Getting Cloud Security Right
Former Tufts Medical Center CISO Sonia Arista on Avoiding Mistakes
When working with cloud service providers, healthcare organizations must take responsibility for security practices rather than relying on the vendor, says Sonia Arista, a security consultant who formerly was CISO at Tufts Medical Center.
"People tend to put a lot of emphasis on the cloud provider establishing the security baselines, when in reality, anyone who's ever done a migration to the cloud understands that a lot of the security configurations are the responsibility of the ... [organization] procuring the service, and that the cloud provider isn't willing to take that amount of risk on themselves," she says in an interview with Information Security Media Group at the HIMSS18 conference. Arista is a featured speaker at the event, where she's addressing how to build a data security program.
In cloud environments, Arista says, "I find there's higher visibility on who's accessing the data because of the innate controls in the cloud infrastructure itself as opposed to the old data centers. Visibility is a little better when you have a tool that applies user behavioral analytics to who's accessing that data. ... It'll get you further to use cloud authentication."
In the interview, Arista also discusses:
- Cyber-related mistakes that healthcare entities commonly make;
- Medical device cybersecurity challenges;
- Tips for healthcare CISOs on key relationships they should build in their organizations.
Arista has more than 20 years of experience as an information security and information technology specialist. Before becoming principal consultant for healthcare at GuidePoint Security, she was CISO at Tufts Medical Center, a Boston-based academic medical center and pediatric hospital, where she was responsible for the development and management of information security programs.