Salesforce & HIPAA Compliance

Transcription

1 An ecfirst Case Study: Salesforce & HIPAA Compliance Salesforce Provides the Tool, You Are Responsible for Compliance 2014 All Rights Reserved ecfirst

2 TABLE OF CONTENTS EXECUTIVE SUMMARY... 3 WHAT IS SALESFORCE?... 3 WHY SALESFORCE.COM?... 4 SALESFORCE.COM SECURITY OVERVIEW... 5 HIPAA SAFEGUARDS... 5 Administrative Safeguards... 5 Physical Safeguards... 9 Technical Safeguards Policy & Procedures AUDITS & CERTIFICATIONS REFERENCES: All Rights Reserved ecfirst 2

3 What is Salesforce? EXECUTIVE SUMMARY ecfirst is constantly being asked to provide guidance on creating or moving healthcare applications to Salesforce. First one must have a better understanding of Force.com to make decisions about creating or migrating healthcare solutions to the Cloud. Force.com is the Platform or development environment on which Salesforce.com is built including the Core Database, Customizable User Interface, Customizable Programming (Apex & Visualforce), Security, etc. Force.com does not include what Salesforce.com calls their Sales and Service objects, such as Leads, Campaigns, Opportunities, Products, & Contracts. These standard objects are very useful and powerful and are not available in Force.com, however, more and more clients realize they need a tool that allows them to build what they need for their business rather than using off the shelf objects. Easily obtained 3 rd party products built on the Force.com platform add greatly to this functionality. Force.com is a great solution for these clients. Force.com is also very easy to customize and configure so it s usually a few hours of consulting to create exactly what the client needs. Many of these clients find that it makes more sense to do some lite configuration of Force.com to give them the features they need and not pay for the features of Salesforce.com that they don t. Salesforce is the web-based, customer relationship management (CRM) application that allows its users to administer and carry out almost every part of their job. With its cloud computing platform, Salesforce is able to provide accessibility from anywhere with a mobile device or Internet connection. This online CRM application can be seen as a model for managing a company s relations with its customers in both the present and the future while also offering flexibility in addition to its great accessibility. Ultimately, Force.com where one can combine Salesforce.com, along with a wealth of 3 rd party apps built on the Force.com to create a centralized place where one can track everything they need to run any size healthcare organization, whether it is big or small. New Microsoft/Saleforce Partnership deal Four months after being named CEO, Satya Nadella forged one of his very first partnership deals with Salesforce.com. According to the press release, Salesforce.com s products will now be better integrated with and enabled on future versions of Windows, Office and SharePoint as well as on OneDrive and just about any device available, mobile or stationary All Rights Reserved ecfirst 3

4 Why Salesforce.com? Easy to use - Salesforce CRM is as easy to use as the Web sites customer use every day. They can log in from anywhere, view and update customer data, and work with their colleagues anytime they want. Easy to set up - Import customer s existing data from ACT!, Gmail, or Outlook or upload an.xls/csv file and before they know it, they are ready to go. Click to customize - If customer can click a mouse, they can change workflows, add fields, and create sales processes. These results in higher productivity and automation like they have never had before. No software hassles - What if customer never had to buy, install, or upgrade software again? With cloud-based applications, upgrades are automatic, so customers can always have the latest version. And better yet, all the customizations stay intact through every upgrade. Security you can count on - All customer data is protected with physical security, data encryption, user authentication, application security, and more. Using the latest firewall protection, intrusion detection systems, and proprietary security products, Salesforce.com gives customers the peace of mind that only a world-class security infrastructure can provide All Rights Reserved ecfirst 4

