Oracle Health and AI (OHAI) Security Program

This OHAI Security Program is designed around OHAI’s hosted platforms – the hardware and operating systems upon which applications and solutions are deployed by OHAI in OHAI’s hosted environments on behalf of its clients. Oracle Health Millennium®, HealtheIntent® and CareAware® are examples of platforms. We take ownership and responsibility for cyber security and incident management of hosting operations systems to protect the confidentiality, integrity, and availability of hosted client data. Customers are responsible for managing certain aspects of security, including controlling end user access, adding custom extensions/integrations, and lawful data processing.

OHAI offers hosting services around the globe, utilizing the same security compliance program and information security policies regardless of the facility in which client data is hosted. Client data will be stored and hosted in the same country in which the client is located unless otherwise mutually agreed. There are some operational differences depending upon the type of data center utilized, but our information security program does not change.

  • OHAI Cloud Hosting – OHAI’s cloud hosting option allows our clients using cloud-enabled solutions to easily stay current on application functionality and technology used to deliver the applications to end-users. Oracle Cloud Infrastructure (OCI), Oracle’s cloud computing environment, is a scalable, highly available, and cost-effective cloud platform. OCI has commercial and government public cloud regions and is located around the globe. OHAI also utilizes a third-party public cloud provider for some hosted services.
  • OHAI Data Center Facilities – OHAI data center facilities are constructed taking into consideration any natural disaster risks for the geographic areas in which they are located. Data centers have physical and environmental security measures in a strategic layered approach to deter, delay, and detect any attempted intrusion. These measures are designed to provide a hardened, secure, and reliable environment.
  • Co-located Data Service Providers – OHAI utilizes Tier 3 equivalent data center co-location service providers in some regions. Services provided by data center providers include data center operations (i.e., delivery of power, cooling, fire suppression) and physical security up to OHAI data center cages. Computer equipment and networking equipment (such as servers, firewalls, or network cabling) is owned and maintained by OHAI and not shared with other data center tenants. The service providers do not have access to any data hosted within OHAI data center cages and they do not process any data pertaining to OHAI clients. Colocation service provider certifications include industry-recognized security, environmental, and health and safety certifications, such as ISO 27001 and ISO 14001 certifications and SOC 2 Type II reports.

Using a third-party data center colocation service provider does not change the way we manage our security program, nor does it provide the service provider with access to our systems or networks.

Policies and Procedures

OHAI maintains a documented information privacy, security and risk management program with clearly defined roles, responsibilities, policies, and procedures which are designed to secure the information maintained on OHAI’s platforms. OHAI’s program, at a minimum:

  • Assigns data security responsibilities and accountabilities to specific individuals;
  • Describes acceptable use of OHAI’s platform;
  • Provides access control and password attributes for OHAI end users, administrators, and operating systems;
  • Enforces OHAI end user authentication requirements;
  • Describes audit logging and monitoring of OHAI-hosted production environments;
  • Details OHAI’s incident response plan;
  • Describes appropriate risk management controls, security certifications and periodic risk assessments; and
  • Describes the physical and environmental security requirements for OHAI’s networks, offices and data centers.

OHAI tightly controls and does not distribute written or electronic copies of its security policies and procedures. OHAI regularly reviews and modifies its security program to reflect changing technology, regulations, laws, risk, industry and security practices and other business needs.


Technical Security

Identity and Access Management

OHAI grants access to client systems based upon role, completion of required training, and the principle of least privilege necessary for job responsibilities. Access approval processes are strictly enforced, ensuring access is appropriate and addresses compliance requirements.

Teams are required to monitor access and check for inactivity each month, revoking access authorization as appropriate. Employee identities are validated through two-factor authentication when using a VPN connection. Authentication using an approved VPN is required for access to cloud environments, which are segregated from corporate networks.

Access to resources and systems is reviewed when an employee changes role, with access revoked where appropriate. Employee access is also revoked when employment is terminated (voluntarily or involuntarily).

