An Oracle White Paper December Leveraging Oracle Enterprise Single Sign-On Suite Plus to Achieve HIPAA Compliance

Transcription

1 An Oracle White Paper December 2010 Leveraging Oracle Enterprise Single Sign-On Suite Plus to Achieve HIPAA Compliance

2 Executive Overview... 1 Health Information Portability and Accountability Act Security Rule... 2 Protected Health Information Defined... 2 Standard and Specification Categories... 2 Security Rule Impact on Covered Entities... 2 Update Password Management and Infrastructure... 3 Eliminate Shared Passwords... 3 Control Network Infrastructure... 4 Conclusion... 5 Appendix A: Security Rule Safeguard Matrix... 6 Appendix B: Safeguard Requirements and Application Capabilities.. 8

3 Executive Overview The federal government put in place the Health Information Portability and Accountability Act of 1996 (HIPAA) to address three core healthcare issues: Efficiency and effectiveness of healthcare through standardization of all shared electronic information Privacy and security of patient information stored and exchanged electronically Cost of exchanging information among healthcare partners One component of the HIPAA rules is the Administrative Simplification Compliance Act. The act requires covered entities entities required to comply with HIPAA rules to address five areas: electronic transaction standards, standard code sets, privacy, security, and national identifiers. This white paper focuses on security, specifically the HIPAA Security Rule and how organizations can leverage Oracle Enterprise Single Sign-On Suite Plus to achieve compliance. 1

4 Health Information Portability and Accountability Act Security Rule What is the HIPAA Security Rule, and what do covered entities need to do to comply with it? The Security Rule is concerned with protected health information that is in electronic form. Protected Health Information Defined The following is a definition of protected health information (PHI): PHI means individually identifiable health information that is Transmitted by electronic media Maintained in any medium described in the definition of electronic media Transmitted or maintained in any other form or medium PHI excludes individually identifiable health information in Education records covered by the Family Educational Rights and Privacy Act (FERPA) Records described in FERPA Employment records held by a covered entity in its role as employer The Security Rule addresses only electronic PHI (ephi) not written or verbal communications. Standard and Specification Categories The Security Rule is a set of standards and specifications that indicate to a covered entity how it is to address the confidentiality, integrity, and availability of ephi. The standards and specifications are divided into three categories: Administrative safeguards Physical safeguards Technical safeguards The individual standards and specifications exist in one of two categories: Required. A covered entity must implement a solution for every required specification. Addressable. A covered entity can implement this item, implement a reasonable alternative, or document why it is not reasonable for them to comply. Appendix A provides a summary of Security Rule standards and specifications. Security Rule Impact on Covered Entities What does all this mean to the average covered entity that must comply with the Security Rule? It means that the covered entity will have to create or upgrade its policies and procedures and acquire hardware or software to provide for the confidentiality, integrity, and availability of ephi. The degree 2

5 of investment in hardware and software will vary based on how well managed a company is and how thoroughly it has implemented security safeguards as the normal course of business. It should be noted that the Security Rule is technology neutral it does not specify any particular technology, so covered entities are free to choose cost-effective products that best fit into their infrastructure. Given that most covered entities will have to make some adjustment to their processes and infrastructure to comply with the Security Rule, it is important to consider specific examples of weak processes or technology in the healthcare industry that expose the covered entity to security risks. Update Password Management and Infrastructure A major area of concern is password management. Most companies will have multiple applications or servers that an employee would want to access. Normally, employees will use the same user account name but different passwords. The challenge in managing all these passwords will cause an employee to write down the passwords, thus creating a security exposure. Another problem is that older applications and operating systems have password structures that do not adhere to industry best practices, such as using passwords with eight alphanumeric characters or more, changing passwords on a fixed cycle (90 days), and locking user accounts after three incorrect password attempts. Oracle Enterprise Single Sign-On Suite Plus Oracle Enterprise Single Sign-On Suite Plus is a suite of products that address several Security Rule issues. The suite includes Oracle Logon Manager, which can solve all the password issues previously stated. For employees, Oracle Logon Manager will elevate one of their existing accounts, typically their Microsoft Windows account, to be the master account. This account supports industry best practices regarding password length, automatic prompting for change, and account locking after failed logon attempts. Behind the master account, Oracle Logon Manager builds a table of all passwords and user IDs that the employee would use to access company resources. After this table is set up, the employee no longer needs to remember this information. Oracle Logon Manager will handle the logon process for the employee. Thus, the password management challenge of remembering and securing multiple user accounts and passwords is replaced by a solution that automatically takes care of this for the user. Oracle Logon Manager will also automatically change application passwords using random alphanumeric passwords. So, even though an outdated application might only support six character passwords, which do not meet industry best practice standards, Oracle Logon Manager will maximize the password complexity available in six characters. This solution provides a reasonable alternative that is likely to pass a security audit, without having to modify the application. Eliminate Shared Passwords A common practice in many healthcare entities is to have a group of employees assigned to handle patients. For example, a managed care business might have one group of nurses handling home health issues while another is handling acute care. The grouping allows nurses to cover for one another in 3

