Welcome!

PHP Authors: Liz McMillan, Carmen Gonzalez, Hovhannes Avoyan, Lori MacVittie, Trevor Parsons

Blog Feed Post

Cloudy with a Chance of Pharma Security

pharmaceutical compliance HIPAA Compliance Cloud Security Cloud HIPAA Cloud Encryption  pharm cloud security Cloudy with a Chance of Pharma SecurityCloud computing changes the way companies consume IT resources. It shifts the burden of purchasing and maintaining IT infrastructure to specialized IT providers and allows the users to pay only for the resources they need, when they need them. In this new paradigm, cloud security is a top concern.  Companies want to reap the benefits of cloud computing, but are often hesitant because of concerns about security and compliance. In the 21CFR11 regulation, the FDA focused on requirements for ensuring electronic record integrity, accuracy, and availability for agency review throughout the retention period.  The regulation emphasizes record protection from unauthorized access and system validation. Other international agencies have similar regulations. This article captures key points from an interview with Gilad Parann-Nissany, a cloud security pioneer. He addressed some hard questions that have been the main obstacles to getting more regulated healthcare and life sciences companies to adopt cloud infrastructures.

Gilad Parann-Nissany built SaaS Clouds for medium and small enterprises and contributed to SAP products reaching more than 8 million users. He created a consumer Cloud at G.ho.st – a cloud operating system that provided browser-based and mobile access to data, people and applications.  He is now CEO of Porticor, a cloud security company.

AG: We realize the benefits of public clouds, mainly our ability to use and pay for what we need at any given time and not having to deal with the hassle of buying and managing our own data centers, but is there a way we can truly trust that our systems are still compliant with FDA regulations and our data is secured in a public cloud and is protected to ensure record integrity and confidentiality?

GPN: Yes, the FUD is that public cloud seems open to hackers, corporate spies, government surveillance, and the like. When you analyze this perception, it comes down to the fact that people are used to having walls around their servers and data storage. In the cloud, you manage your servers and disks using a browser, and the concern is that the bad guys can access you servers and disks with equal convenience. It’s actually a reasonable concern.

Yet there is a serious way to replace walls.  Strong data encryption, of course, is the accepted best practice.  Basically you are replacing physical walls with mathematical walls. If you do it right, you end up more secure in the cloud then you would be at the typical company.

You must choose the right encryption techniques. Once your data is encrypted, the management of the encryption keys becomes critical.

If you encrypt your data and store your encryption keys in the same place, the keys become vulnerable to the same threats.  If you give the keys to your cloud provider, then you have lost control of your data. People worry whether cloud provider employees are trustworthy, and of course from a regulatory point of view – you are simply not allowed to farm out ownership of your sensitive healthcare data. So the way to keep ownership and still enjoy the cloud, is to encrypt data and keep ownership of your encryption keys.

A technical solution to this need is split key encryption.  It’s like the safety deposit box systems, which have two keys.  Your data is encrypted, and the encryption key is split into two parts where one part is held only by you.  Both parts are always required to access the data.  This way, only you control your data and the public cloud becomes effectively private and confidential.

AG: Regulatory agencies require that electronic records be available for inspection throughout their retention period, which can be many years. Is it possible to ensure record availability in 15-20 years, considering technology changes and the risk that the vendor will no longer provide the service?

GPN: The possibility that technology will change or that a vendor will stop providing the service does of course need to be taken into account. The most basic answer involves ensuring ease of copying out data and meta-data from one solution and into another.

Copying out your terabyte of data to some new place may take some time, yet it’s not something you do every day. The important point is to ensure that your technology of choice, and your vendor of choice, make it possible if necessary. This should be a standard operation – for example, for copying out data, it is best to ensure that standard copying commands are available; for copying out meta-data, ensure you have standard APIs, such as RESTful APIs.

You do need to be thoughtful choose the right approach to the cloud, but for the typical small to medium company – building out such capabilities yourself is ridiculous compared with the price/performance of the cloud solution.

AG: For validated systems, will adding a security layer require revalidation of the applications?  Will it modify the way our applications handle data? Will the applications require any modification?

GPN: By default, the best solutions out there will give you a transparent encryption and key management solution. They should also allow you to do something special (with an API), if that is justified by your needs – but they should not require it.

Your chosen security solution should be able to be inserted transparently between the application layer and the data layer. Deployment models could be as an agent (which you install on your servers, but does not change your application), or as a Virtual Appliance (which does not touch your servers at all, and is available as a virtual machine running independently in your cloud). Good solutions will offer both options and let you choose.

AG: Are security technologies platform independent? Will adding a security layer require us to limit our systems to certain platforms?

GPN: The good ones will work on all the major cloud platforms and with all the major operating systems (Windows, Linux, Unix, etc).

AG: Will the cost of adding a security layer negate the cost benefit of using a cloud?

