Healthcare is no stranger to security frameworks that can help provider organizations get their arms around sprawling and detailed infosec challenges through concrete checklists and sets of best practices. They’re hugely helpful, even if far too few providers make use of them.
For one of its most recent data security products, Amazon Web Services made sure to check in with one of the most trusted frameworks, the NIST Cybersecurity Framework.
Its core principles – identify, protect, detect, respond and recover – have helped AWS engineers be “sure we have coverage across those functions in terms of our security best practices,” said Ely Kahn, principal product manager at AWS Security Hub.
Kahn was speaking during a session this past week at AWS Summit Online, a virtual event designed to help developers and end users get up-close looks at new products and services from analytics and AI/machine learning to databases, networking and storage.
He was describing the AWS Foundational Security Best Practices standard, a newish AWS Security Hub feature that can help healthcare and other organizations automate the monitoring of their own security posture – detecting and alerting IT and security teams when their resources aren’t deployed consistently with an evolving and expanding list of best practices.
The AWS Security Hub exists as a way to offer comprehensive visibility into the many tools – endpoint protection, firewalls, identity and access management, and vulnerability scanners – deployed by hospitals and health systems.
“Organizations have a bunch of different security tools. Using them individually as point solutions, they’re much less effective than using them in combination,” said Kahn. “Ultimately that’s what we’re trying to do with Security Hub – uniting your security tools to give you visibility and improve your security across your AWS workloads.”
The challenge is that, with potentially thousands of security alerts every day, security teams have to have visibility into myriad tools to stay on top of them all.
The Foundational Security Best Practices standard, first launched back in April, aims to help automate some of the key tools that can help ensure a robust cybersecurity posture.
The tool traces its roots to a list of Top 10 key areas of security focus for AWS customers, developed recently by AWS Chief Information Security Officer Steve Schmidt.
- Accurate account information.
- Use multi-factor authentication.
- No hard-coding secrets.
- Limit security groups.
- Intentional data policies.
- Centralize CloudTrail logs.
- Validate IAM roles.
- Rotate keys.
- Be involved in the dev cycle.
The list was based on real-world evidence, Kahn explained. “We had analysts go through all the major security incidents that our professional services and security teams had responded to … based on the analysis of the root causes of those incidents,” he said.
The AWS Foundational Security Best Practices standard can help hospitals by offering a set of automated checks that can alert IT and security staff when AWS accounts and other deployed resources aren’t in line with those and other security best practices.
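To make concrete what an “automated check” against those items looks like, here is an added illustration (not AWS or Security Hub code) that evaluates a constructed account snapshot against four of the Top 10 items listed above: MFA, key rotation, security-group exposure and CloudTrail centralization. The snapshot layout, the 90-day rotation threshold and the set of ports allowed to be world-open are assumptions for this example.

```python
# Added example, not AWS code: a minimal posture checker over a constructed
# account snapshot. Each check returns the controls a resource fails.

SNAPSHOT = {  # constructed sample data, not from a real account
    "users": [
        {"name": "alice", "mfa": True,  "key_ages_days": [12]},
        {"name": "bob",   "mfa": False, "key_ages_days": [140, 3]},
    ],
    "security_groups": [
        {"id": "sg-web", "ingress": [("0.0.0.0/0", 443)]},
        {"id": "sg-db",  "ingress": [("0.0.0.0/0", 5432), ("10.0.0.0/8", 5432)]},
    ],
    "cloudtrail": {"multi_region": True, "central_bucket": None},
}
KEY_MAX_AGE_DAYS = 90          # assumed rotation threshold
PUBLIC_OK_PORTS = {80, 443}    # assumed: only web ports may be world-reachable

def check_mfa(snap):
    return [("Use multi-factor authentication", u["name"], "FAILED")
            for u in snap["users"] if not u["mfa"]]

def check_key_rotation(snap):
    return [("Rotate keys", u["name"], "FAILED")
            for u in snap["users"]
            if any(age > KEY_MAX_AGE_DAYS for age in u["key_ages_days"])]

def check_security_groups(snap):
    # Flag any group that opens a non-web port to the whole internet.
    return [("Limit security groups", sg["id"], "FAILED")
            for sg in snap["security_groups"]
            if any(cidr == "0.0.0.0/0" and port not in PUBLIC_OK_PORTS
                   for cidr, port in sg["ingress"])]

def check_cloudtrail(snap):
    ct = snap["cloudtrail"]
    ok = ct["multi_region"] and ct["central_bucket"] is not None
    return [] if ok else [("Centralize CloudTrail logs", "account", "FAILED")]

def run_checks(snap):
    """Return every failed control as (control, resource, status)."""
    findings = []
    for check in (check_mfa, check_key_rotation,
                  check_security_groups, check_cloudtrail):
        findings.extend(check(snap))
    return findings

if __name__ == "__main__":
    for control, resource, status in run_checks(SNAPSHOT):
        print(f"{status}: {control} -> {resource}")
```

Running it against the constructed snapshot reports four failures (bob lacks MFA and holds a 140-day-old key, sg-db exposes port 5432 to the internet, and CloudTrail has no central bucket); a real deployment would feed in live account data instead of the embedded sample.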
By developing a curated and regularly updated set of important controls, AWS can help automate adherence to those best practices.
“We looked at all of our major AWS services to come up with not only the security best practices for each of those services, but the automated security checks that can help you assess in an automated way whether you’re aligning to those security best practices,” said Kahn.
“We put a lot of thoughts into what these controls should be,” said Kahn, who explained that, beyond the best practices of Schmidt’s Top 10 list, AWS experts incorporated existing configuration rules, drew on other AWS technologies such as Trusted Advisor and Well-Architected Tool, and then applied them to each AWS service to “define key best practices.”
The list is reviewed monthly with security engineers and other experts across AWS, and updated with new releases of new best practices and controls, he said: “These are getting a lot of vetting before we roll them out as a blessed security best practice.”
Healthcare IT News is a publication of HIMSS Media.