5 SALESFORCE.COM SECURITY OVERVIEW Salesforce.com understands that the confidentiality, integrity, and availability of their customers' information are vital to their business operations and their own success. They use a multi-layered approach to protect that key information, constantly monitoring and improving their application, systems, and processes to meet the growing demands and challenges of security. Salesforce.com maintains appropriate administrative, physical, and technical safeguards to help protect the security, confidentiality, and integrity of data their customers submit to the Salesforce.com service as customer data. Additionally, the Salesforce Services undergo security assessments by internal personnel and third parties, which include infrastructure vulnerability assessments and application security assessments, on at least an annual basis. Salesforce.com's customers are responsible for ensuring the security of their customer data in their use of the service. HIPAA Safeguards Administrative Safeguards Risk Management Salesforce.com conducts all vulnerability testing against Trial or Developer Edition organizations (instances) of their online services to minimize the risk to their customers data. Salesforce.com tests all code for security vulnerabilities before release, and regularly scans their network and systems for vulnerabilities. Third-party assessments are also conducted regularly: Application vulnerability threat assessments Network vulnerability threat assessments Selected penetration testing and code review Security control framework review and testing Sanction Policy If you are an employee of the Salesforce.com, violation of the Code or any applicable law may subject you to disciplinary action by Salesforce.com including, without limitation, warnings, reprimands, temporary suspensions, probation or termination of employment. The Compliance Officer, after 2014 All Rights Reserved ecfirst 5

6 consultation with the Senior Vice President of Employee Success, shall be responsible for implementing the appropriate disciplinary action in accordance with Salesforce.com s policies and procedures for any employee who is found to have violated the Code. If you are a Service Provider to Salesforce.com, violation of the Code or any applicable law may result in immediate termination of the Service Provider relationship and agreement with Salesforce.com. The Compliance Officer shall be responsible for determining whether to terminate the relationship. Information System Activity Review All Salesforce.com systems used in the provision of the Salesforce Services, including firewalls, routers, network switches and operating systems, log information to their respective system log facility or a centralized syslog server (for network systems) in order to enable the security audits referred to above. Assigned Security Responsibility The CEO has selected an employee to act as the Corporate Compliance Officer. The Corporate Compliance Officer is currently Salesforce.com s General Counsel. The Compliance Officer s charter is to ensure communication, training, monitoring, and overall compliance with the Code. The Compliance Officer will, with the assistance and cooperation of the Salesforce.com s officers, directors, and managers, foster an atmosphere where employees and Service Providers are comfortable in communicating and/or reporting concerns and possible Code violations. Workforce Clearance Procedure Salesforce.com exercises due diligence when hiring and promoting employees and, in particular, when conducting an employment search for a position involving the exercise of substantial discretionary authority, such as a member of the executive team, a senior management position, or an employee with financial management responsibilities. Salesforce.com makes reasonable inquiries into the background of each individual who is a candidate for such a position. All such inquiries shall be made in accordance with applicable law and good business practice. Access Authorization Access to Salesforce Services requires authentication via one of the supported mechanisms as described in the Security Implementation Guide, including user ID/password, SAML based Federation, Oauth, Social Login, or Delegated 2014 All Rights Reserved ecfirst 6

7 Authentication as determined and controlled by customer. Following successful authentication, a random session ID is generated and stored in the user's browser to preserve and track session state Security Awareness and Training Salesforce.com's comprehensive privacy and security program includes communicating with personnel and customers about current issues and best practices. Internal Training and Communications for Salesforce.com Personnel Salesforce.com regularly communicates with their personnel about their obligation to safeguard confidential information, including customer data and personal information. Salesforce.com provides classroom training around confidentiality, privacy, and information security for all new employees during its monthly new hire orientation. All Salesforce.com personnel are required to complete an annual privacy and security training and are tested on the materials presented. Salesforce.com communicates with all personnel about privacy and information security awareness through monthly newsletters. Customer End User Awareness Salesforce.com strongly encourages all of their customers and users to adopt industry-standard solutions to secure and protect their authentication credentials, networks, servers, and computers from security attacks. Salesforce.com communicates with their customers about current issues and trends through their Trust web site. Salesforce.com s end users about specific security issues when warranted. Salesforce.com publishes a Security Implementation Guide for customers to learn more about how to implement customer-controlled security settings. The Security Implementation Guide is available in the Help & Training section of the Salesforce.com service. Salesforce.com offers customers a complimentary AppExchange program that enables them to evaluate their use of Salesforce customer-controlled security settings The Security section of the Trust Web site includes a security webinar and various security-related white papers All Rights Reserved ecfirst 7

