Information Technology Governance, Risk and Compliance in Healthcare v2

Copyright 2024, Cloud Security Alliance. All rights reserved.

The permanent and official location for the Health Information Management Working Group is https://cloudsecurityalliance.org/research/working-groups/health-information-management

2024 Cloud Security Alliance. All Rights Reserved. You may download, store, display on your computer, view, print, and link to the Cloud Security Alliance at https://cloudsecurityalliance.org subject to the following: (a) the draft may be used solely for your personal, informational, non-commercial use; (b) the draft may not be modified or altered in any way; (c) the draft may not be redistributed; and (d) the trademark, copyright or other notices may not be removed. You may quote portions of the draft as permitted by the Fair Use provisions of the United States Copyright Act, provided that you attribute the portions to the Cloud Security Alliance.

Acknowledgments

Lead Authors: Dr. Jim Angle
Contributors: Yutao Ma, Akhil Mittal, Michael Roza
Reviewers: Anup Ghatage, Tolgay Kizilelma, PhD, Namal Kulathunga, Yuvaraj Madheswaran, Vaibhav Malik, Adeeb Mohammed, Kenneth Moras, Meghana Parwate, Akshay Shetty, Rose Songer, Udith Wickramasuriya
CSA Global Staff: Alex Kaluza, Claire Lehnert

Table of Contents

Acknowledgments 3
Abstract 5
Introduction 5
Emerging Technologies and Their Impact on GRC 6
Governance 6
Plan 7
Define 10
Monitoring 11
Discussion 11
Threat 12
Risk 12
Assessing Risk 13
Mitigating Risk 14
Compliance 15
Integration of Ethical Considerations in GRC 17
Cloud Compliance Frameworks 17
Global Cloud Frameworks 17
Local Regulatory Frameworks 18
Conclusion 19
References 20

Abstract

It is becoming increasingly common for Healthcare Delivery Organizations (HDOs) to use cloud services, but the transition to the cloud presents challenges. One of the main challenges is establishing Governance, Risk, and Compliance (GRC) in the cloud, which requires redefining business and technology processes and relying on third-party providers. To ensure that HDOs can reap the benefits of cloud computing, it is essential to design and implement a robust cloud GRC program that addresses these challenges and ensures compliance with industry regulations and standards.

Introduction

HDOs recognize the value of having a complete view of risk and compliance through Governance, Risk, and Compliance (GRC) programs, which enable HDOs to address technology risk from a business perspective by aligning business and technology in a top-down approach. This top-down approach ensures that risks are identified and addressed while complying with industry regulations and standards. Cloud GRC is an effective means for organizations to gather important risk data, validate compliance, and report results. Cloud management is an important area of concern in cloud GRC, and it is often implemented in silos across the organization. Failing to integrate the collective results into the GRC program can lead to duplication of effort and not taking full advantage of GRC. A properly implemented GRC program can eliminate duplicate efforts, provide data repositories, and facilitate automation. This paper will discuss the
elements of a good cloud GRC program and what is required to establish the program.

Artificial intelligence (AI) is quickly increasing in importance, particularly in the healthcare industry. As a result, GRC is getting increased attention. AI GRC focuses on the data quality and accuracy of AI and machine learning (ML) systems, ethical and legal issues, security, and privacy, given that patient and other sensitive data may be involved. GRC aims to establish the necessary oversight to align AI behaviors with ethical standards and societal expectations, and to safeguard against potential adverse impacts. GRC provides a means of sharing relevant information, helping to bridge gaps and eliminate silos in the organization.

Emerging Technologies and Their Impact on GRC

The rapid adoption of emerging technologies, such as blockchain, Internet of Things (IoT), AI
, and advanced analytics in healthcare, poses new challenges and opportunities for GRC frameworks. These technologies can help streamline processes, enhance data integrity, and improve patient outcomes, but they also introduce complexities in compliance and security management. Addressing these technologies within GRC frameworks ensures they align with healthcare standards and regulations while bolstering cybersecurity measures.

Governance

Due to the unique characteristics of cloud computing, as opposed to an on-premises data center, HDOs need to rethink how they accomplish IT governance. HDOs must implement and maintain a governance lifecycle to plan, define, implement, and monitor governance. HDOs must consider how they manage a shared responsibility model and a multi-tenancy environment. Additionally, while an HDO may have a cloud-first policy, it will be in a hybrid cloud environment, at least initially.

Effective IT governance in healthcare ensures that technology investments align with organizational goals, resources are allocated efficiently, and decision-making processes are transparent and accountable. This includes establishing policies, procedures, and standards for IT systems and personnel. Cloud-based architecture and business operations are more diverse and complex than traditional on-premises data center architecture; therefore, relying on the same policies and tools used for on-premises environments will not ensure success in the cloud.[1]

Cloud governance is a collection of policies and standards of the HDO based on risk and a standard framework. According to the Information Systems Audit and Control Association (ISACA), governance in the cloud environment helps to realize benefits resulting from the use of cloud computing services while minimizing risk, optimizing investments, and ensuring compliance with legislative and regulatory requirements. By creating a cloud governance model, the HDO can avoid many pitfalls of a cloud-first strategy. Introducing cloud computing into an HDO affects roles, responsibilities, processes, and metrics. Without governance in place to provide standards and guidelines for navigating the risk and efficiently procuring and operating cloud services, an HDO may find itself faced with some common problems:

- Misalignment with enterprise objectives
- Frequent policy exception reviews
- Stalled projects
- Compliance or regulatory penalties or failures
- Data governance and management
- Budget overruns
- Incomplete risk assessments[2]

[1] Capgemini, 2021. Cloud Governance Guide - Business Aligned Approach to Cloud Utilization, Retrieved from https://

The cloud governance lifecycle according to the Service Oriented Architecture (SOA) framework consists of four phases: Plan, Define, Implement, Monitor.

Figure 1: SOA Governance Vitality Method (a cycle of Plan, Define, Implement, Monitor)

Plan

Planning starts with identifying stakeholder business needs and identifying how these needs will be addressed. The cloud computing governance lifecycle planning phase includes:

1. Analyzing
implemented governance models and processes. This involves assessing all aspects of corporate governance to find a starting point for creating or maintaining a cloud governance model, in order to provide management-level information to improve cloud computing governance based on the cloud computing governance maturity level, which has six levels:
   - Level 0: Non-existent cloud computing governance
   - Level 1: Initial/ad hoc cloud computing governance
   - Level 2: Repeatable cloud computing governance
   - Level 3: Defined cloud computing governance
   - Level 4: Managed and measurable cloud computing governance
   - Level 5: Optimized cloud computing governance
2. Cloud governance vision and strategy. The cloud governance vision is based on the guiding principles of cloud governance and business strategy. The strategy for realizing the vision for cloud computing should include cloud governance evaluation and the definition of metrics for measuring the value obtained from cloud governance.
3. Scope of cloud governance.
   - Identifying stakeholder needs
   - Identifying cloud governance processes
   - Identifying the governance level and selecting components of cloud governance
4. Adaptation of guiding principles. This activity adapts cloud governance guiding principles for an HDO in accordance with the principles of enterprise IT governance. ISACA believes there are six guiding principles for adopting and using the cloud: enablement, cost benefit, enterprise risk, capability, accountability, and trust. These principles, by highlighting issues and concerns in cloud computing, give high-level guidance to the HDO and help satisfy the HDO's business goals while adopting cloud solutions.
5. Planning the cloud governance roadmap. A cloud governance roadmap defines the number of iterations in the cloud governance lifecycle. The initial deployment of cloud governance is performed during the implementation of the first cycle. During subsequent iterations, the whole cloud governance vision can be gradually implemented.[3]

[2] Object Management Group, 2019. Practical Guide to Cloud Governance, Retrieved from https://www.omg.org/cloud/deliverables/practical-guide-to-cloud-governance.pdf

As an HDO starts planning for its governance model, two areas are critical for success. First is data classification. Data classification sets data access, use, and sharing rules across the ecosystem. The security requirements for the data determine the classification. How secure does the data have to be? Is it Personally Identifiable Information (PII) or Protected Health Information (PHI), or can the data be freely shared? Second is identifying the roles and responsibilities. Cloud computing is in a shared responsibility environment. The following chart from Microsoft shows the responsibilities for different functions:

[3] Karkokov, S. & Feuerlicht, G., 2016. Cloud Computing Governance Lifecycle, Acta Informatica Pragensia, 5(1): 56-71. DOI: 10.18267/j.aip.85

Figure 2: Cloud Shared Responsibilities from Microsoft (columns: On-prem, IaaS, PaaS, SaaS; rows: Information and data, Devices (Mobile and PCs), Accounts and identities, Identity and directory infrastructure, Applications, Network controls, Operating system, Physical hosts, Physical network, Physical datacenter; legend: responsibility always retained by the customer, responsibility varies by type, responsibility transfers to the cloud provider)

As you can see, with a shared responsibility model, a governance model based on an on-premises data center will not be sufficient in a hybrid cloud environment. It's essential to have a clear understanding of the compliance inheritance from cloud service providers. This is because they are responsible for implementing controls that apply to the shared responsibility portion of what they're controlling. As a customer, you are also responsible for implementing controls to achieve holistic compliance with regulations. For instance, if you're required to comply with the Health Insurance Portability and Accountability Act (HIPAA), your cloud service provider would implement a set of controls based on their portion of shared responsibilities for areas such as data center and virtualization security. However, as the cloud service customer, you are also accountable for implementing the remaining controls that come from compliance inheritance, such as implementing proper Identity and Access Management (IAM), access control to your applications, systems, and data, managing application vulnerabilities, ensuring that you have a secure software development lifecycle, adhering to data retention and data disposal requirements, implementing security controls, monitoring your cloud resources for anomalies and malicious activities, and handling incidents.

IT GRC is an ongoing process that requires continuous monitoring, assessment, and improvement. Healthcare organizations should regularly review their IT GRC frameworks, assess their effectiveness, and make necessary adjustments to address changing risks, regulations, and business needs.

Define

Define is the process of defining the steps required to achieve the objectives of the planning phase. The following are some of the activities in this step.

1. Evaluate the current state of cloud governance against a recognized governance maturity model.
2. Define the governance policies
and compliance regulations that apply to the HDO.[4]
3. Identify gaps that must be closed to meet the HDO's cloud governance requirements.
4. Define governance bodies to carry out all governance processes.
5. Define a governance framework. The Cloud Security Alliance (CSA) Cloud Controls Matrix (CCM) framework focuses on the entire information security lifecycle.[5]

Additionally, the technology and tools required for implementing and managing cloud governance are defined in this activity. An analysis of existing enterprise technology and tools is conducted, and gaps are identified. The gap analysis results serve as the basis for acquiring technology and tools that should support automation capabilities for cloud governance.

Implementation

Implementing a governance framework is a challenging process that requires collaboration, communication, monitoring, and continuous improvement. The HDO defined the processes, technology, and tools in the Define phase. Now, the HDO needs to define the standards and procedures. These include guidelines for all aspects of cloud computing, such as provisioning, access management, and change control. These standards and procedures must be communicated to all stakeholders, clearly stating the roles and responsibilities of each stakeholder. Additionally, the HDO should provide training to familiarize all stakeholders with the cloud governance policies, procedures, and standards.[6]

It is important to understand that implementing cloud governance will involve challenges. Some of the challenges will include security and privacy; the HDO needs to articulate the requirements for both. Challenges can be posed by the business in terms of roadmaps and overall strategy. This can lead to major delays when trying to roll out governance frameworks within the organization, in particular when needing to work with engineering, DevOps, and developers, which could prevent the ability to roll these out successfully. Additionally, a lack of education on the importance of governance, and on what controls actually mean, can pose unexpected challenges during implementation.

[4] Arend, C., & Helkenberg, R., 2021. Cloud Governance Success: A Practical Framework to Getting Started with Cloud Data Governance, Retrieved from https://
[5] Object Management Group, 2019. Practical Guide to Cloud Governance, Retrieved from https://www.omg.org/cloud/deliverables/practical-guide-to-cloud-governance.pdf
[6] Ancoris, 2023. Cloud Governance Framework: How to Develop, Implement and Follow One, Retrieved from https://

Monitoring

Continuous monitoring is crucial for ensuring the effectiveness of cloud governance. Policies and standards are not static; they must be updated as technology and regulations change. It is essential to review and update policies and standards as changes occur. The HDO should conduct periodic assessments to identify areas for improvement and make necessary adjustments. Monitoring allows the HDO to collect performance information on cloud governance processes, and this
information can be a key input for the next cycle. The HDO can then ensure the cloud governance goals and objectives are met. Monitoring must be continuous to provide current and accurate information. Measured data is evaluated continuously or at set intervals according to business needs.[7]

Implementing Cloud Security Posture Management (CSPM) solutions offers comprehensive insight into cloud misconfigurations, delivering timely recommendations and effective strategies to mitigate technological risk exposures. Furthermore, the adoption of Infrastructure as Code (IaC) has revolutionized the management of cloud computing infrastructures, promoting proactive risk management. By utilizing static code analysis techniques, organizations can identify and address misconfigurations in their IaC scripts before they are deployed into production environments. This proactive approach significantly enhances the return on investment (ROI) by streamlining risk detection and facilitating swift remediation efforts, thereby fortifying cloud governance frameworks.

Discussion

Cloud governance can significantly enhance an HDO's ability to meet business needs using cloud computing. As HDOs continue to move to the cloud, they must understand how to utilize cloud services and achieve business-IT alignment. While there is not one specific cloud governance framework, HDOs need to pick a framework and adapt it to their needs. The CSA CCM framework focuses on the entire lifecycle and can benefit the HDO when developing its framework. Implementing cloud governance impacts business value creation and the benefit of cloud service utilization. However, HDOs may face some difficulties, such as integrating cloud governance into their existing governance processes, planning the governance roadmap, and designing the governance structure. Developing clear guidelines for implementing cloud governance will help overcome these difficulties.[8]

[7] Karkokov, S. & Feuerlicht, G., 2016. Cloud Computing Governance Lifecycle, Acta Informatica Pragensia, 5(1): 56-71. DOI: 10.18267/j.aip.85
[8] Rasner, G., 2021. Cybersecurity & Third-Party Risk: Third-Party Threat Hunting, John Wiley & Sons, Inc., Hoboken, NJ.

Threat

Unlike traditional cybersecurity, which is adopted to protect assets, cybersecurity in healthcare is always relevant to human beings: it is usually connected directly to patient-facing networked technology, for example implantable medical devices that are vital to a patient's life. On the other hand, the cybersecurity threat is increasing in quantity, in types (such as ransomware), and in attacks on vulnerable IoT systems. In 2016, WannaCry was a non-targeted ransomware attack on more than 150 countries
, including healthcare systems. WannaCry's most profound impact occurred in the UK and, as a result, Britain's National Health Service (NHS) was severely infected: ransomware encrypted files, and criminals demanded a ransom before releasing medical records or critical devices from encryption. The result was disruption to the normal medical operations of more than 80 individual hospitals over four days. This cyberattack directly impacted lives and brought a new threat to the HDO. Tens of thousands of scheduled surgeries and clinical appointments between May 12 and May 19 had to be canceled.

Risk

Cybersecurity risk is a subset of business risk and, as such, should be talked about in business terms. HDOs should view information risk in the context of organizational risk. When HDOs implement information security controls, their goal is to reduce risk. Since no information system is one hundred percent secure, the purpose of the control is to reduce risk to an acceptable level and to manage risk. To build a sound cyber defense, the HDO must understand risk. Cloud risk management is the process of identifying, assessing, and controlling risk within modern hybrid cloud environments throughout the lifecycle of the cloud relationship. Risk management is complicated by the shared responsibility model, due to the different cloud types (IaaS, PaaS, SaaS) adopted and the lack of visibility into the CSP offerings and environments, which is also part of Third-Party Risk Management (TPRM). Risk assessments can also differ depending on the form of cloud deployment: private, public, or hybrid.

Identifying risks is a foundational risk management activity; an HDO faces difficulties in successfully managing its risks if it does not identify them. HDOs must ensure they can identify risks promptly and then communicate them to the appropriate stakeholders. Important activities in risk identification include the following:

- Establish categories for risk. A common way of considering the threat landscape is to identify sources of risks/threats. This approach facilitates grouping risks into categories with common traits, tactics, and trends.
- Identify sources of risk for operations dependent on technology and information assets. Reviewing the HDO's historical experience with negative operational events can be a good first step toward identifying risk sources. An HDO could start with this list and then customize it based on the scope of its risk management activities and unique operating environment.
- Log identified risks in a risk register or other tracking mechanism, which organizes and records information on identified operational risks. The HDO's risk management strategy must prioritize operational activities and processes into those that are managed and those that are less important and require lower levels of focus.[9] HDOs should use a risk registry to log and manage identified risks. The following table is an example from the Cyber Resilience Review Supplemental Resource Guide: Risk Management.[10]
- Establish a reporting mechanism that aligns with the manner in which your tech organization likes to work, such as engineers utilizing a Slack channel for risks they would like to report. This is beneficial as it doesn't leave the responsibility on GRC to identify risk, and it creates a security mindfulness culture that embraces and understands risk to the point that people can report on it.

Figure 3: Risk register, CRR Supplemental Resource Guide Vol. 7: Risk Management (columns: Risk ID, Date Identified, Impact, Likelihood, Disposition, Risk Rating, Risk Owner, Risk Description, Mitigating Controls)

Assessing Risk

The risk analysis process ensures that all identified risks are evaluated in the context of the HDO's risk drivers to inform risk disposition decisions. Regardless of the methodology used to conduct the risk analysis, it is important to document the process to ensure consistency and provide context for future improvements.[11] When conducting a cloud risk assessment, it is important to understand the shared responsibility model. In a traditional data center, all the security responsibility falls on the HDO. The most important thing is to understand who is responsible for all phases of a cloud deployment.[12] Before acquiring a cloud service, the HDO needs to analyze the risk associated with adopting a cloud-based solution and plan the risk treatment and control activities associated with the cloud-based operations. To do so, a cloud consumer needs to gain the perspective of the entire cloud ecosystem that will serve the operations of their cloud-based information system.[13]

[9] Carnegie Mellon University, 2016. Cyber Resilience Review Supplemental Resource Guide: Risk Management, Department of Homeland Security
[10] Rasner, G., 2021. Cybersecurity & Third-Party Risk: Third-Party Threat Hunting, John Wiley & Sons, Inc., Hoboken, NJ.
[11] Carnegie Mellon University, 2016. Cyber Resilience Review Supplemental Resource Guide: Risk Management, Department of Homeland Security
[12] Rasner, G., 2021. Cybersecurity & Third-Party Risk: Third-Party Threat Hunting, John Wiley & Sons, Inc., Hoboken, NJ.
[13] Iorga, M., Karmel, A., Managing Risk in a Cloud Ecosystem, doi.org/10.1109/MCC.2015.122

It is important to use a recognized risk management framework when assessing risk. Recognized frameworks from ISO and NIST are developed with considerable input from large, diverse bodies.
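The risk register in Figure 3 and the prioritization the Risk section calls for can be made concrete in code. The following Python is an added example, not part of the CSA paper or the CRR guide it cites: it keeps exactly the Figure 3 columns, derives the risk rating from impact and likelihood, orders the register by rating, and flags entries that still need a disposition decision. The 1-to-5 scoring scale, the rating thresholds, the disposition vocabulary and the sample entries are all constructed assumptions for illustration; an HDO would take these from its own documented risk analysis methodology.

```python
"""Minimal risk register with the columns shown in Figure 3.

Added example (not from the CSA paper or the CRR guide). The 1-5 impact and
likelihood scale, the rating thresholds and the disposition rules below are
constructed assumptions for illustration.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional


def score_is_valid(value: int) -> bool:
    """Constructed scale: impact and likelihood are scored 1 (lowest) to 5 (highest)."""
    return isinstance(value, int) and 1 <= value <= 5


@dataclass
class RiskEntry:
    risk_id: str
    date_identified: date
    impact: int
    likelihood: int
    risk_owner: str
    risk_description: str
    mitigating_controls: List[str] = field(default_factory=list)
    disposition: Optional[str] = None  # assumed vocabulary: accept | mitigate | transfer | avoid

    def __post_init__(self):
        for name, value in (("impact", self.impact), ("likelihood", self.likelihood)):
            if not score_is_valid(value):
                raise ValueError(f"{name} must be an integer from 1 to 5, got {value!r}")

    @property
    def risk_rating(self) -> int:
        # Constructed assumption: rating = impact x likelihood, so the range is 1..25.
        return self.impact * self.likelihood

    @property
    def rating_band(self) -> str:
        # Constructed thresholds over the 1..25 rating.
        if self.risk_rating >= 15:
            return "High"
        if self.risk_rating >= 8:
            return "Moderate"
        return "Low"


class RiskRegister:
    """Organizes and records identified risks (the 'log identified risks' activity)."""

    def __init__(self):
        self._entries: Dict[str, RiskEntry] = {}

    def log(self, entry: RiskEntry) -> None:
        if entry.risk_id in self._entries:
            raise ValueError(f"duplicate risk id {entry.risk_id}")
        self._entries[entry.risk_id] = entry

    def get(self, risk_id: str) -> RiskEntry:
        return self._entries[risk_id]

    def set_disposition(self, risk_id: str, disposition: str) -> None:
        self._entries[risk_id].disposition = disposition

    def prioritized(self) -> List[RiskEntry]:
        """Highest-rated risks first, supporting the prioritization the text calls for."""
        return sorted(self._entries.values(), key=lambda e: e.risk_rating, reverse=True)

    def needs_attention(self) -> List[str]:
        """Constructed rule: a High-band risk with no disposition, or a risk marked
        'mitigate' with no mitigating controls recorded, is flagged for review."""
        flagged = []
        for e in self._entries.values():
            if e.rating_band == "High" and e.disposition is None:
                flagged.append(e.risk_id)
            elif e.disposition == "mitigate" and not e.mitigating_controls:
                flagged.append(e.risk_id)
        return flagged

    def as_rows(self) -> List[dict]:
        """Rows keyed by the Figure 3 column headings, highest rating first."""
        return [{
            "Risk ID": e.risk_id, "Date Identified": e.date_identified.isoformat(),
            "Impact": e.impact, "Likelihood": e.likelihood,
            "Disposition": e.disposition or "", "Risk Rating": e.risk_rating,
            "Risk Owner": e.risk_owner, "Risk Description": e.risk_description,
            "Mitigating Controls": "; ".join(e.mitigating_controls),
        } for e in self.prioritized()]


def build_sample_register() -> RiskRegister:
    """Constructed sample entries for a hybrid-cloud HDO (not real findings)."""
    reg = RiskRegister()
    reg.log(RiskEntry("R-001", date(2024, 3, 4), impact=5, likelihood=3, risk_owner="CISO",
                      risk_description="PHI storage bucket reachable without authentication",
                      mitigating_controls=["block-public-access policy", "CSPM alert on public buckets"]))
    reg.log(RiskEntry("R-002", date(2024, 3, 5), impact=4, likelihood=4, risk_owner="Cloud platform lead",
                      risk_description="No documented exit plan for the IaaS provider"))
    reg.log(RiskEntry("R-003", date(2024, 3, 6), impact=2, likelihood=2, risk_owner="Service desk manager",
                      risk_description="Stale guest accounts in the SaaS HR system"))
    reg.set_disposition("R-001", "mitigate")
    reg.set_disposition("R-003", "accept")
    return reg


if __name__ == "__main__":
    for row in build_sample_register().as_rows():
        print(row)
```

Running the block prints the three constructed entries ordered by rating, with R-002 (rating 16, no disposition yet) first; `needs_attention()` returns it as the one entry still awaiting a risk disposition decision, which is the review queue the Assessing Risk section describes.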
After assessing the risk, the HDO should apply controls to manage it. When carrying out a risk assessment on a cloud platform, it is necessary to combine multiple assessment methods, such as configuration inspection and vulnerability scanning. However, the cloud platform introduces more valuable resources and has service level agreements with tenants, so some assessment methods need to be adjusted based on the characteristics of cloud computing.

- Questionnaire survey: The questionnaire provides a set of questions about management and operational control for system technical or managerial personnel to complete. The questionnaire should include the HDO's business strategy, security needs, management systems, system and data sensitivity, system size and structure, and so on.
- Interview: On-site interviews involve evaluators going to the site to interview system technical or managerial personnel and collect information on the physical, environmental, and operational aspects of the system. The content of the interview should include:
  - Whether there is a design for data storage integrity testing
  - Whether there are means and measures for clearing data copies
  - The capability to identify, alarm, and block sustained large-traffic attacks, and whether there is specialized equipment to detect network intrusions
  - The method of isolation between virtual machines (VMs) and between VMs and hosts
  - Preliminary plans for exiting cloud computing services or changing cloud service providers, and plans for operational and security training for relevant customer personnel
- Security penetration testing: Due to the impact on infrastructure, penetration testing may not be allowed in SaaS environments. Cloud penetration testing is allowed in PaaS and IaaS, but requires certain coordination. It's worth noting that the SLA in the contract will determine what types of testing should be allowed, and how often testing should occur.

Mitigating Risk

HDOs will most likely be unable to assess the controls the CSP is responsible for. However, the cloud provider should be able to provide the HDO with a report from an independent assessor to validate that the proper controls are in place and working as intended. HDOs can request third-party attestation artifacts from the cloud service provider, such as a SOC 2 report. The HDO is responsible for conducting a risk assessment on its area of responsibility based on the shared responsibility model. In most cloud service models, the HDO remains accountable for the devices used to access the cloud, network connectivity, its accounts and identities, and its data.[14]

Risk assessments evaluate the effectiveness, efficiency, and appropriateness of the HDO's security controls. This includes, but is not limited to, checking whether encryption standards are met for data at rest and in transit, whether logging and monitoring are correctly configured, whether security groups and network access control lists are properly restricting access, whether identity and access management is working as intended, and whether vulnerabilities are discovered in a timely manner and properly managed. HDOs must map their risk and controls framework to a framework that addresses cloud risks in a standardized way. If an HDO's existing risk assessment model does not address the specific challenges of cloud computing, it can benefit from a broadly adopted and standardized framework, such as ISO 27001, COBIT, or NIST. To better understand the potential threats and risks related to cloud computing platforms, refer to the CSA "Top Threats to Cloud Computing: Pandemic Eleven" report.[15] This report provides insights into the most significant security challenges cloud users and providers face, including data breaches, misconfigurations, insecure interfaces and APIs, and insider threats. By being aware of these threats, organizations can take proactive measures to mitigate risks and enhance their cloud security posture.

[14] Microsoft, 2023. Risk Assessment Guide for Microsoft Cloud, Retrieved from https://

Compliance

Cloud compliance refers to the guidelines, laws, and regulations designed to protect and regulate information stored on cloud platforms. For HDOs, this refers to regulations and laws covering both security and privacy. This includes how data is stored, protected, and used. It must be protected whether it's PII, PHI, or Payment Card Industry (PCI) data. Cloud compliance is about ensuring that utilization of cloud services meets compliance requirements. When HDOs use cloud computing, they are not outsourcing their compliance responsibilities to the CSP. Regulatory agencies and customers can still hold them responsible, as HDOs are accountable for compliance with legal, statutory, regulatory, and contractual obligations.[16]

In the U.S., you confront industry-specific or legal-area-specific rules when confronting federal regulations. That is, each form of information has its own set of rules. PHI in the U.S. has the Health Insurance Portability and Accountability Act (HIPAA). For PCI, it's the PCI Data Security Standards (PCI DSS). Different countries have national laws for protecting the PII of their data
subjects. This covers data stored within the country and outside the country. In the U.S., while there are not always comprehensive national laws for all compliance requirements, each state has its own requirements. For example, requirements regarding protecting personal information appear most prominently in California with the California Consumer Protection Act; also in Maine with the Maine Act to Protect the Privacy of Online Consumer Information, and in Nevada with the Nevada Senate Bill 220 Online Privacy Law.[17]

[15] Cloud Security Alliance, 2023. Top Threats to Cloud Computing: Pandemic Eleven, Retrieved from https://cloudsecurityalliance.org/artifacts/top-threats-to-cloud-computing-pandemic-eleven
[16] Shacklett, M., 2023. What is Cloud Compliance? A Comprehensive Guide, Retrieved from https://
[17] Moschovitis, C., 2021. Privacy Regulations and Cybersecurity: The Essential Business Guide, John Wiley & Sons, Inc., New Jersey

Besides the U.S. regulations, Canada and Mexico have their own regulations. Canada has two major pieces of privacy legislation: the Privacy Act and the Personal Information Protection and Electronic Documents Act. In Mexico, the Federal Law on the Protection of Personal Data Held by Private Parties has since been enhanced with the General Law on the Protection of Personal Data in Possession of Obligated Subjects. The European Union has implemented the General Data Protection Regulation (GDPR), which defines PII and requires transparency in processing. The directive also prohibits the transfer of PII to any country that has not demonstrated adequate protection. The following chart shows how the GDPR applies.

Figure 4: Territorial scope of the GDPR[18] (decision flow with the questions: Is the company in the EU? Does the data subject reside or stay in the EU? Is the data subject currently traveling in the EU? Does the processing relate to offering goods or services? Does the processing relate to monitoring behavior in the EU? Each Yes/No answer leads either to "GDPR applies" or to "GDPR doesn't apply")

The list of regulations presented gives the reader an idea of the vast array of regulations that must be considered when identifying compliance requirements. This is just a small sample of the requirements; the HDO needs to research the requirements for its specific data storage locations and data subjects. Healthcare organizations often rely on third-party vendors and service providers for various IT services. It's essential to assess the security posture of third-party vendors, conduct due diligence on their security practices, and establish contractual agreements that outline security responsibilities and compliance requirements.

[18] Varankevich, S., 2017. Territorial Scope of GDPR, Retrieved from https://

Implementing an effective cloud compliance policy is crucial for organizations to ensure security and regulatory adherence in their cloud environments. HDOs should establish clear compliance objectives aligned with industry regulations and their specific business requirements. HDOs can identify potential security risks and compliance gaps by conducting a comprehensive risk assessment. Developing well-defined and documented policies and procedures is essential. These policies should cover access controls, encryption, data handling, incident response and management, change management, vulnerability management, and data breach notification. Continuous monitoring of the cloud environment helps promptly identify and rectify noncompliance issues or security incidents.[19]

Integration of Ethical Considerations in GRC

As technology continues to permeate all aspects of healthcare, ethical considerations become increasingly critical. It is essential to integrate ethical guidelines into the GRC framework to address issues such as data privacy, patient consent, and algorithmic biases in AI applications. This integration ensures that technological advancements benefit patients without compromising their rights or autonomy.

Cloud Compliance Frameworks

These frameworks speak specifically to cloud compliance requirements. Both cloud vendors and customers should have in-depth knowledge of these frameworks, including globally adopted frameworks and local countries' regulatory frameworks.
Global Cloud Frameworks

Cloud Controls Matrix (CCM): The Cloud Security Alliance (CSA) published the CCM, providing a framework for assessing cloud security. This foundational grouping of security controls, created by CSA, provides a basic guideline for security vendors. Additionally, this framework helps customers appraise the risk posture of prospective cloud vendors. CSA also developed a certification program called Security, Trust, Assurance, and Risk (STAR). The STAR Registry is a publicly accessible registry that documents the security and privacy controls provided by popular cloud offerings.

Federal Risk and Authorization Management Program (FedRAMP): FedRAMP is a government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring of cloud products and services. Meeting this set of cloud-specific data security regulations is necessary for organizations looking to do business with any federal agency.

ISO/IEC 27017: The International Organization for Standardization (ISO) published multiple standards on cybersecurity, among which ISO/IEC 27017:2015 is the standard that provides guidelines for information security controls for cloud services.

19 Sutradhar, C., 2023. Cloud Compliance - Protecting Your Data and Maintaining Trust, Retrieved from https:/

Cloud compliance frameworks help you navigate the regulatory landscape and avoid the financial and reputational cost of non-compliance. Additionally, these frameworks provide the guidelines and structure necessary for maintaining the level of security your customers demand. By implementing a compliance framework, HDOs can demonstrate their commitment to privacy and data protection. This will help boost credibility and trust with regulators, patients, and third-party partners. [20]

Local Regulatory Frameworks

There are many country-specific cloud frameworks. Here are examples.

Two Guidelines from Three Ministries (2G3M): In Japan, the government regulates medical institutions' practices on securing medical information with third-party service providers, cloud service providers, and the applicable party. It stipulates that cloud service providers are obliged to review their cloud risk management measures against two guidelines released by two Japanese government ministries:
- Guideline for the Security Management of Medical Information Systems, version 5.1 (Jan 2021), by the Ministry of Health, Labor & Welfare
- Safety Management Guideline for Information Systems and Service Providers Handling Medical Information (Aug 2020), by the Ministry of Economy, Trade & Industry

Hébergeur de Données de Santé (HDS): In France, HDS certification was introduced by the French governmental agency. It requires service providers hosting PHI to follow its framework to ensure the secure protection of PHI across the following activities:
- Maintenance in operational condition of physical sites for hosting the physical infrastructure
- Maintenance in operational condition of the application platform hosting the information system
- Maintenance in operational condition of the virtual infrastructure of the information system used for the processing of health data
- Administration and operation of the information system containing the health data
- Backup of health data

20 Knowles, M., 2023. Cloud Compliance Frameworks: What You Need to Know, Retrieved from https:/hyperproof.io/resource/cloud-compliance-frameworks/

Conclusion

Governance, Risk, and Compliance (GRC) is a set of processes, practices, frameworks, and technologies that helps Healthcare Delivery Organizations (HDOs)
structure their approach to governance, risk management, and regulatory compliance. The goal is to unify and align the organization's risk management and regulatory compliance efforts. A well-planned GRC strategy can help HDOs achieve several benefits. When adopting cloud computing, it becomes essential for HDOs to diligently identify their security requirements, assess the service provider's security and privacy controls, and understand shared responsibilities and compliance inheritance. By thoroughly understanding the compliance requirements and performing a complete risk assessment, HDOs can lay the foundation for a secure and compliant cloud adoption. GRC can help align performance activities with business goals, manage enterprise risk, and meet compliance regulations, ensuring a safe and secure environment for healthcare delivery.

References

Ancoris, 2023. Cloud Governance Framework: How to Develop, Implement and Follow One, Retrieved from https:/
Governance Success: A Practical Framework to Getting Started with Cloud Data Governance, Retrieved from https:/
Capgemini, 2021. Cloud Governance Guide - Business Aligned Approach to Cloud Utilization, Retrieved from https:/
Mellon University, 2016. Cyber Resilience Review Supplemental Resource Guide: Risk Management, Department of Homeland Security
Cloud Security Alliance, 2023. Top Threats to Cloud Computing Pandemic Eleven, Retrieved from https:/cloudsecurityalliance.org/artifacts/top-threats-to-cloud-computing-pandemic-eleven
Health Security, 2020. Healthcare Challenges in the Era of Cybersecurity, Retrieved from https:/bioethics network.org/sites/default/files/webinar/documents/hs.2019.0123.pdf
ISACA, 2014. Controls & Assurance in the Cloud: Using COBIT 5. New York: ISACA.
ISACA, 2012. Guiding Principles for Cloud Computing Adoption and Use, Retrieved from https:/www.eurogeography.eu/SoC/sofia-workshop/SoC-implementation/ISACA-Guiding-Principles.pdf
Iorga, M., Karmel, A., Managing Risk in a Cloud Ecosystem, doi.org/10.1109/MCC.2015.122
Karkokov, S. & Feuerlicht, G., 2016. Cloud Computing Governance Lifecycle, Acta Informatica Pragensia, 5(1): 56-71. DOI: 10.18267/j.aip.85
Knowles, M., 2023. Cloud Compliance Frameworks: What You Need to Know, Retrieved from https:/hyperproof.io/resource/cloud-compliance-frameworks/
Microsoft, 2023. Risk Assessment Guide for Microsoft Cloud, Retrieved from https:/
Moschovitis, C., 2021. Privacy Regulations and Cybersecurity: The Essential Business Guide, John Wiley & Sons, Inc., New Jersey
Object Management Group, 2019. Practical Guide to Cloud Governance, Retrieved from https:/www.omg.org/cloud/deliverables/practical-guide-to-cloud-governance.pdf
Rasner, G., 2021. Cybersecurity & Third-Party Risk: Third-Party Threat Hunting, John Wiley & Sons, Inc., Hoboken, NJ.
Shacklett, M., 2023. What is Cloud Compliance? A Comprehensive Guide, Retrieved from https:/
Sutradhar, C., 2023. Cloud Compliance - Protecting Your Data and Maintaining Trust, Retrieved from https:/
Varankevich, S., 2017. Territorial Scope of GDPR, Retrieved from https:/