Implement technical policies and procedures for
electronic information systems that maintain
electronic protected health information to allow
access only to those persons or software programs
that have been granted access rights as specified
in ? 164.308(a)(4).
Under the heading of Access Controls, the
HIPAA security regulation lists the following
- Unique User Identification (Required)
- Emergency Access Procedure (Required)
- Automatic Logoff (Addressable)
- Encryption and Decryption (Addressable)
Together, these four implementation specifications
define the access control requirements for
HIPAA-compliant environments. The following
sections discuss these specifications in more detail.
Unique User Identification (Required)
Assign a unique name and/or number for
identifying and tracking user identity.
As computer networks have matured over the
last twenty years, ever more complex network
services and data are being customized and delivered
based on user identity. For this reason, ?identity?
is the core of Novell's product and solution
strategy. As the world's leading directory solution,
Novell eDirectory (http://www.novell.com/
edirectory/) provides an unsurpassed identity
store and foundation for providing identityrelated
Novell eDirectory functions as the authoritative
source for identity information. GroupWise
leverages eDirectory to provide globally unique
identifiers for each user of the e-mail and
collaboration system. eDirectory uses a
combination of User ID and Context, or location
within the directory tree, to create a globally
unique ID whereby each object can be addressed
within the system. This naming convention is
based on X.500 standards, and leaves GroupWise
free to focus on those tasks that relate directly
to the e-mail and collaboration environment.
With an authoritative identity source in place,
the next logical consideration is securing that
identity against capture or use by unauthorized
individuals. GroupWise provides multiple
protections against such eventualities:
- Guaranteed Identity. GroupWise automatically
synchronizes certain eDirectory identity
information to its own databases where it
is optimized for consumption in the e-mail
environment. Similar to eDirectory, GroupWise
maintains a globally unique ?Full Name? for
each e-mail user based on User ID and Context
(for example, jharris.PostOffice1.NovellDomain).
However, this unique global ID does not
guarantee a unique User ID. For example,
the identical User ID of ?jharris? could exist
on two different Post Offices.
While identical User IDs don't matter
within the GroupWise environment, they can
cause difficulty when interacting with external
e-mail systems. For this reason, GroupWise
6.5 offers the Internet Addressing feature.
When activated, the ?create user? function
in GroupWise performs a check of the system
to make sure that the user's e-mail identity
- Identity by eDirectory. By default, GroupWise
maintains its own password environment that
can be managed separately from eDirectory.
However, the LDAP authentication option
allows GroupWise to leverage eDirectory's
authentication environment; thereby
permitting an organization to use eDirectory
account management processes?including
forced password and password management
features?to protect GroupWise.
Additionally, GroupWise lets administrators
offer single sign-on to users who authenticate
through eDirectory. Administrators can also
set a system-wide default password for
all new GroupWise accounts to prevent
unprotected accounts from being created.
- High/Low Security Setting. GroupWise
includes two security settings: low and high.
The Low setting, enabled by default, does not
protect accounts that do not have passwords.
By using the well-known command line
switch: ?/@U?<User ID>,? accounts without
passwords are freely accessible to anyone
who knows the User ID.
The High security setting prevents a user
from accessing a GroupWise account unless
their authenticated eDirectory ID matches the
GroupWise account ID they are attempting to
access. If the user's eDirectory ID and the
GroupWise account's User ID do not match,
the user must provide the password to the
- Secure Authentication. All authentication
operations between the GroupWise client
and the GroupWise Post Office are encrypted
with a proprietary encryption. This makes it
extremely difficult to intercept authentication
credentials en route. GroupWise also supports
128-bit SSL encryption for both intra- and
All message stores, including caching or
remote data stores, are similarly encrypted
so that messages cannot be read outside the
- Novell Modular Authentication Service
(NMAS). If username/password authentication
doesn't provide the assurance that a
covered entity wants, Novell offers NMAS
(http://www.novell.com/nmas/). NMAS extends
the eDirectory authentication mechanism to
support more secure authentication methods
such as digital certificates, smart cards,
and biometric devices. NMAS also allows
these advanced authentication techniques to
be applied based on data type, so different
data can require different types of authentication.
