on Telehealth @CSA(3)
Key Questions (continued)
7. Does the TP maintain an accurate accounting of disclosures of information held in each system of records under its control, including:
   a. Date, nature, and purpose of each disclosure of a record.
   b. Name and address of the person or organization to which the disclosure was made.
   c. The identity of who authorized the disclosure.
8. Does the TP document processes to ensure the integrity of PHI through existing security controls?
9. Does the TP identify the minimum PHI elements relevant and necessary to accomplish the legally authorized purpose of collection?
10. Does the TP provide means for individuals to authorize the collection, use, maintenance, and sharing of PHI before its collection?
11. Does the TP have a process for receiving and responding to complaints, concerns, or questions from individuals about organizational privacy practices?
12. Does the TP provide sufficient notice to the public and to individuals regarding its activities that impact privacy (e.g., collection, use, sharing, safeguarding, maintenance, and disposal of PHI)?
13. Does the TP share PHI externally?
18. 3. Cloud-Native Privacy/Data Protection on Telehealth @CSA(4)
Governance: Key Questions
1. Does the service provider’s service-level agreement (SLA) clearly define how the service provider protects the confidentiality, integrity, and availability of all customer information?
2. Does the service provider’s SLA specify that the HDO will retain ownership of its data?
3. Will the service provider use the data for any purpose other than service delivery?
4. Is the service provider’s service dependent on any third-party stakeholders?
Compliance: Key Questions
1. Does the cloud service provider allow the HDO to directly audit the implementation and management of the security measures in place to protect the service and the data it holds?
2. Will the service provider allow the HDO to review recent audit reports thoroughly?
3. Is the service provider HIPAA compliant?
4. Does the service provider comply with the GDPR?
19. 3. Cloud-Native Privacy/Data Protection on Telehealth @CSA(5)
Confidentiality: protecting data from improper disclosure
Key Questions
1. Authentication and Access Control
   a. Does the HDO have an identity management strategy that supports the adoption of cloud services?
   b. Is there an effective internal process that ensures that identities are managed and protected throughout their lifecycles?
   c. Is there an effective audit process to ensure that user accounts are appropriately managed and protected? Does the service provider meet those control requirements?
   d. Are all passwords encrypted, especially those of system/service administrators?
   e. Is multi-factor authentication required, and, if so, is it available?
   f. Do authentication and access control extend to devices?
2. Multi-Tenancy
   g. Will the service provider allow the HDO to review a recent third-party audit report that includes an assessment of the security controls and practices related to virtualization and separation of customer data?
   h. Do the service provider’s customer registration processes provide an appropriate level of assurance based on the criticality and sensitivity of the information in the cloud service?
20. 3. Cloud-Native Privacy/Data Protection on Telehealth @CSA(6)
Confidentiality: Key Questions (continued)
3. Patch and Vulnerability Management
   i. Is the service provider responsible for patching all components that make up the cloud service?
   j. Does the service provider’s SLA include service levels for patch and vulnerability management that comprise a defined maximum exposure window?
   k. Does the HDO currently have an effective patch and vulnerability management process?
   l. Will the service provider allow the HDO to perform regular vulnerability assessments?
4. Encryption
   m. Does the service provider encrypt the information placed in the cloud service both at rest and in transit?
   n. Does the cloud service use only approved encryption protocols and algorithms (as defined in Federal Information Processing Standard (FIPS) 140-2)?
   o. Which party is responsible for managing the cryptographic keys?
   p. Are there separate keys for each customer?
5. Data Persistence
   q. Does the service provider have an auditable process for the secure sanitization of storage media before it is made available to another customer?
   r. Does the service provider have an auditable process for safe disposal or destruction of equipment and storage media containing customer data?
21. 3. Cloud-Native Privacy/Data Protection on Telehealth @CSA(7)
Integrity: maintenance of data over its full lifecycle with the assurance that it is accurate and consistent
Key Questions
1. Does the service provider provide data backup or archiving services as part of their standard service offering to protect against data loss or corruption?
2. How are data backup and archiving services provided?
3. Does the data backup or archiving service adhere to business requirements related to protection against data loss?
4. What level of granularity does the service provider offer for data restoration?
5. Does the service provider regularly perform test restores to ensure that data is recoverable from backup media?
22. 3. Cloud-Native Privacy/Data Protection on Telehealth @CSA(8)
Availability: ability to ensure that required data is always accessible when and where needed
Key Questions
1. Does the SLA include an expected and minimum availability performance percentage over a clearly defined period?
2. Does the SLA include defined, scheduled outage windows?
3. Does the service provider utilize protocols and technologies that can protect against distributed denial-of-service (DDoS) attacks?
4. Do the network services directly managed or subscribed to by the HDO provide sufficient levels of availability?
5. Do the network services directly managed or subscribed to by the HDO provide an adequate level of redundancy/fault tolerance?
6. Do the network services directly managed or subscribed to by the HDO provide an adequate level of bandwidth?
7. Is the latency between the HDO network(s) and the service provider’s service at levels acceptable to achieve the desired user experience?
23. 4. Cloud-Native Security on Telehealth @CSA(1)
Cloud Security Alliance Health Information Management WG, “Telehealth Risk Management”, June 10, 2021
[Contents]
Introduction
Governance
Privacy
Security
Conclusion
Reference
Source: CSA Health Information Management WG, “Telehealth Risk Management”, June 10, 2021
24. 4. Cloud-Native Security on Telehealth @CSA(2)
Information Governance: establish the system, strategy, policies, procedures, guidelines, laws, and regulations that HDOs must adhere to.
25. 4. Cloud-Native Security on Telehealth @CSA(3)
Data Lifecycle:
1. Create: Data is generated, acquired, or modified.
2. Store: Data is committed to a storage repository.
3. Use: Data is processed, viewed, or used in any other sort of activity.
4. Share: Data or information is made accessible to others.
5. Archive: Data is placed in long-term storage, per data retention guidelines and legal obligations.
6. Destroy: Data is no longer required and made inaccessible.
26. 4. Cloud-Native Security on Telehealth @CSA(4)
Cybersecurity and Privacy Risk Relationship
27. 4. Cloud-Native Security on Telehealth @CSA(5)
Data Lifecycle and Cybersecurity (1)
1. Create:
• Any created data should fulfill a clear business need.
• HDOs must have consent to collect PHI or PII.
• Data creation regulatory requirements depend on where data is created.
• GDPR requires security be built in at the time of data creation.
• HIPAA requires protection for all PHI from inception to destruction.
• Data must be created in a secure environment.
2. Store:
• Data owners must determine where data originated and where it is stored.
• Service providers must protect cloud data (including access control and encryption).
• The CSP should have a secure architecture that utilizes standard security best practices (e.g., robust monitoring, auditing, and alerting capability).
• A data loss prevention system can help identify who is using the data and their location.
• The CSP should complete a third-party assessment and offer to share that insight with the HDO.
28. 4. Cloud-Native Security on Telehealth @CSA(6)
Data Lifecycle and Cybersecurity (2)
3. Use:
• Geography determines the regulatory requirements for both stored and processed data (e.g., telehealth solutions allow patients to access data from anywhere with internet access).
• Organizations should use federation and multi-factor authentication for data access whenever possible.
• Identity and Access Management (IAM) is a vital part of securing data in use.
• Organizations should consider exposing data through an Application Programming Interface (API) that requires digitally signed requests.
4. Share:
• When data sharing is required, the organization responsible for the data must ensure its security; IAM is critical for data security.
• Enact a Data Loss Prevention (DLP) program to discover, monitor, and protect data with regulatory or compliance implications, in transit and at rest, across the network, storage, and endpoints.
• Sharing requires data transmission from the cloud to all applicable data users: encrypt data while in transit and use a secure protocol.
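The "Use" and "Share" considerations above ask for an API that accepts only digitally signed requests. The Go program below is an added example, not code from the CSA paper or from any telehealth product, showing the whole exchange: the client signs the HTTP method, path, a timestamp and a SHA-256 of the body with an Ed25519 key; the server-side verifier looks up the caller's registered public key by key ID, rejects requests outside a replay window, and rejects any request whose body or path changed after signing. The key ID "hdo-integration-1", the path and the JSON body are constructed for the demo.

```go
package main

// Added example: Ed25519-signed API requests with a replay window.
// Key IDs, paths and the JSON body below are constructed for the demo.

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strconv"
	"time"
)

var (
	ErrUnknownKey   = errors.New("unknown key id")
	ErrStale        = errors.New("timestamp outside replay window")
	ErrBadSignature = errors.New("signature verification failed")
)

// SignedRequest is what the client sends; KeyID tells the verifier which
// registered public key to use (one key pair per integration, assumed).
type SignedRequest struct {
	KeyID     string
	Method    string
	Path      string
	Timestamp int64 // Unix seconds; bounds the replay window
	Body      []byte
	Signature []byte
}

// canonical returns the exact bytes that are signed: method, path, timestamp
// and a SHA-256 of the body, so changing any of them invalidates the signature.
func canonical(r *SignedRequest) []byte {
	bodyHash := sha256.Sum256(r.Body)
	return []byte(r.Method + "\n" + r.Path + "\n" +
		strconv.FormatInt(r.Timestamp, 10) + "\n" + hex.EncodeToString(bodyHash[:]))
}

// Sign builds a request and signs its canonical form with the client's private key.
func Sign(priv ed25519.PrivateKey, keyID, method, path string, body []byte, now time.Time) *SignedRequest {
	r := &SignedRequest{KeyID: keyID, Method: method, Path: path, Timestamp: now.Unix(), Body: body}
	r.Signature = ed25519.Sign(priv, canonical(r))
	return r
}

// Verifier is the server side: registered public keys and the accepted clock skew.
type Verifier struct {
	Keys   map[string]ed25519.PublicKey
	MaxAge time.Duration
}

// Verify checks key registration, then freshness, then the signature.
func (v *Verifier) Verify(r *SignedRequest, now time.Time) error {
	pub, ok := v.Keys[r.KeyID]
	if !ok {
		return ErrUnknownKey
	}
	age := now.Sub(time.Unix(r.Timestamp, 0))
	if age < 0 {
		age = -age
	}
	if age > v.MaxAge {
		return ErrStale
	}
	if !ed25519.Verify(pub, canonical(r), r.Signature) {
		return ErrBadSignature
	}
	return nil
}

// Demo signs one refill request and returns the verifier's verdict for the
// genuine request, a copy with a tampered body, and a replay an hour later.
func Demo() (valid, tampered, replayed error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	v := &Verifier{Keys: map[string]ed25519.PublicKey{"hdo-integration-1": pub}, MaxAge: 5 * time.Minute}
	now := time.Unix(1700000000, 0)
	body := []byte(`{"patientId":"demo-123","refill":"rx-456"}`) // constructed sample
	req := Sign(priv, "hdo-integration-1", "POST", "/v1/prescriptions/refill", body, now)

	valid = v.Verify(req, now.Add(30*time.Second))

	forged := *req // same signature, different body
	forged.Body = []byte(`{"patientId":"demo-999","refill":"rx-456"}`)
	tampered = v.Verify(&forged, now.Add(30*time.Second))

	replayed = v.Verify(req, now.Add(time.Hour)) // outside the 5-minute window
	return valid, tampered, replayed
}

func main() {
	valid, tampered, replayed := Demo()
	fmt.Println("genuine:", valid)
	fmt.Println("tampered:", tampered)
	fmt.Println("replayed:", replayed)
}
```

Carrying a key ID rather than the key itself lets the HDO rotate one integration's key pair without touching the others. The timestamp check only narrows the replay window; a verifier that must reject a repeated request inside that window also needs a short-lived cache of seen signatures, which this example leaves out.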
29. 4. Cloud-Native Security on Telehealth @CSA(7)
Data Lifecycle and Cybersecurity (3)
5. Archive:
• Essential data that does not require frequent access or modification often resides in a data archive.
• Archiving data provides many benefits, especially in terms of efficiency.
• Encrypt archived data and control access to the information.
• Keep personal data or healthcare data only if required for its original, intended purpose.
6. Destroy:
• Since cloud data exists in a shared, dispersed environment, typical data deletion and destruction methods (such as wiping) cannot ensure all data copies are destroyed.
• Encryption, followed by key destruction, is the best guarantee to ensure responsible data removal.
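Two points from this deck combine into one pattern: separate keys for each customer (Confidentiality question p in the "Telehealth Data in the Cloud" checklist) and, for the Destroy phase, encryption followed by key destruction as the only reliable deletion in shared cloud storage. The Go program below is an added example, not the CSA paper's code. It implements envelope encryption: every record gets a fresh AES-256-GCM data-encryption key (DEK), which is wrapped under a per-tenant key-encryption key (KEK). Deleting the tenant KEK leaves every ciphertext and wrapped DEK in place yet unrecoverable, while other tenants are unaffected. Tenant IDs and record contents are constructed, and KEKs live in memory only as a demo assumption; in production they belong in a KMS or HSM.

```go
package main

// Added example: per-tenant envelope encryption with crypto-shredding. KEKs are
// held in memory only for the demo (assumption); production keeps them in a KMS/HSM.

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

var ErrKeyDestroyed = errors.New("tenant key destroyed: records are cryptographically shredded")

// Record holds the record's DEK wrapped under the tenant KEK, plus the ciphertext.
type Record struct{ WrappedDEK, Ciphertext []byte }

// Store maps each tenant (customer) to its own KEK and its encrypted records.
type Store struct {
	keks    map[string][]byte
	records map[string][]Record
}

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := io.ReadFull(rand.Reader, b); err != nil {
		panic(err)
	}
	return b
}

// gcm builds the AEAD; with the 32-byte keys used here the errors cannot occur.
func gcm(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	g, err := cipher.NewGCM(block)
	if err != nil {
		panic(err)
	}
	return g
}

// seal encrypts with AES-256-GCM and prepends the random nonce.
func seal(key, plaintext []byte) []byte {
	g := gcm(key)
	nonce := randomBytes(g.NonceSize())
	return g.Seal(nonce, nonce, plaintext, nil)
}

// open reverses seal; the GCM tag check rejects tampered ciphertext.
func open(key, sealed []byte) ([]byte, error) {
	g := gcm(key)
	if len(sealed) < g.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return g.Open(nil, sealed[:g.NonceSize()], sealed[g.NonceSize():], nil)
}

// Put encrypts the record under a fresh DEK and wraps that DEK with the tenant KEK,
// creating the KEK on first use (one key per customer).
func (s *Store) Put(tenant string, plaintext []byte) {
	kek, ok := s.keks[tenant]
	if !ok {
		kek = randomBytes(32)
		s.keks[tenant] = kek
	}
	dek := randomBytes(32)
	s.records[tenant] = append(s.records[tenant],
		Record{WrappedDEK: seal(kek, dek), Ciphertext: seal(dek, plaintext)})
}

// Get fails with ErrKeyDestroyed once the KEK is gone, although the wrapped DEK
// and the ciphertext are still stored.
func (s *Store) Get(tenant string, i int) ([]byte, error) {
	kek, ok := s.keks[tenant]
	if !ok {
		return nil, ErrKeyDestroyed
	}
	dek, err := open(kek, s.records[tenant][i].WrappedDEK)
	if err != nil {
		return nil, err
	}
	return open(dek, s.records[tenant][i].Ciphertext)
}

// Shred discards the tenant KEK; no ciphertext has to be wiped to become unrecoverable.
func (s *Store) Shred(tenant string) { delete(s.keks, tenant) }

// Demo stores one record per tenant, shreds tenant A and returns A's plaintext
// before, the error after, B's plaintext after, and how many A ciphertexts remain.
func Demo() (before string, after error, other string, leftover int) {
	s := &Store{keks: map[string][]byte{}, records: map[string][]Record{}}
	s.Put("hdo-a", []byte("patient demo-1: glucose 110 mg/dL")) // constructed sample
	s.Put("hdo-b", []byte("patient demo-2: BP 120/80"))         // constructed sample
	b, _ := s.Get("hdo-a", 0)
	s.Shred("hdo-a")
	_, after = s.Get("hdo-a", 0)
	o, _ := s.Get("hdo-b", 0)
	return string(b), after, string(o), len(s.records["hdo-a"])
}

func main() {
	before, after, other, leftover := Demo()
	fmt.Printf("hdo-a before: %q\nhdo-a after: %v\nhdo-b after: %q\nhdo-a ciphertexts kept: %d\n", before, after, other, leftover)
}
```

The two-layer design is what makes key destruction practical at scale: the KEK is the only secret that has to be destroyed (or rotated), however many records and backup copies exist, and per-record DEKs mean one tenant's records never share a key with another's. The remaining caveat is that the shred is only as good as the KEK's storage: copies of the KEK in logs, snapshots or a second region must be covered by the same destruction procedure.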
30. 5. Conclusions
1. Adoption of NIST Cybersecurity Framework in
Emerging Telehealth Services
2. Next Challenge: Integration of Telehealth with
Smart Home
3. Privacy/Data Protection by Design:
Agreement with Cloud Telehealth Providers
4. Cloud-Native Security with Continuous
Data Lifecycle Management