6 absence situations. To facilitate this arrangement, the employees in the group might share a common account and password or share passwords. Both situations can compromise the confidentiality and integrity of PHI, and in fact, HIPAA (a)(1) requires each user to have a unique ID and password. Oracle Enterprise Single Sign-On solves this problem by establishing a unique user account and password for each employee. Employees belonging to a group can be identified even though they might share an account or password for a particular application. Any logon to an application with a shared ID or password performed by Oracle Enterprise Single Sign-On can be traced to a unique user. Control Network Infrastructure The Security Rule requires organizations to control access to information based on methodology and point of entry, be it a shared kiosk or a workstation. Access Control The Security Rule also has requirements regarding the access to PHI that an employee is given. There are different access methodologies that can be used, including role-based access. Role-based access means an employee is given access to PHI based on job function or role. For example, a new employee in the finance department would have access to one group of applications containing PHI, whereas a new employee in the claims department would have access to a different set of applications. Oracle Enterprise Single Sign-On can support this access methodology by allowing an administrator of the product to build multiple groups that define access to different sets of applications, and assigning the appropriate group to a new employee account based on role or function. Session Control Kiosks present a PHI problem in that they typically do not provide session control. Physicians and nurses can walk up to any kiosk, open up applications containing ephi, step away, and leave the data exposed to anyone who passes by. The Oracle Kiosk Manager another application in Oracle Enterprise Single Sign-On solves this problem by providing full session control to kiosks: rapid logon, fast user switching, automatic session locking, and automatic closure of open applications and session termination after an elapsed period of inactivity. Workstation Control A final area of concern in many healthcare entities is that employees can walk up to any workstation that is not being used and log on. The Security Rule does require that a covered entity provide some level of security relative to who can use a workstation. The Oracle Authentication Manager application within Oracle Enterprise Single Sign-On can provide workstation security with strong authentication. Oracle Authentication Manager allows a security device (such as a biometric device, a smartcard, or a token) to be attached to a workstation, and access is only allowed to employees who are able to authenticate. This is an effective solution for any area where access to workstations needs to be tightly controlled. Moreover, it is the ultimate best practice in meeting the unique user identification requirement of HIPAA (a)(1), because whereas an ID and password can be shared without accountability, strong authentication devices cannot. 4

7 Conclusion As the previously discussed examples illustrate, some common problems exist in most vertical business markets and, in this case, the healthcare industry. But there are solutions available. Oracle Enterprise Single Sign-On provides the authentication and access controls necessary to help covered entities comply with the Security Rule. For a detailed review of the standards and specifications in the HIPAA Security Rule, see Appendix A. Appendix B illustrates which of the requirements that Oracle Enterprise Single Sign-On addresses. 5

