RAYSAFE S1 SECURITY WHITEPAPER VERSION B. RaySafe S1 SECURITY WHITEPAPER

Transcription

1 RaySafe S1 SECURITY WHITEPAPER

2 Contents 1. INTRODUCTION 2 ARCHITECTURE OVERVIEW 2.1 Structure 3 SECURITY ASPECTS 3.1 Security Aspects for RaySafe S1 Data Collector 3.2 Security Aspects for RaySafe S1 cloud-based solution Security Aspects - Application (user) perspective Security aspects - System architecture perspective 4 HIPAA SECURITY RULE COMPLIANCE 5 EU DATA PROTECTION DIRECTIVE COMPLIANCE 6. THE PERSONAL DATA ACT COMPLIANCE 6.1 Controller of personal data 6.2 Personal Data Assistant 7. ASSOCIATION POLICIES 7.1. Administrative Safeguards 7.2. Physical Safeguards 7.3 Technical Safeguards

3 1. INTRODUCTION RaySafe S1 is a cloud-based software solution that collects, adds value and shares radiology information to selected individuals in the diagnostic radiology process. This whitepaper is intended to assist in evaluating the security aspects of the RaySafe S1 solution and it follows: The Health Information Portability and Accountability Act (HIPAA) Security Rule compliance, Swedish Personal Data Act (PDA, 1998:204) compliance, Directive 95/46/EC of the European Parliament and of the Council compliance This aims to prevent the violation of personal integrity in the processing of personal data. RaySafe S1 is designed to meet the highest security standards and patient data integrity. The RaySafe S1 architecture is built on privacy by design principles to: minimize the amount of sensitive patient data restrict access to sensitive data using role based mechanisms and a work flow approach protect data via strong authentication and encryption log data usage on an individual level control user rights and behavior

4 2 ARCHITECTURE OVERVIEW 2.1 Structure The RaySafe S1 software solution consists of: The RaySafe S1 Data Collector - A Microsoft Windows service based application that is installed locally at the Medical Providers site and is registered in the DICOM network. The RaySafe S1 A cloud-based application which process received data and performs the major application business logic. 2.2 Workflow description Collect Modalities send dose data directly to the RaySafe S1 Data Collector using the DICOM standard (The DICOM standard describes the medical data format and medical data exchange process format and is established by National Electrical Manufacturers Association -NEMA) within the diagnostic imaging provider s network. The RaySafe S1 Data Collector can also retrieve data from PACS or other DICOM capable devices. The RaySafe S1 Data Collector supports both SCP and SCU roles and can handle MPPS, RDSR, MWL and IMAGE formats within the DICOM standard. When the RaySafe S1 Data Collector receives a DICOM message it stores and encrypts the data temporarily in a local queue. All encrypted DICOM messages in the local queue are sent to the RaySafe S1 cloud-based application outside the Medical Provider s network. Once the RaySafe S1 cloud-based application has confirmed the data transfer, the RaySafe S1 Data Collector removes the data from the queue. This local queue feature ensures data integrity for every started session. Add value and Share The RaySafe S1 application receives encrypted DICOM information and makes it available for encrypted storage and processing. The application logic adds value to received information and prepares it for sharing. Users of the RaySafe S1 application can access the data by using an approved web browser within or outside the medical facilities (depending on user role, medical providers requirements and established security

5 policies). This whitepaper describes the security features in the RaySafe S1 software solution which includes the following components: RaySafe S1 Data Collector RaySafe S1 Cloud-based application