Configuration Management & Network Protections

OHAI uses multiple overlapping security applications and countermeasures within its security program to protect the platforms. The following are some examples of the security technologies OHAI deploys to protect the platforms:

  • Anti-Virus Software – Anti-Virus (AV) software, anti-malware software, and compensating controls are used, as appropriate, throughout the hosted environment. Pattern file updates are deployed daily. Inbound data is scanned in real-time and system drives are scanned on a weekly basis. In addition to keeping virus signatures up to date, the AV software and scan engines are updated to maintain and improve their effectiveness.
  • Network Firewalls – Perimeter network and critical infrastructure connections are protected by industry standard network firewall technologies.
  • Intrusion Prevention Systems (IPS) – Inline appliances are strategically placed within the network infrastructure to identify malicious or anomalous behavior. Each connection traversing interfaces of the firewall and each major connection traversing the core network is inspected to ensure validity.
  • Denial of Service – OHAI works closely with its internet service providers to detect and defend against denial-of-service access attacks.
  • Proxy Servers – External application access across public networks is scanned for worms and viruses prior to establishing the connection with the destination server. Outbound web and FTP requests are filtered against an authorized list and scanned for worms and viruses.
  • System Hardening – Server templates are updated for industry standard practices in secure configurations. New images are loaded onto all new servers and on older servers, as necessary.
  • Patch Management – OHAI maintains an automated system inventory and patching system providing visibility to system changes. OHAI obtains up-to-date patch notification through its partner relationships and tests patches using various processes prior to applying the patches within the applicable platform(s).
  • Separation of Environments – OHAI maintains appropriate logical and physical separation of its development, test, and client production environments.

System Management

System Level Logs

OHAI logs access to and activity on network devices, security infrastructure components, and server systems in an enterprise security logging repository. Logs are transferred to a Security Information and Event Management (SIEM) tool for monitoring, analysis, troubleshooting, compliance, and auditing of system events. Using the SIEM, security personnel devise profiles of common events to focus on unusual activity, avoid false positives, identify anomalies, and prevent insignificant alerts.

Encryption and Cryptographic Storage

OHAI uses proper encryption mechanisms to safeguard data. OHAI performs risk assessments to evaluate how the data is being consumed and the overall sensitivity of the data. Data is encrypted in transmission over public networks. OHAI manages client network public and private key infrastructure. OHAI strives to use FIPS 140-2 algorithms when supported by the cryptographic module. OHAI also supports the Advanced Encryption Standard (AES) and Transport Layer Security (TLS).

Vulnerability and Threat Management

Penetration testing is conducted by OHAI security professionals who have appropriate industry certifications and credentials. In addition, OHAI annually engages a third party to conduct external penetration testing. As part of OHAI’s vulnerability and threat management program, OHAI’s security professionals analyze and quantify the risk potential of identified vulnerabilities and threats to both OHAI and its clients.

OHAI conducts continuous production scanning of OHAI’s platforms. OHAI scores vulnerabilities based upon the expected impact to the environment and external exposure. Once the vulnerability is scored, a process to mitigate or remediate the vulnerability is initiated.

Identified vulnerabilities are assessed for risk and mitigated or remediated according to their severity level. This analysis includes using industry standards, such as NIST’s Common Vulnerability Scoring System (NIST CVSS), and internal penetration scanning of environments using industry standard tools. OHAI strives to patch vulnerabilities within the timeframes set forth below:

  • Urgent – two weeks if an approved workaround method is available, or 48 hours when no associated workaround is available
  • Critical – 30 days
  • High – 90 days
  • Medium – 180 days
  • Low – 365 days

Physical and Environmental Security

Physical and environmental security measures are implemented in a strategic layered approach to deter, delay, and detect any attempted intrusion. These measures are designed both in accordance with needs unique to the facility and to ensure critical systems are provided a hardened, secure, and reliable environment.

At a minimum, OHAI ensures the following physical and environmental security controls are maintained at Oracle Health data centers and within any co-located service provider leveraged by OHAI:

  • Access control systems to restrict entry solely to OHAI personnel and authorized third parties.
  • Facility designed with industry standard environmental controls (such as fire detection and suppression systems, cooling systems, humidity controls, power distribution controls, uninterruptible power supply and back-up generator capability).
  • Facility designed with industry standard perimeter controls (such as guard stations, physical barriers, video surveillance and appropriate weather resistant design).

Incident Management

Immediate Response Center (IRC)

The primary duty of the IRC is to answer second and third tier support calls from client help desks and resolve reported issues. Reported issues are documented and stored in a central repository. The IRC team uses system monitoring tools to track and respond to alarms and warnings and take appropriate action. OHAI’s IRC is staffed 24x7x365.