8 Appendix A: Security Rule Safeguard Matrix TABLE A1. ADMINISTRATIVE SAFEGUARDS STANDARDS SECTIONS IMPLEMENTATION SPECIFICATIONS =REQUIRED, =ADDRESSABLE Security Management Process (a)(1) Risk Analysis Risk Management Sanction Policy Information System Activity Review Assigned Security Responsibility (a)(2) Workforce Security (a)(3) Authorization and/or Supervision Workforce Clearance Procedure Termination Procedures Information Access Management (a)(4) Isolating Health care Clearinghouse Function Access Authorization Access Establishment and Modification Security Awareness and Training (a)(5) Security Reminders Protection from Malicious Software Log-in Monitoring Password Management Security Incident Procedures (a)(6) Response and Reporting Contingency Plan (a)(7) Data Backup Plan Disaster Recovery Plan Emergency Mode Operation Plan Testing and Revision Procedure Applications and Data Criticality Analysis Evaluation (a)(8) Business Associate Contracts (b)(1) Written Contract or Other Arrangement 6

9 TABLE A2. PHYSICAL SAFEGUARDS STANDARDS SECTIONS IMPLEMENTATION SPECIFICATIONS =REQUIRED, =ADDRESSABLE Facility Access Controls (a)(1) Contingency Operations Facility Security Plan Access Control and Validation Procedures Maintenance Records Workstation Use (b) Workstation Security (c) Device and Media Controls (d)(1) Disposal Media Re-use Accountability Data Backup and Storage TABLE A3. TECHNICAL SAFEGUARDS STANDARDS SECTIONS IMPLEMENTATION SPECIFICATIONS =REQUIRED, =ADDRESSABLE Access Control (a)(1) Unique User Identification Emergency Access Procedure Automatic Logoff Encryption and Decryption Audit Controls (b) Integrity (c)(1) Mechanism to Authenticate ephi Person or Entity Authentication (d) Transmission Security Integrity Controls Encryption 7

10 Appendix B: Safeguard Requirements and Application Capabilities TABLE B1. ADMINISTRATIVE SAFEGUARDS AND ORACLE ENTERPRISE SINGLE SIGN-ON SUITE PLUS STANDARDS SECTIONS SPECIFICATIONS DESCRIPTION ORACLE ENTERPRISE SINGLE SIGN-ON SUITE PLUS Security (a)(1) Risk Implement security Automates logon to all systems on behalf of Management Management measures sufficient to users, and tracks this activity, providing the Process reduce risks and Security Officer and the IT department with vulnerabilities to a an enterprise view of all logon activity across reasonable and all networks, operating systems, and appropriate level to applications. This centralized, unified view of comply with system access provides a review and audit (a). capability that would be almost impossible to match any other way. This allows the Security Officer to assess and manage risk from a single access point and to do this quickly, efficiently and comprehensively. Provides for aggressive risk management by allowing biometric and other strong authentication devices to be deployed in areas where the access to PHI is highly sensitive. Provides an ability to eliminate security weaknesses present in kiosks by automatically terminating inactive sessions and closes applications. Automates password management and compliance to associated security policies, such as password complexity and frequency of password change, thereby eliminating the risk that users will mismanage passwords. Eliminates password resets, freeing up IT resources to other security activities, such as examining audit logs, which can enhance the covered entity s overall security position. Sanction Policy Apply appropriate A single control point to monitor and detect sanctions against inappropriate employee access and logon workforce members activity, thereby providing the data needed to who fail to comply invoke the sanction policy. with the security policies and procedures of the covered entity. 8

11 Information Implement Expedites the system activity review process by System Activity procedures to providing an enterprise view and log of all Review regularly review access to a company s resources: networks, records of information operating systems, databases and applications. system activity, such as audit logs, access reports, and security incident tracking reports. Workforce (a)(3) Authorization Implement Provides a central control point for Security and/or procedures for the management to monitor workforce member Supervision authorization and/or access to resources containing PHI. supervision of workforce members who work with electronic protected health information or in locations where it might be accessed. Workforce Implement Provides a mechanism for quickly identifying Clearance procedures to which systems and applications are accessible Procedure determine that the by a workforce member. This allows a Security access of a workforce Officer to easily determine if a workforce member to electronic member s access to PHI is appropriate by protected health comparing what applications are actually information is accessible and used by that member against appropriate. the application access rights associated to that member. Termination Implement The process of terminating all access for a Procedures procedures for terminated workforce member is very error terminating access to prone given the manual, time consuming nature electronic protected of the process. Provides the capability of health information disabling or deleting all access rights of a when the employment workforce member with a single command. of a workforce This greatly increases the security of any member ends or as enterprise. required by determinations made as specified in paragraph (a)(3)(ii)(b) of this section. 9

