
Secure Your SaaS – Ep 334 

 December 10, 2021

By  Donna Grindle

SaaS continues to grow as a popular way to deploy business applications. It is crucial for businesses to understand what data they are storing in their SaaS cloud applications and how to protect it from data breaches. So, listen to us discuss securing your SaaS.

A 5 star review is all we ask from our listeners.

In this episode:


Today’s Episode is brought to you by:

Kardon

and

HIPAA for MSPs with Security First IT

 Subscribe on Apple Podcast. Share us on Social Media. Rate us wherever you find the opportunity. 

Upcoming Events:

The HIPAA Boot Camp Virtual Edition Feb 22-24, 2022

Sign up now.

The Privacy and Security Boot Camp

3.5 day In Person Event

Sep 12, 13, 14 and 15

More details coming soon…

Learn about offerings from the Kardon Club

and HIPAA for MSPs!

Share Help Me With HIPAA with one person this week!

Thanks to our donors. We appreciate your support!

If you would like to donate to the cause you can do that at HelpMeWithHIPAA.com

Like us and leave a review on our Facebook page: www.Facebook.com/HelpMeWithHIPAA

If you see a couple of numbers on the left side you can click that and go directly to that part of the audio. Get the best of both worlds from the show notes to the audio and back!


HIPAA Say What!?!

[10:35] Today, we have two things to mention during this segment.

First, HC3 (Health Sector Cybersecurity Coordination Center) recently published an explanation of zero-day attacks and how heavily they are being used, especially against the Health and Public Health (HPH) sector. It is good information and well worth reading.

Zero Day Attacks – 11/18/2021

So, keep your guard up. Criminals love to send tons of phishing emails to try to entice you to click on their malicious links. Don’t forget about your phones. Criminals send text messages and try to have you download their infected apps. Any data on your phones, including PHI if you use it for work, could be compromised by these scams.

——

This next one is definitely a “HIPAA Say What!?!” We’ve said many times before that you can be criminally liable for some HIPAA violations. At the top tier, you can go to jail for up to 10 years and pay a fine of up to $250,000. Snooping is one of the violations that can fall under the criminal side because there is typically malicious intent behind viewing patient records you shouldn’t.

Case in point: a hospital in New York just announced a data breach and notified about 13,000 patients that a night shift employee improperly accessed electronic medical records. Apparently, there was no role-based authorization in place between October 2018 and February 2019, when the access happened. The night shift employee was suspended, then later terminated. But the hospital also notified law enforcement. It’s not clear what prompted that, but typically you bring in law enforcement because there was malicious intent. This has resulted in the individual being criminally charged. If you’re not a lookin’, trouble might be a cookin’.

Huntington Hospital – Notice of Unauthorized Access to Personal Information

The hospital cooperated with the law enforcement investigation, which included following instructions to delay notifying any patients who were potentially impacted by this incident through November 2021. The law enforcement investigation resulted in the former employee being charged with a criminal HIPAA violation.

Secure Your SaaS

[17:36] I saw an article recently that talked about how security frameworks (NIST, HIPAA, ISO, etc.) can’t keep up with the changes in cybersecurity. We always say that security frameworks should be treated the way we treat HIPAA: it is not a check-the-box exercise, and you don’t use it that way. You do an assessment of your risk and identify all the things you need to worry about. Then, whether or not it’s listed in the framework, you determine whether you are handling that risk.

So, what is the threat? How big is it? What should I do about it?

When Will Security Frameworks Catch Up With the New Cybersecurity Normal?

Now, what about SaaS (software as a service), i.e., applications you use that reside in the cloud? For those of you who think you don’t have to worry about HIPAA or security because you use an app in the cloud… WRONG!

SaaS is great in some cases. Basically, you are outsourcing some of the tasks or management steps that need to be done. But just because your EHR is in the cloud doesn’t mean the EHR vendor is “doing HIPAA” for you. HIPAA compliance and securing your data are a shared responsibility.

The catch with SaaS is that, for the problems it solves, it creates other issues. When you move an application to the cloud, and even get a BAA with the vendor, you still have to perform the steps to set up the platform so that it is properly securing your data. Shared responsibility. It is up to you, or your IT vendor, to make sure you are on the correct platform or plan with the SaaS vendor and that it is configured properly.

The good thing about SaaS apps is that some of the security features are handled by someone else, but:

  1. You need to make sure that they actually are handled, because not all apps are the same.
  2. You need to know where the line is between what their responsibilities are and what yours are.
  3. You need to build your security protocols, audits and controls around those cloud apps instead of around how you did it on the server before.

[23:52] Now, the two big SaaS apps that businesses generally adopt, aside from their core business applications, are Microsoft 365 and Google Workspace. Both can be secured and used in a HIPAA compliant manner.

Below are some links to Microsoft 365 and Google Workspace tools and guides that can help you confirm you are doing what you are supposed to be doing. Both SaaS apps have these capabilities; they just have different ways of setting them up. Don’t assume these controls are set up automatically for you. You should know what they are. It’s important to define your controls in your SaaS environment just like you define controls in your local environment.

Microsoft 365

Microsoft 365 auditing solutions – Microsoft 365 Compliance

Microsoft 365 compliance documentation

Google Workspace

Google Workspace security whitepaper

AWS

[30:56] A lot of businesses use Amazon Web Services (AWS) to develop and/or host applications. We hear all the time from a business’s IT vendor, “You don’t have to worry about us, we are on AWS.” That’s a “shake our heads” moment for us. Just because you are on the AWS platform does not make all your troubles go away.

The cool thing about AWS is that they have a page (link below) that says, right up front, that this is a shared responsibility model. They include a really nice chart that shows what is Amazon’s responsibility and what is the customer’s responsibility. At the top of the list it says that Customer Data is the customer’s responsibility, meaning it is on you or your IT vendor who you entrust to set the AWS platform up properly for you.

Shared Responsibility Model – Amazon Web Services (AWS)

AWS has a lot of options to help you make sure you have what you need to properly secure your connection and your data. So, when you use AWS you should be able to show how you addressed the shared responsibility model.

Other Common SaaS Apps

[34:20] EHRs

It used to be commonplace to hear practices say, or even EHR sales reps claim, that by moving your EHR to the cloud you don’t have to do HIPAA anymore. WRONG! The practice still has to set up the EHR’s security features properly and control the level of access staff have within the EHR. There are so many other things you have to worry about from a privacy, security and HIPAA perspective.

Accounting Apps

QuickBooks Online, Xero, FreshBooks, etc. are all SaaS apps. They can contain information that can be tied to PHI, and especially confidential information that helps keep your business up and running. So, you will want to evaluate the features of these apps and make sure you properly secure them. And, of course, get a BAA with the vendor if needed.

Sidebar: A huge value of using SaaS apps is that you can connect them using APIs (application programming interfaces). But when you do this to set up some cool automations between apps, keep in mind that you have created another exposure that has to be managed and another risk that has to be assessed: the API keys or tokens that link the apps are credentials too. These things are often forgotten about.

RMMs

Many MSPs, and some internal IT teams, use a remote monitoring and management tool (RMM), a software agent installed primarily on workstations and servers. The agent reports back to the RMM server and provides all kinds of data so that the MSP can monitor and manage the system. Basically, the tool lets the MSP see that software needs to be updated, that the computer needs to be rebooted, or that there was an error in a system log that needs to be addressed. This all happens behind the scenes and allows the MSP to manage your system remotely.

This is also a scary thing. The problem is that the RMM software has the ability to fully control your computers. As IT folks, we are there to help you, and we have to have full control in order to do so. So, these RMM tools need to be secured against internal threats as well as external ones. If a bad guy is able to get into your MSP’s RMM, they now have access to every single client network that the MSP manages. And that is a bad, bad day! There are ways a business can limit its exposure to this type of attack through its MSP, but those aren’t ideal either.

RATs

[45:05] Along the same lines are remote access tools (RATs), apps that let you connect to your computer in the office while you work remotely. It is alarming how many businesses we see that are still using old, outdated RATs. The most common ones include LogMeIn, TeamViewer, Splashtop, VNC, ScreenConnect/ConnectWise Control, Remote Desktop Protocol (RDP), etc. These tools need to be updated to the latest versions and NOT configured to be publicly available.
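One way to check the “not publicly available” part on a Linux host is to look at what is actually listening. The script below is an added example written for these show notes, not a tool from the show or from any of the vendors named above. It parses the output of `ss -tlnp` and flags RDP (3389) and VNC (5900-5999) listeners bound to anything other than loopback. The port list and the sample `ss` output are constructed for the example; adjust them for the tools you run. Cloud-relayed tools such as LogMeIn and TeamViewer make outbound connections and will not show up here, so review those in the vendor console instead.

```python
import ipaddress
import re
from typing import NamedTuple

# Ports for remote-access tools that accept inbound connections directly.
# 3389 is RDP; 5900-5999 is the VNC display range. This list is an assumption
# for the example; extend it for whatever your environment actually runs.
REMOTE_ACCESS_PORTS = {3389: "RDP"} | {p: "VNC" for p in range(5900, 6000)}

# Constructed `ss -tlnp` output for the example (not from a real host).
SAMPLE_SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=812,fd=3))
LISTEN 0      5      127.0.0.1:5900      0.0.0.0:*         users:(("x11vnc",pid=2211,fd=4))
LISTEN 0      128    0.0.0.0:5901        0.0.0.0:*         users:(("Xvnc",pid=2300,fd=6))
LISTEN 0      128    *:3389              *:*               users:(("xrdp",pid=1507,fd=11))
LISTEN 0      128    [::]:8080           [::]:*            users:(("python3",pid=4000,fd=3))
"""


class Listener(NamedTuple):
    addr: str
    port: int
    process: str


# ss prints "addr:port"; IPv6 addresses are bracketed and "*" means any address.
_ADDR_RE = re.compile(r"^(?:\[(?P<v6>[^\]]*)\]|(?P<v4>[^:]+)):(?P<port>\d+)$")
_PROC_RE = re.compile(r'users:\(\("([^"]+)"')


def parse_ss_listeners(text: str) -> list[Listener]:
    """Parse `ss -tlnp` output (header included) into Listener records."""
    listeners = []
    for line in text.splitlines()[1:]:  # skip the column header
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        m = _ADDR_RE.match(fields[3])
        if not m:
            continue
        addr = m.group("v6") if m.group("v6") is not None else m.group("v4")
        proc = _PROC_RE.search(line)
        listeners.append(Listener(addr, int(m.group("port")), proc.group(1) if proc else "?"))
    return listeners


def reachable_beyond_loopback(addr: str) -> bool:
    """True when other hosts could connect: wildcard, unspecified, or a LAN-facing address."""
    if addr == "*":
        return True
    try:
        return not ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False


def exposed_remote_access(ss_text: str) -> list[str]:
    """Return one finding per remote-access listener that is not confined to loopback.

    A bind on all interfaces is not proof the port is reachable from the internet
    (a firewall or NAT may still block it), but it is the first thing to verify.
    """
    findings = []
    for lst in parse_ss_listeners(ss_text):
        tool = REMOTE_ACCESS_PORTS.get(lst.port)
        if tool and reachable_beyond_loopback(lst.addr):
            findings.append(f"{tool} ({lst.process}) on {lst.addr}:{lst.port} is reachable beyond loopback")
    return findings


if __name__ == "__main__":
    for finding in exposed_remote_access(SAMPLE_SS_OUTPUT):
        print(finding)
```

Run it against live output with `ss -tlnp | python3 check_rat.py` after swapping the sample for `sys.stdin.read()`. On Windows, the equivalent raw data comes from `netstat -ano`, and the real test of “publicly available” is an external port scan from outside the office network, which this local check cannot replace.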

There are many apps out there today that have a local version of the software installed on your computer that connects to the SaaS app. They allow you to do things locally on your computer, even when you aren’t connected to the internet, and it syncs your work to the SaaS cloud app. These too need to be kept up to date.

Social Media

All social media apps are SaaS apps. Most businesses around the world have a social media presence, and many couldn’t do what they do without one. It’s used as a marketing platform or a customer connection platform. Those accounts need to be secured as well. You don’t want your social media account taken over and run by someone else; you never know what they may put out there. You should make sure your personal, individual social media accounts are secure too.

Cover your SaaS

[51:06] When we talk about security, what security features should you have in place?

  1. Use multi-factor authentication (MFA) everywhere you can. Most platforms offer this security feature. Turn it on. Use it. If they offer you multiple ways to do MFA, you should use an Authenticator app (such as Google Authenticator, Microsoft Authenticator, LastPass Authenticator etc.). Do not choose to use the SMS or email version of MFA unless that is your only option.   Pro tip: If you use an app on your phone for MFA, before you go and wipe that phone, you better back up that app or you are in for a lot of work.
  2. Least privilege. Don’t give everybody rights to do everything. Security is not supposed to be convenient.
  3. Logging. Make sure you are logging things in your apps. Turn on the app’s logging features.
  4. Auditing. Make sure you perform routine audits of app logs and access privileges.
  5. Data Loss Prevention (DLP). DLP is a way to ensure that sensitive data is not lost, misused, or accessed by unauthorized users. For example, if you send an email and it looks like you might have entered a SSN in it, it stops the sending of the email and makes you clarify this is intended.
  6. Don’t skimp on licenses to a SaaS app. Don’t pay for only one license and hand it to everybody because you don’t want to pay for multiple licenses. A shared login defeats the unique user identification the HIPAA Security Rule requires (45 CFR 164.312(a)(2)(i)), so you can no longer tell who did what in the app.
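To make the checklist concrete, here is an added example, written for these show notes and not code from the show or from any SaaS vendor, that turns items 1, 2, 4 and 6 into an account review and item 5 into a pre-send DLP check. It runs over a constructed user export and login list whose field names (`user`, `role`, `mfa`, `last_login`, `device`) are assumptions; map them to whatever your admin console or API actually exports. The SSN detector applies the SSA structural rules (area never 000, 666 or 900-999; group never 00; serial never 0000) so that phone numbers and dates are not flagged.

```python
import re
from collections import defaultdict
from datetime import date

# Constructed sample export (field names are assumptions for this example).
USERS = [
    {"user": "dr.smith@example-clinic.test", "role": "admin", "mfa": "authenticator", "last_login": "2021-12-08"},
    {"user": "frontdesk@example-clinic.test", "role": "user", "mfa": "none", "last_login": "2021-12-09"},
    {"user": "billing@example-clinic.test", "role": "admin", "mfa": "sms", "last_login": "2021-12-07"},
    {"user": "old.tech@example-clinic.test", "role": "admin", "mfa": "authenticator", "last_login": "2021-06-01"},
]

# Constructed login events: one login identifier seen from five workstations
# in the review window is the signature of a shared license.
LOGINS = [
    {"user": "dr.smith@example-clinic.test", "device": "WS-01"},
    {"user": "billing@example-clinic.test", "device": "WS-02"},
] + [{"user": "frontdesk@example-clinic.test", "device": f"WS-{n:02d}"} for n in range(3, 8)]


def audit_accounts(users, logins, today, stale_days=90, max_devices=3) -> list[str]:
    """Return one finding per control gap: MFA, admin least privilege, stale access, shared logins."""
    devices = defaultdict(set)
    for ev in logins:
        devices[ev["user"]].add(ev["device"])
    findings = []
    for u in users:
        name, mfa = u["user"], u["mfa"]
        if mfa == "none":
            findings.append(f"{name}: MFA not enabled")
        elif mfa in ("sms", "email"):
            findings.append(f"{name}: MFA uses {mfa}; move to an authenticator app")
        if u["role"] == "admin" and mfa != "authenticator":
            findings.append(f"{name}: admin role without authenticator MFA")
        idle = (today - date.fromisoformat(u["last_login"])).days
        if idle > stale_days:
            findings.append(f"{name}: no login in {idle} days; disable or remove")
        if len(devices[name]) > max_devices:
            findings.append(f"{name}: seen from {len(devices[name])} devices; possible shared login")
    return findings


# 3-2-4 digit groups, optional dash or space, not embedded in a longer number.
_SSN_RE = re.compile(r"(?<!\d)(\d{3})[- ]?(\d{2})[- ]?(\d{4})(?!\d)")


def _valid_ssn_structure(area: str, group: str, serial: str) -> bool:
    """SSA issuance rules: area not 000/666/900+, group not 00, serial not 0000."""
    a = int(area)
    return a not in (0, 666) and a < 900 and int(group) != 0 and int(serial) != 0


def find_ssns(text: str) -> list[str]:
    """Return the SSN-looking strings in text, masked to the last four digits."""
    return [f"***-**-{m.group(3)}" for m in _SSN_RE.finditer(text) if _valid_ssn_structure(*m.groups())]


def dlp_should_block(subject: str, body: str) -> tuple[bool, list[str]]:
    """Mirror the DLP behaviour in item 5: block the send and report what tripped it."""
    hits = find_ssns(subject + "\n" + body)
    return (len(hits) > 0, hits)


if __name__ == "__main__":
    for f in audit_accounts(USERS, LOGINS, date(2021, 12, 10)):
        print("ACCOUNT:", f)
    blocked, hits = dlp_should_block("Claim follow-up", "Patient SSN is 123-45-6789, call 555-123-4567.")
    print("DLP block:", blocked, hits)
```

The thresholds (90 idle days, more than three devices) are starting points, not rules from the page; set them from your own risk analysis. The masking in `find_ssns` matters because the DLP finding itself ends up in a log, and a log full of full SSNs is just another place PHI can leak.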

Every installed application on your computer comes with vulnerabilities. Every single piece of software has risks. Understand that moving your app to the cloud doesn’t remove that risk. You still have to properly configure and secure the SaaS application, you still have to do the monitoring, and you still have to manage the cloud app. So, get out there and secure your SaaS!

Remember to follow us and share us on your favorite social media site. Rate us on your podcasting apps, we need your help to keep spreading the word. As always, send in your questions and ideas!

HIPAA is not about compliance,

it’s about patient care.™

Special thanks to our sponsors Security First IT and Kardon.

 

HelpMeWithHIPAA.com Is A
Collaborative Project

Created & Sponsored By: