Technical Security Measures For Electronic Personal Health Information

DEPARTMENT OF HEALTH AND HUMAN SERVICES GUIDANCE SPECIFYING THE TECHNOLOGIES AND
METHODOLOGIES THAT RENDER PROTECTED HEALTH INFORMATION UNUSABLE, INREADABLE OR

INDECIPHERABLE
CERNER GUIDANCE AND REFERENCE MATERIALS
CERNER CORPORATION
AUGUST 28, 2009
Introduction.................................................................................................................................................1
Regulatory Background................................................................................................................................2
Encryption...........................................................................................................................................3
Destruction..........................................................................................................................................3
A Little Perspective – To Encrypt or Not To Encrypt.....................................................................................3
Cerner Guidance and Resources..................................................................................................................5
Where to Go For More Information or Who to Contact If Interested........................................................15
Introduction
The purpose of this document is to provide an outline of technical security capabilities,

recommendations or reference materials for clients to consider in their use of Cerner Millennium
whether as a local implementation managed by a client or as hosted by Cerner through CernerWorks in
order to comply with the guidance issued by the federal Department of Health and Human Services
(DHHS) “Specifying the Technologies and Methodologies That Render Protected Health Information
Unusable, Unreadable, or Indecipherable to Unauthorized Individuals for Purposes of the Breach
Notification Requirements” of Section 13402 of Title XII (HITECH Act) of the American Recovery and
Reinvestment Act (ARRA) of 2009 – see full text of the original guidance issued in April, 2009 available at
the following link-
http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/federalregisterbreach
rfi.pdf. The guidance was updated in the interim final rule for breach notification from electronic
health records issued by DHHS on August 19, 2009. The updated guidance may be found in Section II of
that rule available at http://www.federalregister.gov/OFRUpload/OFRData/2009-20169_PI.pdf. The
Cerner Corporation Confidential Information
Cerner Corporation. All rights reserved. This document contains confidential information which may not be
reproduced or transmitted without the express written consent of Cerner.
scope of this white paper are those technical computing infrastructure components that Cerner hosts,
installs or provides guidance on as to installation and maintenance for local client managed installations.
These materials are provided for consideration by clients in their efforts to secure electronic personal
health information in compliance with the safe harbor requirements of the federal Breach Notification
rules under the HITECH provisions of ARRA 2009 as specified by the DHHS guidance document.
Regulatory Background
Under the Breach Notification rules for breach of electronic Personal Health Information (ePHI)
developed by the Federal Trade Commission (FTC) for Personal Health Records (PHRs) and by the
Department of Health and Human Services (DHHS) for Electronic Health Records under ARRA 2009,
there is a safe harbor available to regulated entities/covered entities directly subject to the notification
requirements of both rules. The safe harbor is available to those affected entities subject to regulation to
be exempt from breach notification requirements if any ePHI under the control of those entities has
been appropriately secured by technical security measures specified by DHHS. DHHS developed their
initial guidance for appropriate technical security measures in April 2009. In that guidance, DHHS
focused on the following key points –
o The guidance focuses on the appropriate technical security measures HIPAA covered
entities and business associates along with PHR vendors, PHR related entities and third
party service provides can follow to ensure that they are appropriately securing
electronic personal health information that they may collect, record, store, access, use,
maintain, dispose, transmit or otherwise process, use and disclose
o If an entity follows the guidance, they can avoid breach notification requirements for
unauthorized acquisition, access, use or disclosure of electronic PHI as is subject to rule
making by HHS (for HIPAA covered entities and business associates) and the FTC (for PHR
vendors, PHR related entities and third party service providers)
o The guidance focuses on data at rest, data in transit and proper disposal of data
o The guidance suggests encryption is required for data at rest and data in transit
o The guidance outlines requirements for proper disposal and destruction of hardcopy and
soft media types that contain or are produced from electronic PHI
The guidance distinguishes particular states or conditions during which PHI can be vulnerable to a breach
including:
 Data in motion (moving through a network including wireless transmission)

