Genomic Health: Protecting business in the cloud, public and private

About five years ago Genomic Health began to introduce cloud-based business applications. Ken Stineman, senior director of enterprise architecture and security, quickly became aware of the security risks these apps posed.

CSO contributor Bob Violino recently interviewed Stineman on the topic of cloud security.

CSO: Please describe your organization's cloud environment, including the types of cloud services and how the company is using the cloud.

Ken Stineman, Genomic Health: Public and private cloud services have become a strategic part of Genomic Health's information technology strategy. We initially leveraged public cloud providers for commoditized Internet infrastructure services such as spam filtering, domain naming services and worldwide content distribution. Over the past three years we have significantly expanded our cloud bias and use of software-as-a-service [SaaS] applications. We now utilize more than 20 SaaS providers for key business applications including payroll and human resources, expense reporting, performance management, project management, learning management, document collaboration, identity management, financial analysis, retirement planning, applicant tracking, and stock options management.


We are in the process of expanding our hybrid cloud and accelerating our use of public and virtual-private Amazon Web Services and Microsoft Azure. These cloud providers will be essential to providing burstable high-performance compute, storage and messaging for our worldwide laboratory business. We are in the process of migrating our on-premise ERP and CRM solutions to a private cloud SaaS provider.

CSO: What assurances have your cloud providers given you that the data is protected?

Stineman: As a healthcare provider and life science company, the security and privacy of patient information and intellectual property is critical. We conduct security assessments of our vendors and ensure they have certified processes such as SSAE16 and/or ISO and review their security whitepapers, business continuity and encryption processes. Our contractual commitments must include physical, technical, and administrative safeguards, as well as data breach notification.

We have been extremely cautious and careful in our plans to store health information in the cloud. We require encryption or healthcare business associate agreements with cloud vendors who process or store protected health information. Cloud vendors are just beginning to be positioned and ready to commit to HIPAA, HITECH, and international data protection requirements.

CSO: What concerns do you have about emerging security threats and cloud technology flaws?

Stineman: Coordinated denial of service attacks and cybercrime networks characterized as advanced persistent threats are both concerns for Genomic Health. At the same time, our greatest risk and entry point for malware continues to be social engineering attacks such as spearphishing and Web-based trojans [through which] users inadvertently introduce malware to our networks.

We are concerned that cloud providers today do not offer a consistent set of protections, monitoring, encryption and vulnerability threat detection. Especially from smaller providers, we continue to find failures in best practices in password security. Many of these vendors do not take full responsibility in their contract agreements for the security of information. Premier cloud providers have made extensive investments in security and have applied more dedicated engineers, auditors, code review and deep security process to better secure virtual machines, harden their networks and keep their platforms patched.

CSO: Are your organization or its cloud providers doing anything to shore up security in light of these emerging threats, and if so what?


Stineman: Security awareness training of employees using cloud and social networking services is critical.

Traditional firewalls and anti-virus end-point protection continue to be essential, but they are no longer sufficient to protect against emerging threats.

IPS/IDS, log monitoring, security event correlation and 24x7 security monitoring are essential to detecting and responding to intrusions on our network.

Malware content filtering using technologies on premise and in the cloud for laptops has become an indispensable part of our defense-in-depth strategy.

Automated vulnerability scanning of our Web properties using services, human expert vulnerability testing, OS patching, and application vulnerability patching have also become critical to securing weak spots.

CSO: What are some best practices you'd recommend for improved cloud security?

Stineman: Understand what data you will be storing in the cloud and assess the risk to your business and customers if that data is breached. Select a provider to consolidate the identity and access management and facilitate centralized employee access to your cloud applications. Ensure your cloud vendor contract includes specific terms requiring timely notification of security failures and information breach. Require your cloud vendor to share their vulnerability assessment results or collaborate with them to execute your own due-diligence vulnerability tests. Provide ongoing security awareness and social media training to your employees.
