Regulatory Compliance


The Uniquely Secure Application Deployment Solution for HIPAA Covered Entities.

ABSTRACT: This section explains how the Centralized Application Management and Deployment features of WorldExtend® IronDoor™ can help HIPAA Covered Entities meet the numerous burdens imposed by The Health Insurance Portability & Accountability Act of 1996 (HIPAA).

How does WorldExtend IronDoor ease the Implementation of your HIPAA Compliance Strategy?

World Extend IronDoor is an advanced software platform that seamlessly integrates its proprietary application deployment system with Microsoft Terminal Services to deliver fast, simple, and secure access to your information and applications.

It is an extremely reliable, software-only solution that maximizes the capabilities of Terminal Services and offers centralized authentication and access security using LDAP and Windows authentication.

Within minutes centralized applications management and deployment of your server-based applications are fully operational. With IronDoor™ you have the security and power of our proprietary technology, SSL, and Microsoft Terminal Services RDP, to enable any number of users, from anywhere in the world to securely access your mission critical applications and data via your internal network or the Internet.

No additional server-side hardware is required. IronDoor is not a network appliance and does not require any proprietary hardware. It enables instant secure access to your applications from any computer equipped with Microsoft Internet Explorer. IronDoor handles all application processing on a centralized server rather than a user's desktop.

How does IronDoor make your users more efficient?

With IronDoor, every user can work effectively from anywhere. It improves efficiency by allowing users to have a standard, consistent interface with rapid transmission of data over a variety of networks. Management will have the ability to deliver applications, upgrades, files, and information securely to local and remote users.

How does IronDoor help your HIPAA Compliance Team satisfy the primary objectives of HIPAA Legislation Security Standards?

The primary objectives of HIPAA Legislation are:

  • Administrative simplification
  • Reduction of fraud and abuse
  • Comprehensive Audit Capability

IronDoor’s features help you meet the following requirements of the HIPAA Security Standards released in the Final Rule:

  • Information access and control 45CFR Part 164 (SEC 3), Sub-section 308(a)(5)
  • Security configuration management 45CFR Part 164 (SEC 8), 308(a)(8)
  • Audit controls 45CFR Part 164 (SEC 20), Sub-section 308(c)(2)
  • Entity authentication 45CFR Part 164 (SEC 23), Sub-section 308(c)(2)
  • Communications and network controls 45CFR Part 164 (SEC 24), Sub-section 308(d)(1)

HIPAA Requirements for Information and Access Control

HIPAA requires Covered Entities to:

  • Implement consistent access control policies that cover both local and remote users.
  • Privileges must be accountable.
  • Privileges must be modifiable.

With IronDoor, all applications reside on and run from the server. This allows all client machines to be identical. Administrators can provision applications to Users, Groups, and Organizational Units.

The server authenticates users and controls access to their applications, so the server offers the appropriate applications to the client computer based on individual authentications.

IronDoor authenticates valid user IDs for both local and remote users. Administrators can change application access-control parameters in seconds.

IronDoor audit trails track all aspects of access control change, the administrator who made the change, and the time of the change.

HIPAA Requirements for Security Configuration Management

HIPAA requires Covered Entities to: Ensure that changes to the environment are stable.

IronDoor helps ensure consistent software inventory. Administrators add and upgrade software on their servers instead of on individual client terminals. They can monitor real time usage of applications, thus effectively managing software license capacity.

HIPAA Requirements for Audit controls

HIPAA requires Covered Entities to: Provide comprehensive Audit Trails.

IronDoor Administrators can view access to applications, and who uses applications.

HIPAA Requirements for Entity authentication

HIPAA requires Covered Entities to: Ensure the authentic identity of the user.

IronDoor user IDs are password protected, unique identifiers that require authentication by the domain. IronDoor Administrators can force password changes and block access to idle, logged-on users.

HIPAA Requirements for Communication and Network Controls

HIPAA requires Covered Entities to: Take reasonable steps to secure protected health information that is traveling the network.

The combination of IronDoor’s proprietary technology,  SSL, and Microsoft Terminal Services RDP encrypts the data on your network. The following table will help define the features of IronDoor and their specific application to HIPAA 45CFR Part 164 of the Security Rule.
Information Access and Control

ACCESS AUTHORIZATION

Security Standard Description

5.11

Computer systems are subject to the same access authorization policies.