 Data at rest (resident in databases, file systems and other structured storage methods)
 Data in use (data in the process of retrieval, update, creation or deletion)
 Data disposed (discarded paper records or recycled electronic media)
The guidance focuses on methods of encryption and destruction for data in motion or data at rest.
Encryption
 Encryption under the HIPAA Security rule is described as use of an algorithmic process to
transform data into a form in which there is a low probability of assigning meaning without use
of a confidential process or key, and such confidential process or key that enables decryption has
not been breached.
o Valid encryption for data at rest is consistent with NIST Special Publication 800-111,
Guide to Storage Encryption Technologies for End User Devices
o Valid encryption for data in motion complies with Federal Information Processing
Standard (FIPS) 140-2 including as appropriate those contained in NIST Special
Publication s 800-52, Guidelines for the Selection and Use of Transport Layer Security
(TLS) Implementations and 800-77, Guide to IPsec VPNs or 800-113, Guide to SSL VPNs.
Destruction
 Destruction includes disposal of media on which PHI is stored in the following ways:
o For paper, film or other hard copy media – shredding or destruction in such a way that
the PHI cannot be read or otherwise reconstructed
o For electronic media that has been cleared, purged or destroyed – by a means consistent
with NIST Special Publication 800-88, Guidelines for Media Sanitization
A Little Perspective – To Encrypt or Not To Encrypt
Encryption under the original HIPAA Security rule is an “addressable” requirement, and DHHS is clear in
their updated guidance issued on August 19 that the guidance does not change the status of encryption
as an addressable requirement. DHHS also was clear in stating that an entity can comply with the HIPAA
Security rule without implementing encryption. Compliance with the technical security guidance issued
by DHHS for safe harbor purposes under the Breach Notification rules is voluntary for the purpose of
regulated entities under those rules being able to qualify for the safe harbor. Cerner recommends that
clients give serious thought about how to apply the technical security guidance to their operating
situation. Cerner does not recommend clients immediately leap to the conclusion to “encrypt
everywhere”, but to evaluate encryption in light of their own security risk assessment. The original HIPAA
Security rule offers this guidance relative to addressable requirements (See text of the Security Rule at
45 CFR Parts 160, 162 and 164 [CMS-0049-F] III.A.3) – final Security rule can be accessed at
http://www.cms.hhs.gov/SecurityStandard/Downloads/securityfinalrule.pdf:
“In meeting standards that contain addressable implementation specifications, a covered entity will
ultimately do one of the following:
(a) Implement one or more of the addressable implementation specifications;
(b) Implement one or more alternative security measures;
(c) Implement a combination of both;
(d) Not implement either an addressable implementation specification or an alternative security
measure
In all cases, the covered entity must meet the standards, as explained below. The entity must decide
whether a given addressable implementation specification is a reasonable and appropriate security
measure to apply within its particular security framework. This decision will depend on a variety of
factors, such as, among others, the entity’s risk analysis, risk mitigation strategy, what security measures
are already in place, and the cost of implementation. Based on this decision the following applies:
(a) If a given addressable implementation specification is determined to be reasonable and