Computer Security Incident Response Center (CSIRC)

OHAI’s Computer Security Incident Response Center (CSIRC) is the control center for security incident event management and is responsible for 24x7x365 continuous threat monitoring of OHAI’s platforms. The CSIRC team ingests and coordinates responses to international, federal, and tech industry threat intelligence information, in an effort to safeguard OHAI environments. In addition, the team leverages industry standard tools to systematically analyze logs to identify potential unauthorized activity and focus on potential threats.

Security Incidents

OHAI maintains a security incident management process to investigate, mitigate, and communicate system security events occurring within a platform. Impacted clients are informed of relevant security incidents in a timely manner and advised of recommended corrective measures to be taken.

Security Event Management

OHAI does not notify clients or publicly speak about “named” vulnerability events. At OHAI’s sole discretion, OHAI may issue a response specific to a vulnerability which OHAI has determined to require immediate attention based on gathered threat intelligence. Otherwise, OHAI does not notify clients or address client requests to review an environment for vulnerabilities.


Change Management

OHAI maintains change management processes, based on Information Technology Infrastructure Library (ITIL) best practices, which are designed around the type of change and level of risk associated with that change. OHAI’s policies require OHAI to communicate relevant non-routine changes it makes to a client’s system with the impacted client. Changes are validated, reviewed, and receive approvals commensurate with the risk of the change. OHAI uses Change Advisory Boards (CABs) to review significant changes with known downtime or heightened risk. Changes are logged and maintained within OHAI’s centralized change request system. Clients are responsible for controlling and documenting any system modifications they perform.


Contingency Planning

OHAI’s contingency program is based on ISO 22301 and is designed to ensure continued operation of essential technology by supporting internal and external client functions during any incident (e.g., a situation that might be, or could lead to, an extended disruption, loss, emergency, or crisis).

Disaster Recovery and Resiliency

OHAI provides a redundant and highly available infrastructure to minimize disruptions to the production environments. If a disruptive incident occurs, OHAI follows an established, exercised and documented contingency program to restore service as quickly and effectively as possible, using commercially reasonable measures. The incident management portion of OHAI’s contingency planning program is tested, reviewed, and updated annually. OHAI offers different levels of disaster recovery services based on the applicable platform.


Software Development Lifecycle

OHAI is aligning its security practices with Oracle. For the development of new products, OHAI leverages Oracle Software Security Assurance (OSSA), which encompasses every phase of the product development lifecycle and is Oracle’s methodology for building security into the design, build, testing, and maintenance of its products. Oracle’s secure development practices are intended to prevent common vulnerabilities, including those identified in the OWASP Top 10. For more information, see https://www.oracle.com/corporate/security-practices/assurance/development/


Personnel

Security Awareness

OHAI’s security awareness program requires associates to participate in mandatory education and training activities related to their specific role. These activities are designed to maintain the effectiveness of OHAI’s security posture and include:

  • Continuing education campaigns;
  • Annual security training;
  • Localized security training;
  • Phishing and other scam recognition; and
  • Targeted security bulletins.

Employment Requirement Guidelines

In 2003, OHAI began its process of regularly screening its offer-stage employment candidates through a background check process. Beginning in 2012, OHAI started requiring candidates to submit to a drug screening prior to beginning employment.

Background Checks

OHAI’s applicant background check process varies based on the candidate’s potential role and applicable law. For example, to the extent allowed by applicable law, background checks in the U.S. and Canada consist of:

  • Employment history dating back five years;
  • Education verification (highest degree), as required based on role;
  • Criminal search dating back seven years;
  • Social Security Number trace (U.S. only);
  • Healthcare sanctions check (U.S. only);
  • Global sanctions and enforcement check;
  • Drug testing (for certain positions only); and
  • Professional certificates (for certain positions only).

Subcontractors

OHAI requires subcontractors to assure the competency and eligibility of their employees who provide services to OHAI’s clients. Subcontractor personnel are required to complete background checks applicable to the services performed; such background checks must be at least as prescriptive as the background checks OHAI requires for OHAI associates.

Third Party Risk Management

OHAI requires business associate agreements and nondisclosure agreements with its co-location service providers and the suppliers it uses to provide the platform, as appropriate based on that entity’s access to data and other confidential information. OHAI requires that its suppliers complete a data security questionnaire as part of OHAI’s evaluation process for the supplier. In addition, OHAI conducts annual supplier security risk assessments on its suppliers based on that supplier’s risk profile.