12 Information (a)(4) Isolating If a health care For any covered entity that provides Access Healthcare clearinghouse is part clearinghouse functionality, can provide the Management Clearinghouse of a larger necessary isolation of functions between the Function organization, the business entity having PHI and the business clearinghouse must entity not who should not have access to implement policies PHI. and procedures that protect the electronic protected health information of the clearinghouse from unauthorized access by the larger organization. Can segregate applications that contain PHI from those that do not, and only allow authorized users to have access to them. By disallowing users to actually know the application passwords, those passwords cannot be shared with unauthorized users, and compliance is thereby ensured. Access Implement policies Can be used as the central point for authorizing Authorization and procedures for and controlling access to an enterprise assets, granting access to because an administrator can determine which electronic protected applications, network resources, operating health information, for resources and databases for a specific user, example, through role or group. access to a workstation, transaction, program, process, or other mechanism. Access Implement policies Can provide a mechanism to support the Establishment and procedures that, implementation of role-based access. and Modification based upon the Applications, databases and network resources entity s access containing PHI can be identified and logically authorization policies, grouped by function (such as a workforce establish, document, member in a finance role needs access to review, and modify a applications A, B and C while in clinical user s right of access operations, a member needs access to B, D to a workstation, and E.) An enterprise s resources that contain transaction, program, PHI can be grouped by function and access or process. controls for a workforce member can be setup, so that the applications will only logon to applications associated with that group. Security (a)(5) Security Periodic security Future v-go Feature: v-go has a function that Awareness Reminders updates. allows a text message to be displayed for a and Training brief time period on a workforce members workstation when they log on, either at start up or upon logon to any resource. This text message can be a customizable security reminder, that could for example, be changed on a weekly basis. 10

13 Log-in Procedures for Normally, if a Security Officer wanted to audit Monitoring monitoring log-in login for different applications and resources, attempts and they would have to examine any such log file reporting on a sequential basis by opening one log file at discrepancies. a time. SSO provides a single database that shows all logins for a given workforce employee. The Security Officer can quickly and efficiently review this enterprise-wide log file for unusual login situations. He or she can then investigate the detailed log files of the enterprise resources identified as possibly compromised by unauthorized access. Password Procedures for Because the Windows logon is the primary Management creating, changing, password that unlocks all other application and safeguarding credentials, it enables enterprises to set a passwords. single strong password policy that meets industry best practices in order to control access to all other enterprise resources. In addition, 3 bad logon attempts will lock out the Windows account, thereby locking out v- GO and the possibility of accessing any other application since only the ESSO knows the application passwords. For application passwords, to correct the problems associated with older infrastructure and applications that have inadequate password schemes, the applications automated password change functionality maximizes the password strength possible for a given application s password constraints. i.e., if an old mainframe application only accepts 6 character passwords, the ESSO will pick 6 character passwords that are randomized and include alphanumerics and special characters. Security (a)(6) Response and Identify and respond Can expedite the detection and reporting on Incident Reporting to suspected or security incidents associated with inappropriate Procedures known security logon attempts. By using the database the incidents; mitigate, to records login attempts via SSO, a Security the extent practicable, Officer can quickly identify logon anomalies and harmful effects of extract data to generate an incident report. security incidents that are known to the covered entity; and document security incidents and their outcomes. 11