appropriate, the covered entity must implement it.
(b) If a given addressable implementation specification is determined to be an inappropriate and/or
unreasonable security measure for the covered entity, but the standard cannot be met without
implementation of an additional security safeguard, the covered entity may implement an
alternate measure that accomplishes the same end as the addressable implementation
specification. An entity that meets a given standard through alternative measures must
document the decision not to implement the addressable implementation specification, the
rationale behind that decision, and the alternative safeguard implemented to meet the standard.
(c) A covered entity may also decide that a given implementation specification is simply not
applicable (that is, neither reasonable nor appropriate) to its situation and that the standard can
be met without implementation of an alternative measure in place of the addressable
implementation specification. In this situation, the covered entity must document the decision
not to implement the addressable specification, the rationale behind that decision, and how the
standard is being met.”
Cerner expects that clients will undertake risk assessments as required by the HIPAA Security Rule, and
especially in light of the breach notification requirements that are in place under the rule making to
implement those provisions of ARRA 2009, make their decisions on encryption as informed by the
security risk assessment each client should be performing. That risk assessment should highlight risk
areas that warrant encryption to be considered for particular segments or component areas of the
overall technical computing environment. Cerner also encourages clients to think in terms of what makes
sense given the costs and benefits of encryption when the relative risks are identified across different
parts of the computing environment based on the risk of theft or loss of data. Those risks are going to be
significantly higher for end user computing, mobile devices, removable media for download of electronic
data in the hands of end users and patients and for remote access to the electronic health record by
physicians and other users.
Cerner also appreciates that should the unfortunate circumstance of a breach of privacy occur that
involves the theft, loss or unauthorized access and acquisition of ePHI, the expectation by both HHS and
the FTC will be that corrective and preventive action be taken appropriate to the manner and nature of
the breach. This still may not mean “encryption everywhere” without due recognition of other technical
security measures a client may undertake, but it does at least mean that the lesson should be learned
relative to any other similar vulnerabilities a regulated or covered entity may have and that manner of
breach should be prevented in the future for the particular kind of breach experienced.
Cerner Guidance and Resources
Cerner has worked to identify available materials from Cerner and non-Cerner sources to help clients
assess their current deployments of Cerner Millennium whether locally installed and managed by clients
or as hosted by Cerner through CernerWorks.
The table below breaks out the various aspects of the technical computing infrastructure typically
involved in the day to day production use of Cerner Millennium and supporting storage systems where
data may be stored or data may be communicated and in transit. The capabilities are summarized and
reference links provided to reference documents or materials that explore those capabilities more fully.
AREA SUMMARY OF CAPABILITY REFERENCE MATERIALS

CernerWorks CernerWorks provides clients with http://my.cerner.com/org/CernerWorks/KM/Ctrl
Hosted Client guidance on HIPAA Security rule Docs/Documents/Standard_HIPAA_Security_Res
Production requirements and the measures ponse-18WP000010.pdf
Domains taken within its operations to assure
the security and integrity of ePHI.
The reference materials provided
represent a matrix of those
requirements and measures
followed including for relevant
requirements such as transmission
security, system backup, physical
security and other measures.
Middle Tier – Cerner’s middle tier consists of http://www.cerner.com/members/Cerner_3.asp
Ports, services that are configured ?id=25213
Network particular to the ports and protocols
Protocols and Cerner Millennium applications Reference materials on this web page available
Services used make use of for normal operation to on cerner.com cover configuration guidance for
manage requests and replies services related to shared services, print services,
between the end user application MQ and other middle tier components. Within
and the database. Cerner uses a each guide, the system settings for definition of
common service architecture and protocols and minimal privileges for running the
configuration that most application service is addressed.
services share. These services are
configured to use specific ports and http://www.cerner.com/clientresources/cmsgs/d
protocols, and registered recognized etails.aspx?SolnID=267&ReleaseID=5&TypeID=1
services authorized to converse with
the backend. Aside from shared Reference materials on this web page available
services, specific configurations are on cerner.com cover configuration guidance for
used for other services such as application servers that utilize shared services.
multimedia services, print services, Within each guide, the system settings for port
system integration services, medical and privilege requirements are discussed.
device services or drug information
database services. Each of these
services is also configured to use
specific ports and specific protocols.
Middle Tier – Websphere Java Servers are used for WAS v7 Security Guide
Use of application servers within Cerner http://www.redbooks.ibm.com/abstracts/sg2476
WebSphere Millennium. The servers support use 60.html
Java Servers of compliant levels of Secure Socket
Layer (SSL). Specific security WAS v6.1 Security Handbook
materials used for WebSphere Java http://www.redbooks.ibm.com/abstracts/SG246
Servers are available in the 316.html
documents linked to in the
Reference column
Middle Tier – Specific security materials used for WebSphere MQ Security

