Passport OneSource - Security Guide
OneSource Security Model
The OneSource security model consists of four elements: 1) network
firewall, 2) encryption, 3) authentication, and 4) access control lists.
Firewall
Passport uses industry-standard firewall protection and monitoring, which
provide a broad range of security services that govern access to network
resources and protect those resources from both internal and external
threats.
Encryption
OneSource uses the Secure Sockets Layer (SSL) protocol. SSL is a program
layer created by Netscape for managing the security of message
transmissions in a network. The primary goal of the SSL Protocol is to
provide privacy and reliability between two communicating applications.
The SSL protocol provides connection security that is private, can be
authenticated using asymmetric or public key cryptography, and is
reliable.
SSL encryption is used for any data being transferred between the
Passport system and the users. This encryption means that, should any
person intercept this data, it will be unreadable and cannot be decoded
without the proper “keys”. Passport is able to restrict access to only
those clients with 128-bit browsers, on a payer-by-payer basis.
Authentication
Two authentication methods exist for OneSource. The preferred and most
prevalent method is username and password. Clients already connected to
a corporate network or intranet can also have that network pass
authentication information to Passport, so the user only has to be
authenticated once.
Username / Password
OneSource can use usernames and passwords to authenticate users.
OneSource users are required to change their passwords every 90 days.
OneSource employs a “three strikes you’re out” methodology for failed
username / password attempts. If a user fails to provide the correct
password in three attempts, that username will be locked out of
OneSource until the customer support staff has been notified and assigns
the user a new password. When username / password authentication is
used, users are logged out after two hours of inactivity and required to
log in again after twelve hours regardless of activity.
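The password and session rules above, sketched as an added example (not
Passport's code). The Account record and function names are hypothetical;
resetting the failure counter on a successful login and treating each
limit as inclusive are assumptions the guide does not state.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Values stated in the policy above.
MAX_FAILED_ATTEMPTS = 3
PASSWORD_MAX_AGE = timedelta(days=90)
IDLE_TIMEOUT = timedelta(hours=2)
ABSOLUTE_TIMEOUT = timedelta(hours=12)


@dataclass
class Account:                      # hypothetical record, not a OneSource type
    password_set_at: datetime
    failed_attempts: int = 0
    locked: bool = False


def record_login(account, password_ok, now):
    """Return 'locked', 'denied', 'change_password' or 'ok' for one attempt."""
    if account.locked:
        return "locked"             # a correct password does not unlock
    if not password_ok:
        account.failed_attempts += 1
        if account.failed_attempts >= MAX_FAILED_ATTEMPTS:
            account.locked = True
            return "locked"
        return "denied"
    account.failed_attempts = 0     # assumption: success clears the strikes
    if now - account.password_set_at >= PASSWORD_MAX_AGE:
        return "change_password"
    return "ok"


def support_reset(account, now):
    """Support assigns a new password: unlock and restart the 90-day clock."""
    account.locked = False
    account.failed_attempts = 0
    account.password_set_at = now


def session_state(logged_in_at, last_activity_at, now):
    """Apply both timers; activity resets the idle timer, never the 12 h cap."""
    if now - logged_in_at >= ABSOLUTE_TIMEOUT:
        return "expired_absolute"
    if now - last_activity_at >= IDLE_TIMEOUT:
        return "expired_idle"
    return "active"
```

The absolute limit is measured from login time only, so a continuously
active session still ends at twelve hours.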
Corporate Network or Intranet Authentication
We recommend this authentication method for clients that have a large
number of users who are already connected on a corporate network or
intranet since it may be possible to utilize pass-through authentication
to transmit authentication information to Passport transparently,
network to network. This way the user only logs in to the local network
once and then can access Passport from the local network or intranet.
Passport has experience utilizing secure, industry-standard tools to
accomplish the pass-through authentication. Minimal programming is
required, but our technical staff is available to assist with
implementation.
For more information on this option, contact the Passport sales
representative.
Access Control Lists
OneSource establishes security and access control using its Membership
Manager component. When a user makes an inquiry request, OneSource
accesses the Membership Manager to determine whether the requestor has
been granted permission to that particular data or functionality. The
user is only allowed to see and access the data and functions set up
through the Membership Manager by Passport administration.
HCFA Internet Security Compliance Statement
The Passport OneSource security model meets the Centers for Medicaid and
Medicare Services (formerly Healthcare Finance and Administration (HCFA))
policy governing communications of Privacy Act-protected and other
sensitive HCFA information over the Internet as defined in the document
titled HCFA INTERNET SECURITY POLICY dated November 24, 1998.
The policy states in Section 7, Paragraph 8, “In summary, a complete
Internet communications implementation must include adequate encryption,
employment of authentication or identification of communications
partners, and a management scheme to incorporate effective password/key
management systems”. OneSource addresses each of these areas as outlined
below.
Encryption is the organized scrambling of data to avoid inappropriate
disclosure or modification. For this requirement, OneSource uses
software-based encryption, specifically Secure Sockets Layer (SSL),
version 3.0 (Section 7, Option 2 under ACCEPTABLE ENCRYPTION
APPROACHES). Passport is able to restrict access to only those clients
with 128-bit browsers, on a payer-by-payer basis.
Authentication or identification technologies allow users to prove they
are who they say they are. For most clients, OneSource uses
locally-managed digital certificates (Section 7, Option 2 under
ACCEPTABLE AUTHENTICATION APPROACHES) for authentication. For the
remaining clients, the identification of the user is verified
telephonically before a password is issued (Section 7, Option 1 under
ACCEPTABLE IDENTIFICATION APPROACHES). Passwords transmitted over the
Internet are encrypted (Section 7, Option 4 under ACCEPTABLE
AUTHENTICATION APPROACHES).
Physical Security
The data center at Passport, which houses the hardware that runs
OneSource, is secured by a locked door accessible through a combination
keypad. Only authorized data center employees are allowed to access the
data center.
Explanation of IP Restrictions
To improve our ability to protect sensitive healthcare information,
Passport is beginning to require verification of a user’s Internet
Protocol (IP) address before adding Client Administrator permission.
Restricting access by IP address limits access to employees logged into
your internal network and blocks users from accessing this data from
their home computers or from PCs not associated with a specific facility
network.
Since our customers typically work in a network environment and access
the Internet with *NAT'd or static IP addresses, we can use that range
of IP addresses from the hospital's network as validation at our
firewall. For example, your hospital may use a range of IP addresses to
access the Internet from 192.111.111.1 to 192.111.111.228. This
information can be obtained from your network administrators. They can
contact us with any questions related to this change.
*Network Address Translation (NAT) is a way to map an entire network
(or networks) to a single IP address. NAT is necessary when the number
of IP addresses assigned to you by your Internet Service Provider is
less than the total number of computers that you wish to provide
Internet access for. Typically, your internal network will be set up to
use one or more of these network blocks. They are:
10.0.0.0/8 (10.0.0.0 - 10.255.255.255)
172.16.0.0/12 (172.16.0.0 - 172.31.255.255)
192.168.0.0/16 (192.168.0.0 - 192.168.255.255)
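An added example (not Passport's code) of how a submitted address range
can be checked and applied, using the sample range from the text. The
function names are hypothetical. It rejects ranges that fall inside the
private blocks listed above, because those addresses are not routed on
the Internet: a remote firewall sees only the translated public address.

```python
import ipaddress

# Private blocks from the NAT note above; they never arrive as a source
# address at a remote firewall, so allowlisting them there has no effect.
PRIVATE_BLOCKS = [ipaddress.ip_network(n) for n in
                  ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def range_to_cidrs(first, last):
    """Convert an inclusive first-last IPv4 range into the minimal CIDR list."""
    start = ipaddress.IPv4Address(first)   # raises ValueError on bad input
    end = ipaddress.IPv4Address(last)
    if start > end:
        raise ValueError("range start is above range end")
    return list(ipaddress.summarize_address_range(start, end))


def validate_submitted_range(first, last):
    """Reject ranges that overlap private space; return the CIDRs otherwise."""
    cidrs = range_to_cidrs(first, last)
    for net in cidrs:
        for private in PRIVATE_BLOCKS:
            if net.overlaps(private):
                raise ValueError(f"{net} is internal (inside {private}); "
                                 "submit the public NAT or static address")
    return cidrs


def is_allowed(source_ip, cidrs):
    """True when a connection's source address falls inside the allowlist."""
    addr = ipaddress.IPv4Address(source_ip)
    return any(addr in net for net in cidrs)


if __name__ == "__main__":
    # Sample range from the text; the probe addresses are constructed.
    allow = validate_submitted_range("192.111.111.1", "192.111.111.228")
    print([str(n) for n in allow])
    for ip in ("192.111.111.57", "192.111.111.229", "203.0.113.9"):
        print(ip, is_allowed(ip, allow))
```

A range that does not start and end on block boundaries expands to
several CIDR entries, so a rule built from one rounded-up /24 would admit
addresses outside what was submitted.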