6 3 SECURITY ASPECTS 3.1 Security Aspects for RaySafe S1 Data Collector RaySafe S1 Data Collector is installed on the Medical Providers own server (virtual or physical) based on Microsoft technology. The Medical Provider is responsible for this environment and normally should practice its own appropriate security policies (Microsoft Windows user administrative privileges, virus protection, back up procedures, firewall protection, contingency plan, recovery plan, etc.). Prior to installation, the RaySafe S1 Data Collector instance must be registered in the RaySafe S1 cloudbased application with a unique ID and a medical provider ID with an additional security key. Data from any unregistered RaySafe S1 Data Collector is ignored by the cloud service. Windows user administrative privileges should be set appropriately to allow a user to change the RaySafe S1 Data Collector configuration. On a protocol level, the RaySafe S1 Data Collector uses SSL to secure communications with the RaySafe S1 cloud-based application. The RaySafe S1 Data Collector invokes Microsoft Windows services to transmit data (data in transfer is encrypted). The RaySafe S1 Data Collector supports detailed logging of all activities to ensure that any suspicious activity or unforeseen events are identified. Every DICOM file transaction, exception and session is logged and stored in a simple, readable format. To ensure data integrity in case of unforeseen internet connectivity loss, the RaySafe S1 Data Collector utilizes a queue buffer. Data is automatically stored locally until internet connectivity is restored. The RaySafe S1 Data Collector can provide anonymization of received data. Patient identification information such as Patient ID and Patient name is then replaced using a SHA 256 hash algorithm. The algorithm provides one-way data encryption that can t be reverted. If anonymization is enabled, the RaySafe S1 Cloud-based application will only store and display anonymized patient information. 3.2 Security Aspects for RaySafe S1 cloud-based solution Security Aspects - Application (user) perspective RaySafe S1 is a role based application which means that access to data is restricted by giving users the appropriate authorization. Sensitive patient data is limited by role based mechanisms and a work flow approach. Medical providers administrate their own users and distribute role permissions. If the Unfors RaySafe support team needs to have access to the RaySafe S1 application, a temporary authorization should be granted by the Medical Provider. Generic search functionality is not available to limit the access of data. The list of all users and their roles, as well as status (active/inactive) is always visible for the Medical Provider. All user connections are secured using the RaySafe S1 cloud-based application server SSL certificate. Any non-authorized connection attempts will be terminated by the RaySafe S1 cloud-based application server. If strong authentication is required, the RaySafe S1 login page will be integrated with additional control mechanisms. RaySafe S1 logs all user behavior and data usage (e.g. a search on patient ID will be recorded). The security log report is available for the Medical Provider via the RaySafe S1 user interface (logs data usage on user level). RaySafe S1 is prepared for integration with other systems (RIS, PACS, etc.) so for Medical Providers who choose the integration approach, the RaySafe S1 searching mechanisms can be disabled. RaySafe S1 also provides session expiration control to automatically log off users who are not active and thus protect sensitive data Security aspects - System architecture perspective The RaySafe S1 application is protected by a two-step firewall solution. RaySafe S1 uses SSL to secure communications with the RaySafe S1 Data Collector. The RaySafe S1 Data Collector invokes RaySafe S1 services to transmit data (data in transit is encrypted). The data storage layer of RaySafe S1 is protected by EFS (Encrypted File System). The technology enable files to be transparently encrypted to protect confidential data from unauthorized usage in case of any

7 unauthorized physical access to the file system. The encryption key is only available to selected Unfors RaySafe system administrators and will only be used in case of RaySafe S1 reinstallation or data migration/recovery. In similar manner to the RaySafe S1 Data Collector, the RaySafe S1 application also supports detailed logging of all activities to ensure that any suspicious activity or unforeseen events are identified. Every DICOM file transaction, exception and session is logged and stored in a simple, readable format.

8 4 HIPAA SECURITY RULE COMPLIANCE The HIPAA Security Rule ( the rule ) was published to protect the confidentiality, integrity and availability of electronic protected health information (ephi). The rule defined in 45 CFR Parts 160, 162 and 164 establishes the minimum standards for information systems with access to ephi. DCA manages and stores ephi as xml data locally and as serialized objects for transmitting to the service. Thus it must be included in the risk assessment activities of our customers pursuant to HIPAA Security Rule compliance. The rule establishes a minimum set of administrative, technical and physical standards and implementation specifications which must be addressed. However, it is written in terms that are as generic as possible and which, generally speaking, may be met through various approaches or technologies. [Federal Register / Vol. 68, No. 34, pp. 8336]. Thus the rule is not prescriptive. The steps an institution will actually need to take to comply with these regulations will be dependent upon its own particular environment and circumstances and risk assessment. [IBID], An Institution cannot simply purchase HIPAA certified hardware or software to achieve compliance. Rather, it must implement policies and procedures which are consistent with the rule and evaluate technology decisions based upon a risk assessment process. The standards do not allow organizations to make their own rules, only their own technology choices. [Federal Register / Vol. 68, No. 34, pp. 8343] HIPAA is flexible. According to the rule, Covered entities may use any security measures that allow the covered entity to reasonably and appropriately implement the standards and implementation specifications as specified in this subpart. What is reasonable and appropriate is based upon the findings of a risk assessment which considers size, complexity, capability, technical infrastructure, probability of risk, criticality of data and cost of the security measure. In other words, an institution must demonstrate that its choices are reasonable and appropriate given the cost and benefit. 5 EU DATA PROTECTION DIRECTIVE COMPLIANCE EU Data Protection Directive (also known as Directive 95/46/EC) is a directive adopted by the European Union designed to protect the privacy and protection of all personal data collected for or about citizens of the EU, especially as it relates to processing, using, or exchanging such data. Directive 95/46/EC encompasses all key elements from article 8 of the European Convention on Human Rights, which states its intention to respect the rights of privacy in personal and family life, as well as in the home and in personal correspondence. The Directive is based on the 1980 OECD Recommendations of the Council concerning guidelines Governing the Protection of Privacy and Trans-Border Flows of Personal Data. These recommendations are founded on seven principles, since enshrined in EU Directive 94/46/EC: Notice: subjects whose data is being collected should be given notice of such collection. Purpose: data collected should be used only for stated purpose(s) and for no other purposes. Consent: personal data should not be disclosed or shared with third parties without consent from its subject(s). Security: once collected, personal data should be kept safe and secure from potential abuse, theft, or loss. Disclosure: subjects whose personal data is being collected should be informed as to the party or parties collecting such data. Access: subjects should granted access to their personal data and allowed to correct any inaccuracies. Accountability: subjects should be able to hold personal data collectors accountable for adhering to all seven of these principles.

