2016 Internet2 Global Summit


SaaS Security in Healthcare: Can the Fox Guard the Hen House? Pros and Cons of an In-House CCM Validation and a Third-Party SOC2 Audit

Time 05/18/16 03:00PM-04:00PM

Room Lincolnshire 1&2 (6th Floor)

Session Abstract

Higher education as a whole, and academic healthcare in particular, is rapidly adopting cloud-based information services. An essential condition for adopting the cloud is a standardized and validated methodology for assessing the overall IT security, privacy, and compliance risk of a cloud service provider. This need is compounded in healthcare by the laws and regulations that apply to protected health information. The Internet2 NET+ program uses a risk-mitigating framework, the Cloud Controls Matrix (CCM) developed by the Cloud Security Alliance, as one element that campuses can use to assess the security of SaaS providers, thereby reducing the risk of adopting cloud services. The CCM is “designed to provide fundamental security principles to guide cloud vendors and to assist prospective cloud customers in assessing the overall security risk of a cloud provider.”

The first healthcare SaaS product in the Internet2 NET+ portfolio is ICE Health Systems (ICE), an electronic health record (EHR) for private dental practices as well as dental schools. Because of the sensitivity of healthcare data, among other reasons, some institutions seeking to adopt ICE required a SOC2 audit performed by an external party, while others conducted their own CCM validation.

This program will discuss the rationale for differing approaches to security and compliance risk reviews by the Universities of Pittsburgh (centralized) and Michigan (decentralized) as applied to the adoption of ICE. Specifically, the CCM will be explained and examined with a special focus on its suitability in validating a healthcare information service.

Nick Lewis (CISSP) is a Program Manager for Security and Identity at Internet2, where he manages the NET+ security and identity services portfolio, while also contributing to the development of new NET+ offerings in cloud security. Nick rejoined Internet2 in 2015, after previously working here from 2002-2007. Nick has also held positions in information security at the University of Michigan and most recently was Director of IT Security and Compliance and Information Security Officer at Saint Louis University. He has also worked for Children’s Hospital Boston as an Information Security Manager and Michigan State University as an Information Technologist. Nick holds masters degrees in information assurance from Norwich University and telecommunications from Michigan State University. (nlewis@internet2.edu; 10 minutes)

Dion Taylor, Data Security Analyst Senior, University of Michigan School of Dentistry, will describe the customizations made to the CCM in order to meet HIPAA and other healthcare provisions. He will briefly describe how Michigan needed to map the CCM to NIST and HIPAA controls, the methods used to complete the CCM validation of ICE, and the results obtained. (diont@umich.edu; 10 minutes)

Sol Berman, Privacy Officer and IT Policy and Compliance Strategist, University of Michigan, Infrastructure and Information Assurance, will describe the university’s overall approach to IT security and compliance risk reviews for external service providers, as well as describe the role of the university in providing collaboration and support to the School of Dentistry. (solb@umich.edu; 10 minutes)

Sean Sweeney, Chief Information Security Officer, University of Pittsburgh, will present the reasons for the University of Pittsburgh’s request for a third-party SOC2 audit prior to the adoption of a cloud-based EHR. (SWEENEY2@pitt.edu; 10 minutes)

Peter Hoven, Chief Technology Officer, ICE Health Systems, will describe the value of a CCM validation and SOC2 audit from the perspective of an EHR SaaS provider planning to expand their private practice EHR service to the NET+ community. He will describe the changes made as the result of each review. (Phoven@icehealthsystems.com; 10 minutes)

Paul Howell, Chief Cyberinfrastructure Security Officer, Internet2, will lead a point/counterpoint discussion of the CCM and the third-party audit. Questions to be addressed include: What is the difference between a CCM validation and a third-party SOC2 audit? How is the service provider's response to either review meaningful? Which approach is more suitable for higher education? Which one is more relevant to healthcare? Which method is broader in scope for an initial review? What is best for the community? What should Internet2 recommend going forward for new services? How does either the CCM or SOC2 ensure ongoing security improvements? Lastly, he will ask the audience what other changes are needed to the CCM in order to meet their needs. (phowell@internet2.edu; 20 minutes)


Speaker Dion Taylor University of Michigan - Ann Arbor

Speaker Sol Berman University of Michigan - Ann Arbor

Speaker Sean Sweeney University of Pittsburgh - Pittsburgh Campus

Speaker Peter Hoven ICE Health Systems, Inc.

Speaker Paul Howell Internet2

Speaker Nicholas Lewis Internet2

Presentation Media

SaaS in Healthcare


Primary track Cyber Security and Trust and Identity in Education and Research

Secondary tracks Healthcare and Life Sciences
