Meeting Place: 1-888-967-2253 (US only) 1-650-607-2253 (Local/Int'l) Meeting ID #: 959460 Meeting Password: 959460 Using Oracle Technology to Meet 21 CFR Part 11 Security & Regulatory Requirements Charlie Berger, Sr. Dir Product Mgmt, Life Sciences & Data Mining Paul Needham, Director of Product Mgmt, Database Security Raf Podowski, Sr. Product Manager, Life Sciences
41
Embed
Using Oracle Technology to Meet 21 CFR Part 11 Security ......– Detect and report unauthorized use – Use of document encryption and digital signature standards ySystem availability
This document is posted to help you gain knowledge. Please leave a comment to let me know what you think about it! Share it to your friends and learn new things together.
Using Oracle Technology to Meet 21 CFR Part 11 Security &
Regulatory Requirements
Charlie Berger, Sr. Dir Product Mgmt, Life Sciences & Data MiningPaul Needham, Director of Product Mgmt, Database SecurityRaf Podowski, Sr. Product Manager, Life Sciences
Copyright 2004 Oracle Corporation
What is 21 CFR Part 11?
Regulations that provide criteria for acceptance by FDA of electronic records, electronic signatures, and handwritten signatures executed to electronic records as equivalent to paper records and handwritten signatures executed on paper
FDA’s rationale regarding 21 CFR Part 11:– Primary concern: ensuring public health and safety
– Risk-based compliance
Copyright 2004 Oracle Corporation
21 CFR Part 11Technical Requirements
Strong security - to ensure the authenticity, integrity, and confidentiality of electronic records.
– Unique user name/password– Limit system access to authorized individuals– Detect and report unauthorized use– Use of document encryption and digital signature standards
System availabilityOperational system checksElectronic signatures – to ensure that the signer cannot readily repudiate he signed record.Audit trail
Copyright 2004 Oracle Corporation
HIPAAHealth Insurance Portability and Accountability Act of 1996, Public Law 104-191 (HIPAA)
– Kennedy-Kassenbaum Bill
Administrative simplification act– Privacy Rule: “what” individual health information must be
protected– Security Rule: “how” healthcare organizations need to
protect health-related information
Noncompliance would put you in jail75% polices/procedures, 25% Technology
Copyright 2004 Oracle Corporation
HIPAA's Security & Privacy Technical Requirements
“Ensure the confidentiality, integrity, and availability of all electronic protected health information.”
Confidentiality protect health information from unauthorized disclosure
Integrity prevent unauthorized modification of health information
Availability information is available to authorized parties Authentication Assurance of identity of person or originator
of dataAuthorization rights to perform some actionAudits track who accesses healthcare information
Copyright 2004 Oracle Corporation
HIPAA Security Requirements
Access control– Unique user identification– Emergency access procedure– Automatic logoff– Encryption and decryption
Security ChallengesPrivacy of & integrity of communications
Are your query results read or modified in transit?
Sensitive data storage Are your patient privacy needs met at your site?
Access control Can you secure certain parts of a medical record?
Scalability Can you support 100,000s of users?
Ease of use Is it easy to use for users & administrators?
Know your users Who is accessing the data from the web?
Audit trail, eRecords &eSignatures
Can you comply with FDA requirements?
Copyright 2004 Oracle Corporation
Platform Security & Identity Mgmt
Access Management
Directory Services
Provisioning Services
External Security Services Oracle
Platform Security
E-Business Suite
Responsibilities, Roles ….
Collaboration Suite
S-MIME, Interpersonal Rights …
OracleASPortal /Wireless
Roles, Privilege Groups …
Oracle Internet Directory
OracleASCertificate Authority
DirectoryIntegration &Provisioning
OracleASSingle Sign-on
Delegated AdministrationServices
3rd PartyApplications
Authorization, Privacy, audit, ….
OracleASPortal /Wireless
Roles, Privilege Groups …
Oracle Database
Enterprise users, VPD, EncryptionLabel Security
Application Security
Oracle Application Server
JAAS, WS SecurityJava2 Permissions..