Offshore Resources

OHAI is a global company with offices and associates throughout the world. OHAI’s current operational and support model includes the use of global associates. OHAI may provide temporary access to the platforms from outside of the country where the applicable platform is hosted. All associates with access to the platform are required to participate in mandatory education and training activities related to their specific role and are required to follow OHAI’s security policies and processes. Training records are tracked and maintained for compliance purposes.

Destruction of Media

All storage media used for the delivery of OHAI’s hosting services is purged and disposed of in accordance with OHAI’s policy for electronic media disposal. The policy adheres to the HIPAA Security Rule, ISO 27001, and NIST 800-88.

OHAI may provide hardware to clients for use at their locations. Any information stored on OHAI-provided hardware but located at a client site is considered the responsibility of the client. In such cases, clients are responsible for decisions regarding sanitization or destruction of data storage media at the end of the hardware’s usage life cycle.


Certifications and Audits

OHAI regularly conducts internal assessments and undergoes external audits to examine the controls present within the platform and OHAI’s operations and to validate that OHAI is operating effectively in accordance with its OHAI Security Program.

HIPAA – Health Insurance Portability and Accountability Act of 1996

OHAI has established and maintains the necessary controls required for compliance with HIPAA (as amended by HITECH). HIPAA (internal or external) assessments take place on an annual basis and examine all appropriate corporate and client environments in our U.S. locations.

SOC 1 and SOC 2 Type II Attestations

Third-party attestations are performed on OHAI’s hosted environments by measuring and testing the effectiveness of OHAI’s risk mitigations related to the AICPA’s Trust Service Principles relevant to security, availability, and confidentiality. SOC reports are prepared under the AICPA’s SSAE guidelines and are specific to the hosting services and controls managed by OHAI and presently include the following hosting locations: U.S., Canada, and Sweden. SOC reporting locations are subject to change as OHAI reviews its ever-changing business needs. We will work with clients to assist them in obtaining the appropriate SOC report from OHAI, as applicable, or a colocation provider.

ISO 27001/27002:2022

OHAI’s Information Security Management Framework (ISMF) is compliant with the principles of the ISO 27001/27002:2022 standard and the ISMF’s policies are applicable to most of OHAI’s platforms.

We have a dependency on co-location data centers in Canada, Sweden, the United Kingdom, France and Australia and on public cloud service providers for their physical and environmental security controls. According to our independent auditor(s), only Oracle Health owned data centers and offices can be identified and included in Oracle Health’s ISO certification. Processes that manage colocation data centers are covered by Oracle Health offices identified in the ISO certification. Oracle Health can confirm that its processes that manage data centers within colocation data center service providers were included in Oracle Health’s ISO certification. This is consistent with the multiple colocation data center service providers used across the globe. Oracle Health only owns data centers in the United States, which is why they are identified in the certification. For specific colocation data center service providers’ operations, clients would need to rely upon the provider’s own ISO certification.

Penetration Testing Summary Report

OHAI annually engages a third party to perform external penetration tests against OHAI’s platforms. OHAI receives a penetration testing summary report which describes the penetration testing performed, confirms that an industry standard methodology, testing tools and a national vulnerability database were used in conducting the penetration testing, and identifies known vulnerabilities within the Platforms. OHAI remediates identified vulnerabilities based on risk and addresses those vulnerabilities through an actively monitored plan for remediation.

PCI-DSS – Payment Card Industry Data Security Standard

OHAI receives a third-party Attestation of Compliance (AoC) to demonstrate PCI DSS compliance as a Level 1 Service Provider for the processing of payments supported by certain OHAI solutions. For more information about which OHAI solutions are supported by this AoC, please contact your OHAI representative.

EU-U.S. Privacy Shield Framework

OHAI has self-certified to the EU-U.S. Privacy Shield and the Swiss-U.S. Privacy Shield.

Supporting Client Security Questionnaires

Upon a client’s request to complete a security questionnaire or assessment, OHAI will provide applicable third-party documentation from our Security Compliance Program as described above. Additional documentation may be provided when it is available, such as pre-completed standardized security questionnaires (CAIQs) or a Supplier Risk Management Overview of a third-party application. Clients may leverage these reports to assess OHAI’s security posture and compliance with contractual terms. We will collaborate with clients in answering reasonable, specific security assessment questions not addressed through these standard deliverables.

One of our many security controls includes ensuring that we do not provide confidential and sensitive information that exposes OHAI or our clients to additional risk. We take the security of your data very seriously, and we will not jeopardize it to satisfy requests for specific sensitive information when third-party auditors have validated our security program.