This OHAI Security Program is designed around OHAI’s hosted platforms: the hardware and operating systems on which OHAI deploys applications and solutions in its hosted environments on behalf of its clients. Oracle Health Millennium®, HealtheIntent® and CareAware® are examples of platforms. OHAI takes ownership of and responsibility for the cyber security and incident management of hosting operations systems, to protect the confidentiality, integrity, and availability of hosted client data. Under this shared-responsibility model, clients remain responsible for certain aspects of security, including controlling end-user access, any custom extensions or integrations they add, and lawful processing of their data.
OHAI offers hosting services around the globe, utilizing the same security compliance program and information security policies regardless of the facility in which client data is hosted. Client data will be stored and hosted in the same country in which the client is located unless otherwise mutually agreed. There are some operational differences depending upon the type of data center utilized, but our information security program does not change.
Using a third-party data center colocation service provider does not change the way we manage our security program, nor does it provide the service provider with access to our systems or networks.
OHAI maintains a documented information privacy, security and risk management program with clearly defined roles, responsibilities, policies, and procedures which are designed to secure the information maintained on OHAI’s platforms. OHAI’s program, at a minimum:
OHAI tightly controls and does not distribute written or electronic copies of its security policies and procedures. OHAI regularly reviews and modifies its security program to reflect changing technology, regulations, laws, risk, industry and security practices and other business needs.
OHAI grants access to client systems based upon role, completion of required training, and the principle of least privilege: only the access necessary for the individual’s job responsibilities. Access approval processes are strictly enforced, ensuring that access is appropriate and satisfies compliance requirements.
Teams are required to monitor access and check for inactivity each month, revoking access authorization as appropriate. Employee identities are validated with two-factor authentication when connecting over VPN, and authentication through an approved VPN is required for access to cloud environments, which are segregated from corporate networks.
Access to resources and systems is reviewed when an employee changes role, with access revoked where appropriate. Employee access is also revoked when employment is terminated (voluntarily or involuntarily).
OHAI uses multiple overlapping security applications and countermeasures within its security program to protect the platforms. The following are some examples of the security technologies OHAI deploys to protect the platforms:
OHAI logs access to and activity on network devices, security infrastructure components, and server systems in an enterprise security logging repository. Logs are forwarded to a Security Information and Event Management (SIEM) tool for monitoring, analysis, troubleshooting, compliance, and auditing of system events. Within the SIEM, security personnel build profiles of routine events so that analysis can concentrate on deviations from that baseline; this both surfaces anomalies and suppresses false positives and low-value alerts.
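As an added illustration (not OHAI code, and not a description of OHAI’s actual SIEM content), the following Python sketches the profiling step the paragraph describes: build a per-user baseline of routine hosts, source addresses, actions and login hours from a training window of constructed log lines, drop a known-noisy event type before profiling, then score new events by how many baseline dimensions they deviate from. The log format, the field names and the `heartbeat` noise class are assumptions made for the example.

```python
"""Baseline-and-deviation detection over constructed log lines (added example)."""
from collections import Counter, defaultdict
import re

# Constructed sample events, NOT real OHAI logs: one key=value line per event.
BASELINE_LOGS = """\
2024-03-01T08:02:11Z host=app01 user=jsmith action=ssh_login src=10.20.1.15 result=success
2024-03-01T08:05:40Z host=app01 user=jsmith action=sudo src=10.20.1.15 result=success
2024-03-01T09:14:02Z host=db01 user=dbadmin action=ssh_login src=10.20.1.40 result=success
2024-03-01T09:15:30Z host=db01 user=dbadmin action=sudo src=10.20.1.40 result=success
2024-03-02T08:01:57Z host=app01 user=jsmith action=ssh_login src=10.20.1.15 result=success
2024-03-02T08:03:12Z host=app01 user=jsmith action=sudo src=10.20.1.15 result=success
2024-03-02T09:10:44Z host=db01 user=dbadmin action=ssh_login src=10.20.1.40 result=success
2024-03-02T10:00:00Z host=app01 user=monitor action=heartbeat src=10.20.9.9 result=success
2024-03-02T10:05:00Z host=db01 user=monitor action=heartbeat src=10.20.9.9 result=success
"""

NEW_LOGS = """\
2024-03-03T08:00:30Z host=app01 user=jsmith action=ssh_login src=10.20.1.15 result=success
2024-03-03T02:13:09Z host=db01 user=jsmith action=ssh_login src=198.51.100.7 result=success
2024-03-03T02:14:01Z host=db01 user=jsmith action=sudo src=198.51.100.7 result=success
2024-03-03T09:12:00Z host=db01 user=dbadmin action=ssh_login src=10.20.1.40 result=success
2024-03-03T10:00:00Z host=app01 user=monitor action=heartbeat src=10.20.9.9 result=success
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) action=(?P<action>\S+) "
    r"src=(?P<src>\S+) result=(?P<result>\S+)$"
)
# Event types known to be insignificant; dropped before profiling so they
# neither pollute the baseline nor generate alerts (an assumed class).
NOISE_ACTIONS = {"heartbeat"}


def parse(text):
    """Parse the assumed key=value log format; silently skip malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def build_profile(events):
    """Per-user counts of the hosts, source IPs, actions and UTC hours seen."""
    profile = defaultdict(
        lambda: {"host": Counter(), "src": Counter(), "action": Counter(), "hour": Counter()}
    )
    for e in events:
        if e["action"] in NOISE_ACTIONS:
            continue
        p = profile[e["user"]]
        p["host"][e["host"]] += 1
        p["src"][e["src"]] += 1
        p["action"][e["action"]] += 1
        p["hour"][e["ts"][11:13]] += 1
    return profile


def detect(events, profile, min_seen=1):
    """Return alerts for events outside the user's baseline, most deviant first."""
    alerts = []
    for e in events:
        if e["action"] in NOISE_ACTIONS:
            continue
        hour = e["ts"][11:13]
        p = profile.get(e["user"])  # .get() does not create a baseline entry
        reasons = []
        if p is None:
            reasons.append("user has no baseline")
        else:
            for field in ("host", "src", "action"):
                if p[field][e[field]] < min_seen:
                    reasons.append(f"new {field} {e[field]}")
            if p["hour"][hour] < min_seen:
                reasons.append(f"unusual hour {hour}:00Z")
        if reasons:
            alerts.append({"ts": e["ts"], "user": e["user"], "host": e["host"], "reasons": reasons})
    # Events deviating on several dimensions at once rank above single oddities.
    alerts.sort(key=lambda a: len(a["reasons"]), reverse=True)
    return alerts


def run_demo():
    """Profile the baseline window, then score the new window."""
    profile = build_profile(parse(BASELINE_LOGS))
    return detect(parse(NEW_LOGS), profile)


if __name__ == "__main__":
    for a in run_demo():
        print(a["ts"], a["user"], a["host"], "; ".join(a["reasons"]))
```

Ranking by the number of deviating dimensions is what puts the two db01 sessions from an unfamiliar address at 02:00 at the top, while a single new field in isolation (a user’s first login to a newly built host, say) ranks lower and can be tuned away. In a production SIEM the baseline window would be weeks rather than two days and `min_seen` would be raised above 1, otherwise sparse baselines generate exactly the low-value alerts the paragraph says the profiles are meant to prevent.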
OHAI uses encryption mechanisms appropriate to the data being protected. OHAI performs risk assessments to evaluate how the data is consumed and its overall sensitivity. Data is encrypted in transit over public networks. OHAI manages the public key infrastructure (public and private keys) for client networks. OHAI strives to use FIPS 140-2 approved algorithms wherever the cryptographic module in use supports them, and supports the Advanced Encryption Standard (AES) cipher and the Transport Layer Security (TLS) protocol.
Penetration testing is conducted by OHAI security professionals who have appropriate industry certifications and credentials. In addition, OHAI annually engages a third-party to conduct external penetration testing. As part of OHAI’s vulnerability and threat management program, OHAI’s security professionals analyze and quantify the risk potential of identified vulnerabilities and threats to both OHAI and its clients.
OHAI conducts continuous vulnerability scanning of OHAI’s production platforms. Each finding is scored on its expected impact to the environment and its external exposure; once a vulnerability is scored, a process to mitigate or remediate it is initiated.
Identified vulnerabilities are assessed for risk and mitigated or remediated according to their severity level. The analysis uses industry standards such as the Common Vulnerability Scoring System (CVSS), as applied in NIST’s National Vulnerability Database, together with internal vulnerability scanning of environments using industry standard tools. OHAI strives to patch vulnerabilities within the timeframes set forth below:
Physical and environmental security measures are implemented in a strategic layered approach to deter, delay, and detect any attempted intrusion. These measures are designed both in accordance with needs unique to the facility and to ensure critical systems are provided a hardened, secure, and reliable environment.
At a minimum, OHAI ensures the following physical and environmental security controls are maintained at Oracle Health data centers and within any co-located service provider leveraged by OHAI:
The primary duty of the IRC is to answer second- and third-tier support calls from client help desks and resolve reported issues. Reported issues are documented and stored in a central repository. The IRC team uses system monitoring tools to track and respond to alarms and warnings, taking appropriate action. OHAI’s IRC is staffed 24x7x365.
OHAI’s Computer Security Incident Response Center (CSIRC) is the control center for security incident event management and is responsible for 24x7x365 continuous threat monitoring of OHAI’s platforms. The CSIRC team ingests and coordinates responses to international, federal, and tech industry threat intelligence information, in an effort to safeguard OHAI environments. In addition, the team leverages industry standard tools to systematically analyze logs to identify potential unauthorized activity and focus on potential threats.
OHAI maintains a security incident management process to investigate, mitigate, and communicate system security events occurring within a platform. Impacted clients are informed of relevant security incidents in a timely manner and advised of recommended corrective measures to be taken.
OHAI does not notify clients about, or publicly comment on, “named” vulnerability events. At OHAI’s sole discretion, OHAI may issue a response specific to a vulnerability that OHAI has determined, based on gathered threat intelligence, to require immediate attention. Otherwise, OHAI does not notify clients about such events and does not act on client requests to review an environment for a specific vulnerability.
OHAI maintains change management processes, based on Information Technology Infrastructure Library (ITIL) best practices, which are designed around the type of change and the level of risk associated with it. OHAI’s policies require OHAI to communicate relevant non-routine changes it makes to a client’s system to the impacted client. Changes are validated, reviewed, and approved commensurate with their risk. OHAI uses Change Advisory Boards (CABs) to review significant changes with known downtime or heightened risk. Changes are logged and maintained within OHAI’s centralized change request system. Clients are responsible for controlling and documenting any system modifications they perform themselves.
OHAI’s contingency program is based on ISO 22301 and is designed to ensure continued operation of essential technology by supporting internal and external client functions during any incident (e.g., a situation that might be, or could lead to, an extended disruption, loss, emergency, or crisis).
OHAI provides a redundant and highly available infrastructure to minimize disruptions to the production environments. If a disruptive incident occurs, OHAI follows an established, exercised and documented contingency program to restore service as quickly and effectively as possible, using commercially reasonable measures. The incident management portion of OHAI’s contingency planning program is tested, reviewed, and updated annually. OHAI offers different levels of disaster recovery services based on the applicable platform.
OHAI is aligning its security practices with Oracle’s. For the development of new products, OHAI leverages Oracle Software Security Assurance (OSSA), Oracle’s methodology for building security into the design, build, testing, and maintenance of its products, which encompasses every phase of the product development lifecycle. Oracle’s secure development practices are intended to prevent common vulnerabilities, including those identified in the OWASP Top 10. For more information, see https://www.oracle.com/corporate/security-practices/assurance/development/
OHAI’s security awareness program requires associates to participate in mandatory education and training activities related to their specific role. These activities are designed to maintain the effectiveness of OHAI’s security posture and include:
In 2003, OHAI began its process of regularly screening its offer-stage employment candidates through a background check process. Beginning in 2012, OHAI started requiring candidates submit to a drug screening prior to beginning employment.
OHAI’s applicant background check process varies based on the candidate’s potential role and applicable law. For example, to the extent allowed by applicable law, background checks in the U.S. and Canada consist of:
OHAI requires subcontractors to assure the competency and eligibility of their employees who provide services to OHAI’s clients. Subcontractor personnel are required to complete background checks applicable to the services performed; such background checks must be at least as stringent as those OHAI requires for its own associates.
OHAI requires business associate agreements and nondisclosure agreements with its co-location service providers and the suppliers it uses to provide the platform, as appropriate based on that entity’s access to data and other confidential information. OHAI requires that its suppliers complete a data security questionnaire as part of OHAI’s evaluation process for the supplier. In addition, OHAI conducts annual supplier security risk assessments on its suppliers based on that supplier’s risk profile.
OHAI is a global company with offices and associates throughout the world. OHAI’s current operational and support model includes the use of global associates. OHAI may provide temporary access to the platforms from outside of the country where the applicable platform is hosted. All associates with access to the platform are required to participate in mandatory education and training activities related to their specific role and are required to follow OHAI’s security policies and processes. Training records are tracked and maintained for compliance purposes.
All storage media used for the delivery of OHAI’s hosting services is purged and disposed of in accordance with OHAI’s policy for electronic media disposal. The policy adheres to the HIPAA Security Rule, ISO/IEC 27001, and NIST SP 800-88.
OHAI may provide hardware to clients for use at their locations. Any information stored on OHAI-provided hardware but located at a client site is considered the responsibility of the client. In such cases, clients are responsible for decisions regarding sanitization or destruction of data storage media at the end of the hardware’s usage life cycle.
OHAI regularly conducts internal assessments and undergoes external audits to examine the controls present within the platform and OHAI’s operations and to validate that OHAI is operating effectively in accordance with its OHAI Security Program.
OHAI has established and maintains the necessary controls required for compliance with HIPAA (as amended by HITECH). HIPAA (internal or external) assessments take place on an annual basis and examine all appropriate corporate and client environments in our U.S. locations.
Third-party attestations are performed on OHAI’s hosted environments by measuring and testing the effectiveness of OHAI’s risk mitigations against the AICPA’s Trust Services Criteria (formerly the Trust Services Principles) for security, availability, and confidentiality. SOC reports are prepared under the AICPA’s SSAE standards and are specific to the hosting services and controls managed by OHAI; they presently cover the following hosting locations: U.S., Canada, and Sweden. SOC reporting locations are subject to change as OHAI reviews its changing business needs. We will work with clients to assist them in obtaining the appropriate SOC report from OHAI or, as applicable, from a colocation provider.
OHAI’s Information Security Management Framework (ISMF) is compliant with the principles of the ISO/IEC 27001:2022 and ISO/IEC 27002:2022 standards, and the ISMF’s policies apply to most of OHAI’s platforms.
We depend on colocation data centers in Canada, Sweden, the United Kingdom, France and Australia, and on public cloud service providers, for the physical and environmental security controls at those sites. According to our independent auditor(s), only data centers and offices owned by Oracle Health can be named in Oracle Health’s ISO certification; Oracle Health owns data centers only in the United States, which is why those are the sites identified. The processes by which Oracle Health manages its footprint inside colocation data centers are operated from Oracle Health offices that are within the certification scope, so Oracle Health can confirm that those management processes are covered by its ISO certification. This applies uniformly across the colocation providers used around the globe. For the operations of a specific colocation provider itself, clients would need to rely upon that provider’s own ISO certification.
OHAI annually engages a third party to perform external penetration tests against OHAI’s platforms. OHAI receives a penetration testing summary report which describes the testing performed, confirms that an industry standard methodology, testing tools and a national vulnerability database were used, and identifies known vulnerabilities within the platforms. OHAI remediates identified vulnerabilities based on risk, tracking them through an actively monitored remediation plan.
OHAI receives a third-party Attestation of Compliance (AoC) to demonstrate PCI DSS compliance as a Level 1 Service provider for the processing of payments supported by certain OHAI solutions. For more information about what OHAI solutions are supported by this AoC, please contact your OHAI representative.
OHAI has self-certified to the EU-U.S. Privacy Shield and the Swiss-U.S. Privacy Shield. (Note that the Court of Justice of the European Union invalidated the EU-U.S. Privacy Shield as a basis for transfers in July 2020; clients should confirm with OHAI which transfer mechanism currently governs their data.)
Upon a client’s request to complete a security questionnaire or assessment, OHAI will provide applicable third-party documentation from our Security Compliance Program as described above. Additional documentation may be provided when it is available, such as pre-completed standardized security questionnaires (Cloud Security Alliance Consensus Assessments Initiative Questionnaires, CAIQs) or a Supplier Risk Management Overview of a third-party application. Clients may use these reports to assess OHAI’s security posture and compliance with contractual terms. We will collaborate with clients in answering reasonable, specific security assessment questions not addressed through these standard deliverables.
One of our many security controls includes ensuring that we do not provide confidential and sensitive information that exposes OHAI or our clients to additional risk. We take the security of your data very seriously, and we will not jeopardize it to satisfy requests for specific sensitive information when third-party auditors have validated our security program.