Cloud Security

MedOne is proud to add ISO 27001 certification, for cloud data security, to the portfolio of strict standards that the company meets in the interests of its clients. Those standards already include European Safe Harbor (a data security framework requiring clients outside the European Union to meet certain privacy demands), SSAE-16 (an American auditing standard for service organizations), HIPAA (an American standard protecting individuals’ medical records and other personal health information), and more.

MedOneCloud considers cloud data security to require a multifaceted approach. Because clients request, and receive, complete control over their cloud-based servers and networks, the MedOneCloud administrators must assume a significant part of the security burden and take appropriate measures to handle it. The IT team complements the clients’ own security approach on a number of levels:

  • Physical security for the cloud installations — 8 strict circles of security deployment, including constant automatic monitoring of exceptional incidents and manual or automatic response to them.
  • Security for the infrastructures of virtualization and communications, the storage installations, and the administrative-layer cloud control applications.
  • Flexibility for clients in specifying the degree to which their various computing environments are shared or isolated.
  • Built-in ability to compartmentalize by means of multi-tenancy.
  • Examination of day-to-day performance via the reporting layer of the cloud control system.

Over and above the computerized physical security layers at each MedOne hosting site, our cloud solution integrates additional layers of security for cloud data by isolation of all the client data in a virtual data center implemented by the network domain segregation technology of F5 Networks Inc.

A firewall from F5 Networks makes it possible to protect every VLAN at the layer-2 level and to create virtual connections. The client can create up to 1000 firewall rules in each network domain. An advanced system from Alert Logic detects attempts at intrusion and makes it possible to identify internet applications and protect them against attack, to identify and mitigate web-based threats and cross-infrastructure vulnerabilities, and to analyze logs and discover behavioral deviations. Arbor Peakflow is used for preventing DoS/DDoS attacks and defending against them.

The system monitors the information flow, constantly performs comparisons, and identifies any instances where live traffic deviates from normative patterns of network behavior. The cloud platform is secured by means of an advanced SIEM system that monitors events in real time and that is backed by an SOC staffed 24 hours a day, 7 days a week, all year. A system of Security as a Service, supplied as a value-added service to the client, provides for managed SIEM and SOC services among others.

| Name of Standard | Description of Standard |
| --- | --- |
| ISO 27001 – Information security management systems (Standards Institution of Israel) | The ISO 27001 standard for information security management systems specifies simple, methodical, practical principles for setting up, managing, and maintaining an appropriate data security system for an organization. For a data security management system, certification according to the requirements of ISO 27001 demonstrates that the organization is taking appropriate measures to fulfill the duty of efficiently preserving and managing data. The certificate is suitable for all organizations. |
| ISO 27001 – Information security controls for cloud services | This is a relatively new standard, defined in 2015 and defining relevant additions for cloud computing. The standard explicitly specifies the cloud provider’s and customer’s joint responsibility for data security and defines each side’s sphere of responsibility. |
| ISO 27799 – Information security management in health | This international standard for IT system security in the health industry was published near the end of 2010 by the International Organization for Standardization (ISO). Its purpose is to provide tools to medical organizations for protecting the personal medical information at their disposal. The initiative for formulating the standard came from Israel. The personal medical information stored at health organizations around the world is particularly sensitive on the one hand while on the other hand it occupies an environment crowded with users and visitors. As health organizations increase their use of wireless and internet technology, a vital and immediate need emerges for an interpretation of the ISO 27002 standard appropriate specifically to protecting personal medical information. This special need was pinpointed by Itzik Kochav, who is responsible for data protection at Clalit Health Services, as he was implementing ISO 27001 at Clalit’s institutions. Kochav approached the ISO together with the Standards Institution of Israel, and he actively participated in formulating the standard. It was a complex international process involving all the world’s health and medical organizations as well as drug companies, insurance companies, and medical equipment companies. |
| CSA STAR certification | The Cloud Security Alliance (CSA) constructed a Cloud Controls Matrix (CCM) to reflect the degree to which a Cloud Service Provider (CSP) is prepared from the standpoint of data security, risk management, and survivability for those of its clients and potential clients who are interested in purchasing such services. At the CSA website, a CSP may answer a self-administered questionnaire based on the CCM and make clear its degree of CCM compliance. In addition, and under the authority of international standards organizations, the CSA provides certification under the name STAR so that CSPs may be assessed. Documentation regarding how CSPs are expected to report may be found on the CSA website. |
| HIPAA – Health Insurance Portability and Accountability Act | The HIPAA Privacy Rule establishes standards to protect individuals’ medical records and other personal health information. It applies to health plans, health care clearinghouses, and those health care providers that conduct certain health care transactions electronically. The Rule requires appropriate safeguards to protect the privacy of personal health information, and sets limits and conditions on the uses and disclosures that may be made of such information without patient authorization. The Rule also gives patients rights over their health information, including rights to examine and obtain a copy of their health records and to request corrections. |
| Melach, the National Emergency Economy System | Melach is the Hebrew acronym for Israel’s National Emergency Economy System, an interministerial team in charge of preparing vital factories, services, and products for times of emergency in order to provide for a properly routine day-to-day life on the home front insofar as possible. Melach is also responsible for the operation of those facilities in time of war or emergency, for preparing the local authorities, and for readiness to handle evacuees. This team does not yet exist as an independent organization. |
| SSAE 16 – Statement on Standards for Attestation Engagements | In America, the SSAE-16 standard replaces the SAS-70 standard, making for a small revolution in reporting and a large revolution in the responsibility undertaken by the service office management for the information detailed in the report, for reporting on problems and on monitoring inside the company, and for the processes of examination as the accountants prepare their opinion of the report. |
| Safe Harbor | Safe Harbor refers to the US Securities and Exchange Commission’s directives regarding all aspects of forward-looking statements by corporate management. Many companies make a practice of helping their investors form a conception regarding their future performance. Some even reveal expectations of sales volume and profits expected in the coming quarter or year. |
| AGCC (Alderney Gambling Control Commission) | The AGCC has set widely respected standards for protective measures in the realm of online gambling. |