Use of Websphere MQ which is utilized by http://publib.boulder.ibm.com/infocenter/wmqv
Websphere Cerner Millennium’s application 6/v6r0/topic/com.ibm.mq.csqzas.doc/sy10120_.
MQ services are available in the htm
documents linked to in the
Reference column. MQ supports the Enabling SSL in an existing WebSphere MQ
use of SSL. cluster
http://www.ibm.com/developerworks/webspher
e/library/techarticles/0608_vanstone/0608_vans
tone.html
Planning for SSL on the WebSphere MQ

network
http://www.ibm.com/developerworks/webspher
e/techjournal/0901_mismes/0901_mismes.html
End User Cerner uses Citrix for session Information on the use of Citrix and Security
Computing – management for most purposes for Considerations for Session Management may be
Session front end computing – Citrix enables found at
Management compliant methods of session http://www.cerner.com/members/Cerner_3.asp
encryption leveraging SSL to protect ?id=25232
patient data that is being accessed
and presented within the end user General resource information on the Security
session. capabilities within Citrix may be found at
http://www.citrix.com/English/SS/supportThird.a
sp?slID=162512&tlID=162513
End User For patient data that may be stored Security Considerations for Cerner Millennium
Computing – on mobile or point of care devices Mobile are available in the following link -
Mobile recommended for use with Cerner http://www.cerner.com/members/webfiledownl
Devices Millennium Mobile, the devices oad.asp?
support use of SSL, secure WiFi id=1232&cmsgID=24107&cm_id=A1001001A06B
protocols (especially for WM5+ 15B52404A61421
devices), lockdown menus to
prevent tampering and encryption Security Considerations for use of Wireless Local
of patient data that may be stored Area Networks (WLANs) are covered in the
on the device. That database is following link –
encrypted using a hard coded key
and a GUID that can only be http://krpro01/Action/DocFrame.asp?FN=33174
accessed using the username and
password appropriate for the device
to unencrypt the file that contains
the GUID. AES standard encryption is
used to encrypt.
Removable Cerner does not directly provide Presentation given at the 2008 CHC on
Media guidance for how to make use of encryption of ePHI downloaded to CD (using
removable media for download of Medical Record Publishing) –
ePHI such as to a CD-ROM or to a
thumb drive. Cerner is looking at http://www.cerner.com/public/Cerner_3.asp?
development of guidance in this id=32432
area, but commercially available
packages can be used to encrypt
files stored to removable media with
appropriate password protections to
secure access to the encrypted files.
One such method was presented at
the 2008 Cerner Health Conference
by UPMC which is available in the
Reference Materials column.
System Many backup systems have Materials for Cerner’s Storage System Partners is
Backup encryption capabilities available available through the following link –
provided additional backup
management system modules that http://www.cerner.com/members/Cerner_3.asp
enable encryption are acquired and ?id=26150
placed into use. Cerner provides
access to reference materials from
partners like Veritas and IBM (for
Tivoli Storage Manager) that include
documentation on these features. If
the data backup physically leaves
the data center, Cerner recommends
that clients consider use of
encryption capabilities that may be
present in the storage management
solution. Cerner also emphasizes
appropriate handling of the
encryption keys also be addressed
so that they are readily available in
the case of a restore. Encrypted
backups cannot be restored without
the encryption key. If backups are
stored physically in a secure vault or
storage area within the data center,
Cerner typically recommends that
clients place reliance on the physical
security, least access privileges for
system administrators responsible
for the storage and strong
authentication for access to the
storage vault as the primary means
of securing backups. Encryption may
be considered, but may not be
necessary if the tapes are kept
under a high degree of control such
that theft or loss is strongly
mitigated short of necessitating the
use of encryption.
Image CareAware MultiMedia Archive
Archive (CAMM) is typically contained on a
secure Local Area Network (LAN).
For objects transferred to the
archive, DICOM based storage
supports encryption in transit. For
non-DICOM images, SSL can be
enabled for transactions inbound,
but it is up to the source to send the
image inbound as encrypted. Short
term storage of the images for a
temporary cache is typically on the
client SAN space (see discussion of
SANs below), and not controlled by
CAMM. For permanent storage
within CAMM, the storage is
typically a slower SAN than the
cache, and is not encrypted. For
sending objects to consuming client
applications, if the consuming
application is a Cerner viewer, it has
the ability to be SSL encrypted in
transit. Non-DICOM transmissions
can also use SSL encryption
depending on the consumer
application and how the data is
requested. The object backups are
typically done to tape and backup
SANs via 3rd party technologies such
as TSM. Many of these technologies
support encryption (See SAN
discussion below). Deletions are
made both from the permanent
storage and the cache. For any
entities to communicate with
CAMM, CAMM uses node
configuration or username
configuration, and all
communication is audited.
Business Business Objects is typically