Since applications run on the server, all client systems can be consistent.

5.12

Access control policy must address local and remote access.

IronDoor authenticates all users.

5.13

A policy and process must be in place for revoking authorization.

Administrators have full access control.

ACCESS ESTABLISHMENT

5.15

Accountability for access authorization and establishment must be available for each data system.

IronDoor keeps an audit trail of all changes to the network, or to access privileges. This audit trail includes the access control change, the administrator who made the change, and the time when change occurred.

ACCESS MODIFICATION

5.18

There must be policies and procedures in place for access modification of job status.

Administrators can change access control to applications.

5.18.1

There must be policies and procedures in place for access modification of job transfers.

Administrators can change access control to applications based on Groups and Organizational Units.

5.18.2

There must be policies and procedures in place for access modification of job termination.

Administrators can delete users from the system in seconds.

5.18.3

There must be policies and procedures in place for access modification of other job changes.

Administrators can change access control to applications based on Groups, Organizational Units, and Users.

Security information management

ACCESS AUTHORIZATION

8.1.2

A change control methodology for software is required.

Administrators have control over software applications from the server.

8.12

There needs to be policies and procedures for tracking acquisition of software.

Software licenses can be managed/audited by the administrator.

Audit Control

20.4.2

Assigning and changing of privileges must be audited.

Administrators can view who has access to applications, as well as who has been using applications. Administrators can recognize privilege assignment and modification, software addition, and application access.

20.4.3

Installation, maintenance, and changing of software must be audited.

Administrators can recognize privilege assignment and modification, software addition, and application access.

20.4.7

Individual user access to protected health information must be audited.

Administrators can recognize privilege assignment and modification, software addition, and application access.

20.6

Log Data must be available over time.

This audit log is available until the administrator purges information.

20.7

Log Data must be available until no longer necessary.

This audit log is available until the administrator purges information.

20.8

Appropriate personnel must have access to log data.

Only administrators have access to the logged data.

Entity authentication

23.1.1

The system should have an automatic logoff feature.

IronDoor has an automatic Logoff feature.

23.1.2

Users should have a unique ID.

Each user is a unique user.

23.1.4

Users should have a password.

Each user has a password.

23.7

Authentication must also apply to contractors.

Each user has a password.

23.8

Passwords should be changed periodically.

Users can have their passwords set to expire.

Communications and network controls

24.1.3.1

Sensitive data should be protected whether it is inside or outside the network.

Administrators can: encrypt all sensitive data, encrypt the Terminal Server protocol using the Microsoft RDP encryption, encrypt the local file and print redirection using the encryption algorithm, and encrypt access control via the Web browser using SSL.

24.1.3.2

All sensitive data should be encrypted.

Administrators can: encrypt all sensitive data, encrypt the Terminal Server protocol using the Microsoft RDP encryption, encrypt the local file and print redirection using the encryption algorithm, and encrypt access control via the Web browser using SSL.

24.2.2

An Audit trail needs to be available.

Administrators can recognize privilege assignment and modification, software addition, and application access.

24.2.3

There must be a way to irrefutably identify authorized users.

User IDs are unique, password protected, and authenticated by the domain.



FIPS Compliance

The Uniquely Secure Application Deployment Solution for FIPS Covered Entities.

ABSTRACT: This section explains how the Centralized Application Management and Deployment features of WorldExtend IronDoor conforms to the Federal Information Processing Standards (FIPS) to meet compelling Federal government requirements such as for security and interoperability.

What is the Federal Information Processing Standard (FIPS)?

The Federal Information Processing Standard 140-1 (FIPS 140-1) and its successor FIPS 140-2 specify the best practices for implementing crypto algorithms, handling key material and data buffers, and working with the operating system.

An evaluation process that is administered by National Institute of Standards and Technology's (NIST) Cryptographic Module Validation (CMV) Program allows encryption product vendors to demonstrate the extent to which they comply with the standards, and thus the trustworthiness of their implementations.

Some US Government agencies purchase only FIPS 140-1 or FIPS 140-2 evaluated encryption products. However, the security community at large values products that have completed this evaluation, as it carries the imprimatur of an independent third party.

While NIST CMV accepts validation test reports for cryptographic modules against only FIPS 140-2 as of May 26, 2002, it states on the CMV program web page that “agencies may continue to purchase, retain and use FIPS 140-1 validated products after May 25, 2002”.

