What if things go wrong? If you are managing Health or Financial data, you need to meet HIPAA, PCI or other regulations. You've done all the right things, checked all the right checklists. But in the real world things can still go wrong. The concept of 'Safe Harbor' is about achieving such high security that you can still recover reasonably even if things do go wrong.

1. Safe Harbor in the Cloud
What if things go wrong?
December 2013
contact@porticor.com
http://www.porticor.com

2. Who is Porticor?
Overview
Available on strategic platforms
 Cloud encryption and key
management
 Focused on Healthcare
security in the cloud
 Only solution that is “pure
cloud” yet provides Safe
Harbor for Healthcare
 Offices: Campbell, California
© Porticor Confidential

3. Compliance and Security are #1
concerns for cloud healthcare
Customer concerns about
security
Customers requirements for
Compliance and Regulation
© Porticor Confidential

4. What happens when things go wrong?
•
•
Updated HIPAA Omnibus rules put more liability on ISVs as “Business Associates”
Normal operations mean that your security works and everything goes right
– Achieved through HIPAA safeguards
•
•
But, what if the safeguards were breached, through human error or malice?
If ePHI (electronic Personal Health Information) may have been exposed, the
following may be mandated or occur
–
–
–
–
–
•
Risk assessment
Reporting to state attorneys and to individual persons
High reporting costs
High fines
Damage to reputation
Any mitigation? Safe harbor!
© Porticor Confidential

5. What is Safe Harbor?
• HHS guidance: “technologies and methodologies that
render protected health information unusable, unreadable,
or indecipherable to unauthorized individuals”
• Data encryption is the high road to achieving this status
• “If protected health information is encrypted pursuant to
this guidance, then no breach notification is required
following an impermissible use of disclosure of the
information.” [78 Federal Register 5644]”
• You are saved many of the reporting costs, fines and
damage to reputation (you do not need to inform each
individual!)
© Porticor Confidential

6. Cloud Types
SaaS
PaaS
IaaS
Your mission
critical
Healthcare
app is here
© Porticor - Confidential
6

7. You need…
Pure cloud solution for
encrypting data at rest
and in use
A solution that securely
stores keys in the cloud
Available with major
platforms
© Porticor - Confidential
7

8. Porticor Solution
State of the art encryption
• We did not “invent the wheel”: AES 256 / SHA 2
• But we have implemented it with best-in-class
performance
• Streaming and caching mechanisms
Cloud key management - The “banker”
• Metaphor: a physical safety deposit box is behind strong
walls, and requires two keys to open/lock: one for the
customer, the other for the banker
• The secret sauce: our “split key” and “homomorphic”
technology creates this in a virtual environment
© Porticor Confidential

9. Porticor platform
Protection Platform for all Cloud
Resources
Enterprise
secrecy,
Cloud
flexibility
Split-Key Encryption &
Homomorphic Key management
Up in minutes
© Porticor Confidential

10. A master key protects all cloud
resources, yet is never in the cloud
Keep your key where its safe:
outside any computing environment
Users, Groups, Roles
Enabled by unique “split key” and
“homomorphic key” technology
Application-level fields
Admin Sessions
Data & Storage
VMs and Compute
Virtual Network
© Porticor Confidential

11. Key-splitting and Homomorphic
Technology together deliver Trust
The “Swiss Banker” metaphor
 Customer has a key, “Banker” has a key
Master key with Homomorphic key encryption
© Porticor Confidential

12. What is “Homomorphic” ?
A mathematical technique
• Business consequence:
• Industry’s first
– Key-splitting and key-joining
without knowing the keys
– We only know the encrypted
form of the keys
– For example we can do A+B
without knowing A or B
© Porticor Confidential

13. Customers’ Critical Needs for Cloud Data Security
1.
2.
3.
4.
5.
Regulatory Compliance (HIPAA & PCI)
High Security (PRISM is setting the stage)
Flexible deployment & provisioning
Dealing with Complexity
Effective Key Management
© Porticor 2009-2012
13

14. Healthcare App in the Cloud
Note
usage of
Porticor
API for
finegranular
encryption
© Porticor Confidential

15. Healthcare ISV
Challenge
• Maintain HIPAA compliance
• Automate the key management and encryption process
• Distribute keys to end users
How Porticor is used
• API Integration for encryption keys creation, revocation, etc
• Tokens creation and distribution directly to end users
• A cluster of Porticor Virtual Appliances for full redundancy
Result
• Fully integrated with ISV’s workflow
• PHI data is always encrypted - the patient and Doctor maintain control through personal tokens
© Porticor Confidential