GPN: Hell no. But you need to choose right. Some vendors out there are trying to sell you the old economic model even when you move to the cloud, which means in practice a high up front cost for getting a solution. You should look for a solution that is pay as you go, so that you pay only for what you use and only when you use it. That’s the cloud economic model, it should be a no brainer. If you select right – you’ll actually end up better than before.

Cloud security and Cloud encryption can protect your data in the public cloud, and meet the regulatory requirements. Bottom line, for many of the Healthcare workloads out there, it is a strong and secure contender.

The post Cloudy with a Chance of Pharma Security appeared first on Porticor Cloud Security.

Read the original blog entry...

More Stories By Gilad Parann-Nissany

Gilad Parann-Nissany, Founder and CEO at Porticor is a pioneer of Cloud Computing. He has built SaaS Clouds for medium and small enterprises at SAP (CTO Small Business); contributing to several SAP products and reaching more than 8 million users. Recently he has created a consumer Cloud at G.ho.st - a cloud operating system that delighted hundreds of thousands of users while providing browser-based and mobile access to data, people and a variety of cloud-based applications. He is now CEO of Porticor, a leader in Virtual Privacy and Cloud Security.

IoT & Smart Cities Stories
René Bostic is the Technical VP of the IBM Cloud Unit in North America. Enjoying her career with IBM during the modern millennial technological era, she is an expert in cloud computing, DevOps and emerging cloud technologies such as Blockchain. Her strengths and core competencies include a proven record of accomplishments in consensus building at all levels to assess, plan, and implement enterprise and cloud computing solutions. René is a member of the Society of Women Engineers (SWE) and a m...
Early Bird Registration Discount Expires on August 31, 2018 Conference Registration Link ▸ HERE. Pick from all 200 sessions in all 10 tracks, plus 22 Keynotes & General Sessions! Lunch is served two days. EXPIRES AUGUST 31, 2018. Ticket prices: ($1,295-Aug 31) ($1,495-Oct 31) ($1,995-Nov 12) ($2,500-Walk-in)
IoT is rapidly becoming mainstream as more and more investments are made into the platforms and technology. As this movement continues to expand and gain momentum it creates a massive wall of noise that can be difficult to sift through. Unfortunately, this inevitably makes IoT less approachable for people to get started with and can hamper efforts to integrate this key technology into your own portfolio. There are so many connected products already in place today with many hundreds more on the h...
Digital Transformation is much more than a buzzword. The radical shift to digital mechanisms for almost every process is evident across all industries and verticals. This is often especially true in financial services, where the legacy environment is many times unable to keep up with the rapidly shifting demands of the consumer. The constant pressure to provide complete, omnichannel delivery of customer-facing solutions to meet both regulatory and customer demands is putting enormous pressure on...
Business professionals no longer wonder if they'll migrate to the cloud; it's now a matter of when. The cloud environment has proved to be a major force in transitioning to an agile business model that enables quick decisions and fast implementation that solidify customer relationships. And when the cloud is combined with the power of cognitive computing, it drives innovation and transformation that achieves astounding competitive advantage.
Machine learning has taken residence at our cities' cores and now we can finally have "smart cities." Cities are a collection of buildings made to provide the structure and safety necessary for people to function, create and survive. Buildings are a pool of ever-changing performance data from large automated systems such as heating and cooling to the people that live and work within them. Through machine learning, buildings can optimize performance, reduce costs, and improve occupant comfort by ...
Charles Araujo is an industry analyst, internationally recognized authority on the Digital Enterprise and author of The Quantum Age of IT: Why Everything You Know About IT is About to Change. As Principal Analyst with Intellyx, he writes, speaks and advises organizations on how to navigate through this time of disruption. He is also the founder of The Institute for Digital Transformation and a sought after keynote speaker. He has been a regular contributor to both InformationWeek and CIO Insight...
Digital Transformation: Preparing Cloud & IoT Security for the Age of Artificial Intelligence. As automation and artificial intelligence (AI) power solution development and delivery, many businesses need to build backend cloud capabilities. Well-poised organizations, marketing smart devices with AI and BlockChain capabilities prepare to refine compliance and regulatory capabilities in 2018. Volumes of health, financial, technical and privacy data, along with tightening compliance requirements by...
Andrew Keys is Co-Founder of ConsenSys Enterprise. He comes to ConsenSys Enterprise with capital markets, technology and entrepreneurial experience. Previously, he worked for UBS investment bank in equities analysis. Later, he was responsible for the creation and distribution of life settlement products to hedge funds and investment banks. After, he co-founded a revenue cycle management company where he learned about Bitcoin and eventually Ethereal. Andrew's role at ConsenSys Enterprise is a mul...
Nicolas Fierro is CEO of MIMIR Blockchain Solutions. He is a programmer, technologist, and operations dev who has worked with Ethereum and blockchain since 2014. His knowledge in blockchain dates to when he performed dev ops services to the Ethereum Foundation as one the privileged few developers to work with the original core team in Switzerland.