It has been said that the “hero of a successful digital transformation is GRC.” The ISACA website states, “to successfully manage the risk in digital transformation you need a modern approach to governance, risk and regulatory compliance.” For GRC program development, it is important to understand the health information technology resources and tools available to enable long term success.
What is GRC and why is it important?
According to the HIPAA Journal, the average cost of a healthcare data breach is now $9.42 million. In the first half of 2021, 351 significant data breaches were reported, affecting nearly 28 million individuals. The needs have never been more acute among healthcare providers, insurers, biotechnology and health research companies for effective information security and controls. Protecting sensitive data and establishing a firm security posture is essential. Improving health care and reducing cost relies on structured approaches and thoughtful implementation of available technologies to help govern data and mitigate risk across the enterprise.
Effective and efficient management of governance, risk, and compliance, or GRC, is fast becoming a business priority across industries. Leaders at hospitals and health systems of all sizes are looking for ways to build operating strategies that harmonize and enhance efforts for GRC. Essential to that mission are effective data governance, risk management, regulatory compliance, business continuity management, project governance, and security. But rather than stand-alone or siloed security or compliance efforts, a cohesive program coupled with GRC solutions allows organizational leaders to address the multitude of challenges more effectively and efficiently.
What are the goals for I.T. GRC?
For GRC efforts, leaders are looking to:
Safeguard protected health information (PHI)
Meet and maintain compliance with evolving regulatory mandates and standards
Identify, mitigate and prevent risk
Reduce operational friction
Build in and utilize best practices
Managing governance, risk, and compliance in healthcare enterprises is a daunting task. GRC implementation for healthcare risk managers can be difficult, especially during this time of rapid digital and cloud transformation. But relying on internal legacy methods and tools leads to the same issues that have been seen on-premises, stifling innovation and improvement. As organizations adapt to cloud environments as a key element of digital transformation and integrated health care, leaders are realizing that now is the time to leverage the technology to implement GRC frameworks that accelerate their progress toward positive outcomes. What’s needed is expertise and a clear roadmap to success.
Cloud Automation of GRC
The road to success starts with a framework, aligned to business objectives, that provides cloud automation of Governance, Risk, and Compliance. Ideally this breaks down into three distinct phases:
Building a Solid Foundation – within the cloud environment, ensuring infrastructure and applications are secured before they are deployed.
Image/operating system hardening automation pipelines.
Infrastructure Deployment Automation Pipelines including Policy as Code to meet governance requirements.
CI/CD Pipelines including Code Quality and Code Security.
Disaster Recovery as a Service (DRaaS) meeting the organization’s Business Continuity Planning requirements.
Configuration Management to allow automatic remediation of your applications and operating systems.
Cost Management strategies with showback and chargeback implementation.
Automatic deployment and enforcement of standard security tools including FIM, IDS/IPS, AV and anti-malware tooling.
IAM integration for authorization and authentication with platforms such as Active Directory, Okta, and PingFederate, allowing for more granular control over users and elevated privileges in the clouds.
Reference Architectures created for the majority of the organization’s needs that are pre-approved, security baked-in to be used in the infrastructure pipelines.
Self-service CMDB integration with tools such as ServiceNow, Remedy and Jira Service Desk, allowing business units to provision their own infrastructure while providing the proper governance guardrails.
Resilient Architecture designs
Proper Configuration and Maintenance – Infrastructure misconfiguration is among the leading causes of data breaches in the cloud, and a big reason misconfiguration happens is configuration “drift,” change that occurs in a cloud environment after provisioning. Using automation to monitor the environment and remediate drift automatically keeps the cloud environment in its approved configuration and removes one of the most common causes of incidents. Since workloads spend most of their life in this phase, it is important to ensure there isn’t any drift from the original secure deployment. An effective program will need:
Cloud Integrity Monitoring using cloud native tooling.
Log Management and Monitoring with centralized logging, critical in a well-designed environment.
Managed Services including patching to resolve issues.
SLAs to address incidents and quickly get them resolved.
Cost Management to ensure that budgets are met and there are no runaway costs.
Perimeter security utilizing cloud native and third-party security appliances and services.
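The drift detection and self-remediation described above, as an added example (not 2nd Watch's tooling). BASELINE is the state each resource was deployed with and CURRENT is a later snapshot; both are constructed, and the resource ids are placeholders. Remediation rewrites the snapshot rather than calling a cloud API, and encryption settings are deliberately left for a human to approve, since re-keying a bucket can break existing readers:

```python
"""Configuration drift detection with automatic remediation.

Added example, not 2nd Watch's tooling. BASELINE and CURRENT are constructed
snapshots standing in for what a cloud provider's configuration service would
return; remediate() rewrites the snapshot instead of calling a cloud API.
"""
from __future__ import annotations

import copy
from dataclasses import dataclass
from typing import Any

# Constructed secure baseline: the state each resource was deployed with.
BASELINE: dict[str, dict[str, Any]] = {
    "s3://phi-claims-archive": {
        "type": "s3_bucket", "sse_algorithm": "aws:kms",
        "block_public_access": True, "versioning": True, "access_logging": True,
    },
    "sg-0a1b2c3d": {"type": "security_group",
                    "ingress": [{"port": 443, "cidr": "10.0.0.0/8"}]},
    "i-0123456789abcdef0": {"type": "ec2_instance",
                            "imdsv2_required": True, "ebs_encrypted": True},
}

# Constructed snapshot taken later: someone opened the bucket, changed its
# encryption, added SSH-from-anywhere, relaxed IMDS, and created a security
# group outside the pipeline.
CURRENT: dict[str, dict[str, Any]] = {
    "s3://phi-claims-archive": {
        "type": "s3_bucket", "sse_algorithm": "AES256",
        "block_public_access": False, "versioning": True, "access_logging": True,
    },
    "sg-0a1b2c3d": {"type": "security_group",
                    "ingress": [{"port": 443, "cidr": "10.0.0.0/8"},
                                {"port": 22, "cidr": "0.0.0.0/0"}]},
    "i-0123456789abcdef0": {"type": "ec2_instance",
                            "imdsv2_required": False, "ebs_encrypted": True},
    "sg-deadbeef": {"type": "security_group",
                    "ingress": [{"port": 3389, "cidr": "0.0.0.0/0"}]},
}

# Attributes safe to snap back without approval. Encryption settings are
# excluded on purpose (re-keying can break readers); anything not listed
# here is escalated to a person instead of remediated.
AUTO_REMEDIATE = {"block_public_access", "access_logging", "versioning",
                  "ingress", "imdsv2_required"}


@dataclass
class Drift:
    resource: str
    attribute: str   # "<missing>" / "<unmanaged>" for whole-resource findings
    expected: Any
    actual: Any
    auto: bool       # True if remediate() may fix it without approval


def _rule_key(rule: dict[str, Any]) -> tuple[int, str]:
    return (rule["port"], rule["cidr"])


def detect_drift(baseline: dict, current: dict) -> list[Drift]:
    """Compare every baseline attribute against the live snapshot."""
    findings: list[Drift] = []
    for rid, desired in baseline.items():
        actual = current.get(rid)
        if actual is None:
            findings.append(Drift(rid, "<missing>", desired, None, False))
            continue
        for attr, want in desired.items():
            got = actual.get(attr)
            if attr == "ingress":   # rule lists compare order-insensitively
                same = sorted(map(_rule_key, want)) == sorted(map(_rule_key, got or []))
            else:
                same = got == want
            if not same:
                findings.append(Drift(rid, attr, want, got, attr in AUTO_REMEDIATE))
    # Resources that exist but were never declared are drift too.
    for rid in sorted(current.keys() - baseline.keys()):
        findings.append(Drift(rid, "<unmanaged>", None, current[rid], False))
    return findings


def remediate(current: dict, findings: list[Drift]) -> tuple[dict, list[Drift]]:
    """Snap auto-remediable attributes back to baseline; return the rest."""
    fixed = copy.deepcopy(current)
    escalated = [d for d in findings if not d.auto]
    for d in findings:
        if d.auto:
            fixed[d.resource][d.attribute] = copy.deepcopy(d.expected)
    return fixed, escalated


if __name__ == "__main__":
    found = detect_drift(BASELINE, CURRENT)
    for d in found:
        print(f"{'AUTO' if d.auto else 'ESCALATE':8} {d.resource} {d.attribute}: "
              f"expected {d.expected!r}, got {d.actual!r}")
    _, left = remediate(CURRENT, found)
    print(f"{len(found)} drifted, {len(found) - len(left)} fixed, {len(left)} escalated")
```

Running detect_drift a second time against the remediated snapshot is the check that matters: the only findings left should be the escalated ones, which is what an evidence-generating pipeline would record for the auditor.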
Use of Industry Leading Tools – for risk assessment, reporting, verification and remediation. Thwart future problems and provide evidence to stakeholders that the cloud environment is rock solid. Tools and verification components would include:
Risk register integration into tools
Future attestations, including those needed to support Business Associate Agreements (BAAs)
Audit evidence generation
Where do you go from here?
Your organization needs to innovate faster and drive value with the confidence of remaining in compliance. You need to get to a proactive state instead of being reactive. Consider an assessment to help you evaluate your organization’s place in the cloud journey and how the disparate forms of data in the organization are collected, controlled, processed, stored, and protected.
Start with an assessment that includes:
Identification of security gaps
Identification of foundational gaps
Managed service provider onboarding plan
A Phase Two (Foundational/Remediation) proposal and Statement of Work
About 2nd Watch
2nd Watch is a trusted and proven partner, providing deep skills and advisory to leading organizations for over a decade. We earned a client Net Promoter Score of 85, a good way of telling you that our customers nearly always recommend us to others. We can help your organization with cloud native solutions. We offer skills in the following areas:
Developing cloud first strategies
Migration of workloads to the cloud
Implementing automation for governance and security guardrails
Implementing compliance controls and processes
Pipelines for data, infrastructure and application deployment
You migrated your applications to the cloud for a reason. Now that you’re there, what’s next? How do you take advantage of your applications and data that reside in the cloud? What should you be thinking about in terms of security and compliance? In this first episode of a 5-part series, we discuss 5 strategies you should consider to maximize the value of being on the cloud. Listen now on Spotify, iTunes, iHeart Radio, Stitcher, or wherever you get your podcasts.
We’d love to hear from you! Email us at CloudCrunch@2ndwatch.com with comments, questions and ideas.
Now that you’ve migrated your applications to AWS, how can you take the value of being on the cloud to the next level? To provide guidance on next steps, here are 5 things you should consider to amplify the value of being on AWS.
The security processes and controls you put in place must meet the compliance standards required for your industry. Whether it’s GDPR, CCPA, or any other state, federal, or industry specific regulation, there are at least three things you need to do to meet the minimum requirements. Of course, each regulation comes with its unique conditions, but these are the first steps to take when moving toward a more secure and compliant environment.
1. Data discovery and data mapping
Most of the compliance standards today surround the data an organization collects from consumers. The first step to understanding your data, for both compliance and to inform decision making, is to discover and catalog all of your data across the sources in which it originates. In addition to data discovery, you need a process for data mapping as well. Data mapping records how the fields of one data set correspond to the fields of another, for example when data moves from one database to a second.
It’s important to have data flows so you know how your data gets to you, how it’s entered into various systems, what resources it hits, and where it finally ends up. Knowing, at every point, where your data lives is the key first step, regardless of which law you need to comply with.
A strict tagging strategy that is uniform and specific across departments aids in ongoing data mapping. Review your strategy regularly to make sure your teams are following it and it still works as expected with any advancements made in the data you’re collecting. You can also use the tools available through cloud providers to help with these governance tasks. Some recommended tools include Amazon Macie and AWS Config, as well as Azure Security Center.
2. Notification and purge mechanisms with identity validation and an audit trail
A person’s data belongs to them, regardless of which company holds it. In order to field data requests from consumers, you need to have some sort of notification mechanism that allows you to understand and deliver what the consumer wants. They may want to know what data you have and how it is being used. People may want to update inaccurate data or, depending on the regulations in your area, they may request that it be deleted.
In order to fulfil a consumer’s request to delete or update data, you need a purge mechanism. A purge mechanism clears data once such action has been approved. In order to complete any data request, you must first validate the identity of the requesting consumer.
While this step is necessary, there is not yet an industry gold standard for verifying a requester’s identity without collecting still more personal information in the process. Additionally, data requests need to be checked against any compliance exceptions that may complicate your ability to do what the consumer wants. You may need the data because the person is still using your services, or, depending on the compliance standards you adhere to, you may be required to maintain certain pieces of data for a set period of time.
Meeting consumer requests for data management can be tricky depending on the compliance standards in your location and industry. A proper audit trail that proves your best attempt at compliance is critical, should a lawsuit or formal complaint ever come your way. Hopefully all of these processes will be automated through machine learning one day, but for now, notification and purge mechanisms, identity validation, and a comprehensive audit trail are the most important factors in proving compliance.
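The notification, identity validation, retention exceptions, purge and audit trail described in this section, pulled together as an added example that is not 2nd Watch code. The records, subject ids, the HMAC signing key and the retention periods are all constructed assumptions; the identity check here is a signed token sent to the contact address on file, which proves control of that address rather than legal identity:

```python
"""Data-subject erasure request: identity check, retention exceptions,
purge, tamper-evident audit trail. Added example, not 2nd Watch code.
All records, ids, the signing key and the retention periods are
constructed assumptions for illustration."""
from __future__ import annotations

import hashlib
import hmac
import json

TOKEN_KEY = b"constructed-key-keep-the-real-one-in-a-secrets-manager"
TOKEN_TTL = 900   # seconds a verification link stays valid (assumption)
DAY = 86_400
# Constructed retention policy: record kinds kept for a period after last
# activity even when the subject asks for erasure.
RETAIN_DAYS = {"claim": 6 * 365}


def issue_token(subject_id: str, now: int) -> str:
    """Token sent to the contact address on file; proves control of it."""
    exp = now + TOKEN_TTL
    sig = hmac.new(TOKEN_KEY, f"{subject_id}:{exp}".encode(), hashlib.sha256).hexdigest()
    return f"{subject_id}:{exp}:{sig}"


def verify_token(token: str, subject_id: str, now: int) -> bool:
    try:
        sid, exp, sig = token.split(":")
    except ValueError:
        return False
    if sid != subject_id or int(exp) < now:
        return False
    want = hmac.new(TOKEN_KEY, f"{sid}:{exp}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(sig, want)   # constant-time compare


def retention_exception(rec: dict, now: int, active: set[str]) -> str | None:
    """Reason a record must be kept, or None if it may be purged."""
    if rec.get("legal_hold"):
        return "legal hold"
    if rec["kind"] == "account" and rec["subject"] in active:
        return "active service relationship"
    days = RETAIN_DAYS.get(rec["kind"])
    if days and now - rec["last_activity"] < days * DAY:
        return f"retention period ({days} days)"
    return None


class AuditLog:
    """Append-only, hash-chained. Entries carry record ids only, never the
    personal data itself, so the log can outlive the purged records."""

    def __init__(self) -> None:
        self.entries: list[dict] = []

    def append(self, event: dict) -> None:
        prev = self.entries[-1]["hash"] if self.entries else "0" * 64
        body = json.dumps(event, sort_keys=True)
        self.entries.append({"prev": prev, "event": event,
                             "hash": hashlib.sha256((prev + body).encode()).hexdigest()})

    def verify(self) -> bool:
        prev = "0" * 64
        for e in self.entries:
            body = json.dumps(e["event"], sort_keys=True)
            if e["prev"] != prev or hashlib.sha256((prev + body).encode()).hexdigest() != e["hash"]:
                return False
            prev = e["hash"]
        return True


def handle_erasure(store: list[dict], subject_id: str, token: str, now: int,
                   active: set[str], log: AuditLog) -> dict:
    """Purge what policy allows; log the outcome whether or not it succeeds."""
    if not verify_token(token, subject_id, now):
        log.append({"ts": now, "subject": subject_id, "action": "erasure",
                    "outcome": "rejected", "reason": "identity not verified"})
        return {"status": "rejected", "purged": [], "retained": {}}
    purged, retained, keep = [], {}, []
    for rec in store:
        if rec["subject"] != subject_id:
            keep.append(rec)
            continue
        why = retention_exception(rec, now, active)
        if why:
            retained[rec["id"]] = why
            keep.append(rec)
        else:
            purged.append(rec["id"])
    store[:] = keep   # in-place purge of the constructed store
    log.append({"ts": now, "subject": subject_id, "action": "erasure",
                "outcome": "completed", "purged": purged, "retained": retained})
    return {"status": "completed", "purged": purged, "retained": retained}


NOW = 1_700_000_000
STORE = [  # constructed records for two subjects
    {"id": "r0", "subject": "s-1001", "kind": "account", "last_activity": NOW - DAY},
    {"id": "r1", "subject": "s-1001", "kind": "profile", "last_activity": NOW - 10 * DAY},
    {"id": "r2", "subject": "s-1001", "kind": "claim", "last_activity": NOW - 400 * DAY},
    {"id": "r3", "subject": "s-1001", "kind": "marketing_prefs",
     "last_activity": NOW - 30 * DAY, "legal_hold": True},
    {"id": "r4", "subject": "s-1001", "kind": "claim", "last_activity": NOW - 7 * 365 * DAY},
    {"id": "r5", "subject": "s-2002", "kind": "profile", "last_activity": NOW},
]

if __name__ == "__main__":
    log, store = AuditLog(), [dict(r) for r in STORE]
    print(handle_erasure(store, "s-1001", issue_token("s-2002", NOW), NOW, {"s-1001"}, log))
    print(handle_erasure(store, "s-1001", issue_token("s-1001", NOW), NOW, {"s-1001"}, log))
    print("audit chain intact:", log.verify())
```

The rejected attempt is logged as deliberately as the completed one: an audit trail that only records successes cannot show a regulator that a spoofed request was turned away.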
Data is the life blood of most organizations and it needs to be protected. Simply put, encrypt everything, at rest and in transit. Additionally, make sure your identity and access management (IAM) policies are up to date. Among the most common vulnerabilities are problems with an organization’s IAM. There might be an abundance of keys spread across the business, or keys might not have been rotated regularly. Unauthorized employees might have admin credentials, or there’s no incident response policy in place.
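The IAM problems listed above (key sprawl, unrotated keys, admin credentials without safeguards) are exactly what a periodic credential audit should surface. The following is an added example, not 2nd Watch tooling, run over a constructed user inventory that loosely mirrors the fields an IAM credential report exposes; the key ids are placeholders and the 90-day rotation and 45-day stale thresholds are assumptions, not a standard:

```python
"""IAM credential hygiene audit over a constructed user inventory.
Added example, not 2nd Watch tooling. The inventory loosely mirrors the
fields an IAM credential report exposes; the thresholds are assumptions."""
from __future__ import annotations

from datetime import datetime, timedelta, timezone

MAX_KEY_AGE = timedelta(days=90)    # assumed rotation policy
STALE_AFTER = timedelta(days=45)    # assumed: unused this long -> disable
ADMIN_POLICIES = {"AdministratorAccess"}
NOW = datetime(2024, 3, 1, tzinfo=timezone.utc)


def _ago(days: int) -> datetime:
    return NOW - timedelta(days=days)


# Constructed inventory; key ids are placeholders, not real identifiers.
USERS = [
    {"user": "alice", "mfa": True, "policies": ["ReadOnlyAccess"],
     "keys": [{"id": "KEY-A1", "created": _ago(20), "last_used": _ago(1)}]},
    {"user": "bob", "mfa": False, "policies": ["AdministratorAccess"],
     "keys": [{"id": "KEY-B1", "created": _ago(400), "last_used": _ago(2)},
              {"id": "KEY-B2", "created": _ago(10), "last_used": None}]},
    {"user": "ci-deploy", "mfa": False, "policies": ["DeployPolicy"],
     "keys": [{"id": "KEY-C1", "created": _ago(200), "last_used": _ago(120)}]},
]


def audit(users: list[dict], now: datetime = NOW) -> list[dict]:
    """One finding per rule violation, highest severity first."""
    findings: list[dict] = []

    def flag(user: str, rule: str, severity: str, action: str, key: str | None = None) -> None:
        findings.append({"user": user, "key": key, "rule": rule,
                         "severity": severity, "action": action})

    for u in users:
        if ADMIN_POLICIES & set(u["policies"]) and not u["mfa"]:
            flag(u["user"], "admin_without_mfa", "high",
                 "enforce MFA or remove administrative policy")
        if len(u["keys"]) > 1:
            flag(u["user"], "multiple_active_keys", "low",
                 "two keys are for rotation windows only; retire the older one")
        for k in u["keys"]:
            if now - k["created"] > MAX_KEY_AGE:
                flag(u["user"], "key_not_rotated", "medium",
                     f"rotate; key is {(now - k['created']).days} days old", k["id"])
            # A never-used key is judged by its creation date, so a fresh
            # key created during a rotation window is not flagged as stale.
            last = k["last_used"] or k["created"]
            if now - last > STALE_AFTER:
                flag(u["user"], "stale_key", "medium",
                     "disable; no use within the stale window", k["id"])
    order = {"high": 0, "medium": 1, "low": 2}
    return sorted(findings, key=lambda f: (order[f["severity"]], f["user"], f["rule"]))


if __name__ == "__main__":
    for f in audit(USERS):
        print(f"[{f['severity']}] {f['user']} {f['key'] or ''} {f['rule']}: {f['action']}")
```

The same rules apply unchanged to service accounts such as ci-deploy, which is where unrotated keys tend to accumulate because nobody logs in interactively to notice them.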
If your data is breached, either by cyber attack or human error, you need a process to get servers back up and running again as soon as possible. You also need to preserve the evidence of the attack, or accidental deletion, in order to prevent a recurrence. Don’t assume your data is safe, instead, be ready to quickly recover from data loss.
While these three necessities are required for most compliance standards, there are certainly more you need to be following. Let 2nd Watch provide a prescriptive security roadmap to ensure compliance no matter where your business is going. You can also take advantage of our four-phased security assessment that runs an automated scan of your environment to identify vulnerabilities. Contact Us to make sure the next step you take in your cloud journey is a compliant one.
You migrated your applications to AWS for a reason. Maybe it was for the unlimited scalability, powerful computing capability, ease and flexibility of deployment, movement from CapEx to OpEx model, or maybe it was simply because the boss told you to. However you got there, you’re there. So, what’s next? How do you take advantage of your applications and data that reside in AWS? What should you be thinking about in terms of security and compliance? Here are 5 things you should consider in order to amplify the value of being on AWS:
Create competitive advantage from your AWS data
Accelerate application development
Increase the security of your AWS environment
Ensure cloud compliance
Reduce cloud spend without reducing application deployment
Create competitive advantage from your data
You have a wealth of information in the form of your AWS datasets. Finding patterns and insights not just within these datasets, but across all datasets is key to using data analysis to your advantage. You need a modern, cloud-native data lake.
Data lakes, though, can be difficult to implement and require specialized, focused knowledge of data architecture. Utilizing a cloud expert can help you architect and deploy a data lake geared toward your specific business needs, whether it’s making better-informed decisions, speeding up a process, reducing costs or something else altogether.
Download this datasheet to learn more about transforming your data analytics processes into a flexible, scalable data lake.
Accelerate application development
If you arrived at AWS to take advantage of the rapid deployment of infrastructure to support development, you understand the power of bringing applications to market faster. Now may be the time to fully immerse your company in a DevOps transformation.
A DevOps Transformation involves adopting a set of cultural values and organizational practices that improve business outcomes by increasing collaboration and feedback between business stakeholders, Development, QA, IT Operations, and Security. This includes an evolution of your company culture, automation and tooling, processes, collaboration, measurement systems, and organizational structure—in short, things that cannot be accomplished through automation alone.
How do you know if your AWS environment is truly secure? You don’t, unless you conduct a comprehensive security assessment of your AWS environment that measures your environment against the latest industry standards and best practices. This type of review provides a list of vulnerabilities and actionable remediations, an evaluation of your Incident Response Policy, and a comprehensive consultation on the system issues that are causing these vulnerabilities.
Deploying and managing cloud infrastructure requires new skills, software and management to maintain regulatory compliance within your organization. Without the proper governance in place, organizations can be exposed to security vulnerabilities and potentially compromise confidential information.
A partner like 2nd Watch can be a great resource in this area. The 2nd Watch Compliance Assessment and Remediation service is designed to evaluate, monitor, auto-remediate, and report on compliance of your cloud infrastructure, assessing industry standard policies including CIS, GDPR, HIPAA, NIST, PCI DSS, and SOC 2.
Reduce cloud spend without reducing application deployment
Need to get control of your cloud spend without reducing the value that cloud brings to your business? This is a common discussion we have with clients. To reduce your cloud spend without decreasing the benefits of your cloud environment, we recommend examining the Pillars of Cloud Cost Optimization to prevent over-expenditure and wasted investment. The pillars include:
Auto-parking and on-demand services
Instance family / VM type refresh
For organizations that incorporate cloud cost optimization into their cloud infrastructure management, significant savings can be found, especially in larger organizations with considerable cloud spend.
After you’ve migrated to AWS, the next logical step in ensuring IT satisfies corporate business objectives is knowing what’s next for your organization in the cloud. Moving to the cloud was the right decision then and can remain the right decision going forward. Implement any of the five recommendations and accelerate your organization forward.
-Michael Elliott, Sr Director of Product Marketing