14 Emergency Mode Operation Plan Establish (and implement as needed) procedures to enable continuation of critical business processes for protection of the security of electronic protected health information while operating in emergency mode. It allows a table to be created on user accounts that are authorized for use in an emergency. When an emergency occurs, the Security Officer or other designated official can disable all normal enterprise user account access and activate access to the accounts contained in an emergency table for designated individuals. When the emergency is resolved, emergency access can be deactivated and all normal user account access restored. TABLE B2. PHYSICAL SAFEGUARDS AND ORACLE ENTERPRISE SINGLE SIGN-ON SUITE PLUS STANDARDS SECTIONS SPECIFICATIONS DESCRIPTION ORACLE ENTERPRISE SINGLE SIGN-ON SUITE PLUS Facility (a)(1) Access Control Implement As stated above in the administrative section, Access and Validation procedures to control SSO can support role-based access by Controls Procedures and validate a grouping entities that contain PHI by function person s access to and associating user accounts with these facilities based on groups. their role or function, including visitor control, and control of access to software programs for testing and revision. TABLE B3. TECHNICAL SAFEGUARDS AND ORACLE ENTERPRISE SINGLE SIGN-ON SUITE PLUS STANDARDS SECTIONS SPECIFICATIONS DESCRIPTION ORACLE ENTERPRISE SINGLE SIGN-ON SUITE PLUS Access (a)(1) Unique User Assign a unique name As stated earlier, the application is designed to Control Identification and/or number for assign a unique name/identifier for all identifying and workforce members such that a workforce tracking user identity. members activity can be traced. Additionally, it supports industry best practice relative to password structure and can resolve the security gap caused by legacy applications that have inadequate password implementations. 12

15 Emergency Access Procedure Establish (and implement as needed) procedures for obtaining necessary electronic protected health information during an emergency. As stated above the application can function as a key component of a covered entity s emergency operation plan. It allows a table to be created on user accounts that are authorized for use in an emergency. When an emergency occurs, the Security Officer or other designated official can disable all normal enterprise user account access and activate access to the accounts contained in an emergency table for designated individuals. When the emergency is resolved, the emergency access can be deactivated and all normal user account access restored. Automatic Logoff Implement electronic procedures that terminate an electronic session after a predetermined time of inactivity. Implements automatic logoff for all enterprise applications linked to v-go. This function resolves the security gap created by legacy applications that do not termination sessions or connections to databases after a defined period of inactivity. Audit Controls (b) none Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information Provides an enterprise-wide view of access to all applications and network resources containing PHI. The activity log generated by v- GO can be used by an auditor to examine activity in information systems that contain PHI. Integrity (c)(1) Protection Against Improper Alteration or Destruction of Data Implement policies and procedures to protect electronic protected health information from improper alteration or destruction. Because the solution protects application data from unauthorized access, it protects against improper alteration and destruction by unauthorized users. Person or Entity Authentication (d) none Implement procedures to verify that a person or entity seeking access to electronic protected health information is the one claimed. Supports strong authenticators biometrics, smart cards, tokens and proximity cards. These products greatly enhance the process of verifying that a workforce member requesting access is the one they claim to be. A covered entity can establish non-repudiation of access events. 13

16 Leveraging Oracle Enterprise Single Sign-On to Achieve HIPAA Compliance December 2010 Oracle Corporation World Headquarters 500 Oracle Parkway Redwood Shores, CA U.S.A. Worldwide Inquiries: Phone: Fax: oracle.com Copyright 2005, 2010, Oracle and/or its affiliates. All rights reserved. This document is provided for information purposes only and the contents hereof are subject to change without notice. This document is not warranted to be error-free, nor subject to any other warranties or conditions, whether expressed orally or implied in law, including implied warranties and conditions of merchantability or fitness for a particular purpose. We specifically disclaim any liability with respect to this document and no contractual obligations are formed either directly or indirectly by this document. This document may not be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without our prior written permission. Oracle and Java are registered trademarks of Oracle and/or its affiliates. Other names may be trademarks of their respective owners. AMD, Opteron, the AMD logo, and the AMD Opteron logo are trademarks or registered trademarks of Advanced Micro Devices. Intel and Intel Xeon are trademarks or registered trademarks of Intel Corporation. All SPARC trademarks are used under license and are trademarks or registered trademarks of SPARC International, Inc. UNIX is a registered trademark licensed through X/Open Company, Ltd. 0410