

CSA Guidance on Adhering to Privacy and Security Protocols for Telehealth Data in the Cloud


The Cloud Security Alliance (CSA) has published guidance on adhering to privacy and security protocols for telehealth data in the cloud. It is a fairly short, easy-to-read document...



・2020.06.18 Cloud Security Alliance Offers Guidance on Adhering to Privacy, Security Protocols for Telehealth Data in the Cloud


Telehealth data in the cloud [PDF]


Table of Contents

Privacy Concerns
Security Concerns
Incident Response and Management
Maintaining a Continuous Monitoring Program


Privacy Concerns

1. Does the telehealth provider (TP) describe the purpose(s) for which PHI is collected, used, maintained, and shared in its privacy notices?

2. Does the TP have, disseminate, and implement operational privacy policies and procedures that govern the appropriate privacy and security controls for programs, information systems, or technologies involving PHI?

3. Has the TP conducted a privacy impact assessment, and are they willing to share it?

4. Does the HDO have privacy roles, responsibilities, and access requirements for contractors and service providers?

5. Does the TP monitor and audit privacy controls and internal privacy policies to ensure effective implementation?

6. Does the TP design information systems to support privacy by automating privacy controls?

7. Does the TP maintain an accurate accounting of disclosures of information held in each system of records under its control, including:

 a. Date, nature, and purpose of each disclosure of a record;

 b. Name and address of the person or organization to which the disclosure was made; and

 c. The identity of who authorized the disclosure.

8. Does the TP document processes to ensure the integrity of PHI through existing security controls?

9. Does the TP identify the minimum PHI elements relevant and necessary to accomplish the legally authorized purpose of collection?

10. Does the TP provide means for individuals to authorize the collection, use, maintenance, and sharing of PHI before its collection?

11. Does the TP have a process for receiving and responding to complaints, concerns, or questions from individuals about organizational privacy practices?

12. Does the TP provide sufficient notice to the public and to individuals regarding its activities that impact privacy, including its collection, use, sharing, safeguarding, maintenance, and disposal of PHI?

13. Does the TP share PHI externally?



1. Does the service provider’s service-level agreement (SLA) clearly define how the service provider protects the confidentiality, integrity, and availability of all customer information?

2. Does the service provider’s SLA specify that the HDO will retain ownership of its data?

3. Will the service provider use the data for any purpose other than service delivery?

4. Is the service provider’s service dependent on any third-party stakeholders?


1. Does the cloud service provider allow the HDO to directly audit the implementation and management of the security measures in place to protect the service and the data it holds?

2. Will the service provider allow the HDO to review recent audit reports thoroughly?

3. Is the service provider HIPAA compliant?

4. Does the service provider comply with the GDPR?



1. Authentication and Access Control

 a. Does the HDO have an identity management strategy that supports the adoption of cloud services?

 b. Is there an effective internal process that ensures that identities are managed and protected throughout their lifecycles?

 c. Is there an effective audit process to ensure that user accounts are appropriately managed and protected? Does the service provider meet those control requirements?

 d. Are all passwords encrypted, especially those of system/service administrators?

 e. Is multi-factor authentication required, and, if so, is it available?

 f. Do authentication and access control extend to devices?

2. Multi-Tenancy

 g. Will the service provider allow the HDO to review a recent third-party audit report that includes an assessment of the security controls and practices related to virtualization and separation of customer data?

 h. Do the service provider’s customer registration processes provide an appropriate level of assurance based on the criticality and sensitivity of the information in the cloud service?

3. Patch and Vulnerability Management

 i. Is the service provider responsible for patching all components that make up the cloud service?

 j. Does the service provider’s SLA include service levels for patch and vulnerability management that comprise a defined maximum exposure window?

 k. Does the HDO currently have an effective patch and vulnerability management process?

 l. Will the service provider allow the HDO to perform regular vulnerability assessments?

4. Encryption

 m. Does the service provider encrypt the information placed in the cloud service for both data at rest and in transit?

 n. Does the cloud service use only approved encryption protocols and algorithms (as defined in Federal Information Processing Standards 140-2)?

 o. Which party is responsible for managing the cryptographic keys?

 p. Are there separate keys for each customer?

5. Data Persistence

 q. Does the service provider have an auditable process for the secure sanitization of storage media before it is made available to another customer?

 r. Does the service provider have an auditable process for safe disposal or destruction of equipment and storage media (e.g., hard disk drives and backup tapes) containing customer data?


1. Does the service provider provide data backup or archiving services as part of their standard service offering to protect against data loss or corruption?

2. How are data backup and archiving services provided?

3. Does the data backup or archiving service adhere to business requirements related to protection against data loss?

4. What level of granularity does the service provider offer for data restoration?

5. Does the service provider regularly perform test restores to ensure that data is recoverable from backup media?



1. Does the SLA include an expected and minimum availability performance percentage over a clearly defined period?

2. Does the SLA include defined, scheduled outage windows?

3. Does the service provider utilize protocols and technologies that can protect against distributed denial-of-service (DDoS) attacks?

4. Do the network services directly managed or subscribed to by the HDO provide sufficient levels of availability?

5. Do the network services directly managed or subscribed to by the HDO provide an adequate level of redundancy/fault tolerance?

6. Do the network services directly managed or subscribed to by the HDO provide an adequate level of bandwidth?

7. Is the latency between the HDO network(s) and the service provider’s service at levels acceptable to achieve the desired user experience?


Incident Response and Management

1. Does the service provider have a formal incident response and management process with plans that clearly define how they detect and respond to information security incidents?

2. Does the service provider test and refine its incident response and management process and plans regularly?

3. Does the service provider’s SLA clearly define the support they will provide to the HDO should an information security incident arise?

4. Does the service provider furnish enough information to enable the HDO to cooperate effectively with an investigation by a regulatory body?

5. Does the service provider’s incident response plan clearly define reporting requirements to meet regulatory requirements?