The major focus of the NIST activities in information technology is to develop tests, measurements, proofs of concept, reference data and other technical tools to create standards and guidelines that support and encourage the development of pivotal, forward-looking technology for Federal computer systems including:

  • Those needed to assure the cost-effective security and privacy of sensitive information in Federal computer systems.
  • When there are compelling Federal requirements and there are no existing voluntary industry standards.

How does IronDoor help your Compliance Team satisfy the primary objectives of the Federal Information Processing Standards (FIPS)?

All of the IronDoor components in the most basic terms run in unison with Microsoft's Terminal Services, Remote Desktop Protocol (RDP), Internet Information Services (IIS) and Windows in its varies forms (98, NT, 2000, XP, etc.) which have all been approved and certified as FIPS compliant.

The following sections give detailed information on how IronDoor combined with Microsoft technologies are FIPS compliant and explains what steps Microsoft has taken and will continue to take to comply with US Government standards for implementing cryptographic software.

How does IronDoor ease the Implementation of your FIPS Compliance Strategy?

IronDoor is an advanced software platform that seamlessly integrates its proprietary application deployment system with Microsoft Terminal Services to deliver fast, simple, and secure access to your information and applications.

IronDoor is an extremely reliable, software-only solution that maximizes the capabilities of Terminal Services. IronDoor’s centralized authentication offers access security using LDAP and Windows authentication.
Within minutes IronDoor’s centralized applications management and deployment of your server-based applications are fully operational.

With the combination of IronDoor’s proprietary technology, SSL, and Microsoft Terminal Services RDP, you can now enable any number of users, from anywhere in the world to securely access your mission critical applications and data via your internal network or the Internet.

No additional server-side hardware is required. IronDoor is not a network appliance and does not require any proprietary hardware.

IronDoor enables instant secure access to your applications from any computer equipped with Microsoft Internet Explorer.

IronDoor’s application deployment system handles all application processing on a centralized server rather than a user's desktop.

How does IronDoor make your users more efficient?

With IronDoor, every user can work effectively from anywhere. IronDoor improves efficiency by allowing users to have a standard, consistent interface with rapid transmission of data over a variety of networks. Management will have the ability to deliver applications, upgrades, files, and information securely to local and remote users.

Microsoft FIPS Compliance Efforts

Microsoft intends to submit cryptographic modules shipping with future Windows Operating System platforms for validation testing against FIPS 140-2. Microsoft also intends to maintain the FIPS 140-1 or FIPS 140-2 (as appropriate) validation status of cryptographic modules already shipped with Windows XP and Windows Server 2003 via their service packs (which may require updates of the cryptographic modules, where necessary).

Four Microsoft cryptographic software components have completed the US Government FIPS 140-1 or FIPS 140-2 (as appropriate) evaluation process. These components are in turn used by a variety of Microsoft products running on a variety of operating system platforms. The Microsoft cryptographic software components, that have completed FIPS-140-1 or FIPS 140-2 (as appropriate) evaluation, are

  • The two Microsoft default cryptographic services providers (CSPs)
  • The Windows Kernel Mode Cryptographic Module
  • The Exchange Cryptographic Services provider (CSP)

Microsoft Cryptographic Components

These evaluated components provide the cryptographic services that are used to secure a variety of protocols across a number of Microsoft products. The products that incorporate these components include the following:

  • Windows 98 (default CSPs)
  • Windows NT Version 4.0 (default CSPs)
  • Windows NT Version 4.0 (default CSPs)
  • Windows XP (default CSPs and Kernel Mode Cryptographic Module)
  • Windows Server 2003 (default CSPs and Kernel Mode Cryptographic Module)
  • Internet Explorer when running as a component of Windows 98, Windows NT Version 4.0, Windows 2000, Windows XP, Windows Server 2003
  • Internet Information Server Versions 4, 5, and 6
  • Microsoft Outlook using the Exchange Cryptographic Services provider when running on Windows 98, Windows NT Version 4.0, Windows 2000, or Windows XP operating systems
  • Windows 2000 and Windows Server 2003 Public Key Certificate Server
  • Live Communications Server 2005 and Windows Messenger 5.1 use the Windows platform FIPS-140 compliant TLS/SSL Security Provider for communication security (i.e. encryption, decryption, and authentication)
  • .NET Framework using the DESCryptoServiceProvider, TripleDESCryptoServiceProvider, SHA1CryptoServiceProvider, RSACryptoServiceProvider, DSACryptoServiceProvider, and RNGCryptoServiceProvider classes as they simple redirect of the caller requests to the Windows Platform FIPS-140 validated crypto modules

