Healthcare Data Privacy on the Cloud (AKA How can we use a public cloud for patient health records?) - PowerPoint PPT Presentation



SLIDE 1

kunwadee (AT) nectec.or.th

Healthcare Data Privacy on the Cloud (AKA How can we use a public cloud for patient health records?)

Kunwadee Sripanidkulchai, Ph.D. Head of Healthcare Systems and Data Analytics Lab (HDA), NECTEC

SLIDE 2

Around 2011, we started this massive healthcare data project...

[Diagram: Health Information Exchange and Data Analytics Platform: a cloud-based Data Analytics and Health Records SaaS connected to the Electronic Health Records of Hospital A, Hospital B and Hospital C]

SLIDE 3

Motivation for using a public cloud as the underlying infrastructure for a new SaaS offering

  • Lower barrier to deployment
  • Easier to implement
  • Rapid elasticity and auto-scaling
  • High availability
  • Data durability (automatic replication)
  • Backups
  • Future-proof approach through automatic patching and upgrade of the hardware, OS and platform services

SLIDE 4

Public Cloud Show-Stoppers

  • Most popular question: Will the data be private?
  • Caveats (in Thailand’s case):
    • Cloud location
    • Legal implications for location of data storage
    • Network performance
    • Cost

SLIDE 5

For the rest of this talk

  • Focus on the privacy of data
  • Assume that the cloud provider implements and ensures best practices in infrastructure security
  • Assume we implement best practices in application-level security

SLIDE 6

My users’ worst nightmares

Is deleted data really deleted? http://alestic.com/2009/09/ec2-public-ebs-danger


Remediation: Cloud user must perform secure delete

Source: wikipedia

SLIDE 9

So secure delete will work for files or instances that I terminate myself...

  • What about deleted database records?
  • What about data on instances that are auto-scaled? What happens when they crash or when the provider terminates them?
  • What about data on “durable” data replicas that the provider automatically creates for me? What happens when they crash or when the provider terminates them?

Source: wikipedia


Remediation: Data encryption.

SLIDE 12

What about other types of breaches?

  • Heartbleed (SSL) may have exposed sensitive account information
  • Amazon Cross-Site Scripting (XSS) bug
  • VENOM (qemu) and other possible cross-VM side channels

Source: Crowdstrike


Remediation: Data encryption.


SLIDE 14

Encryption sounds easy enough, but is it?

  • Search over encrypted data
  • Key management (preferably outside the public cloud)
  • Manage application user access to data (preferably outside the public cloud)


Remediation: Encryption and decryption of data off the cloud!

Source: wikipedia

SLIDE 17

Implications of off-cloud encryption

  • The cloud must only see and use encrypted data at any point in time, thus data must be encrypted and decrypted off the public cloud
  • We must run application servers to support encryption and decryption off the public cloud
  • Application servers that are off the public cloud no longer benefit from high availability, auto-scaling, and back-ups offered by the public cloud

[Diagram: Simplified implementation: Key management, Application servers]
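Added example (not code from the talk or from NECTEC's platform) in Go, covering the "search over encrypted data" and "key management outside the public cloud" bullets of slide 14 and the off-cloud encrypt/decrypt split of slide 17: the off-cloud application server holds an AES-GCM data key and an HMAC key, and the cloud-side table receives only an HMAC blind index of the patient ID plus ciphertext, so equality lookups by patient ID still work while the cloud never sees the ID or the record. The key values, the record format and the in-memory CloudStore are constructed for the demo.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
)
// OffCloudKeys lives only on the off-cloud application server; the public cloud never sees it.
type OffCloudKeys struct {
	aead     cipher.AEAD // AES-256-GCM for record contents
	indexKey []byte      // HMAC key for the blind index
}
// Sealed is the per-record blob the cloud stores; CloudStore models the cloud-side table.
type Sealed struct{ Nonce, Ciphertext []byte }
type CloudStore map[string]Sealed
// NewOffCloudKeys takes a 32-byte AES key and an HMAC key (both constructed by the caller).
func NewOffCloudKeys(dataKey, indexKey []byte) (*OffCloudKeys, error) {
	block, err := aes.NewCipher(dataKey)
	if err != nil {
		return nil, err
	}
	aead, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return &OffCloudKeys{aead, indexKey}, nil
}
// BlindIndex is an HMAC of the patient ID: the cloud can match equal IDs without learning them.
func (k *OffCloudKeys) BlindIndex(patientID string) string {
	m := hmac.New(sha256.New, k.indexKey)
	m.Write([]byte(patientID))
	return hex.EncodeToString(m.Sum(nil))
}
// StoreRecord encrypts off-cloud (patient ID bound as AAD) and uploads only ciphertext.
func (k *OffCloudKeys) StoreRecord(cloud CloudStore, patientID string, record []byte) error {
	nonce := make([]byte, k.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return err
	}
	cloud[k.BlindIndex(patientID)] = Sealed{nonce, k.aead.Seal(nil, nonce, record, []byte(patientID))}
	return nil
}
// FetchRecord looks up the blind index in the cloud and decrypts off-cloud.
func (k *OffCloudKeys) FetchRecord(cloud CloudStore, patientID string) ([]byte, error) {
	if s, ok := cloud[k.BlindIndex(patientID)]; ok {
		return k.aead.Open(nil, s.Nonce, s.Ciphertext, []byte(patientID))
	}
	return nil, errors.New("no record for patient")
}
```

The blind index only supports exact-match lookups under the same index key; range or substring search over the encrypted records still has to happen off the cloud after decryption.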

SLIDE 18

Summary

  • We can use the public cloud to store encrypted data that will support data privacy, as long as we have an infrastructure off the cloud that performs all encryption, decryption, and key management
  • We lose the benefits of cloud computing, as the encrypt/decrypt computation infrastructure and the key management infrastructure need to be off the cloud
    • No auto-scaling
    • No high-availability
    • No automated backups
  • We are left to implement these features in our own private cloud.