Mar 31, 2020
Page 1: Using Oracle Technology to Meet 21 CFR Part 11 Security ......– Detect and report unauthorized use – Use of document encryption and digital signature standards ySystem availability

Copyright 2004 Oracle Corporation

Meeting Place: 1-888-967-2253 (US only), 1-650-607-2253 (Local/Int'l); Meeting ID #: 959460; Meeting Password: 959460

Using Oracle Technology to Meet 21 CFR Part 11 Security & Regulatory Requirements

Charlie Berger, Sr. Dir Product Mgmt, Life Sciences & Data Mining
Paul Needham, Director of Product Mgmt, Database Security
Raf Podowski, Sr. Product Manager, Life Sciences

Page 2: What is 21 CFR Part 11?

Regulations that provide criteria for acceptance by FDA of electronic records, electronic signatures, and handwritten signatures executed to electronic records as equivalent to paper records and handwritten signatures executed on paper.

FDA's rationale regarding 21 CFR Part 11:
– Primary concern: ensuring public health and safety
– Risk-based compliance

Page 3: 21 CFR Part 11 Technical Requirements

Strong security, to ensure the authenticity, integrity, and confidentiality of electronic records:
– Unique user name/password
– Limit system access to authorized individuals
– Detect and report unauthorized use
– Use of document encryption and digital signature standards

System availability
Operational system checks
Electronic signatures, to ensure that the signer cannot readily repudiate the signed record
Audit trail

Page 4: HIPAA

Health Insurance Portability and Accountability Act of 1996, Public Law 104-191 (HIPAA)
– Kennedy-Kassebaum Bill

Administrative Simplification provisions
– Privacy Rule: "what" individual health information must be protected
– Security Rule: "how" healthcare organizations need to protect health-related information

Noncompliance carries criminal penalties, up to and including jail
75% policies/procedures, 25% technology

Page 5: HIPAA's Security & Privacy Technical Requirements

"Ensure the confidentiality, integrity, and availability of all electronic protected health information."

Confidentiality: protect health information from unauthorized disclosure
Integrity: prevent unauthorized modification of health information
Availability: information is available to authorized parties
Authentication: assurance of identity of person or originator of data
Authorization: rights to perform some action
Audits: track who accesses healthcare information

Page 6: HIPAA Security Requirements

Access control
– Unique user identification
– Emergency access procedure
– Automatic logoff
– Encryption and decryption

Transmission security
– Integrity control
– Encryption

Page 7: Security Challenges

Privacy & integrity of communications: Are your query results read or modified in transit?
Sensitive data storage: Are your patient privacy needs met at your site?
Access control: Can you secure certain parts of a medical record?
Scalability: Can you support 100,000s of users?
Ease of use: Is it easy to use for users & administrators?
Know your users: Who is accessing the data from the web?
Audit trail, eRecords & eSignatures: Can you comply with FDA requirements?

Page 8: Platform Security & Identity Mgmt (architecture diagram)

Oracle Identity Management: Access Management, Directory Services, Provisioning Services, External Security Services
– Oracle Internet Directory
– OracleAS Certificate Authority
– Directory Integration & Provisioning
– OracleAS Single Sign-on
– Delegated Administration Services

Oracle Platform Security
– Oracle Database: Enterprise users, VPD, Encryption, Label Security
– Oracle Application Server: JAAS, WS Security, Java2 Permissions …

Application Security
– E-Business Suite: Responsibilities, Roles …
– Collaboration Suite: S/MIME, Interpersonal Rights …
– OracleAS Portal / Wireless: Roles, Privilege Groups …
– 3rd Party Applications: Authorization, Privacy, audit …

Page 9: Oracle Database 10g Key Messages

Industry-leading access control and accountability
– Privacy
– Data consolidation

Strong authentication & network security
– Privacy
– Government regulations

Integrated identity management capabilities
– Provisioning
– Lower TCO
– Single user management repository for all databases
– Centralized user management and authorization

Page 10: Access Control & Accountability

Page 11: Oracle Database 10g Virtual Private Database

Introduced in Oracle8i
Database-enforced row level security

Diagram: a Sales Rep and a Customer each issue "Select * from Orders" against the ORDERS table. The VPD policy rewrites each statement with a predicate bound to that session ("Where customer_id = 10" for one, "Where customer_id = 20" for the other), so each caller sees only their own rows without the application adding a WHERE clause.

Page 12: Oracle Database 10g Virtual Private Database

Column Relevant Policies
– Policy enforced only if specific columns are referenced

Patient_ID  Diagnosis  Department
562871      CBC…       Oncology
572259      MRI…       Imaging
632261      EKG…       Cardiology
457825      PSA…       Urology

"Select Patient_ID, Diagnosis…" references the sensitive Diagnosis column, so the policy is enforced: only the row that satisfies the predicate (572259, marked OK on the slide) is returned and the other three rows are filtered out (marked X).

Page 13: Oracle Database 10g Virtual Private Database

Column Filtering
– Optional VPD configuration to return all rows but filter out column values in rows which don't meet criteria

Table as stored:

Patient_ID  Diagnosis  Department
562871      CBC…       Oncology
572259      MRI…       Imaging
632261      EKG…       Cardiology
457825      PSA…       Urology

"Select Patient_ID, Diagnosis…" with the policy enforced returns all four rows (all marked OK), but Diagnosis is blanked out in the rows that fail the predicate:

Patient_ID  Diagnosis  Department
562871                 Oncology
572259      MRI…       Imaging
632261                 Cardiology
457825                 Urology
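The three VPD slides above (row-level policy on page 11, column-relevant enforcement on page 12, column masking on page 13) as one added, runnable PL/SQL example. This is not code from the deck or from Oracle; DBMS_RLS, DBMS_SESSION and SYS_CONTEXT are the real Oracle APIs, while the MEDREC schema, the STAFF and PATIENTS tables, the DEPT_CTX application context, the DEPT_POLICY function and the MEDREC_ADMIN account are assumed names for illustration.

```sql
-- Added example, not from the original deck. Schema MEDREC, tables STAFF and
-- PATIENTS, context DEPT_CTX, function DEPT_POLICY and user MEDREC_ADMIN are
-- assumed names. Run as MEDREC (needs EXECUTE on DBMS_RLS and DBMS_SESSION,
-- CREATE ANY CONTEXT, and ADMINISTER DATABASE TRIGGER for the logon trigger).

CREATE TABLE medrec.staff (
  username   VARCHAR2(30) PRIMARY KEY,   -- database user name
  department VARCHAR2(40) NOT NULL);

CREATE TABLE medrec.patients (
  patient_id NUMBER PRIMARY KEY,
  diagnosis  VARCHAR2(200),
  department VARCHAR2(40) NOT NULL);

-- Application context the policy reads the caller's department from. Only
-- DEPT_CTX_PKG may set it, and it derives the value from STAFF by the
-- authenticated session user, so a client cannot pick its own department.
CREATE OR REPLACE PACKAGE medrec.dept_ctx_pkg AS
  PROCEDURE set_department;
END dept_ctx_pkg;
/
CREATE OR REPLACE PACKAGE BODY medrec.dept_ctx_pkg AS
  PROCEDURE set_department IS
    v_dept medrec.staff.department%TYPE;
  BEGIN
    SELECT department INTO v_dept
      FROM medrec.staff
     WHERE username = SYS_CONTEXT('USERENV', 'SESSION_USER');
    DBMS_SESSION.SET_CONTEXT('DEPT_CTX', 'DEPARTMENT', v_dept);
  EXCEPTION
    WHEN NO_DATA_FOUND THEN
      -- Unknown user: fail closed, the predicate below then matches no row.
      DBMS_SESSION.SET_CONTEXT('DEPT_CTX', 'DEPARTMENT', 'NONE');
  END set_department;
END dept_ctx_pkg;
/
CREATE OR REPLACE CONTEXT dept_ctx USING medrec.dept_ctx_pkg;

CREATE OR REPLACE TRIGGER medrec.set_dept_on_logon
  AFTER LOGON ON DATABASE
BEGIN
  medrec.dept_ctx_pkg.set_department;
END;
/

-- Policy function (page 11): returns the predicate VPD appends to each
-- statement. It references the context, never user input, so the generated
-- WHERE clause is not an injection point. If the context was never set,
-- SYS_CONTEXT returns NULL and the predicate matches nothing (fail closed).
CREATE OR REPLACE FUNCTION medrec.dept_policy (
  p_schema IN VARCHAR2, p_object IN VARCHAR2) RETURN VARCHAR2
IS
BEGIN
  IF SYS_CONTEXT('USERENV', 'SESSION_USER') = 'MEDREC_ADMIN' THEN
    RETURN NULL;                 -- no predicate: the admin sees every row
  END IF;
  RETURN 'department = SYS_CONTEXT(''DEPT_CTX'', ''DEPARTMENT'')';
END dept_policy;
/

-- Page 12: column-relevant policy. Rows are filtered only when a statement
-- touches DIAGNOSIS; SELECT patient_id, department FROM patients is untouched.
BEGIN
  DBMS_RLS.ADD_POLICY(
    object_schema     => 'MEDREC',
    object_name       => 'PATIENTS',
    policy_name       => 'PATIENTS_DIAG_ROWS',
    function_schema   => 'MEDREC',
    policy_function   => 'DEPT_POLICY',
    statement_types   => 'SELECT,UPDATE,DELETE',
    sec_relevant_cols => 'DIAGNOSIS');
END;
/

-- Page 13: column masking instead of row filtering. All rows come back, but
-- DIAGNOSIS is NULL in rows that fail the predicate. ALL_ROWS is valid only
-- for SELECT, and the row policy above is replaced rather than stacked:
-- stacked policies are ANDed, which would filter the rows out again.
BEGIN
  DBMS_RLS.DROP_POLICY('MEDREC', 'PATIENTS', 'PATIENTS_DIAG_ROWS');
  DBMS_RLS.ADD_POLICY(
    object_schema         => 'MEDREC',
    object_name           => 'PATIENTS',
    policy_name           => 'PATIENTS_DIAG_MASK',
    function_schema       => 'MEDREC',
    policy_function       => 'DEPT_POLICY',
    statement_types       => 'SELECT',
    sec_relevant_cols     => 'DIAGNOSIS',
    sec_relevant_cols_opt => DBMS_RLS.ALL_ROWS);
END;
/
```

Two points a reviewer checks on any VPD deployment: the context is populated from a trusted lookup in a logon trigger rather than from a value the client supplies (otherwise the predicate is only as strong as the client), and the policy function builds its predicate from SYS_CONTEXT rather than concatenating strings, since the returned text is spliced into every statement against the table. Users with EXEMPT ACCESS POLICY bypass VPD entirely, so that privilege needs its own review.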

Page 14: Oracle Label Security

Enterprise Edition security option
Out-of-the-box row level security
Built on VPD
– Adds label-based access control framework
– Highly granular access control settings

Policy design based on stringent government and commercial requirements for row level security

Page 15: Oracle Label Security Example

User label (Level :: Compartment :: Group): Dr. Murphy = Sensitive :: Orthopedic, Acute :: Active

Row labels on the data rows:

Level         Compartment  Group
Identifiable  Ambulatory   Departed
Identifiable  Orthopedic   Active
Sensitive     Radiology    Retired
Confidential  Disease      Active
Sensitive     Orthopedic   Retired
Sensitive     Acute        Active

Levels (hierarchical): Confidential, Sensitive, Identifiable
Compartments: non-hierarchical
Groups (hierarchical): Active, Retired, Departed
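The slide's Level :: Compartment :: Group scheme built with the Oracle Label Security administrative packages, as an added PL/SQL example (not code from the deck or from Oracle). The SA_SYSDBA, SA_COMPONENTS, SA_LABEL_ADMIN, SA_POLICY_ADMIN and SA_USER_ADMIN packages and the CHAR_TO_LABEL / LABEL_TO_CHAR functions are the real OLS API; the policy name MEDREC_POL, the label column MED_LABEL, the table MEDREC.ENCOUNTERS, the user DR_MURPHY, the component numbers and the short names are assumptions.

```sql
-- Added example, not from the deck. Policy MEDREC_POL, column MED_LABEL,
-- table MEDREC.ENCOUNTERS, user DR_MURPHY, component numbers and short names
-- are assumed. Requires Oracle Label Security; run the policy setup as a
-- user with the LBAC_DBA role (e.g. LBACSYS), the rest as noted.

BEGIN
  -- The policy and the label column it manages on protected tables.
  SA_SYSDBA.CREATE_POLICY(policy_name     => 'MEDREC_POL',
                          column_name     => 'MED_LABEL',
                          default_options => 'READ_CONTROL,WRITE_CONTROL');

  -- Levels: hierarchical, a higher number dominates a lower one.
  SA_COMPONENTS.CREATE_LEVEL('MEDREC_POL', 10, 'C', 'Confidential');
  SA_COMPONENTS.CREATE_LEVEL('MEDREC_POL', 20, 'S', 'Sensitive');
  SA_COMPONENTS.CREATE_LEVEL('MEDREC_POL', 30, 'I', 'Identifiable');

  -- Compartments: a set; a reader must hold every compartment on the row.
  SA_COMPONENTS.CREATE_COMPARTMENT('MEDREC_POL', 10, 'AM', 'Ambulatory');
  SA_COMPONENTS.CREATE_COMPARTMENT('MEDREC_POL', 20, 'OR', 'Orthopedic');
  SA_COMPONENTS.CREATE_COMPARTMENT('MEDREC_POL', 30, 'RA', 'Radiology');
  SA_COMPONENTS.CREATE_COMPARTMENT('MEDREC_POL', 40, 'DI', 'Disease');
  SA_COMPONENTS.CREATE_COMPARTMENT('MEDREC_POL', 50, 'AC', 'Acute');

  -- Groups: a reader needs at least one of the row's groups (or its parent).
  SA_COMPONENTS.CREATE_GROUP('MEDREC_POL', 10, 'ACT', 'Active');
  SA_COMPONENTS.CREATE_GROUP('MEDREC_POL', 20, 'RET', 'Retired');
  SA_COMPONENTS.CREATE_GROUP('MEDREC_POL', 30, 'DEP', 'Departed');

  -- Data labels for the six rows on the slide: tag, 'LEVEL:COMPARTMENTS:GROUPS'.
  SA_LABEL_ADMIN.CREATE_LABEL('MEDREC_POL', 1000, 'I:AM:DEP');
  SA_LABEL_ADMIN.CREATE_LABEL('MEDREC_POL', 1001, 'I:OR:ACT');
  SA_LABEL_ADMIN.CREATE_LABEL('MEDREC_POL', 1002, 'S:RA:RET');
  SA_LABEL_ADMIN.CREATE_LABEL('MEDREC_POL', 1003, 'C:DI:ACT');
  SA_LABEL_ADMIN.CREATE_LABEL('MEDREC_POL', 1004, 'S:OR:RET');
  SA_LABEL_ADMIN.CREATE_LABEL('MEDREC_POL', 1005, 'S:AC:ACT');
END;
/

CREATE TABLE medrec.encounters (
  encounter_id NUMBER PRIMARY KEY,
  note         VARCHAR2(200));

BEGIN
  -- Attach the policy: this adds MED_LABEL to the table and enforces on it.
  SA_POLICY_ADMIN.APPLY_TABLE_POLICY('MEDREC_POL', 'MEDREC', 'ENCOUNTERS');
  -- The schema owner loads data with FULL privilege (bypasses enforcement
  -- while labelling rows); ordinary users are bound by their write labels.
  SA_USER_ADMIN.SET_USER_PRIVS('MEDREC_POL', 'MEDREC', 'FULL');
  -- Dr. Murphy's label from the slide: Sensitive :: Orthopedic, Acute :: Active
  SA_USER_ADMIN.SET_USER_LABELS(policy_name    => 'MEDREC_POL',
                                user_name      => 'DR_MURPHY',
                                max_read_label => 'S:OR,AC:ACT');
END;
/

-- Label the rows as on the slide (run as MEDREC; notes are constructed).
INSERT INTO medrec.encounters (encounter_id, note, med_label)
  VALUES (1, 'ambulatory visit', CHAR_TO_LABEL('MEDREC_POL', 'I:AM:DEP'));
INSERT INTO medrec.encounters (encounter_id, note, med_label)
  VALUES (2, 'ortho follow-up',  CHAR_TO_LABEL('MEDREC_POL', 'I:OR:ACT'));
INSERT INTO medrec.encounters (encounter_id, note, med_label)
  VALUES (3, 'x-ray',            CHAR_TO_LABEL('MEDREC_POL', 'S:RA:RET'));
INSERT INTO medrec.encounters (encounter_id, note, med_label)
  VALUES (4, 'infectious case',  CHAR_TO_LABEL('MEDREC_POL', 'C:DI:ACT'));
INSERT INTO medrec.encounters (encounter_id, note, med_label)
  VALUES (5, 'ortho retired',    CHAR_TO_LABEL('MEDREC_POL', 'S:OR:RET'));
INSERT INTO medrec.encounters (encounter_id, note, med_label)
  VALUES (6, 'acute admission',  CHAR_TO_LABEL('MEDREC_POL', 'S:AC:ACT'));
COMMIT;

-- Run as DR_MURPHY (needs SELECT on the table): only rows the label dominates.
SELECT encounter_id, note, LABEL_TO_CHAR(med_label) AS row_label
  FROM medrec.encounters;
```

Reading back the slide with the OLS read rule (user level at or above the row level, user compartments a superset of the row's, and at least one group in common): Dr. Murphy's S:OR,AC:ACT dominates S:AC:ACT, but not I:OR:ACT or I:AM:DEP (level too high), S:RA:RET or C:DI:ACT (a compartment he does not hold), or S:OR:RET (no common group). Label enforcement is still VPD underneath, so the same EXEMPT ACCESS POLICY caveat applies, and the policy's own _DBA role is the thing to lock down.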

Page 16: Oracle Database 10g Stored Data Encryption

Protect selected data via encryption in the database. Examples:
– Credit card numbers, patient's SSN

DBMS_OBFUSCATION_TOOLKIT package
– Supports Advanced Encryption Standard (AES), Data Encryption Standard (DES) and 3DES algorithms
– Supports MD5 to ensure data integrity
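Column-level encryption of an SSN as an added PL/SQL example, not code from the deck or from Oracle. It uses DBMS_CRYPTO, which shipped with Oracle Database 10g as the replacement for the DBMS_OBFUSCATION_TOOLKIT the slide names, and it adds two things a practitioner expects that the slide does not mention: a random IV per value, and a keyed MAC (HMAC) for integrity rather than a plain MD5 digest, since an unkeyed hash stored beside the data can simply be recomputed by anyone able to rewrite the row. The package name SSN_CRYPTO, the key-retrieval functions and the key bytes are assumptions; real keys belong in a wallet, HSM or KMS, not in the package.

```sql
-- Added example, not from the deck. Uses DBMS_CRYPTO (10g and later), the
-- successor of DBMS_OBFUSCATION_TOOLKIT. Package name, key source and the
-- sample SSN are assumptions. Needs EXECUTE on DBMS_CRYPTO (granted by SYS).

CREATE OR REPLACE PACKAGE ssn_crypto AS
  FUNCTION protect(p_ssn IN VARCHAR2) RETURN RAW;
  FUNCTION reveal(p_stored IN RAW) RETURN VARCHAR2;
END ssn_crypto;
/
CREATE OR REPLACE PACKAGE BODY ssn_crypto AS
  -- AES-256 in CBC mode with PKCS#5 padding.
  c_cipher  CONSTANT PLS_INTEGER := DBMS_CRYPTO.ENCRYPT_AES256
                                  + DBMS_CRYPTO.CHAIN_CBC
                                  + DBMS_CRYPTO.PAD_PKCS5;
  c_iv_len  CONSTANT PLS_INTEGER := 16;   -- AES block size
  c_mac_len CONSTANT PLS_INTEGER := 20;   -- HMAC-SHA1 output length

  -- ASSUMPTION: keys come from an external store (wallet, HSM or KMS) and are
  -- never kept in the schema that holds the ciphertext. These placeholder
  -- constants only exist so the package compiles and runs stand-alone.
  FUNCTION enc_key RETURN RAW IS
  BEGIN
    RETURN HEXTORAW('000102030405060708090A0B0C0D0E0F'
                 || '101112131415161718191A1B1C1D1E1F');
  END enc_key;
  FUNCTION mac_key RETURN RAW IS
  BEGIN
    RETURN HEXTORAW('202122232425262728292A2B2C2D2E2F'
                 || '303132333435363738393A3B3C3D3E3F');
  END mac_key;

  -- Stored layout: IV (16) || ciphertext || HMAC (20). The fresh IV keeps two
  -- equal SSNs from producing equal ciphertext; the keyed MAC over
  -- IV||ciphertext is what actually provides integrity.
  FUNCTION protect(p_ssn IN VARCHAR2) RETURN RAW IS
    v_iv  RAW(16) := DBMS_CRYPTO.RANDOMBYTES(c_iv_len);
    v_ct  RAW(2000);
    v_mac RAW(20);
  BEGIN
    v_ct  := DBMS_CRYPTO.ENCRYPT(
               src => UTL_I18N.STRING_TO_RAW(p_ssn, 'AL32UTF8'),
               typ => c_cipher, key => enc_key, iv => v_iv);
    v_mac := DBMS_CRYPTO.MAC(src => UTL_RAW.CONCAT(v_iv, v_ct),
                             typ => DBMS_CRYPTO.HMAC_SH1, key => mac_key);
    RETURN UTL_RAW.CONCAT(v_iv, v_ct, v_mac);
  END protect;

  FUNCTION reveal(p_stored IN RAW) RETURN VARCHAR2 IS
    v_len PLS_INTEGER := UTL_RAW.LENGTH(p_stored);
    v_iv  RAW(16);
    v_ct  RAW(2000);
    v_mac RAW(20);
  BEGIN
    IF v_len <= c_iv_len + c_mac_len THEN
      RAISE_APPLICATION_ERROR(-20001, 'stored value too short');
    END IF;
    v_iv  := UTL_RAW.SUBSTR(p_stored, 1, c_iv_len);
    v_ct  := UTL_RAW.SUBSTR(p_stored, c_iv_len + 1,
                            v_len - c_iv_len - c_mac_len);
    v_mac := UTL_RAW.SUBSTR(p_stored, v_len - c_mac_len + 1, c_mac_len);
    -- Verify before decrypting: tampered or truncated values are rejected.
    IF UTL_RAW.COMPARE(v_mac,
         DBMS_CRYPTO.MAC(UTL_RAW.CONCAT(v_iv, v_ct),
                         DBMS_CRYPTO.HMAC_SH1, mac_key)) <> 0 THEN
      RAISE_APPLICATION_ERROR(-20002, 'integrity check failed');
    END IF;
    RETURN UTL_I18N.RAW_TO_CHAR(
             DBMS_CRYPTO.DECRYPT(src => v_ct, typ => c_cipher,
                                 key => enc_key, iv => v_iv), 'AL32UTF8');
  END reveal;
END ssn_crypto;
/

-- Round trip on a constructed sample value:
SELECT ssn_crypto.reveal(ssn_crypto.protect('123-45-6789')) AS ssn FROM dual;
```

The encryption key and the MAC key are separate on purpose, and the MAC is checked before any decryption so that a modified ciphertext never reaches the application. Whoever can read the package body can read the placeholder keys here, which is exactly why they are labelled as placeholders.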

Page 17: Oracle Audit Technology

Standard Oracle auditing
– Comprehensive auditing by statement, by use of system privilege, by object, by user

Fine-grained auditing
– Audit policies
– Reduces audit collection

Selective Audit – consulting solution

Page 18: Audit Table Example

Base table:

COUNTY       START YEAR  STOP YEAR  INCIDENCE  MORTALITY
ALLEGANY     1994        1998       103.8      36
SULLIVAN     1995        1999       139.8      36.2
CHEMUNG      1995        1999       131.2      36.3
RENSSELAER   1995        1999       136.1      36.5
ALLEGANY     1995        1999       125.1      36.7
ULSTER       1994        1998       114.8      37.2
HAMILTON     1995        1999       149.6      37.5
HERKIMER     1995        1999       129.9      38.5
WARREN       1995        1999       142.6      38.9
ULSTER       1995        1999       145.9      40.6
WESTCHESTER  1990        1998       105.6      105.6

Audit table shows insertions:

COUNTY       START YEAR  STOP YEAR  INCIDENCE  MORTALITY  AUDIT USER  AUDIT DATE GMT        AUDIT OPERATION  AUDIT CHRONICLE
ALLEGANY     1994        1998       103.8      36         RAF         5/20/2004 3:36:00 PM  I                123001
SULLIVAN     1995        1999       139.8      36.2       RAF         5/20/2004 3:36:00 PM  I                123002
CHEMUNG      1995        1999       131.2      36.3       RAF         5/20/2004 3:36:00 PM  I                123003
RENSSELAER   1995        1999       136.1      36.5       RAF         5/20/2004 3:36:00 PM  I                123004
ALLEGANY     1995        1999       125.1      36.7       RAF         5/20/2004 3:36:00 PM  I                123005
ULSTER       1994        1998       114.8      37.2       RAF         5/20/2004 3:36:00 PM  I                123006
HAMILTON     1995        1999       149.6      37.5       RAF         5/20/2004 3:36:00 PM  I                123007
HERKIMER     1995        1999       129.9      38.5       RAF         5/20/2004 3:36:00 PM  I                123008
WARREN       1995        1999       142.6      38.9       RAF         5/20/2004 3:36:00 PM  I                123009
ULSTER       1995        1999       145.9      40.6       RAF         5/20/2004 3:36:00 PM  I                123010
WESTCHESTER  1990        1998       105.6      105.6      RAF         5/20/2004 3:36:00 PM  I                123011

Page 19: Audit Table Example (tracking changes: update)

Base table after ALLEGANY 1994-1998 mortality is updated from 36 to 36.1:

COUNTY       START YEAR  STOP YEAR  INCIDENCE  MORTALITY
ALLEGANY     1994        1998       103.8      36.1
SULLIVAN     1995        1999       139.8      36.2
CHEMUNG      1995        1999       131.2      36.3
RENSSELAER   1995        1999       136.1      36.5
ALLEGANY     1995        1999       125.1      36.7
ULSTER       1994        1998       114.8      37.2
HAMILTON     1995        1999       149.6      37.5
HERKIMER     1995        1999       129.9      38.5
WARREN       1995        1999       142.6      38.9
ULSTER       1995        1999       145.9      40.6
WESTCHESTER  1990        1998       105.6      105.6

Audit table: the original insert (123001) is untouched and the update is appended as a new row (123012) with operation U:

COUNTY       START YEAR  STOP YEAR  INCIDENCE  MORTALITY  AUDIT USER  AUDIT DATE GMT        AUDIT OPERATION  AUDIT CHRONICLE
ALLEGANY     1994        1998       103.8      36         RAF         5/20/2004 3:36:00 PM  I                123001
SULLIVAN     1995        1999       139.8      36.2       RAF         5/20/2004 3:36:00 PM  I                123002
CHEMUNG      1995        1999       131.2      36.3       RAF         5/20/2004 3:36:00 PM  I                123003
RENSSELAER   1995        1999       136.1      36.5       RAF         5/20/2004 3:36:00 PM  I                123004
ALLEGANY     1995        1999       125.1      36.7       RAF         5/20/2004 3:36:00 PM  I                123005
ULSTER       1994        1998       114.8      37.2       RAF         5/20/2004 3:36:00 PM  I                123006
HAMILTON     1995        1999       149.6      37.5       RAF         5/20/2004 3:36:00 PM  I                123007
HERKIMER     1995        1999       129.9      38.5       RAF         5/20/2004 3:36:00 PM  I                123008
WARREN       1995        1999       142.6      38.9       RAF         5/20/2004 3:36:00 PM  I                123009
ULSTER       1995        1999       145.9      40.6       RAF         5/20/2004 3:36:00 PM  I                123010
WESTCHESTER  1990        1998       105.6      105.6      RAF         5/20/2004 3:36:00 PM  I                123011
ALLEGANY     1994        1998       103.8      36.1       RAF         5/27/2004 1:21:10 PM  U                123012

Page 20: Audit Table Example (tracking changes: primary key change)

Base table after WESTCHESTER mortality is corrected to 38.2 and its start year from 1990 to 1994:

COUNTY       START YEAR  STOP YEAR  INCIDENCE  MORTALITY
ALLEGANY     1994        1998       103.8      36.1
SULLIVAN     1995        1999       139.8      36.2
CHEMUNG      1995        1999       131.2      36.3
RENSSELAER   1995        1999       136.1      36.5
ALLEGANY     1995        1999       125.1      36.7
ULSTER       1994        1998       114.8      37.2
HAMILTON     1995        1999       149.6      37.5
HERKIMER     1995        1999       129.9      38.5
WARREN       1995        1999       142.6      38.9
ULSTER       1995        1999       145.9      40.6
WESTCHESTER  1994        1998       105.6      38.2

Audit table:

COUNTY       START YEAR  STOP YEAR  INCIDENCE  MORTALITY  AUDIT USER  AUDIT DATE GMT        AUDIT OPERATION  AUDIT CHRONICLE
ALLEGANY     1994        1998       103.8      36         RAF         5/20/2004 3:36:00 PM  I                123001
SULLIVAN     1995        1999       139.8      36.2       RAF         5/20/2004 3:36:00 PM  I                123002
CHEMUNG      1995        1999       131.2      36.3       RAF         5/20/2004 3:36:00 PM  I                123003
RENSSELAER   1995        1999       136.1      36.5       RAF         5/20/2004 3:36:00 PM  I                123004
ALLEGANY     1995        1999       125.1      36.7       RAF         5/20/2004 3:36:00 PM  I                123005
ULSTER       1994        1998       114.8      37.2       RAF         5/20/2004 3:36:00 PM  I                123006
HAMILTON     1995        1999       149.6      37.5       RAF         5/20/2004 3:36:00 PM  I                123007
HERKIMER     1995        1999       129.9      38.5       RAF         5/20/2004 3:36:00 PM  I                123008
WARREN       1995        1999       142.6      38.9       RAF         5/20/2004 3:36:00 PM  I                123009
ULSTER       1995        1999       145.9      40.6       RAF         5/20/2004 3:36:00 PM  I                123010
WESTCHESTER  1990        1998       105.6      105.6      RAF         5/20/2004 3:36:00 PM  I                123011
ALLEGANY     1994        1998       103.8      36.1       RAF         5/27/2004 1:21:10 PM  U                123012
WESTCHESTER  1990        1998       105.6      38.2       RAF         5/27/2004 1:23:22 PM  U                123013
WESTCHESTER  1994        1998       105.6      38.2       RAF         5/27/2004 1:24:02 PM  I                123014
WESTCHESTER  1990        1998       105.6      38.2       RAF         5/27/2004 1:24:02 PM  D                123015

Primary key change automatically triggers both I and D
Primary key is a combination of 3 columns (COUNTY, START YEAR, STOP YEAR)
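The audit table on pages 18 to 20 (user, GMT timestamp, operation, monotonic chronicle number, and the I + D pair written when the primary key changes) implemented as a row trigger, as an added PL/SQL example that is not code from the deck. The table, sequence and trigger names are assumptions, and the insert/update statements at the end are a constructed replay of the slides' change sequence.

```sql
-- Added example, not from the deck: a trigger-maintained audit table with the
-- slides' AUDIT USER / DATE GMT / OPERATION / CHRONICLE columns, including
-- the I + D pair a primary-key change produces. Names are assumptions.

CREATE TABLE cancer_stats (
  county     VARCHAR2(30) NOT NULL,
  start_year NUMBER(4)    NOT NULL,
  stop_year  NUMBER(4)    NOT NULL,
  incidence  NUMBER(6,1),
  mortality  NUMBER(6,1),
  CONSTRAINT cancer_stats_pk PRIMARY KEY (county, start_year, stop_year));

-- In practice the audit copy lives in its own schema: application users get
-- no INSERT/UPDATE/DELETE on it, and only the definer-rights trigger writes.
CREATE TABLE cancer_stats_aud (
  county          VARCHAR2(30),
  start_year      NUMBER(4),
  stop_year       NUMBER(4),
  incidence       NUMBER(6,1),
  mortality       NUMBER(6,1),
  audit_user      VARCHAR2(128),
  audit_date_gmt  TIMESTAMP,
  audit_operation CHAR(1) CHECK (audit_operation IN ('I', 'U', 'D')),
  audit_chronicle NUMBER PRIMARY KEY);   -- monotonic: a gap reveals a purge

CREATE SEQUENCE cancer_stats_aud_seq START WITH 123001 NOCACHE;

CREATE OR REPLACE TRIGGER cancer_stats_aud_trg
  AFTER INSERT OR UPDATE OR DELETE ON cancer_stats
  FOR EACH ROW
DECLARE
  PROCEDURE log_row(p_op     IN CHAR,
                    p_county IN VARCHAR2, p_start IN NUMBER, p_stop IN NUMBER,
                    p_inc    IN NUMBER,   p_mort  IN NUMBER) IS
    v_seq NUMBER;
  BEGIN
    SELECT cancer_stats_aud_seq.NEXTVAL INTO v_seq FROM dual;
    INSERT INTO cancer_stats_aud VALUES (
      p_county, p_start, p_stop, p_inc, p_mort,
      SYS_CONTEXT('USERENV', 'SESSION_USER'),   -- who: the authenticated user
      SYS_EXTRACT_UTC(SYSTIMESTAMP),            -- when: in GMT
      p_op, v_seq);
  END log_row;
BEGIN
  IF INSERTING THEN
    log_row('I', :NEW.county, :NEW.start_year, :NEW.stop_year,
                 :NEW.incidence, :NEW.mortality);
  ELSIF DELETING THEN
    log_row('D', :OLD.county, :OLD.start_year, :OLD.stop_year,
                 :OLD.incidence, :OLD.mortality);
  ELSIF :OLD.county <> :NEW.county
     OR :OLD.start_year <> :NEW.start_year
     OR :OLD.stop_year <> :NEW.stop_year THEN
    -- Key change (page 20): recorded as the new key appearing and the old
    -- key disappearing, so the history of each key stays self-contained.
    log_row('I', :NEW.county, :NEW.start_year, :NEW.stop_year,
                 :NEW.incidence, :NEW.mortality);
    log_row('D', :OLD.county, :OLD.start_year, :OLD.stop_year,
                 :OLD.incidence, :OLD.mortality);
  ELSE
    log_row('U', :NEW.county, :NEW.start_year, :NEW.stop_year,
                 :NEW.incidence, :NEW.mortality);
  END IF;
END;
/

-- Replay of the slides' change sequence (constructed sample data).
INSERT INTO cancer_stats VALUES ('ALLEGANY',    1994, 1998, 103.8, 36);
INSERT INTO cancer_stats VALUES ('WESTCHESTER', 1990, 1998, 105.6, 105.6);
UPDATE cancer_stats SET mortality = 36.1
 WHERE county = 'ALLEGANY' AND start_year = 1994;       -- one U row
UPDATE cancer_stats SET mortality = 38.2
 WHERE county = 'WESTCHESTER' AND start_year = 1990;    -- one U row
UPDATE cancer_stats SET start_year = 1994
 WHERE county = 'WESTCHESTER' AND start_year = 1990;    -- key change: I then D
COMMIT;

SELECT audit_chronicle, audit_operation, county, start_year, mortality
  FROM cancer_stats_aud ORDER BY audit_chronicle;
```

For a Part 11 audit trail the point is that the application never writes the audit rows itself: the trigger runs with its owner's rights, so application accounts need no privilege on the audit table at all, and revoking UPDATE and DELETE on it from everyone but the DBA role leaves only privileged users able to alter history, which standard auditing (page 17) can then record.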

Page 21: Oracle Database 10g Auditing: Fine Grained Auditing (FGA)

– Support extended to provide granular auditing of insert, update and delete operations
– Enhanced access to audit records with new view
– New single audit view in database

Example flow:
Enforce audit policy in database: WHERE Salary > 500000, AUDIT COLUMN = Salary
User queries: Select name, salary from emp where...
Audit record shows: Select name, salary from emp where name = 'KING', <timestamp>
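The policy sketched on this slide written out with DBMS_FGA, with the page 17 standard-auditing statement beside it for comparison, as an added example that is not code from the deck. DBMS_FGA.ADD_POLICY, the AUDIT statement and the DBA_FGA_AUDIT_TRAIL and DBA_COMMON_AUDIT_TRAIL views are real 10g features; the HR.EMP table, its two columns and the KING row are assumptions constructed from the slide.

```sql
-- Added example, not from the deck. Schema HR, table EMP and its data are
-- constructed from the slide; DBMS_FGA and the views are the 10g API.
-- Run as a user with AUDIT ANY, EXECUTE on DBMS_FGA and SELECT on the views.

CREATE TABLE hr.emp (name VARCHAR2(30), salary NUMBER);
INSERT INTO hr.emp VALUES ('KING', 600000);   -- constructed sample row
INSERT INTO hr.emp VALUES ('SMITH', 80000);
COMMIT;

-- Page 17, standard auditing: every SELECT/INSERT/UPDATE/DELETE on EMP is
-- logged as an event (one record per statement), whatever rows it touches.
AUDIT SELECT, INSERT, UPDATE, DELETE ON hr.emp BY ACCESS;

-- Page 21, fine-grained auditing: a record is written only when a statement
-- touches SALARY in a row where SALARY > 500000. The condition is evaluated
-- per row by the database, so the reader's own predicates cannot hide it.
BEGIN
  DBMS_FGA.ADD_POLICY(
    object_schema   => 'HR',
    object_name     => 'EMP',
    policy_name     => 'EMP_HIGH_SALARY',
    audit_condition => 'SALARY > 500000',
    audit_column    => 'SALARY',
    statement_types => 'SELECT,INSERT,UPDATE,DELETE',
    audit_trail     => DBMS_FGA.DB_EXTENDED,   -- keep SQL text and bind values
    enable          => TRUE);
END;
/

-- What the user runs. The first statement fires the policy (KING's row
-- qualifies and SALARY is referenced); the second does not touch SALARY.
SELECT name, salary FROM hr.emp WHERE name = 'KING';
SELECT name FROM hr.emp WHERE name = 'KING';

-- What the FGA audit record shows, statement text included:
SELECT db_user, timestamp, policy_name, sql_text
  FROM dba_fga_audit_trail
 WHERE object_schema = 'HR' AND object_name = 'EMP'
 ORDER BY timestamp;

-- 10g's single view over standard and fine-grained records together:
SELECT audit_type, db_user, extended_timestamp, object_name, sql_text
  FROM dba_common_audit_trail
 WHERE object_schema = 'HR' AND object_name = 'EMP'
 ORDER BY extended_timestamp;
```

The reduction in audit volume the slide promises comes from the condition and the column: the second SELECT above produces a standard-audit event but no FGA record, and an FGA record for the first one carries the full SQL text the investigator needs. Audit records are only as trustworthy as the audit trail's own protection, so the trail should be reviewed and archived by someone other than the DBA whose activity it records.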

Page 22: Communications and Strong Authentication

Page 23: Oracle Advanced Security Option

Network security
– Encryption (Net8 native, SSL, Java)

Strong authentication
– PKI
– Kerberos
– Single Sign-On (Entrust, PKI)
– RADIUS

Page 24: Oracle Advanced Security Network Encryption

Encrypts all communications with the database
– AES
– RSA RC4 (40-, 56-, 128-, 256-bit keys)
– DES (40-, 56-bit) and 3DES (2- and 3-key)
– Diffie-Hellman key exchange

Data integrity with keyed checksums
– MD5, SHA-1
– Automatically detects modifications, replays, missing packets
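Native network encryption is switched on through sqlnet.ora rather than SQL: on the server, SQLNET.ENCRYPTION_SERVER = REQUIRED with SQLNET.ENCRYPTION_TYPES_SERVER = (AES256), and SQLNET.CRYPTO_CHECKSUM_SERVER = REQUIRED with SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER = (SHA1), refuse any client that cannot negotiate both (the 40- and 56-bit keys, DES, RC4 and MD5 on the slide are 2004-era options and should not be in those lists today). The block below is an added PL/SQL example, not code from the deck or from Oracle: a logon trigger that checks, inside the database, that the session actually negotiated an encryption and an integrity algorithm, which catches a sqlnet.ora edited back to ACCEPTED. V$SESSION_CONNECT_INFO and the USERENV attributes are real; the banner wording matched by the LIKE patterns is an assumption about typical installs and should be confirmed against your release before relying on it.

```sql
-- Added example, not from the deck. Defence-in-depth check that the session
-- negotiated native network encryption and a crypto checksum. The banner
-- text matched below is an ASSUMPTION about typical installs: confirm it by
-- querying v$session_connect_info on your own release first.
-- Create as SYS so the trigger can read the v$ view without extra grants.

CREATE OR REPLACE TRIGGER sys.require_net_crypto
  AFTER LOGON ON DATABASE
DECLARE
  v_proto VARCHAR2(30) := SYS_CONTEXT('USERENV', 'NETWORK_PROTOCOL');
  v_enc   NUMBER;
  v_sum   NUMBER;
BEGIN
  -- Local (bequeath/ipc) sessions have no network layer, and tcps sessions
  -- are protected by TLS rather than native encryption: skip both.
  IF v_proto IS NULL OR v_proto IN ('beq', 'ipc', 'tcps') THEN
    RETURN;
  END IF;

  SELECT COUNT(CASE WHEN network_service_banner
                         LIKE '%Encryption service adapter%' THEN 1 END),
         COUNT(CASE WHEN network_service_banner
                         LIKE '%Crypto-checksumming service adapter%' THEN 1 END)
    INTO v_enc, v_sum
    FROM v$session_connect_info
   WHERE sid = SYS_CONTEXT('USERENV', 'SID');

  IF v_enc = 0 OR v_sum = 0 THEN
    -- Raising here ends the logon for ordinary users. SYSDBA logons and
    -- holders of ADMINISTER DATABASE TRIGGER are not blocked by logon
    -- trigger errors, so a mistake in this trigger cannot lock the DBA out.
    RAISE_APPLICATION_ERROR(-20003,
      'connection refused: network encryption and integrity are required');
  END IF;
END;
/

-- Manual check of the current session (what the trigger looks at):
SELECT network_service_banner
  FROM v$session_connect_info
 WHERE sid = SYS_CONTEXT('USERENV', 'SID');
```

The trigger complements the sqlnet.ora setting rather than replacing it: REQUIRED on the server is what stops the handshake, and the trigger is the control you can audit from inside the database when the listener configuration is owned by another team.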

Page 25: PKI in Oracle Today

Oracle products enabled for PKI
– Oracle Database
– OracleAS HTTPS Server
– OracleAS Single Sign-on
– S/MIME
– SSL

Page 26: Oracle PKI Components

Oracle Internet Directory
– Public place for user certificates, CRLs, and wallets

Oracle Wallet Manager
– Create and manage the key pair and certificate for the server

Oracle Certificate Authority
– New component in Oracle Application Server 10g
– A trusted authority to issue certificates
– Manages the life cycle of certificates
– Issues and updates CRLs
– Works with browsers to enable web applications

Page 27: Historical Challenges of PKI

– Provisioning
– Application transparency
– Ease of use/deployment
– Standards compliance

Page 28: OracleAS Certificate Authority 10g

Provisioning: integrated with OracleAS Single Sign-on 10g
Application transparency: provides strong authentication for OracleAS Single Sign-On 10g enabled applications
Ease of use/deployment: web-based user and admin interfaces
Standards compliant: issues industry-standard X.509 v3 certificates

Page 29: PKI Enablement

Authentication (usually with transmission encryption)
– Example is SSLv3

Persistent digital signature
– Usually through a digitally signed hash of the document or file, or a portion thereof

Persistent encryption
– Usually in conjunction with symmetric encryption
– Public key used to encrypt the symmetric key

Page 30: Data Security & Privacy (diagram)

Diagram: a healthcare worker (nurse, doctor, clerical staff, employer) is identified and authenticated with a certificate (the slide shows "Cert 973" and "Cert Child"), passes through access control, and reaches patient data over the network (diagnosis, coverage, office visit, therapy, X-ray, enrollment, lab test, Rx, shot, outpatient). Privacy and integrity of communications are protected on the network, privacy and integrity of data at rest in the database, with comprehensive auditing throughout.

Page 31: Case Studies

Page 32: Taratec e-Compliance(TM)

Built specifically to support FDA 21 CFR Part 11 compliance
Designed for Life Sciences data & file management

Features
– Versioning, advanced searching, check-in/check-out
– Integrated storage of files from any source
– Universal access through web browser
– Complete audit trail of file operations

"With Oracle as the foundation, we were able to develop a solution that can secure a vast array of file-based data with vault-like security."
– Bill Gargano, President and COO, Taratec Development Corporation

Page 33: University of California San Diego School of Medicine

The Patient Centered Access to Secure Systems Online (PCASSO)
– 178,000 medical records
– Provides trusted access to a patient's health information from healthcare providers over the Internet
– Oracle Label Security & Virtual Private Database

The security is locked to the data (enforced by the database rather than the application), so it cannot be bypassed by going around the application to the tables
No application coding needed to implement security

"In defining those levels, we needed to separately protect highly sensitive information that, by law, requires special protection. … Label-based access control is ideal for this purpose"
– Dixie Baker, Corporate VP of Technology and CTO for SAIC's Healthcare Practice

Page 34: What About The Competition?

Security Feature          Oracle 10g  IBM DB2  Microsoft SQL Server 2000
Row Level Security (VPD)  Yes         No       No
Label Security            Yes         No       No
Data Encryption           Yes         Yes      No
Fine-grained Auditing     Yes         No       No

compete3.us.oracle.com

Page 35: Technology PLUS Assurance

Security Criteria                 Oracle (number of evaluations)
TCSEC, Level B1                   1
TCSEC, Level C2                   1
ITSEC, levels E3/F-C2             3
ITSEC, levels E3/F-B1             3
Common Criteria, level EAL4       6
Russian Criteria, levels III, IV  2
FIPS 140-1, level 2               2
TOTAL                             18

Page 36: Summary: Oracle features to achieve HIPAA goals

– Network encryption
– Database encryption
– Restricts data access
– Data sensitivity labels
– Comprehensive auditing
– Identity management
– Single sign-on
– User authentication
– Independent evaluation / assurance

Page 37: Resources

Page 38: Sample Code

Page 39: Discussion Forums

Page 40: Questions & Answers

Page 41: Identification & Authentication

Oracle Workflow supports password-based signing.
– Next release: certificate-based signing

Biometric (e.g. fingerprint reader)
– External