8 Salesforce.com offers security-related sessions at their annual conference, Dreamforce. Protection from Malicious Software To ensure the highest level of data protection, Salesforce.com s IT infrastructure includes a host of enhancements. All production servers use hardened UNIX/Linux operating systems; additional measures include centralized logging and alerting, intrusion detection, network access control, anti-virus/anti-malware, host-based firewalls, and data loss prevention tools. The core production servers are further protected by Juniper stateful firewalls, Cisco perimeter and core routers, and F5 load balancers. These servers are managed via bastion hosts that require two-factor authentication to access. The Salesforce Services will not introduce any viruses to a customer s systems. However, the Salesforce Services do not scan for viruses that could be included in attachments or other Customer Data uploaded into the Salesforce Services by a customer. Any such uploaded attachments will not be executed in the Salesforce Services and therefore will not damage or compromise the Salesforce Services. Login Monitoring User access log entries will be maintained, containing date, time, User ID, URL executed or entity ID operated on, operation performed (created, updated, deleted) and source IP address. Note that source IP address might not be available if NAT (Network Address Translation) or PAT (Port Address Translation) is used by Customer or its ISP. If there is suspicion of inappropriate access, Salesforce.com can provide customers log entry records to assist in forensic analysis. This service will be provided to customers on a time and materials basis. Logging will be kept for a minimum of 90 days. Logging will be kept in a secure area to prevent tampering. Password Management User passwords are stored using a salted hash format for encryption. Passwords are not logged under any circumstances. Salesforce.com personnel will not set a defined password for a user. Passwords are reset to a random value (which must be changed on first use) and delivered automatically via to the requesting user. A password cannot contain a customer s User Name and cannot match their first or last name All Rights Reserved ecfirst 8

9 Additionally: A password must contain at least eight characters. A password must contain at least one alphabetic character and one number. The answer to the question posed if a customer forgets their password cannot contain their password. The last three passwords are remembered and cannot be reused when customers are changing their password. Security Incident Procedures Salesforce.com, or an authorized third party, will monitor the Salesforce Services for unauthorized intrusions using network-based intrusion detection mechanisms. Salesforce.com maintains security incident management policies and procedures. Salesforce.com promptly notifies impacted customers of any actual or reasonably suspected unauthorized disclosure of their respective Customer Data to the extent permitted by law. Data Backup Plan All data is backed up to tape at each data center, on a rotating schedule of incremental and full backups. The backups are cloned over secure links to a secure tape archive. Tapes are not transported offsite and are securely destroyed when retired. Disaster Recovery Plan The Salesforce service performs real-time replication to disk at each data center, and near real-time data replication between the production data center and the disaster recovery center; data are transmitted across encrypted links. Disaster recovery tests verify their projected recovery times and the integrity of the customer data. Physical Safeguards Facility Access Control Production data centers used to provide the Salesforce Services have access control systems. These systems permit only authorized personnel to have access to secure areas. Salesforce employs 24-hour manned security, including foot patrols and perimeter inspections; also video surveillance throughout facility and perimeter. Biometric scanning for secure area access is in place All Rights Reserved ecfirst 9

10 Dedicated concrete-walled Data Center rooms are used to house all systems. Computing equipment is also secured in access-controlled steel cages. As an ISO/IEC 27001:2005 certified facility, Salesforce.com has fulfilled the industry standard requirements for access control validation. Access to secure sub-areas is allocated on a role specific basis. Only authorized data center personnel have access to data halls. Sensitive equipment such as plant and information processing facilities, including customer servers, are housed in secure sub areas within the secure perimeter and are subject to additional controls. Centralized Security Management Systems are deployed at all data centers to control the Electronic Access Control Systems and CCTV networks. Disposal After contract termination, Customer Data submitted to the Salesforce Services is retained in inactive status within the Salesforce Services for 180 days and a transition period of up to 30 days, after which it is securely overwritten or deleted. Customer Data submitted to the Salesforce Services (including Customer Data retained in inactive status) will be stored on backup media for an additional 90 days after it is securely overwritten or deleted from the Salesforce Services. This process is subject to applicable legal requirements. Technical Safeguards Access Controls Salesforce.com provides each User within each client account with a unique user name and password that must be entered each time a User logs on. To protect established sessions, Force.com monitors and terminates idle sessions after a configurable period of time. Audit Controls Record Modification Fields All objects include fields to store the name of the user who created the record and who last modified the record. This provides some basic auditing information. Login History Customers can review a list of successful and failed login attempts to their organization for the past six months All Rights Reserved ecfirst 10