Microsoft Cryptographic Protocols

The protocols whose cryptographic processing takes advantage of the components that have completed FIPS-140-1 or FIPS 140-2 (as appropriate) evaluation include:

  • The IETF RFC 2246 Transport Layer Security (TLS) protocol that is used between web browser (Internet Explorer) and web server (Internet Information Server);
  • The IPSEC family of protocols that may be used for IETF standard end-to-end encryption with Windows 2000, XP, or Server 2003 systems, which includes
    • L2TP/IPSec VPN client and server for remote access,
    • L2TP/IPSec tunnels for gateway-to-gateway VPN connections, and
    • IPSec Tunnels for gateway-to-gateway VPN connections;
  • The S/MIME email encryption protocol that may be used to protect the confidentiality and integrity of email messages;
  • The SQL TDS (Tabular Data Stream) protocol that is used with the Windows TLS/SSL Security Provider between SQL clients and SQL SERVER 2000 or above;
  • The Microsoft Remote Desktop Protocol (RDP) 5.2 (or above) of Terminal Service Client (available from Windows Server 2003) running on a Windows XP (or above) machine, connecting to a Terminal Server session on a Windows 2003 Server that is configured for FIPS-compatible encryption;
  • The SMS 2003 SP1 Management Protocol between SMS Advanced Clients running on Windows 2000 SP2 or above and SMS Management Point Servers running on Windows 2000 SP3 or above in deployment environments that use Windows Active Directory for public key certificates repository and look up;

In Windows XP and later product releases (including Windows Server 2003), a new Group Policy managed security option called “system cryptography: Use FIPS compliant algorithms for encryption” is provided so that administrators will have an easier way to configure specific Windows XP protocol services for FIPS 140 compliance.

Microsoft User Mode CSPs

The evaluated User Mode CSPs can be invoked via standard Windows APIs (CryptoAPI). Thus, third party and end-user developed software that requires cryptographic services can call on the services provided by the FIPS-140-1 or FIPS 140-2 (as appropriate) User Mode CSPs in the operating systems. Components of Windows such as the Windows 2000, Windows XP, or Windows Server 2003 data protection API also use FIPS-140-1 or FIPS 140-2 (as appropriate) evaluated CSPs to protect private keys; for example, the Windows 2000, XP, or Server 2003 Encrypting File System (EFS) uses evaluated CSPs to protect file encryption keys that are included in the EFS data decryption and data recovery fields.

Both IPSEC and EFS in Windows 2000, XP, and Server 2003 use the FIPS-140-1 or FIPS 140-2 (as appropriate) evaluated Kernel Mode Cryptographic Module to encrypt the traffic packet data and file contents respectively if configured appropriately with the selections of FIPS compliant algorithms. The officially assigned numbers of the FIPS 140 certificates that have been awarded to Microsoft are 60, 68, 75, 76, 103, 106, 110, 238, 240, 241, 381, 382, 405.

The following table lists supported and FIPS-validated cryptographic algorithm implementations on Microsoft Windows OS Platforms.

FIPS-46-3
DES
(ECB, CBC)

Windows NT4, 2000, XP, Server 2003 rsaenh.dll and dssenh.dll, Windows 2000, XP, Server 2003 fips.sys

FIPS-46-3
3DES
(ECB, CBC)

Windows NT4, 2000, XP, Server 2003 rsaenh.dll and dssenh.dll, Windows 2000, XP, Server 2003 fips.sys

FIPS-197
AES-128, -192, -256
(ECB, CBC)

Windows XP SP1, Windows Server 2003 rsaenh.dll

FIPS-186-2
DSA

Windows NT4, 2000, XP, Server 2003 dssenh.dll

FIPS-186-2
RSA

Windows NT4, 2000, XP, Server 2003 rsaenh.dll

FIPS-180-2
SHA-1

Windows NT4, 2000, XP, Server 2003 rsaenh.dll and dssenh.dll, Windows 2000, XP, Server 2003 fips.sys

FIPS-198
HMAC-SHA-1

Windows XP, Server 2003 rsaenh.dll, Windows XP, Server 2003 fips.sys