CISO's best practices for compliance with Israeli health sector's security regulations while using cloud services
Cloud services play a vital role in today's digital landscape and are a fundamental component of the infrastructure of organizations and businesses. They allow remote computing and processing services to be consumed on demand, which fosters innovation within organizations, enhances operational flexibility, keeps technology current, optimizes computing resources and delivers cost-efficiency benefits.
In the field of health, cloud computing* is a necessary infrastructure for healthcare organizations* in dealing with the challenges of the coming years: the growing amount of data per patient, large-scale data studies, and the development and use of digital technologies that improve the medical service while promoting digital health in the health system.
Besides the significant benefits (in the way work is conducted, the implementation of innovative tools and solutions, and fast application in the administrative, operational and research fields), which can enable economic efficiency and promote better health, there are challenges in the areas of privacy protection, information security, and process and business continuity, which must be addressed appropriately.
Despite the numerous advantages offered by cloud computing, its adoption within a healthcare organization carries significant potential risks in terms of business, legal, and operational concerns. These risks encompass issues such as the potential loss of information availability, disruptions to operational continuity, threats to data security and cyber protection, and the safeguarding of patient information privacy. Additionally, cloud computing may impact the healthcare organization's overall business processes. Consequently, it is imperative that the adoption of cloud computing is approached thoughtfully and in compliance with the relevant regulatory frameworks governing its use.
Chief Information Security Officers (CISOs) are tasked with overseeing the information security strategy and its execution within an organization. In the global healthcare sector, including Israel, CISOs often serve as facilitators of business operations. They perceive the shift of their organization's systems to cloud computing as an integral part of technological advancement and progress, all while ensuring diligent risk management. To formulate a comprehensive security strategy for workloads that have made the leap to cloud computing, healthcare sector CISOs must consider numerous factors and collect pertinent data. These considerations encompass the organization's business objectives, business processes, and critical assets, as well as the outcomes of risk assessments, industry-specific threats, threats and vulnerabilities unique to the cloud environment, and pertinent regulatory requirements.
Healthcare organizations in Israel must also comply with the Israeli health sector's regulations, which are defined by the following regulators:
- The Israel Ministry of Health (MoH), which regulates the activities of all clinics, Health Maintenance Organizations (HMOs) and hospitals.
- The Privacy Protection Authority (PPA), which regulates and enforces data protection across all sectors, private and public, under the provisions of the Privacy Protection Law.
The regulations in the Israeli health sector that apply to the use of cloud services are: Use of Cloud Computing in the Israeli Healthcare System; Regulation for cyber protection in the health system in Israel (available in Hebrew); Data Transfer outside of the Country Borders - Q/A - 2001 (available only in Hebrew); Privacy Protection (Data Security) Regulations; and Data Classification Policy based on ISO 27799 - Version 2 (01/2018) (available only in Hebrew).
When healthcare organizations in Israel that use cloud services carry out their risk management process, one crucial risk to consider is failing to comply with the security-related regulatory requirements in the regulations listed above. Following a comprehensive analysis and consolidation of those requirements, this article details the CISO's best practices for compliance with the Israeli healthcare sector's security regulations while using cloud services, with respect to the following topics: Organizational cloud policy, Application activation in cloud computing, Security Risk Management, Due Diligence and Security Audit, Security Incident Management, Encryption and Key Management, Business Continuity, and Documentation, reporting and document retention.
Organizational cloud policy
Work together with the Organizational Cloud Committee* to formulate the organizational cloud policy that will include, at the minimum, the following subjects:
- The guidelines and criteria for determining the types of applications that can be used in cloud computing.
- The organizational procedures and the hierarchy of organizational authorities for approving the use of cloud computing, including the organization's risk management methodology.
- Authorities, responsibilities and actions to be taken by the various officials, within the healthcare organization or in the Cloud Computing Provider* (CCP), with respect to the use of cloud computing, including risk management, legal, maintenance, monitoring, data security and cyber security, incident handling, business continuity and functional continuity.
- Procedures of labeling information classifications (specifically "unclassified", "confidential", and "highly confidential"*) in cloud computing, per Data Classification Policy based on ISO 27799 - Version 2, in addition to guidelines of using and protecting each information classification, based on the guidelines of the Ministry of Health.
- Principles of engagement with a CCP, including the means and mechanisms for monitoring and controlling the CCP;
- Information security, cyber security and privacy protection policies of the organization, with respect to the use of cloud computing, including the controls to be implemented by the organization.
- The life cycle of the processes of cloud computing usage, including the termination of its usage.
- A comprehensive organization's business continuity management framework for the use of cloud computing.
- Appropriate access controls for cloud computing, including specific network restrictions and the enforcement of multi-factor authentication for access to systems and data.
- The usage of cloud computing for research of health data within the scope of the Director General's Circular 1/2018 (secondary uses of health information, available only in Hebrew) (and/or any other circular that may replace it), while also complying with the De-Identification requirements listed in Draft guidelines for obtaining health information for research purposes (available only in Hebrew).
- The explicit requirement to use cloud computing while complying with ISO 27001, ISO 27799, the Privacy Protection Law, and the regulations thereunder, including with regard to outsourcing activities and the obligations for maintaining the integrity, availability and confidentiality of the information and implementing the information security and privacy protection requirements that apply to it as the controller of the data pursuant to the law.
- The organizational procedures that enforce the organization's full ownership of the information transferred to the cloud, as well as its ability to restrict how that information is used.
- The organizational procedures that support monitoring, detecting, handling, responding, communicating and reporting cybersecurity incidents which are applicable to the cloud computing applications.
- The organizational protocol that mandates regular secure-usage and/or operations training for all employees who use or operate cloud computing applications within the organization, and for the CCP employees who support these applications; the tracking of training completion; and the collection of an attestation from these employees confirming their commitment to the cybersecurity requirements.
- The organizational protocol that mandates recurring training, focused on identifying and responding to such incidents, for all individuals responsible for managing cybersecurity incidents related to cloud computing.
- Other relevant issues given the characteristics of the healthcare organization.
Ensure that the organizational cloud policy is:
- Approved by the organization management.
- Reviewed once a year by the Organizational Cloud Committee and updated in light of the technological developments and the regulatory, organizational, business and threat-landscape changes of the previous year.
- Reviewed by the Organizational Cloud Committee for an update after a significant cybersecurity incident which is applicable to cloud computing.
- Reviewed and approved by the management of the healthcare organization whenever a substantial change or update of the policy is made, but not less than once every two years.
- Shared with the Chief Information and Cyber Security Officer of the Ministry of Health once it is approved by the healthcare organization management for the first time and after any substantial update or change.
Incorporate the response to the inherent security risks of cloud computing and the controls that are being applied or planned to be applied, to mitigate them, into the multi-year cybersecurity work plan of the organization (in accordance with the principles set forth in Security Risk Management). The response to the inherent security risks of cloud computing should be aligned also with the organizational cloud policy, ISO 27001, ISO 27799 and the guidelines of the sectoral cyber unit of the Ministry of Health.
Ensure that the Organizational Cloud Committee meets at least semi-annually to receive updates on cybersecurity incidents relevant to cloud computing, provide guidance on necessary actions, and oversee the timely execution of the multi-year cybersecurity work plan specific to cloud computing.
Application activation in cloud computing
Work together with the Chief Information Officer and the organization's legal counsel to implement an internal organizational examination of each transition to cloud computing, on which the approval to activate the cloud computing application will be based. The examination procedure will address at least the following aspects:
- The business process in which the system or information requested is transferred to the cloud, including the significance and advantages for the healthcare organization or patients in the transition to cloud computing;
- Analysis of the information and system, including mapping and classification of the information, the users, and the CCP.
- Compliance of the cloud computing usage with any applicable law and regulation, in particular the Privacy Protection Law and the Privacy Protection (Data Security) Regulations, and with the Ministry of Health's guidelines on these issues.
- Compliance of the cloud computing usage with ISO 27001, ISO 27799 and with the Ministry of Health's requirements regarding cybersecurity and information security.
- The due diligence results, based on the principles set forth in Due Diligence and Security Audit.
- Assessment and management of the risks from the use of cloud computing in accordance with the approved organizational cloud policy in accordance with the principles set forth in Security Risk Management.
- The architecture, interfaces and requirements of information security and cyber security;
- Presenting compensating controls vis-a-vis the risk management process.
Work with the organization's legal counsel and the privacy protection officer of the healthcare organization to determine, document and approve the risk level classification for using the cloud computing application based on the findings of the risk assessment process documented in Security Risk Management.
Ensure that the Organizational Cloud Committee grants their approval for the operation of the cloud computing application after conducting a review of the following:
- The organizational internal examination results.
- The risk level classification for using the cloud computing application.
- The opinion of the Sectoral Cloud Committee* (subject to the conditions determined by the Sectoral Cloud Committee and to the risk level classification).
Before granting approval for the activation of the cloud computing application, perform a comprehensive information security check and a robustness and resilience test (soundness testing, penetration testing and targeted vulnerability testing of the cloud application) of the proposed solution and of the components on which the system/application is installed.
Make sure that changes made to the system at all stages of testing and Acceptance Test Procedures (ATP) are documented.
Once all detected failures (if any) have been fixed and following the Organizational Cloud Committee approval of the operation of the cloud computing application, you may also grant the approval for the activation of the cloud computing application's usage.
Together with the Chief Information Officer continuously monitor, implement supervisory and control activities and report to the Organizational Cloud Committee, on regular basis, with respect to the following:
- Planning versus execution of the implementation of the solution in the organization.
- Examination of the integrity of the solution and monitoring the status of improvement of deficiencies.
- The risk management findings and controls that were defined at the time of its approval, to mitigate or minimize the risk findings.
- Use of cloud computing, pursuant to the principles outlined in the organizational cloud policy and in the Ministry of Health guidelines.
Security Risk Management
Execute security risk mapping for each cloud computing implementation, to support the examination of the transition to cloud computing and before contracting with the CCP, taking into account at least the following aspects:
- The business process in which the system or information requested for transfer to cloud computing will be used, as well as the interactions between processes within the healthcare organization and systems adjacent to the cloud or to the healthcare organization.
- The objective of the system and its usage purposes, as well as the reasons for and expected benefits of the transition to cloud computing.
- The information that is expected to be transferred to the cloud environment, including who should be exposed to the information (public, external parties, internal employees, etc), the information classification and sensitivity (which should be defined also according to the Data Classification Policy based on ISO 27799 - Version 2, available only in Hebrew), whether it will contain data that may affect the proper functioning of the healthcare organization and may harm governance, whether it will contain medical data, and the level of its identifiability, etc.
- The amount of information expected to be transmitted during the use of the system.
- The external interfaces of the internal network and the external interfaces of other suppliers. Address the communication frequency, the direction of the interface, the protocol, the type of authentication and the nature of the data read, in addition to the information security controls that will be provided to the system.
- The users and parties that use the application and the permissions required of them, and the users and parties that will have access to cloud computing. Users' classification, number of users, administrators, user definition and permissions, and access to the system must also be addressed.
- The existing systems or cloud environments in the organization, including possible interfacing of the system with other systems in the organization, and the organization's past experience with transferring systems to cloud applications.
- The following about the communication provider to the CCP: Who is the provider? What are its infrastructures? What regulations apply to it and to the infrastructures? What is the defined level of service? What internal and external protection measures does the provider allow? Who will have access to cloud computing? And what is the requested service model?
- The CCP's and the organization's existing infrastructure with respect to the operation of the requested application, as well as the options for data backup, data durability, and monitoring of information and the system, in addition to the way of data storage and encryption, data portability at the end of the usage, and performance of penetration tests.
- Inherent risks associated with a CCP having access to the healthcare organization’s facilities or the possession / development of dedicated software.
- Supply chain threat scenarios and processes that may be harmed as a result of harm to a CCP or the execution of a cyberattack via a CCP.
- Risks that flow from dependency on CCPs for its critical processes.
- Regulatory risk originating in use of a cloud computing located outside the borders of the State of Israel, such as difficulty in complying with security aspects in the regulations of the State of Israel and of the country where the service or the data operate or stored.
- Risk originating in the use or non-use of a multi-cloud configuration.
- Risk of CCP lock-in, such as limits on the portability of data, components and systems.
- Leakage of databases and sensitive information stored in the cloud computing environment at the end of the engagement with a CCP, without the controls required to protect such information and in breach of the Privacy Protection Law and applicable regulations in Israel.
- Risks related to the attack surface, such as the integration of mobile devices into the cloud computing application.
- Loss or disruption of information due to a malfunction at the CCP, including physical destruction of computing infrastructure, an attack that has penetrated the cloud computing environment, or cessation of the CCP's services.
- Loss of information availability in cloud computing, which may harm the provision of essential medical services in normal times and especially during emergencies. This can occur in different scenarios: the CCP cannot provide system availability due to a malfunction or a Denial of Service (DoS) attack; connection to the system is prevented by a network failure or a DoS attack; the cloud computing account is blocked due to a malfunction, an attack or a violation of the terms of service; the CCP does not meet the loads or SLA required by the cloud computing application; the CCP is forced to discontinue the service by a court order or by a legal, regulatory, business or financial decision; or the CCP fails to allocate appropriate resources in advance.
- Leakage or theft of medical information, which is sensitive personal information, can have serious consequences both at the personal level and for trust in Israel's health institutions.
- The damage caused by altering the data in a patient's clinical file can sometimes be worse than the damage from stealing that patient's data, since altered data can become the basis for erroneous medical decisions.
- Risks to the healthcare organization's emergency systems (for a mass-casualty incident, a special situation on the home front, etc.) that are applicable to cloud computing.
- Risk that the required processes do not meet the legal requirements or the guidelines of the Ministry of Health, the Cyber Directorate and/or the ICT Authority.
Execute a security risk assessment for each of the mapped risks, to support the examination of the transition to cloud computing and before contracting with the CCP, following the practice below:
- Address the probability of its occurrence, the severity of the damage, and the controls to be implemented to balance and reduce the chances of occurrence and the severity of the damage.
- Examine the risk according to the values of confidentiality, availability, and integrity of the information and in accordance with the defined model of cloud computing usage, and the division of responsibilities between the CCP and the healthcare organization.
- Determine the level of risk taking into account, among other things, the following parameters: the type of information and its sensitivity; the scope of the data transmitted to cloud computing, both in terms of the number of records and in terms of the depth of information in each record; and the length of time the information will be in the cloud.
- Define and document the measures that will be implemented by the healthcare organization / CCP to respond to the risk, as well as how much they are expected to reduce the risk in question. The response to the inherent security risks should also be aligned with the organizational cloud policy, ISO 27001, ISO 27799 and the guidelines of the sectoral cyber unit of the Ministry of Health.
Document the proposed architecture for the solution, including the solution components, the interfaces, the security mechanisms that will be activated, and the method of their implementation.
Update the security risk assessment regularly, in accordance with technological, legal, regulatory, business, and organizational changes, at the healthcare organization and at the CCP, and at least once every year.
Based on the shared responsibility model, define a model for the apportionment of information security and cyber defense responsibilities between the healthcare organization and the CCP.
Deploy information security and cyber defense means on all access channels to and from the cloud computing application, based on the CCP's shared responsibility model, to minimize the possibility of these channels being used to attack the healthcare organization.
In order to address potential cybersecurity incident scenarios, such as unreliable data or attacks on the backup system of the cloud computing application, ensure that the healthcare organization's data stored in the cloud computing application is regularly exported to the healthcare organization's premises.
Due Diligence and Security Audit
As part of the due diligence and periodic risk assessment process (at a frequency defined by the organization's management, and not less than once every 18 months), also use the CCP's security testing reports, SOC 2 audit reports and other available audit reports, and ISO 27001/27017/27018 and other available certifications, to validate at least the following:
- The CCP supports an adequate level of cyber defense as defined in the organizational cloud policy and in the multi-year cybersecurity work plan.
- The CCP's professional competence and its technological capabilities to provide the requested services and meet its legal commitments.
- The CCP's governance framework supports the implementation of the model of the apportionment of responsibilities between the healthcare organization and the CCP.
- The CCP is compliant with ISO 27001 and supports the healthcare organization to be compliant with ISO 27799, where applicable.
- The healthcare organization's ability to receive, and to share with the regulator upon request and at least annually, the CCP's security testing reports (performed and documented by independent qualified third parties) and its audit reports and certifications (performed and documented by independent qualified and accredited third parties) that are applicable to the cloud computing application in use.
- The CCP's ability to maintain the cloud computing application business continuity as defined in the organizational cloud policy under various scenarios.
- The CCP supports multiple availability sites in each geographical site.
- The committed SLA of the CCP for the availability of the geographical sites must be aligned with the RPO and RTO values of the healthcare organization's information systems, and in accordance with the organizational cloud policy.
- The CCP enforces multi-factor authentication for access to customer data by its customers, employees and third parties.
- The ability to label information classifications to data in the cloud computing application.
- The ability of the cloud computing application to encrypt messages.
- The ability of the cloud computing application to allow access to medical information only during patient treatment (to support compliance with ISO 27799 and with section 20(3) of the Patient's Rights Law).
- The ability of the cloud computing application to manage patient's consent for sharing the patient's data with third parties.
- The resources to support activation or deactivation of the cloud computing application, including blocking of access, in the case of a suspected or actual cybersecurity incident, are defined.
- The ability to automatically lock out user accounts that have not been used for more than 90 days from accessing the cloud computing application and the data.
- The ability of the cloud computing application to simultaneously create and export (using standardized protocols) a secure control record (log) for every user access that creates, updates or archives personal medical information. The record individually identifies the user, the patient and the type of activity performed, and records the date and time of the operation and the information technology component that was used.
- Availability of a mechanism that generates and exports (using standardized protocols) control records about events in the cloud computing application, identifying at least the user, the type of activity performed, the date and time of the event and the information technology component that was used.
- The CCP is committed to notify the healthcare organization without undue delay on any known and applicable cybersecurity incident and / or data breach.
- If needed, the CCPs security monitoring tools meet acceptable standards and allow integration with the organization's existing monitoring systems.
- Deletion of the organization's data at the organization's request leaves the information unretrievable from both the cloud computing application and the CCP.
Maintain continual and regular communication with the organization's legal counsel to ensure validation of the following:
- The CCPs compliance with all relevant laws and regulations for the use of the cloud computing application in effect in the state in which it operates.
- If the cloud computing application data is stored or processed in a country outside of Israel, ensure that the relevant country meets the requirements of the Privacy Protection Regulations (Transfer of Information to Databases Outside the Country's Borders) (available only in Hebrew).
- The CCP enables the healthcare organization to comply with the requirements of Israeli law and the regulatory guidelines that apply to it with regard to the use of cloud computing.
- No negative legal implications of the use of cloud computing outside the borders of the State of Israel, including the application of foreign law to the information in this case.
- The organization is prepared, contractually, procedurally and technologically, to manage a cybersecurity incident vis-a-vis the CCP.
- Registration of all organizational databases applicable to the cloud computing application in accordance with the guidelines of the Registrar of Databases in the Ministry of Justice and with the guidelines of the Ministry of Health, based on the provisions of the Privacy Protection Law and the?Privacy Protection (Data Security) Regulations.
Preference should be given to selecting a CCP that implements recognized and accepted international standards, such as ISO 27001, ISO 27017, ISO 27018, SOC 2 and CSA.
Monitor the following and assess the need for changes to the organizational cloud policy, the security assessment results, the database definitions document and/or the contract with the CCP, at least annually or as needed:
- The cloud computing application security posture (by using monitoring means that comply with the organization’s risk appetite).
- The CCP's implementation of the guidelines of the model of apportionment of responsibilities.
- Occurrences of a material incident or material change in the cloud computing application or in the CCP.
- Changes in security aspects of applicable regulation of relevance for the use of the cloud computing application.
Work together with the organization's legal counsel to implement the following periodically, but no less than once every two years:
- Review and re-evaluate the CCP and the cloud computing applications provided by it, in accordance with technological, regulatory, organizational and business changes.
- Incorporate the review and evaluation results into the multi-year cybersecurity work plan.
Security Incident Management
Ensure that information security events and incidents related to the cloud computing application and its use are monitored throughout the period in which the application is used.
Define monitoring objectives, including the following:
- The types of information and activities to be monitored.
- The type of required monitoring.
- How the monitored information is to be saved, and for how long.
- Who will be authorized to access the monitoring information.
- How the monitoring information will be accessed.
If monitoring is done using tools provided by the CCP, verify that the tools meet acceptable standards and allow integration with the organization's existing monitoring systems.
Implement the monitoring system in such a way that records of access to the data in the cloud computing application are retained for at least 24 months.
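The control-record requirements in the due diligence checklist above (one record per access that names the user, patient, activity, time and component, exportable in a standard format) and the 24-month retention requirement can be checked against a concrete model. The Go program below is an added example, not code from the article, from any regulator or from any product: it validates that each record carries every mandatory field, chains the records with SHA-256 so that a later edit or deletion of an earlier record is detectable, exports them as JSON, and counts which records have passed the 24-month retention floor and may be purged. The user, patient and component identifiers and the timestamps are constructed for the example; the hash chain is an assumed design choice for "secure" records, not a mechanism the regulations prescribe.

```go
package main

import (
	"crypto/sha256"
	"encoding/json"
	"fmt"
	"strings"
	"time"
)

const RetentionMonths = 24 // minimum retention period for access records

// AuditRecord is one control record; every field except the two hashes is mandatory.
type AuditRecord struct {
	Time      time.Time `json:"time"`
	UserID    string    `json:"user_id"`
	PatientID string    `json:"patient_id"`
	Action    string    `json:"action"` // create, update, archive or read
	Component string    `json:"component"`
	PrevHash  string    `json:"prev_hash"` // hash of the preceding record
	Hash      string    `json:"hash"`      // hash of this record, computed with Hash empty
}

var allowedActions = map[string]bool{"create": true, "update": true, "archive": true, "read": true}

// Validate rejects a record that would not individually identify the user, patient, activity, time and component.
func Validate(r AuditRecord) error {
	var bad []string
	add := func(ok bool, name string) {
		if !ok {
			bad = append(bad, name)
		}
	}
	add(!r.Time.IsZero(), "time")
	add(r.UserID != "", "user_id")
	add(r.PatientID != "", "patient_id")
	add(allowedActions[r.Action], "action")
	add(r.Component != "", "component")
	if len(bad) > 0 {
		return fmt.Errorf("audit record rejected, missing or invalid: %s", strings.Join(bad, ", "))
	}
	return nil
}

// AuditLog is append-only: each record commits to its predecessor, so an edited or deleted earlier record is detectable.
type AuditLog struct{ Records []AuditRecord }

func hashOf(r AuditRecord) string {
	r.Hash = "" // the hash covers every other field, including PrevHash
	b, _ := json.Marshal(r)
	return fmt.Sprintf("%x", sha256.Sum256(b))
}

// Append validates the record, links it to the previous one and stores it.
func (l *AuditLog) Append(r AuditRecord) error {
	if err := Validate(r); err != nil {
		return err
	}
	if n := len(l.Records); n > 0 {
		r.PrevHash = l.Records[n-1].Hash
	}
	r.Hash = hashOf(r)
	l.Records = append(l.Records, r)
	return nil
}

// Verify returns the index of the first record whose hash or link is wrong, or -1 if the chain is intact.
func (l *AuditLog) Verify() int {
	prev := ""
	for i, r := range l.Records {
		if r.PrevHash != prev || hashOf(r) != r.Hash {
			return i
		}
		prev = r.Hash
	}
	return -1
}

// Purgeable counts records older than the retention floor at time now; younger records must be kept.
func (l *AuditLog) Purgeable(now time.Time) int {
	floor, n := now.AddDate(0, -RetentionMonths, 0), 0
	for _, r := range l.Records {
		if r.Time.Before(floor) {
			n++
		}
	}
	return n
}

func main() {
	// Constructed sample events; user, patient and component names are hypothetical.
	al, t0 := AuditLog{}, time.Date(2024, 1, 15, 9, 0, 0, 0, time.UTC)
	_ = al.Append(AuditRecord{Time: t0, UserID: "dr.levi", PatientID: "P-1001", Action: "update", Component: "ehr-api-03"})
	err := al.Append(AuditRecord{Time: t0.Add(time.Minute), UserID: "dr.levi", Action: "read", Component: "ehr-api-03"})
	out, _ := json.Marshal(al.Records) // JSON export of the chained records
	fmt.Printf("rejected: %v\n%s\nintact: %v, purgeable 25 months later: %d\n", err, out, al.Verify() == -1, al.Purgeable(t0.AddDate(0, 25, 0)))
}
```

Two points worth noting in practice: the record that omits the patient identifier is refused before it reaches the log, rather than stored and caught later, and `Purgeable` is deliberately the only way to reason about deletion, so a retention job cannot remove anything younger than 24 months by construction.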
Include the plan for identifying, handling, responding, communication and reporting cybersecurity incidents in cloud computing applications, in the multi-year cybersecurity work plan.
In the quarterly report distributed to all members of the Steering Committee for Cybersecurity and Privacy Protection and to the sectoral cyber unit, make sure to include notable cybersecurity events related to cloud computing that took place within the healthcare organization during that quarter. Additionally, provide a concise overview of all cybersecurity incidents linked to cloud computing that the healthcare organization encountered during the same period.
Establish a cybersecurity system applicable to cloud computing that implements the following principles:
- Highlight the importance of strengthening cybersecurity incident recovery and resilience capabilities, with a particular focus on the role of medical staff members as compensatory controls. Additionally, consider incorporating activities that minimize dependence on technological systems wherever possible to ensure uninterrupted service delivery in the event of an incident.
- Place a strong emphasis on effectively managing the organization's cybersecurity incidents, shifting the perspective from solely "preventing" such events to proactively "managing" them.
In the event of a serious cybersecurity incident applicable to cloud computing as defined in the Privacy Protection Regulations, together with the organization's legal counsel, ensure that notification of the cybersecurity incident is sent immediately to the database registrar of the Privacy Protection Authority and if instructed by the latter, notify the person(s) about the event about whom there is information in the database.
Ensure that the healthcare organization liaises with the National Center for Preparedness and Confronting Cyber Threats in the Health Sector (SOC Ministry of Health) where applicable to the cloud computing application.
Ensure that cybersecurity incidents or suspected cybersecurity incidents are reported to the Ministry of Health’s sectoral cyber unit, in a timely manner.
Encryption and Key Management
Manage Information Security and Cyber Defense risks in the cloud computing application while considering the following aspects, among others:
- Information classification.
- Location of encryption keys.
- Organization involvement in managing encryption keys and encryption level.
- Encryption methods.
Ensure encryption in transit and encryption at rest of the organization's information that is transmitted to and stored in the cloud computing application, using an encryption algorithm of AES-256 strength or stronger. Where it proves difficult to encrypt all of the organization's information, ensure encryption of at least the data that is classified as sensitive information or whose exposure could harm the healthcare organization and its patients.
Examine the use of Bring Your Own Key (BYOK) solutions so that the encryption keys are held by the healthcare organization, while ensuring that the key lifetime, generation, storage and transmission arrangements are aligned with the healthcare organization's risk appetite and with the organizational cloud policy.
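The following is an added worked example, not code from the original directive or from any healthcare organization or cloud provider; it illustrates the two rules above (AES-256 as the floor, and encrypting at least the Confidential and Highly Confidential fields when not everything can be encrypted) with an organization-held key in the BYOK spirit. The field names, the sample record and the helper names (`NewOrgKey`, `ProtectForCloud`, `RecoverFromCloud`) are assumptions made for the example; in a real deployment the key would be generated and kept in the organization's own HSM or KMS rather than in process memory. The field name is bound to each ciphertext as associated data so that an encrypted value cannot be silently moved between fields.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"io"
)

// Classification levels, following the Definitions section of the directive.
type Classification int

const (
	Unclassified Classification = iota
	Confidential
	HighlyConfidential
)

// Field is one attribute of a hypothetical patient record, tagged with its classification.
type Field struct {
	Name      string
	Value     string
	Class     Classification
	Encrypted bool // true once Value holds a base64 AES-256-GCM blob instead of plaintext
}

// ErrWeakKey is returned for any key that is not 256 bits: AES-128/192 keys are refused
// because the directive sets AES-256 as the minimum strength.
var ErrWeakKey = errors.New("key must be exactly 32 bytes (AES-256)")

// NewOrgKey generates a fresh 256-bit key. Under BYOK this step happens inside the
// organization's HSM/KMS; generating it here is an assumption for the example.
func NewOrgKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, ErrWeakKey
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts plaintext with AES-256-GCM and returns base64(nonce || ciphertext || tag),
// a form that fits a text column in the cloud application. aad is authenticated, not encrypted.
func Seal(key, plaintext, aad []byte) (string, error) {
	aead, err := newGCM(key)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(aead.Seal(nonce, nonce, plaintext, aad)), nil
}

// Open reverses Seal; any change to the blob or a mismatched aad fails authentication.
func Open(key []byte, blob string, aad []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	raw, err := base64.StdEncoding.DecodeString(blob)
	if err != nil {
		return nil, err
	}
	ns := aead.NonceSize()
	if len(raw) < ns+aead.Overhead() {
		return nil, errors.New("ciphertext too short")
	}
	return aead.Open(nil, raw[:ns], raw[ns:], aad)
}

// ProtectForCloud applies the fallback rule: every field classified Confidential or above
// is encrypted client-side with the organization-held key before it leaves the organization;
// Unclassified fields are stored in clear.
func ProtectForCloud(key []byte, fields []Field) ([]Field, error) {
	out := make([]Field, len(fields))
	for i, f := range fields {
		out[i] = f
		if f.Class < Confidential {
			continue
		}
		blob, err := Seal(key, []byte(f.Value), []byte(f.Name))
		if err != nil {
			return nil, err
		}
		out[i].Value, out[i].Encrypted = blob, true
	}
	return out, nil
}

// RecoverFromCloud decrypts the fields that ProtectForCloud encrypted.
func RecoverFromCloud(key []byte, fields []Field) ([]Field, error) {
	out := make([]Field, len(fields))
	for i, f := range fields {
		out[i] = f
		if !f.Encrypted {
			continue
		}
		pt, err := Open(key, f.Value, []byte(f.Name))
		if err != nil {
			return nil, fmt.Errorf("field %q: %w", f.Name, err)
		}
		out[i].Value, out[i].Encrypted = string(pt), false
	}
	return out, nil
}

func main() {
	key, err := NewOrgKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample record; not real patient data.
	record := []Field{
		{Name: "clinic_opening_hours", Value: "08:00-16:00", Class: Unclassified},
		{Name: "patient_id", Value: "123456789", Class: Confidential},
		{Name: "genetic_result", Value: "variant detected", Class: HighlyConfidential},
	}
	stored, err := ProtectForCloud(key, record)
	if err != nil {
		panic(err)
	}
	for _, f := range stored {
		fmt.Printf("%-22s encrypted=%-5v %s\n", f.Name, f.Encrypted, f.Value)
	}
	if _, err := RecoverFromCloud(key, stored); err != nil {
		panic(err)
	}
}
```

Rejecting 16- and 24-byte keys is the simplest place to enforce the "AES-256 or stronger" rule in code; the same check belongs in whatever wraps the organization's KMS, since a provider-side key policy can be changed without the application noticing.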
Business Continuity
Ensure that the multi-year cybersecurity work plan for cloud computing and the business continuity plan (BCP) are aligned on relevant topics. Ensure that the documented and implemented BCP has the following properties:
- Coverage of the various disaster scenarios and of the processes critical to achieving the healthcare organization's objectives when using cloud computing.
- Regular inspection of data backups.
- Periodic BCP updates in line with process and technological changes, and not less than once a year.
- BCP exercises at least once every 12 months.
When using a cloud computing application hosted outside of Israel, ensure that the multi-year cybersecurity work plan for cloud computing also includes response plans for the following scenarios:
- Service unavailability caused by communication disruption or geopolitical events relating to the foreign country.
- Degraded business continuity resulting from threats originating within the host country.
Documentation, reporting and document retention
Ensure that all stages of the approval processes of the use of cloud computing are documented and that the documentation is kept for a period of no less than 7 years from the end of the usage period of cloud computing.
Ensure that the healthcare organization reports to the Chief Information and Cyber Security Officer of the Ministry of Health about the following:
- Any new use of cloud computing approved by the organization, attaching the approval documents and the minutes of the meeting of the Organizational Cloud Committee, within 30 days from the date the agreement with the CCP was signed.
- Once a year, all uses of cloud computing that were discontinued in the year preceding the report date and, to the extent the reason for discontinuation relates to information security or privacy protection matters, the reasons for it.
Assist the Ministry of Health in conducting audits related to the approved or terminated use of cloud computing resources and in assessing adherence to the guidelines set out in Use of Cloud Computing in the Israeli Healthcare System.
* Definitions
Healthcare organization
- A medical institution that provides health services, and consists of one of the following: The Ministry of Health and the dependent units of the Ministry, a Health Maintenance Organization (HMO) and their institutions, a hospital (public or private), a pharmacy, rescue and evacuation organizations, and any clinic or other organization that is required to register according to the Public Health Ordinance.
Unclassified information
- General information which is publicly available, statistical information, Ministry of Health directives, publications, general medical information that does not identify an individual, or aggregate information that cannot be used to identify an individual.
Confidential information
- Information directly relating to the physical or psychological situation of a patient or the medical treatment that he / she is receiving, information that identifies an individual, business information.
Highly Confidential information
- Information directly relating to the physical or psychological situation of a patient or the medical treatment that he / she is receiving and that is related to specific sensitive topics such as Infertility Treatment or Genetic Information.
Cloud Computing Provider (CCP)
- Entities that have verifiably significant production cloud computing offerings.
Organizational Cloud Committee
- A committee that operates in the healthcare organization and includes at least the following officials: a representative of the CEO; a representative of the organization's legal counsel; the organization's chief information security and cyber security officer, or his representative; the organization's privacy protection officer, or his representative, if one is appointed; and the organization's chief information systems officer, or his representative. A healthcare organization may designate an existing committee as the Organizational Cloud Committee, provided that it meets the conditions set forth in these provisions. A committee member may hold one or more of these positions, depending on the definition of his professional roles in the organization, provided the committee is composed of at least 3 members.
Sectoral Cloud Committee
- A committee operating in the Ministry of Health, and whose members will include: a representative of the Director General of the Ministry of Health; a representative of the Legal Counsel of the Ministry of Health; Chief Information Security and Cyber Security Officer of the Ministry of Health; Representative of the Digital Health Department of the Ministry of Health; Representative of the National Cyber Directorate; Representative of the ICT Authority; And a representative of the Privacy Protection Authority.
Cloud computing
- Computing infrastructures and resources (such as servers, storage devices, networks, applications and services), which are accessed via the Internet and/or a dedicated communication line, on demand and by use.