9 6. THE PERSONAL DATA ACT COMPLIANCE The (Swedish) Personal Data Act 1998:20, issued 29 April 1998, is based on Directive 95/46/EC which aims to prevent the violation of personal integrity in the processing of personal data. As defined by the Personal Data Act - personal data is any kind of information that directly or indirectly may refer to a physical, living person. Processing means any operation or set of operations which utilize or include personal data, whether or not it occurs by automatic means, for example collection, recording, organization, storage, adaptation or alteration, retrieval, gathering, use, disclosure by transmission, dissemination or otherwise making information available, alignment or combination, blocking, erasure or destruction. The controller of personal data shall ensure that: Process Personal data is processed only if it is lawful Personal data is always processed in a correct manner and in accordance with good practice Purpose Personal data is only collected for specific, explicitly stated and justified purposes Personal data is not processed for any incompatible purposes Personal data The personal data that is processed is adequate and relevant in relation to the purposes of the processing The amount of personal data processed is no more than necessary in regard to the purposes of the processing The personal data that is processed is correct and, if necessary, up to date All reasonable measures are taken to correct, block or erase personal data that is incorrect or incomplete in regard to the purposes of the processing Personal data is not kept for a longer period than necessary in regard to the purpose of the processing 6.1 Controller of personal data The controller of personal data is liable to implement technical and organizational measures to protect personal data. These measures shall attain a suitable level of security. When the controller engages an assistant to conduct the processing of personal data, there shall be a written contract that specifically regulates the security aspects. The controller is also responsible to ensure that the assistant actually implements the necessary security measures. 6.2 Personal Data Assistant The Medical Provider is the controller of personal/patient data when using RaySafe S1. Unfors RaySafe has the role of Personal Data Assistant, which processes personal data on behalf of the controller. RaySafe provides additional information about sub-assistants and this is regulated through the Personal Data Assistant Agreement.

10 7. ASSOCIATION POLICIES 7.1. Administrative Safeguards Security Management Process Risk Analysis (R) Risk Management (R) Sanction Policy (R) Information System Activity Review (R) Assigned Security Responsibility (R) This whitepaper provides details intended to assist an institution in completing a HIPAA, Directive95/46/EC and Personal Data Act 1998:20 risk analysis of the RaySafe S1 solution RaySafe S1 solution includes a number of configurable security measures that improve an institution s ability to manage risks and vulnerabilities. These security measures include: user and password management session encryption audit and logging mechanisms configurable workflow processes that can improve data integrity Passwords can be administratively changed to revoke access in support of a sanction policy. User accounts can be administratively disabled to revoke access in support of sanction policy Audit reports provide vital information Two levels of authority, Site Administrator and System Administrator are provided for administration of the various security mechanisms featured in the RaySafe S1 application Workforce Security Authorization and/or Supervision (A) Workforce Clearance Procedure (A) Termination Procedures (A) For RaySafe S1 cloud-based application the role-based user accounts can be easily incorporated into the access authorization and workforce clearance process procedures that an institution implements to determine appropriate access to protected information Unfors RaySafe personnel security risk assessment is performed Including pre-employment checks (identity, nationality or status, employment history and references, criminal convictions). This is valid for the role of RaySafe S1 System Administrator. Passwords can be administratively changed to revoke access in support of termination procedures. User accounts can be administratively disabled or completely removed to revoke access in support of termination procedures Information Access Management Isolating Health Care Clearinghouse Functions (R) Access Authorization (A) RaySafe S1 supports clearinghouse authorization through the use of user accounts based on roles, thus users are granted unique user rights and privileges RaySafe S1 relies on Windows file permissions to control access to directories and files containing sensitive information (valid for RaySafe S1 Data Collector) and security encryption (valid for database and files stored on RaySafe S1 cloud-based server side)

