wanghaisheng opened this issue 9 years ago (status: Open)
Security Questionnaire V5
Instructions:
This questionnaire is used to evaluate the technical security of your component or product. Please complete and return the form to applicationsecurity@allscripts.com. Once the Application Security team has given your integration’s security a passing grade, the Security team will write SECURITY APPROVES at the top of this document. At that point, please send proof of your passing grade to the Developer Support Team by forwarding this updated Security Questionnaire from the Security team, together with all of the other documentation required to begin OpenQA testing, to ADP-DeveloperSupport@allscripts.com.
This is a blanket security questionnaire. If a question does not apply to you, please answer “NA” (not applicable). If you have any comments or additional information not contained within this questionnaire, please use the comments section.
Please attach the following documents along with the completed questionnaire:
• Use case diagram
• Sequence flow diagram
Provide a high-level overview of the application.
Authentication
1. Is a username & password required for user access?
Threshold: Users are required to login with a unique account before accessing PHI.
Expectation: Users are required to login with a unique account before accessing PHI.
2. Are the usernames and passwords encrypted in motion?
Threshold: Data in motion across a public network (e.g., the Internet) must be encrypted using SSL/TLS, VPN, or message level encryption.
Expectation: All data in motion is encrypted using SSL/TLS or VPN.
3. Are usernames and passwords ever persisted? If so, how are they stored? Are they encrypted?
Threshold: Never stored or, if stored, encrypted using AES 256.
Expectation: Never stored or, if stored, encrypted using AES 256.
4. Is the username password unique for each user, including support & admin users?
Threshold: Each user who accesses PHI has a unique login.
Expectation: Each user who accesses PHI has a unique login.
5. Describe any service accounts used in the application.
Authorization
6. Describe the user authorization handled at the application level (e.g., roles, permissions, claims, etc.).
7. Please list the Unity/Helios/AWS services that the ADP application will be calling.
Data Protection
8a. Is PHI persisted in any of the following contexts? If so, please describe how it is stored and how it is protected.
On an end-user device (e.g., workstation, laptop, mobile device)?
Threshold: Not stored or, if stored, encrypted.
Expectation: Not stored or, if stored, encrypted.
8b. In a database on a server?
Threshold: Sensitive data such as passwords stored encrypted.
Expectation: PHI stored encrypted.
8c. In other data stores on a server (e.g., flat files)?
Threshold: Not stored or, if stored, encrypted.
Expectation: Not stored or, if stored, encrypted.
9. If data is in motion over a public network (e.g., Internet, cellular carrier network), PHI must be encrypted. When data traverses a public network, please describe the type of encryption used.
Threshold: AES 128 or better (for encryption), SHA-2 w/ salt (for hashing).
Expectation: AES 256 (for encryption), SHA-2 w/ salt w/ multiple iterations (for hashing).
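As an added illustration of the hashing expectation above (example code, not part of the Allscripts questionnaire): salted, iterated SHA-2 via PBKDF2-HMAC-SHA256, with the per-user salt and iteration count stored beside the digest so the policy can be raised later without resetting passwords. The 16-byte salt, the 600,000 iterations and the record format are assumptions.

```python
import hashlib
import hmac
import os

# Assumed parameters, not values from the questionnaire: SHA-256 as the
# SHA-2 member, a 16-byte per-user random salt and 600,000 PBKDF2 iterations.
HASH_ALGO = "sha256"
SALT_BYTES = 16
ITERATIONS = 600_000


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: pbkdf2_<algo>$<iterations>$<salt>$<digest>.

    Keeping salt and iteration count next to the digest lets verification
    recompute the hash and lets the iteration policy be raised later.
    """
    salt = os.urandom(SALT_BYTES)  # fresh per record, never shared between users
    digest = hashlib.pbkdf2_hmac(HASH_ALGO, password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_{HASH_ALGO}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt/iterations; fail closed on malformed input."""
    try:
        scheme, iters, salt_hex, digest_hex = record.split("$")
        kdf, _, algo = scheme.partition("_")
        iterations = int(iters)
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
    except ValueError:
        return False
    if kdf != "pbkdf2" or algo not in ("sha256", "sha512") or iterations < 1:
        return False
    actual = hashlib.pbkdf2_hmac(algo, password.encode("utf-8"), salt, iterations)
    # Constant-time comparison so timing does not reveal how many bytes matched.
    return hmac.compare_digest(actual, expected)


def needs_rehash(record: str, min_iterations: int = ITERATIONS) -> bool:
    """True when a stored record falls below the current iteration policy."""
    parts = record.split("$")
    try:
        return len(parts) != 4 or int(parts[1]) < min_iterations
    except ValueError:
        return True
```

Call needs_rehash at login time so that records created under an older, weaker policy are re-hashed while the plaintext is briefly available.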
10. Where the application is using encryption, please describe your key management strategy. Please include:
• Key generation
Threshold: Randomly generated.
Expectation: Generated in accordance with NIST 800-133.
• Key distribution
Threshold: Distributed through secure means.
Expectation: Distributed through secure means.
• Are keys unique per client?
Threshold: Unique keys per client.
Expectation: Unique keys per client.
• How are keys stored?
Threshold: Stored securely (e.g., the Windows certificate store or in an HSM).
Expectation: Stored securely (e.g., the Windows certificate store or in an HSM).
• How often are keys rotated?
Threshold: Every two years.
Expectation: Annually.
• Key revocation
Threshold: A secure revocation mechanism exists.
Expectation: A secure revocation mechanism exists.
11. Is encryption configurable for data traversing an internal network?
Threshold: Configurable encryption (e.g., SSL).
Expectation: Configurable encryption (e.g., SSL).
Auditing
12. Please list the events that trigger an audit record.
Threshold: Create, read, update, delete, copy, and print operations on PHI.
Expectation: Create, read, update, delete, copy, and print operations on PHI; failed authentication & authorization attempts; update & delete operations on the audit trail; break glass events; prescription events; administrative functions such as creating new users; and system configuration events.
13. What data is captured in an audit log entry?
Threshold: Date, time, user ID, patient ID, action, and type of data affected.
Expectation: Date, time, user ID, patient ID, action, and type of data affected.
14. Can users generate an audit report of system activities?
Threshold: Users can generate reports that are sortable by date, time, user ID, patient ID, action, and type of data.
Expectation: Users can generate reports that are sortable by date, time, user ID, patient ID, action, and type of data.
15. Does the application store identifiable PHI values (e.g., patient name, SSN, etc.) in the audit trail?
Threshold: No identifiable PHI values are stored in the audit trail.
Expectation: No identifiable PHI values are stored in the audit trail.
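An added example (not from the questionnaire) of how questions 12, 13 and 15 can be enforced in code: every audit entry must carry the threshold fields, the action must be one of the audited events, and no identifiable PHI may reach the trail. The field names, the spellings of the expectation-level events, the forbidden-field list and the SSN pattern are assumptions.

```python
import re
from datetime import datetime, timezone
from typing import Optional

# Fields the threshold requires in every entry (question 13); names are assumed.
REQUIRED_FIELDS = ("date", "time", "user_id", "patient_id", "action", "data_type")
# Events that must be audited (question 12); threshold set plus assumed spellings
# of the expectation-level events.
THRESHOLD_ACTIONS = {"create", "read", "update", "delete", "copy", "print"}
EXPECTATION_ACTIONS = THRESHOLD_ACTIONS | {
    "auth_failure", "authz_failure", "audit_update", "audit_delete",
    "break_glass", "prescription", "user_create", "config_change",
}
# Assumed checks for identifiable PHI that must stay out of the trail (question 15).
FORBIDDEN_FIELDS = {"patient_name", "ssn", "dob", "address"}
SSN_PATTERN = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


class AuditError(ValueError):
    """Raised when an entry would violate the audit requirements."""


def validate_audit_entry(entry: dict) -> bool:
    missing = [f for f in REQUIRED_FIELDS if not entry.get(f)]
    if missing:
        raise AuditError(f"missing required fields: {missing}")
    if entry["action"] not in EXPECTATION_ACTIONS:
        raise AuditError(f"unknown audited action: {entry['action']!r}")
    leaked = FORBIDDEN_FIELDS & set(entry)
    if leaked:
        raise AuditError(f"identifiable PHI fields in audit entry: {sorted(leaked)}")
    for key, value in entry.items():  # catch PHI smuggled inside free-text values
        if isinstance(value, str) and SSN_PATTERN.search(value):
            raise AuditError(f"SSN-like value in field {key!r}")
    return True


def make_audit_entry(user_id: str, patient_id: str, action: str,
                     data_type: str, when: Optional[datetime] = None) -> dict:
    """Build an entry from opaque identifiers only, then validate it."""
    when = when or datetime.now(timezone.utc)
    entry = {
        "date": when.date().isoformat(),
        "time": when.time().isoformat(timespec="seconds"),
        "user_id": user_id, "patient_id": patient_id,
        "action": action.lower(), "data_type": data_type,
    }
    validate_audit_entry(entry)
    return entry
```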
16. Are you relying on Unity/Helios/AWS or our application to do the auditing?
17. Do you track accounting of disclosures?
18. Does your application send PHI collected from an Allscripts system to another 3rd party system? If so, please list them.
Inactivity and Other Access
19. Does the application have an inactivity timeout? If so, what is the default timeout?
Threshold: The application has an inactivity timeout.
Expectation: The application has a configurable inactivity timeout that has a default of 20 minutes or less.
20. Does the application support a break glass feature?
Threshold: Many applications will rely on the EHR to provide break glass features. If supported, break glass must be implemented securely, e.g., break glass is an assigned right that is only given to certain users, and an audit entry is created for each break glass event.
Expectation: Same as threshold.
SDLC
21. Please describe your secure software development lifecycle.
Threshold: A secure software development lifecycle exists and is followed.
Expectation: A secure software development lifecycle exists and is followed. It was developed based on industry standards, and metrics are collected and tracked for performance.
22. Has the application undergone any vulnerability testing? Does Allscripts have access to the reports and/or executive summaries?
Threshold: Vulnerability testing performed using a reputable third party.
Expectation: Vulnerability testing performed using a reputable third party. Vulnerability testing includes testing against vulnerabilities at different levels, e.g., code-level vulnerabilities (static analysis scans) and design-level vulnerabilities (penetration testing).
23. Please describe your strategy for mitigating risks from:
a. SQL injection
b. Cross-site scripting
c. Parameter manipulation
d. OS command injection
e. Path manipulation
f. XML/XPath injection
g. Open redirects
h. Forced browsing
i. Buffer overflows
24. Does the application contain any third party components? If so, please list them.
25. Does the application contain any open source components? If so, please list them.
Comments
http://developer.allscripts.com/files/DA/3rd-Party-Security-Questions-v5-template.docx