Oracle Identity Management
Copyright 2004 Oracle Corporation
Oracle Database 10g Key Messages
Industry Leading Access Control and Accountability– Privacy– Data Consolidation
Strong Authentication & Network Security– Privacy– Government regulations
Integrated Identity Management Capabilities– Provisioning– Lower TCO– Single user management repository for all databases– Centralized User Management and Authorization
Copyright 2004 Oracle Corporation
Access Control Access Control &&
AccountabilityAccountability
Copyright 2004 Oracle Corporation
Oracle Database 10g Virtual Private Database
Introduced in Oracle8iDatabase enforcedRow Level Security
Sales Rep
Customer
Select * from Orders
Select * from Orders
ORDERS
Where customer_id = 20
Where customer_id = 10
VPDPolicy
Copyright 2004 Oracle Corporation
Oracle Database 10g Virtual Private Database
Column Relevant Policies– Policy enforced only if specific columns are
– PKI– Kerberos– Single Sign-On (Entrust, PKI)– Radius
Copyright 2004 Oracle Corporation
Oracle Advanced Security Network Encryption
Encrypts all communications with the database – AES– RSA RC4 (40-, 56-, 128-, 256-bit keys) – DES (40-, 56-bit) and 3DES (2- and 3-key)– Diffie-Hellman key exchange
Data integrity with checksums – MD5, SHA-1– Automatically detects modifications, replays, missing
packets
Copyright 2004 Oracle Corporation
PKI in Oracle Today
Oracle Products Enabled for PKI– Oracle Database– OracleAS HTTPS Server– OracleAS Single Sign-on– S/MIME– SSL
Copyright 2004 Oracle Corporation
Oracle PKI Components
Oracle Internet Directory– Public place for user certificates, CRL, and wallets
Oracle Wallet Manager – Create, manage key pair and certificate for server
Oracle Certificate Authority – New component in Oracle Application Server 10g– A trusted authority to issue certificates– Manage life cycle of certificate– Issue and update CRL– Works with browsers to enable web applications
Copyright 2004 Oracle Corporation
Historical Challenges of PKI
ProvisioningProvisioning
ApplicationApplicationTransparencyTransparency
Ease of use/Ease of use/DeploymentDeployment
StandardsStandardsCompliantCompliant
Copyright 2004 Oracle Corporation
OracleAS Certificate Authority 10g
ProvisioningProvisioning Integrated with OracleAS Single Sign-on 10gIntegrated with OracleAS Single Sign-on 10g
ApplicationApplicationTransparencyTransparency
Provides strong authentication for OracleAS Single Sign-On 10g enabled applicationsProvides strong authentication for OracleAS Single Sign-On 10g enabled applications
Ease of use/Ease of use/DeploymentDeployment Web based user and admin interfacesWeb based user and admin interfaces
StandardsStandardsCompliantCompliant Issues industry standard X.509V3 CertificatesIssues industry standard X.509V3 Certificates
Copyright 2004 Oracle Corporation
PKI EnablementAuthentication (usually with transmission encryption)
– Example is SSLv3Persistent digital signature
– Usually through digitally signed hash of document or file, or portion thereof
Persistent encryption– Usually in conjunction with symmetric
encryption– Public key used to encrypt symmetric key
Copyright 2004 Oracle Corporation
Data
Security & Privacy
Network
HealthcareWorker
Identify&
Authenticate
DiagnosisCoverage
Office Visit
Therapy
X-Ray
Enrollment
Lab Test
Rx Shot
Cert 973
Cert Child
Outpatient
Accesscontrol
Nurse
Doctor
Clerical
Employer
Privacy &integrity of
data
Comprehensiveauditing
Privacy &integrity of
communications
Copyright 2004 Oracle Corporation
Case StudiesCase Studies
Copyright 2004 Oracle Corporation
Built specifically to supports FDA 21 CFR Part 11 ComplianceDesigned for Life Sciences Data & File Management
FeaturesVersioning, Advance Searching, Check-in/Check-OutIntegrated storage of files from any sourceUniversal access through Web browserComplete Audit Trail of File Operations
“With Oracle as the foundation, we were able to develop a solution that can secure a vast array of file-based data with vault like security.”
- Bill Gargano, President and COO Taratec Development Corporation
Taratec e-ComplianceTM
Copyright 2004 Oracle Corporation
University of California San Diego School of Medicine
The Patient Centered Access to Secure Systems Online (PCASSO)
– 178,000 Medical Records– Provides trusted access to a patient’s health information
from healthcare providers over the Internet – Oracle Label Security & Virtual Private Database
The security is locked to the data and therefore can’t be subvertedNo application coding needed to implement security
“In defining those levels, we needed to separately protect highly sensitive information that – by law-requires special protection. …Label-based access control is ideal for this purpose”
- Dixie Baker, Corporate VP of Technology and CTO for SAIC’s Healthcare Practice