Objects contained on a secure Local Area
(PowerInsight Network (LAN). Business Objects has
) a proprietary security layer for
authentication and authorization.
Business Objects report output is
stored in a Business Objects file type
that is proprietary. These files can
be viewed, but the data is
obfuscated. In addition, Business
Objects can be configured to purge
all reports so that no data is stored
in the report file and forcing the user
to “Refresh on open” which will
apply any extra security applied at
report level and re-run the report.
This alleviates the possibility of a
user opening an existing report and
seeing data from a previous
execution. As for report export
formats that are PDF, Excel, or CSV
files, these would be no different
than controlling a printed report.
For Web services, data can be
cached to speed execution. To
alleviate concerns on the cache, the
option to use cache can be turned
off. Business Objects is planning to
encrypt these cache files in the next
major release (release 4.0) expected
in first half of 2010.
Healthe Hub Cerner’s Healthe Hub supports Information on the connectivity and security for
– Transaction transaction services for HIPAA EDI data communication for HIPAA EDI is covered in
Services standard transactions, for the following
connection to electronic prescribing http://www.cerner.com/members/webfiledownl
networks and for other purposes – oad.asp?
the connections for transacting are id=1232&cmsgID=29981&cm_id=A1001001A07F
protected by use of secure FTP 06B01005D09072
services and by secure network
transmissions using compliant Information on the connectivity and security for
transmission security (e.g. TLS) data communication for electronic prescribing is
covered in the following -
Backend and The backend for Cerner Millennium
Database maintained in Oracle is usually
maintained in a physical computing
environment that is tightly physically
secure, is protected by a dedicated
firewall, protected by network
segmentation, subject to least
access privileges for system
administrators and accessible only
by database servers that transact
only with registered application
servers. At present the backend is
not encrypted. Cerner is considering
capabilities present in Oracle 11 that
would use advanced (Invisible)
encryption which would allow
Cerner Millennium applications to
be able to read the data, but protect
the data from theft or loss (e.g. In
transit to a physically separate
backup storage facility), Cerner is
evaluating this encryption capability
for its impact on system
performance and system use. At
present, no decision has been made
to proceed with acting on use of this
capability. If encryption is utilized in
the SAN (see below), that can serve
to mitigate the need to encrypt the
database itself.
Remote Cerner supports use of fax based Client facing reference materials for the Cerner
Report and transmission in current state Remote Interchange are under development. Materials
Fax Report Distribution (RRD) for for RRD are available at
Distribution distribution of clinical reports, http://www.cerner.com/members/webfiledownl
Services prescriptions and other oad.asp?
communications. The distribution id=1232&cmsgID=29749&cm_id=A1001001A07E
via this means relies on a dedicated 16B23052A98983.
phone line for transmission of a
named file to the remote recipient
device. Cerner is moving away from
this technology to use the Cerner
Interchange as supported by the
Healthe Message Center to provide
a secure transport to send
information outside the provider
entity. The recipient is provided a
web application to access the
distributed material so they can be
printed on demand. The material
that is distributed is secured using