11 Field History Tracking Customers can also enable auditing for individual fields, which will automatically track any changes in the values of selected fields. Although auditing is available for all custom objects, only some standard objects allow field-level auditing. Setup Audit Trail Administrators can also view a Setup Audit Trail, which logs when modifications are made to organization s configuration. Transmission Security Connections to the Salesforce environment are secured via SSL 3.0/TLS 1.0, using certificates from Verisign, ensuring that users have a secure connection from their browsers to their service. Individual user sessions are identified and reverified with each transaction, using a unique token created at login. Encryption The Salesforce Services use industry-accepted encryption products to protect Customer Data and communications during transmissions between a customer's network and the Salesforce Services, including minimum 128-bit VeriSign SSL Certification and minimum 2048-bit RSA public keys. Additionally, Customer Data is encrypted during transmission between data centers for replication purposes. Policy & Procedures Salesforce.com has privacy and security-conscious policies that apply to all of their information handling practices. Contractual Privacy Protection for Customers o o Salesforce.com's contracts include confidentiality provisions that prohibit them from disclosing customer confidential information, including customer data, except under certain narrowly defined circumstances, such as when required by law. Salesforce.com agrees not to access customer's accounts, including customer data, except to maintain the service, prevent or respond to technical or service problems, at a customer's request in connection with a customer support issue, or where required by law. Code of Conduct, Confidentiality Agreements, and Information Security Policies o Every Salesforce.com employee and contractor must follow Salesforce.com s code of conduct, sign confidentiality agreements, and follow Salesforce.com s information security policies All Rights Reserved ecfirst 11

12 Privacy Statement o o o For information collected on Salesforce s Web site, Salesforce.com provides assurances around the types of information collected, how that information may be used, and how that information may be shared. Salesforce.com offers individuals the opportunity to manage their receipt of marketing and other non-transactional communications. Salesforce.com offers individuals the opportunity to update or change the information they provide All Rights Reserved ecfirst 12

13 AUDITS & CERTIFICATIONS ISO certification: Salesforce.com is subject to an information security management system (ISMS) in accordance with the ISO international standard. Salesforce.com has achieved ISO certification for its ISMS from an independent third party. SSAE 16 Service Organization Control (SOC) reports: Salesforce.com s information security control environment applicable to the Salesforce Services undergoes an independent evaluation in the form of SSAE 16 Service Organization Control. (SOC-1, SOC-2, or SOC-3) reports. EU/US and Swiss/US Safe Harbor self-certifications: Customer Data submitted to the Salesforce Services is within the scope of Salesforce.com s annual self-certification to the EU/US and Swiss/US Safe Harbor frameworks as administered by the U.S. Department of Commerce. TRUSTe Privacy Seal: Salesforce.com has been awarded the TRUSTe Privacy Seal signifying that Salesforce.com s Web Site Privacy Statement and associated practices related to the Salesforce Services have been reviewed by TRUSTe for compliance with TRUSTe s program requirements, including transparency, accountability, and choice regarding the collection and use of personal data. PCI: For the Salesforce Services, Salesforce.com has obtained a signed Attestation of Compliance ( AoC ) demonstrating Level 1 compliance with the Payment Card Industry Data Security Standard version 2.0, as formulated by The Payment Card Industry Security Standards Council ("PCI DSS") as a data storage entity or third party agent from an Qualified Security Assessor that is certified as such by The Payment Card Industry Security Standards Council All Rights Reserved ecfirst 13

14 REFERENCES: certification&language=en_us Service-Organization-Control-SOC-reports&language=en_US Attestation-of-Compliance&language=en_US 2014 All Rights Reserved ecfirst 14

15 Corporate Office 295 NE Venture Drive Waukee, IA Toll Free: x17 Phone: x17 Fax: All Rights Reserved ecfirst 15