11 Access Establishment and Modification (A) RaySafe S1 provides comprehensive and easy-to-use tools to create and manage user accounts and associated roles and privileges via two levels of administration (Site Administrators, System Administrators) which have grouping of functions applied to each administrative level. The following roles can be added or revoked by administrators depending on their privileges, per user: Referring Physician - enables access to perform justification and examination monitoring functions; Technologist/Operator - enables access to perform examination monitoring functions; Radiologist - enables access to perform examination monitoring functions; Site Manager - enables access to perform system configuration inside the Medicare provider; Also enables access to perform account administration functions; Radiation Safety Officer (RSO) - enables access to perform reporting and supervision functions Security Awareness and Training Security Reminders (A) Protection from Malicious Software (A) Log-in Monitoring (A) Password Management (A) Strong password reminder; change password reminder after initial login RaySafe S1 Data Collector is known to work with the following anti-virus packages: Symantec Endpoint Protection For RaySafe S1 Data Collector security login monitoring on operating system level based on Microsoft mechanisms For RaySafe S1 cloud-based application system support, log-in monitoring performed by Microsoft Azure Management Portal (operation log) For RaySafe S1 cloud-based application user log in monitoring is performed indirectly with search and behavior log of user usage of application. The following password management features are available: Masked password entry Administrative password reset and change Password option requiring minimum length of 6 characters with at least one letter and one digit Password encrypted in storage Security Incident Procedures Response and Reporting (R) See Technical Support ( Technical%20Support) Contingency Plan Data Backup Plan (R) Disaster Recovery Plan (R) Emergency Mode Operation Plan (R) The RaySafe S1 Data Collector backup consists of the following parts: local database, configuration, modules. All information is presented in the operating system file system. The backup could be performed using any software (or automation script) that supports the file system. The RaySafe S1 Data Collector configuration backups are also stored in RaySafe S1 cloud-based servers. The RaySafe S1 application storage backups are provided by geographically redundant storage (data remains within EU). Data backups are performed every day by automatic scripts and include: database backup, actions logs backup, DICOM storage backup, instructions backup and all data stored in the application. Information upon request Information upon request

12 Testing and Revision Procedures (A) Applications and Data Criticality Analysis (A) Evaluation (R) Information upon request Information upon request Unfors RaySafe continually review customer requests for security features and enhancements based upon the results of internal risk and assessment activities Business Associate Contracts and Other Arrangements Written Contract or Other Arrangement (R) Processor agreement with subcontracting entities

13 7.2 Physical Safeguards Facility Access Controls Contingency Operations (A) Facility Security Plan (A) Access Control and Validation Procedures (A) Maintenance Records (A) Workstation Use (R) Workstation Security (R) RaySafe S1 Data Collector relies on standard Windows workstations security features (e.g. user login, password protected screensaver) and directory/file permissions to deter from unauthorized access to the application and associated files. RaySafe S1 cloud-based application relies on Windows Azure security features. Device and Media Controls Disposal (R) Media Re-use (R) Accountability (A) Data Backup and Storage (A) N/A 7.3 Technical Safeguards Access Control Unique User Identification (R) Emergency Access Procedure (R) Automatic Logoff (A) Encryption and Decryption (A) Audit Controls (R) The RaySafe S1 Data Collector only relies on Microsoft Server operating system user identification mechanisms for installation and administration purposes. The RaySafe S1 cloud-based application has comprehensive user account-, role- and permissions management. It provides strong authentication, authorization and unique identification of users. User identification could be based on one- or two factor authentication including user certificate validation. Administrator accounts can be used to provide full access to system features in the event of an emergency RaySafe S1 has a configurable inactivity timeout feature - session expiration. Session expiration time is configurable and is equal to 20 minutes by default The RaySafe S1 Data Collector encrypts all data stored in the local database, using built-in encryption mechanisms. Communication with the RaySafe S1 cloud-based application is encrypted using TLS (SSL) technology. The RaySafe S1 cloud-based applications database and file structure is encrypted using Microsoft Transparent Database encryption and Encrypted File System (EFS) technologies. All critical data in the database are encrypted using unique hash algorithms. Standard audit and logging features found in Windows operating system and SQL server database systems are provided

14 Integrity Mechanism to Authenticate ephi (A) Person or Entity Authentication (R) Application and operating system features are utilized to restrict access rights to authorized users as a preventive integrity control. Application logs can be used to track the activity of authorized users and detect activity of unauthorized users as a detective integrity control. N/A Transmission Security Integrity Controls (A) Encryption (A) The RaySafe S1 Data Collector instance must be registered in the RaySafe S1 cloud-based application with a unique ID and a medical provider ID along with an additional security key. RaySafe S1 cloud-based application support Secure Sockets Layer (SSL) encryption communication between browser-based clients and servers to protect data integrity and data confidentiality.