SSL within the Healthe Message
Center’s mail server.
Remote Web Powerchart Outreach is available for Use of SSL by Powerchart Outreach
Access use by community based physicians http://www.cerner.com/members/webfiledownl
and others for access to clinical oad.asp?
information made available via the id=1232&cmsgID=24049&cm_id=A1001001A06J
web. Powerchart Outreach supports 24B34319D37976#d0e1537
use of SSL leveraged through the
Websphere 6.1.x. Information on
this is available through the CMSG
for Powerchart Outreach as noted in
the Reference Materials column.
Downtime Access to ePHI is facilitated through PCLA Reference materials are pending update for
Access Powerchart Local Access (PCLA). For the replacement strategy discussed in the
legacy PCLS, the patient data is previous column.
already encrypted at the desktop. To
be able to access the data, the
password for the view itself must be
broken. The client maintains these
passwords. For 724Access Level 1,
a full copy of the Cerner Cerner
Millennium database is used that is
typically housed in a client data
center or by CernerWorks. The
database itself is not encrypted. For
724Access Level 2 which will be
PCLA’s replacement strategy, the
passwords used to access the
solution will be encrypted. For the
patient data that resides on the PC,
Cerner is rolling out encryption using
FreeOTFE (3rd party software) to
encrypt the data. This is targeted to
start in September 2009. Until that
rollout is available to a given client,
Cerner recommends clients consider
use of hardware based encryption of
the MySQL database on the PC.
Storage Area Cerner does not usually recommend IBM Tivoli Storage Manager (TSM)
Networks encryption within Storage Area TSM feature overview (including security
(SANs) Networks (SANs), but there are features like encryption, data shredding, etc):
encryption technologies both with ftp://ftp.software.ibm.com/common/ssi/pm/sp/
the Storage Area Networks (SAN) n/tsd03066usen/TSD03066USEN.PDF
and Storage arrays to perform
hardware based encryption from TSM administration guide (including detailed
those technologies. Encryption for discussions of the TSM security features):
data at rest in a backend database or http://publib.boulder.ibm.com/infocenter/tsminf
for data in transit for a variety of o/v6/topic/com.ibm.itsm.srv.doc/b_srv_admin_g
uses is available at the SAN switch or uide_aix.pdf
fabric, through storage arrays,
virtual tape libraries and physical Symantec (Veritas) NetBackup
tape libraries and drivers and for NetBackup feature overview:
storage media. SAN/Storage based http://eval.symantec.com/mktginfo/enterprise/f
does not provide end to end act_sheets/b-
encryption but affords protection for netbackup_6.5.4_DS_12995286.en-us.pdf
what is managed within the
SAN/storage zone. For clients who NetBackup Security and Encryption Guide:
would consider use of SAN based http://ftp.support.veritas.com/pub/support/pro
encryption, the management data ducts/NetBackup_Enterprise_Server/290226.pdf
(e.g. passwords, encryption keys,
etc) must be appropriately protected
as well. Most SANs use secure Here are some links/references for the
protocols like HTTPS to SAN/storage paragraph:
administrative management of the
storage system. Proper key SAN Security Links
management allows for NetApp (DeCru) DataFort:
maintenance of the encryption keys http://www.netapp.com/us/products/storage-
and for decrypting of the data as security-systems/datafort/
needed and should be part of any
security management procedures Brocade Encryption SAN Switch:
for the storage system. http://www.brocade.com/products-
solutions/products/switches/product-
details/encryption-switch/index.page
Cisco Storage Media Encryption:

http://www.cisco.com/en/US/prod/collateral/ps
4159/ps6409/ps6028/ps8502/product_data_she
et0900aecd8068ed59.pdf
Storage Array Security Links

IBM DS5000 and DS8000 (encryption performed
at drive level):
http://www.ibm.com/common/ssi/rep_ca/8/897
/ENUS109-188/ENUS109-188.PDF
http://www.seagate.com/docs/pdf/whitepaper/t
p565_drive_trust.pdf
HP XP20000 and XP24000 (encryption performed

at processor level):
http://h71028.www7.hp.com/ERC/downloads/4
AA2-2629ENW.pdf
EMC Symmetrix:
http://www.emc.com/collateral/hardware/data-
sheet/c1005-dmx-series-ds.pdf
Key Management Links

NetApp Lifetime Key Management:
http://www.netapp.com/us/products/storage-
security-systems/lifetime-key/
IBM Tivoli Key Lifecycle Manager:

http://www-
01.ibm.com/software/tivoli/beat/10212008.html
?
ca=tivolid2w&me=web&met=feature&P_Site=cu
rrent
HP StorageWorks Secure Key Manager:

http://h18006.www1.hp.com/products/storagew
orks/secure_key/index.html
CareAware CareAware MDBus stores

MDBus identifiable personal health
information within a database that is
customarily deployed on a private
network for the purpose of
preserving patient to device
associations so that appropriate
associations can be preserved
historically with patient context
enabled. The device specific data
and the patient to device association
are stored in distinct databases. For
data in transit between the device
and the bus, the transport is
protected by SSL 2.0, and any client
application consuming the data
through the bus can be similarly
protected for communication. The
data storage is usually within a
secure LAN protected behind a
dedicated firewall.
Where to Go For More Information or Who to Contact If Interested
The federal guidance as originally issued by HHS may be accessed at
http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/federalregisterbreachrfi.pdf
The updated guidance issued with the DHHS breach notification rule may be accessed at
http://www.federalregister.gov/OFRUpload/OFRData/2009-20169_PI.pdf
If interested in exploring any of the methods of encryption or technical security discussed in this
document, please make contact through your Cerner client relationship executive, Cerner DeviceWorks
contact, technical engagement leader or log a Service Request with Cerner for the appropriate technical
support services area of interest.

Technical Security Measures For Electronic Personal Health Information

Caricato da

Informazioni sul documento

Titolo originale

Copyright

Formati disponibili

Condividi questo documento

Condividi o incorpora il documento

Opzioni di condivisione

Hai trovato utile questo documento?

Questo contenuto è inappropriato?

Copyright:

Formati disponibili

Technical Security Measures For Electronic Personal Health Information

Caricato da

Copyright:

Formati disponibili

DEPARTMENT OF HEALTH AND HUMAN SERVICES GUIDANCE SPECIFYING THE TECHNOLOGIES AND

METHODOLOGIES THAT RENDER PROTECTED HEALTH INFORMATION UNUSABLE, INREADABLE OR

CERNER GUIDANCE AND REFERENCE MATERIALS

AUGUST 28, 2009

The purpose of this document is to provide an outline of technical security capabilities,

Cerner Corporation Confidential Information

 Data in motion (moving through a network including wireless transmission)

A Little Perspective – To Encrypt or Not To Encrypt

Cerner Corporation Confidential Information

(a) If a given addressable implementation specification is determined to be reasonable and

Cerner Corporation Confidential Information

Cerner Guidance and Resources

AREA SUMMARY OF CAPABILITY REFERENCE MATERIALS

Cerner Corporation Confidential Information

Middle Tier – Specific security materials used for WebSphere MQ Security

Planning for SSL on the WebSphere MQ

Cerner Corporation Confidential Information

Business Business Objects is typically

Cerner Corporation Confidential Information

Cisco Storage Media Encryption:

Storage Array Security Links

HP XP20000 and XP24000 (encryption performed

Key Management Links

IBM Tivoli Key Lifecycle Manager:

HP StorageWorks Secure Key Manager:

CareAware CareAware MDBus stores

Where to Go For More Information or Who to Contact If Interested

The federal guidance as originally issued by HHS may be accessed at

Cerner Corporation Confidential Information

Potrebbero piacerti anche