Copyright 2004 Oracle Corporation
Meeting Place: 1-888-967-2253 (US only), 1-650-607-2253 (Local/Int'l)
Meeting ID #: 959460
Meeting Password: 959460
Using Oracle Technology to Meet 21 CFR Part 11 Security & Regulatory Requirements
Charlie Berger, Sr. Dir Product Mgmt, Life Sciences & Data Mining
Paul Needham, Director of Product Mgmt, Database Security
Raf Podowski, Sr. Product Manager, Life Sciences

What is 21 CFR Part 11?
Regulations that provide criteria for acceptance by FDA of electronic records, electronic signatures, and handwritten signatures executed to electronic records as equivalent to paper records and handwritten signatures executed on paper
FDA’s rationale regarding 21 CFR Part 11:
– Primary concern: ensuring public health and safety
– Risk-based compliance

21 CFR Part 11 Technical Requirements
Strong security - to ensure the authenticity, integrity, and confidentiality of electronic records.
– Unique user name/password
– Limit system access to authorized individuals
– Detect and report unauthorized use
– Use of document encryption and digital signature standards
System availability
Operational system checks
Electronic signatures – to ensure that the signer cannot readily repudiate the signed record.
Audit trail

HIPAA
Health Insurance Portability and Accountability Act of 1996, Public Law 104-191 (HIPAA)
– Kennedy-Kassebaum Bill
Administrative simplification act
– Privacy Rule: “what” individual health information must be protected
– Security Rule: “how” healthcare organizations need to protect health-related information
Noncompliance would put you in jail
75% policies/procedures, 25% Technology

HIPAA's Security & Privacy Technical Requirements
“Ensure the confidentiality, integrity, and availability of all electronic protected health information.”
Confidentiality: protect health information from unauthorized disclosure
Integrity: prevent unauthorized modification of health information
Availability: information is available to authorized parties
Authentication: assurance of identity of person or originator of data
Authorization: rights to perform some action
Audits: track who accesses healthcare information

HIPAA Security Requirements
Access control
– Unique user identification
– Emergency access procedure
– Automatic logoff
– Encryption and decryption
Transmission security
– Integrity control
– Encryption

Security Challenges
Privacy & integrity of communications: Are your query results read or modified in transit?
Sensitive data storage: Are your patient privacy needs met at your site?
Access control: Can you secure certain parts of a medical record?
Scalability: Can you support 100,000s of users?
Ease of use: Is it easy to use for users & administrators?
Know your users: Who is accessing the data from the web?
Audit trail, eRecords & eSignatures: Can you comply with FDA requirements?

Platform Security & Identity Mgmt
[Diagram: Oracle platform security and identity management components. Labels: Access Management; Directory Services; Provisioning Services; External Security Services; Oracle Platform Security; Application Security.]
E-Business Suite: Responsibilities, Roles …
Collaboration Suite: S/MIME, Interpersonal Rights …
OracleAS Portal / Wireless: Roles, Privilege Groups …
3rd Party Applications: Authorization, Privacy, audit, …
Oracle Database: Enterprise users, VPD, Encryption, Label Security
Oracle Application Server: JAAS, WS Security, Java2 Permissions …
Oracle Identity Management: Oracle Internet Directory, OracleAS Certificate Authority, Directory Integration & Provisioning, OracleAS Single Sign-on, Delegated Administration Services

Oracle Database 10g Key Messages
Industry Leading Access Control and Accountability
– Privacy
– Data Consolidation
Strong Authentication & Network Security
– Privacy
– Government regulations
Integrated Identity Management Capabilities
– Provisioning
– Lower TCO
– Single user management repository for all databases
– Centralized User Management and Authorization

Oracle Database 10g Virtual Private Database
Introduced in Oracle8i
Database enforced
Row Level Security
[Diagram: a Sales Rep and a Customer each issue "Select * from Orders" against the ORDERS table; the VPD Policy appends "Where customer_id = 20" to one query and "Where customer_id = 10" to the other.]

Oracle Database 10g Virtual Private Database
Column Relevant Policies
– Policy enforced only if specific columns are referenced

| Patient_ID | Diagnosis | Department |
|---|---|---|
| 562871 | CBC… | Oncology |
| 572259 | MRI… | Imaging |
| 632261 | EKG… | Cardiology |
| 457825 | PSA… | Urology |

Select Patient_ID, Diagnosis… (enforce); row markers on the slide: X, OK, X, X

Oracle Database 10g Virtual Private Database
Column Filtering
– Optional VPD configuration to return all rows but filter out column values in rows which don’t meet criteria

| Patient_ID | Diagnosis | Department |
|---|---|---|
| 562871 | CBC… | Oncology |
| 572259 | MRI… | Imaging |
| 632261 | EKG… | Cardiology |
| 457825 | PSA… | Urology |

Select Patient_ID, Diagnosis… (enforce); all four rows are marked OK and returned as:

| Patient_ID | Diagnosis | Department |
|---|---|---|
| 562871 | | Oncology |
| 572259 | MRI… | Imaging |
| 632261 | | Cardiology |
| 457825 | | Urology |
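
The column-relevant and column-filtering behaviours on these slides correspond to the sec_relevant_cols and sec_relevant_cols_opt arguments of DBMS_RLS.ADD_POLICY. The following is an added example, not taken from the original presentation; the CLINIC schema, the PATIENTS and STAFF_DEPT tables, and the function and policy names are assumptions.

```sql
-- Assumed objects (not on the slides): schema CLINIC, table PATIENTS
-- (patient_id, diagnosis, department) and a lookup table STAFF_DEPT
-- (username, department) that maps database users to a department.

-- Policy function: the database calls it when a statement touches PATIENTS
-- and appends the returned text to that statement as a WHERE predicate.
CREATE OR REPLACE FUNCTION clinic.dept_predicate (
  p_schema IN VARCHAR2,
  p_object IN VARCHAR2
) RETURN VARCHAR2
IS
BEGIN
  -- Fails closed: a user with no STAFF_DEPT row matches no department.
  RETURN 'department IN (SELECT s.department FROM clinic.staff_dept s '
      || 'WHERE s.username = SYS_CONTEXT(''USERENV'', ''SESSION_USER''))';
END;
/

BEGIN
  -- Column filtering: every row is returned, but DIAGNOSIS comes back NULL
  -- in rows that fail the predicate. Leave out sec_relevant_cols_opt to get
  -- the column-relevant behaviour instead: the predicate then removes rows,
  -- and only for statements that reference DIAGNOSIS.
  DBMS_RLS.ADD_POLICY(
    object_schema         => 'CLINIC',
    object_name           => 'PATIENTS',
    policy_name           => 'PATIENTS_DIAGNOSIS_MASK',
    function_schema       => 'CLINIC',
    policy_function       => 'DEPT_PREDICATE',
    statement_types       => 'SELECT',
    sec_relevant_cols     => 'DIAGNOSIS',
    sec_relevant_cols_opt => DBMS_RLS.ALL_ROWS);
END;
/

-- As a user mapped to Imaging: all four rows come back, and DIAGNOSIS is
-- populated only in the Imaging row.
SELECT patient_id, diagnosis, department FROM clinic.patients;

-- DIAGNOSIS is not referenced, so the policy is not applied to this query.
SELECT patient_id, department FROM clinic.patients;
```

Accounts holding the EXEMPT ACCESS POLICY privilege bypass the policy entirely, so grants of that privilege belong in any access review of a VPD-protected table.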

Oracle Label Security
Enterprise Edition Security option
Out-of-the-box row level security
Built on VPD
– Adds label based access control framework
– Highly granular access control settings
Policy design based on stringent government and commercial requirements for row level security

Oracle Label Security Example
User Label (Level :: Compartment :: Group)
Dr. Murphy: Sensitive :: Orthopedic, Acute :: Active
Row Labels on the Data Rows:

| Level | Compartment | Group |
|---|---|---|
| Identifiable | Ambulatory | Dep |
| Identifiable | Orthopedic | Active |
| Sensitive | Radiology | Ret |
| Confidential | Disease | Active |
| Sensitive | Orthopedic | Ret |
| Sensitive | Acute | Active |

Levels: Hierarchical
Compartments: Non-Hierarchical
Groups: Hierarchical
Levels: Confidential, Sensitive, Identifiable
Groups: Active, Retired, Departed

Oracle Database 10g Stored Data Encryption
Protect select data via encryption in the database
Examples:
– Credit card numbers, patient’s SSN
DBMS_OBFUSCATION_TOOLKIT package
– Supports Advanced Encryption Standard (AES), Data Encryption Standard (DES) and 3DES algorithms
– Supports MD5 to ensure data integrity

Oracle Audit Technology
Standard Oracle auditing
– Comprehensive auditing by statement, by use of system privilege, by object, by user
Fine-grained auditing
– Audit policies
– Reduces audit collection
Selective Audit – Consulting Solution

Audit Table Example

| COUNTY | START YEAR | STOP YEAR | INCIDENCE | MORTALITY |
|---|---|---|---|---|
| ALLEGANY | 1994 | 1998 | 103.8 | 36 |
| SULLIVAN | 1995 | 1999 | 139.8 | 36.2 |
| CHEMUNG | 1995 | 1999 | 131.2 | 36.3 |
| RENSSELAER | 1995 | 1999 | 136.1 | 36.5 |
| ALLEGANY | 1995 | 1999 | 125.1 | 36.7 |
| ULSTER | 1994 | 1998 | 114.8 | 37.2 |
| HAMILTON | 1995 | 1999 | 149.6 | 37.5 |
| HERKIMER | 1995 | 1999 | 129.9 | 38.5 |
| WARREN | 1995 | 1999 | 142.6 | 38.9 |
| ULSTER | 1995 | 1999 | 145.9 | 40.6 |
| WESTCHESTER | 1990 | 1998 | 105.6 | 105.6 |

Audit Table Shows Insertions

| COUNTY | START YEAR | STOP YEAR | INCIDENCE | MORTALITY | AUDIT USER | AUDIT DATE GMT | AUDIT OPERATION | AUDIT CHRONICLE |
|---|---|---|---|---|---|---|---|---|
| ALLEGANY | 1994 | 1998 | 103.8 | 36 | RAF | 5/20/2004 3:36:00 PM | I | 123001 |
| SULLIVAN | 1995 | 1999 | 139.8 | 36.2 | RAF | 5/20/2004 3:36:00 PM | I | 123002 |
| CHEMUNG | 1995 | 1999 | 131.2 | 36.3 | RAF | 5/20/2004 3:36:00 PM | I | 123003 |
| RENSSELAER | 1995 | 1999 | 136.1 | 36.5 | RAF | 5/20/2004 3:36:00 PM | I | 123004 |
| ALLEGANY | 1995 | 1999 | 125.1 | 36.7 | RAF | 5/20/2004 3:36:00 PM | I | 123005 |
| ULSTER | 1994 | 1998 | 114.8 | 37.2 | RAF | 5/20/2004 3:36:00 PM | I | 123006 |
| HAMILTON | 1995 | 1999 | 149.6 | 37.5 | RAF | 5/20/2004 3:36:00 PM | I | 123007 |
| HERKIMER | 1995 | 1999 | 129.9 | 38.5 | RAF | 5/20/2004 3:36:00 PM | I | 123008 |
| WARREN | 1995 | 1999 | 142.6 | 38.9 | RAF | 5/20/2004 3:36:00 PM | I | 123009 |
| ULSTER | 1995 | 1999 | 145.9 | 40.6 | RAF | 5/20/2004 3:36:00 PM | I | 123010 |
| WESTCHESTER | 1990 | 1998 | 105.6 | 105.6 | RAF | 5/20/2004 3:36:00 PM | I | 123011 |

Audit Table Example

| COUNTY | START YEAR | STOP YEAR | INCIDENCE | MORTALITY |
|---|---|---|---|---|
| ALLEGANY | 1994 | 1998 | 103.8 | 36.1 |
| SULLIVAN | 1995 | 1999 | 139.8 | 36.2 |
| CHEMUNG | 1995 | 1999 | 131.2 | 36.3 |
| RENSSELAER | 1995 | 1999 | 136.1 | 36.5 |
| ALLEGANY | 1995 | 1999 | 125.1 | 36.7 |
| ULSTER | 1994 | 1998 | 114.8 | 37.2 |
| HAMILTON | 1995 | 1999 | 149.6 | 37.5 |
| HERKIMER | 1995 | 1999 | 129.9 | 38.5 |
| WARREN | 1995 | 1999 | 142.6 | 38.9 |
| ULSTER | 1995 | 1999 | 145.9 | 40.6 |
| WESTCHESTER | 1990 | 1998 | 105.6 | 105.6 |

Tracking Changes: Update

| COUNTY | START YEAR | STOP YEAR | INCIDENCE | MORTALITY | AUDIT USER | AUDIT DATE GMT | AUDIT OPERATION | AUDIT CHRONICLE |
|---|---|---|---|---|---|---|---|---|
| ALLEGANY | 1994 | 1998 | 103.8 | 36 | RAF | 5/20/2004 3:36:00 PM | I | 123001 |
| SULLIVAN | 1995 | 1999 | 139.8 | 36.2 | RAF | 5/20/2004 3:36:00 PM | I | 123002 |
| CHEMUNG | 1995 | 1999 | 131.2 | 36.3 | RAF | 5/20/2004 3:36:00 PM | I | 123003 |
| RENSSELAER | 1995 | 1999 | 136.1 | 36.5 | RAF | 5/20/2004 3:36:00 PM | I | 123004 |
| ALLEGANY | 1995 | 1999 | 125.1 | 36.7 | RAF | 5/20/2004 3:36:00 PM | I | 123005 |
| ULSTER | 1994 | 1998 | 114.8 | 37.2 | RAF | 5/20/2004 3:36:00 PM | I | 123006 |
| HAMILTON | 1995 | 1999 | 149.6 | 37.5 | RAF | 5/20/2004 3:36:00 PM | I | 123007 |
| HERKIMER | 1995 | 1999 | 129.9 | 38.5 | RAF | 5/20/2004 3:36:00 PM | I | 123008 |
| WARREN | 1995 | 1999 | 142.6 | 38.9 | RAF | 5/20/2004 3:36:00 PM | I | 123009 |
| ULSTER | 1995 | 1999 | 145.9 | 40.6 | RAF | 5/20/2004 3:36:00 PM | I | 123010 |
| WESTCHESTER | 1994 | 1998 | 105.6 | 105.6 | RAF | 5/20/2004 3:36:00 PM | I | 123011 |
| ALLEGANY | 1994 | 1998 | 103.8 | 36.1 | RAF | 5/27/2004 1:21:10 PM | U | 123012 |

Audit Table Example

| COUNTY | START YEAR | STOP YEAR | INCIDENCE | MORTALITY |
|---|---|---|---|---|
| ALLEGANY | 1994 | 1998 | 103.8 | 36.1 |
| SULLIVAN | 1995 | 1999 | 139.8 | 36.2 |
| CHEMUNG | 1995 | 1999 | 131.2 | 36.3 |
| RENSSELAER | 1995 | 1999 | 136.1 | 36.5 |
| ALLEGANY | 1995 | 1999 | 125.1 | 36.7 |
| ULSTER | 1994 | 1998 | 114.8 | 37.2 |
| HAMILTON | 1995 | 1999 | 149.6 | 37.5 |
| HERKIMER | 1995 | 1999 | 129.9 | 38.5 |
| WARREN | 1995 | 1999 | 142.6 | 38.9 |
| ULSTER | 1995 | 1999 | 145.9 | 40.6 |
| WESTCHESTER | 1994 | 1998 | 105.6 | 38.2 |

| COUNTY | START YEAR | STOP YEAR | INCIDENCE | MORTALITY | AUDIT USER | AUDIT DATE GMT | AUDIT OPERATION | AUDIT CHRONICLE |
|---|---|---|---|---|---|---|---|---|
| ALLEGANY | 1994 | 1998 | 103.8 | 36 | RAF | 5/20/2004 3:36:00 PM | I | 123001 |
| SULLIVAN | 1995 | 1999 | 139.8 | 36.2 | RAF | 5/20/2004 3:36:00 PM | I | 123002 |
| CHEMUNG | 1995 | 1999 | 131.2 | 36.3 | RAF | 5/20/2004 3:36:00 PM | I | 123003 |
| RENSSELAER | 1995 | 1999 | 136.1 | 36.5 | RAF | 5/20/2004 3:36:00 PM | I | 123004 |
| ALLEGANY | 1995 | 1999 | 125.1 | 36.7 | RAF | 5/20/2004 3:36:00 PM | I | 123005 |
| ULSTER | 1994 | 1998 | 114.8 | 37.2 | RAF | 5/20/2004 3:36:00 PM | I | 123006 |
| HAMILTON | 1995 | 1999 | 149.6 | 37.5 | RAF | 5/20/2004 3:36:00 PM | I | 123007 |
| HERKIMER | 1995 | 1999 | 129.9 | 38.5 | RAF | 5/20/2004 3:36:00 PM | I | 123008 |
| WARREN | 1995 | 1999 | 142.6 | 38.9 | RAF | 5/20/2004 3:36:00 PM | I | 123009 |
| ULSTER | 1995 | 1999 | 145.9 | 40.6 | RAF | 5/20/2004 3:36:00 PM | I | 123010 |
| WESTCHESTER | 1994 | 1998 | 105.6 | 105.6 | RAF | 5/20/2004 3:36:00 PM | I | 123011 |
| ALLEGANY | 1994 | 1998 | 103.8 | 36.1 | RAF | 5/27/2004 1:21:10 PM | U | 123012 |
| WESTCHESTER | 1990 | 1998 | 105.6 | 38.2 | RAF | 5/27/2004 1:23:22 PM | U | 123013 |
| WESTCHESTER | 1994 | 1998 | 105.6 | 38.2 | RAF | 5/27/2004 1:24:02 PM | I | 123014 |
| WESTCHESTER | 1990 | 1998 | 105.6 | 38.2 | RAF | 5/27/2004 1:24:02 PM | D | 123015 |

Primary key change automatically triggers both I and D
Primary Key is a combination of 3 columns
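
One way to produce an audit table with the behaviour shown on these slides is a row-level trigger that logs a key change as an I for the new key and a D for the old one. This is an added sketch, not the Selective Audit consulting solution or any code from the presentation; the table, sequence and trigger names are assumptions.

```sql
-- Assumed names (not on the slides): CANCER_STATS, CANCER_STATS_AUDIT,
-- AUDIT_CHRONICLE_SEQ. Column names follow the slide's table headers.
CREATE TABLE cancer_stats (
  county     VARCHAR2(30),
  start_year NUMBER(4),
  stop_year  NUMBER(4),
  incidence  NUMBER,
  mortality  NUMBER,
  CONSTRAINT cancer_stats_pk PRIMARY KEY (county, start_year, stop_year)
);
CREATE TABLE cancer_stats_audit (
  county VARCHAR2(30), start_year NUMBER(4), stop_year NUMBER(4),
  incidence NUMBER, mortality NUMBER,
  audit_user      VARCHAR2(30),
  audit_date_gmt  TIMESTAMP,
  audit_operation CHAR(1) CHECK (audit_operation IN ('I', 'U', 'D')),
  audit_chronicle NUMBER PRIMARY KEY
);
CREATE SEQUENCE audit_chronicle_seq START WITH 123001;

-- Application accounts get no UPDATE or DELETE on the audit table, so the
-- trail can only grow through this trigger.
CREATE OR REPLACE TRIGGER cancer_stats_audit_trg
AFTER INSERT OR UPDATE OR DELETE ON cancer_stats
FOR EACH ROW
DECLARE
  PROCEDURE log_row (p_op VARCHAR2, p_county VARCHAR2, p_start NUMBER,
                     p_stop NUMBER, p_inc NUMBER, p_mort NUMBER) IS
  BEGIN
    INSERT INTO cancer_stats_audit VALUES (
      p_county, p_start, p_stop, p_inc, p_mort,
      SYS_CONTEXT('USERENV', 'SESSION_USER'),
      SYS_EXTRACT_UTC(SYSTIMESTAMP), p_op, audit_chronicle_seq.NEXTVAL);
  END log_row;
BEGIN
  IF INSERTING THEN
    log_row('I', :NEW.county, :NEW.start_year, :NEW.stop_year, :NEW.incidence, :NEW.mortality);
  ELSIF DELETING THEN
    log_row('D', :OLD.county, :OLD.start_year, :OLD.stop_year, :OLD.incidence, :OLD.mortality);
  ELSIF :NEW.county <> :OLD.county OR :NEW.start_year <> :OLD.start_year
        OR :NEW.stop_year <> :OLD.stop_year THEN
    -- Key change: log the new key as an insert and the old key as a delete.
    log_row('I', :NEW.county, :NEW.start_year, :NEW.stop_year, :NEW.incidence, :NEW.mortality);
    log_row('D', :OLD.county, :OLD.start_year, :OLD.stop_year, :OLD.incidence, :OLD.mortality);
  ELSE
    log_row('U', :NEW.county, :NEW.start_year, :NEW.stop_year, :NEW.incidence, :NEW.mortality);
  END IF;
END;
/
```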

Oracle Database 10g Auditing
Fine Grained Auditing (FGA)
– Support extended to provide granular auditing of insert, update and delete operations
– Enhanced access to audit records with new view
– New single audit view in database
[Diagram: fine-grained auditing flow]
User Queries...: Select name, salary from emp where...
Enforce Audit Policy in Database...: Where Salary > 500000, AUDIT COLUMN = Salary
Audit Record Shows...: Select name, salary from emp where name = ‘KING’, <timestamp>
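
The audit policy on this slide, written out with DBMS_FGA.ADD_POLICY and followed by queries against the FGA audit view and the single combined audit view. This is an added example, not code from the presentation; the HR schema and the policy name are assumptions, since the slide names only the EMP table and its NAME and SALARY columns.

```sql
-- Assumed: EMP lives in schema HR; the policy name is made up.
BEGIN
  DBMS_FGA.ADD_POLICY(
    object_schema   => 'HR',
    object_name     => 'EMP',
    policy_name     => 'AUDIT_HIGH_SALARY',
    audit_condition => 'SALARY > 500000',  -- "Where Salary > 500000"
    audit_column    => 'SALARY',           -- "AUDIT COLUMN = Salary"
    statement_types => 'SELECT,INSERT,UPDATE,DELETE',
    enable          => TRUE);
END;
/

-- Audited if KING's salary is above 500000: the statement references the
-- audit column and returns a row that satisfies the audit condition.
SELECT name, salary FROM hr.emp WHERE name = 'KING';

-- Not audited: the audit column is not referenced.
SELECT name FROM hr.emp WHERE name = 'KING';

-- Review of FGA records: who ran which statement, and when.
SELECT db_user, timestamp, policy_name, sql_text, sql_bind
FROM   dba_fga_audit_trail
WHERE  object_schema = 'HR' AND object_name = 'EMP'
ORDER  BY timestamp;

-- Standard and fine-grained audit records together in one view.
SELECT audit_type, db_user, extended_timestamp, statement_type, sql_text
FROM   dba_common_audit_trail
WHERE  object_schema = 'HR' AND object_name = 'EMP'
ORDER  BY extended_timestamp;
```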

Communications and Strong Authentication

Oracle Advanced Security Option
Network Security
– Encryption (Net8 Native, SSL, Java)
Strong Authentication
– PKI
– Kerberos
– Single Sign-On (Entrust, PKI)
– Radius

Oracle Advanced Security Network Encryption
Encrypts all communications with the database
– AES
– RSA RC4 (40-, 56-, 128-, 256-bit keys)
– DES (40-, 56-bit) and 3DES (2- and 3-key)
– Diffie-Hellman key exchange
Data integrity with checksums
– MD5, SHA-1
– Automatically detects modifications, replays, missing packets

PKI in Oracle Today
Oracle Products Enabled for PKI
– Oracle Database
– OracleAS HTTPS Server
– OracleAS Single Sign-on
– S/MIME
– SSL

Oracle PKI Components
Oracle Internet Directory
– Public place for user certificates, CRL, and wallets
Oracle Wallet Manager
– Create, manage key pair and certificate for server
Oracle Certificate Authority
– New component in Oracle Application Server 10g
– A trusted authority to issue certificates
– Manage life cycle of certificate
– Issue and update CRL
– Works with browsers to enable web applications

Historical Challenges of PKI
Provisioning
Application Transparency
Ease of use/Deployment
Standards Compliant

OracleAS Certificate Authority 10g
Provisioning: Integrated with OracleAS Single Sign-on 10g
Application Transparency: Provides strong authentication for OracleAS Single Sign-On 10g enabled applications
Ease of use/Deployment: Web based user and admin interfaces
Standards Compliant: Issues industry standard X.509V3 Certificates

PKI Enablement
Authentication (usually with transmission encryption)
– Example is SSLv3
Persistent digital signature
– Usually through digitally signed hash of document or file, or portion thereof
Persistent encryption
– Usually in conjunction with symmetric encryption
– Public key used to encrypt symmetric key

Security & Privacy
[Diagram. Labels: Data; Network; Healthcare Worker. Callouts: Identify & Authenticate; Access control; Privacy & integrity of data; Comprehensive auditing; Privacy & integrity of communications. Roles shown: Nurse, Doctor, Clerical, Employer. Record items shown: Diagnosis, Coverage, Office Visit, Therapy, X-Ray, Enrollment, Lab Test, Rx Shot, Cert 973, Cert Child, Outpatient.]

Taratec e-Compliance™
Built specifically to support FDA 21 CFR Part 11 Compliance
Designed for Life Sciences Data & File Management
Features
– Versioning, Advanced Searching, Check-in/Check-Out
– Integrated storage of files from any source
– Universal access through Web browser
– Complete Audit Trail of File Operations
“With Oracle as the foundation, we were able to develop a solution that can secure a vast array of file-based data with vault like security.”
- Bill Gargano, President and COO, Taratec Development Corporation

University of California San Diego School of Medicine
The Patient Centered Access to Secure Systems Online (PCASSO)
– 178,000 Medical Records
– Provides trusted access to a patient’s health information from healthcare providers over the Internet
– Oracle Label Security & Virtual Private Database
The security is locked to the data and therefore can’t be subverted
No application coding needed to implement security
“In defining those levels, we needed to separately protect highly sensitive information that – by law – requires special protection. … Label-based access control is ideal for this purpose”
- Dixie Baker, Corporate VP of Technology and CTO for SAIC’s Healthcare Practice

What About The Competition?

| Security Feature | Oracle 10g | IBM DB2 | Microsoft SS2000 |
|---|---|---|---|
| Row Level Security (VPD) | Yes | No | No |
| Label Security | Yes | No | No |
| Data Encryption | Yes | Yes | No |
| Fine-grained Auditing | Yes | No | No |

compete3.us.oracle.com

Technology PLUS Assurance

| Security Criteria | Oracle |
|---|---|
| TCSEC, Level B1 | 1 |
| TCSEC, Level C2 | 1 |
| ITSEC, levels E3/F-C2 | 3 |
| ITSEC, levels E3/F-B1 | 3 |
| Common Criteria, level EAL-4 | 6 |
| Russian Criteria, levels III, IV | 2 |
| FIPS 140-1, level 2 | 2 |
| TOTAL | 18 |

Summary: Oracle features to achieve HIPAA goals
Network Encryption
Database Encryption
Restricts Data Access
Data Sensitivity Labels
Comprehensive Auditing
Identity Management
Single Sign-on
User Authentication
Independent Evaluation
Assurance