Multiple authentication techniques
can even be layered together to provide
To ensure unique user identification,
GroupWise also permits event tracking against
specific types of resources. For example:
- E-mail Logs. All sending and receiving of
e-mail is tracked and logged by the various
system agents?that is, the Post Office Agent
(POA), the Message Transfer Agent (MTA),
and the GW Internet Agent (GWIA). These logs
contain valuable information about GroupWise
ID, Network ID (eDirectory ID), IP address,
associated files, and details on the type of
transaction. From this information, it is
possible to track many system events.
GroupWise log files are created in 1MB
increments and can be managed on the server
using two parameters: ?length of time to store?
or ?amount of disk space to consume.? Log
files are comma-delimited and can be easily
archived to tape, CD, or any other external
system for long-term storage.
- Document Management Activity. Each
document maintained in a GroupWise document
management library has an associated activity
log that tracks when and how the document
is accessed. Users in proxy mode are
prevented from accessing the proxy user's
Emergency Access Procedure (Required)
Establish (and implement as needed) procedures
for obtaining necessary electronic protected
health information during an emergency.
One of the relatively unique aspects of
healthcare is that emergency situations can arise
for which PHI must be available at a moments
notice. Say, for example, that a doctor is out of
town and cannot be reached when one of his or
her patients has an emergency that requires access
to electronic PHI maintained by that doctor. One of
his staff should be able to quickly and easily access
the required information without having the
doctor's personal password.
While the specific protocols associated with
accessing PHI in these circumstances should be
defined as a business process, the IT infrastructure
must be able to make allowances for such
eventualities. Here, GroupWise does a fine job
of supporting this need.
- Proxy. User Proxy is one way of preparing for
this type of emergency situation. A proxy user
is granted access to another user's e-mail
account. The account owner is solely capable
of granting these rights, and specifying the
type of access that is being granted: Read,
Write, Modify and Subscribe. Once access is
granted, proxy users can access an e-mail
account in accordance with their level of
rights. Documents in a user's document
library are not accessible by proxy users.
- Shared Folders. Organizations may also
choose to use GroupWise Shared Folders to
make electronic PHI available. Shared folders
are accessible to all users on the shared folder
list from their GroupWise cabinet. Shared
folders are stored in the user's database,
with a pointer provided to all members of the
list. Users on different Post Offices receive a
copy as with proxy users, the user sharing the
folder can define the specific rights that are
granted to each user of the shared folder.
- Document Management. Similar to shared
folders, GroupWise document management
(DocMan) can be used to create document
libraries that may be shared among groups
of users. The DocMan system keeps track of
document versions and changes. Once a
document is imported or created in a
document library, it can only be viewed
through GroupWise, thereby increasing the
security of the environment.
- Password Change. If none of the previous
methods have been implemented, it is possible,
in an emergency situation, for a network
administrator to reset a user's password and
access information in the account. Note that
the administrator can change the password,
but not find out what the existing password
is. Therefore, users will always be able to
detect this kind of breach since they will not
be able to login using their old password.
Automatic Logoff (Addressable)
Implement electronic procedures that terminate
an electronic session after a predetermined time
As an addressable specification, there is
significant leeway in how Automatic Logoff can
be accomplished. GroupWise does not provide
a specific logout feature, nor does eDirectory.
However, there are methods to fulfill the spirit of
this requirement without any additional software:
- Windows Screen Saver. The Window's screen saver option is the most obvious way
to provide a lockdown option for GroupWise
and other applications running on your Windows
workstation. The screen saver has a password
option that effectively locks the workstation
after the screen saver delay has passed.
Using a desktop management solution such
as Novell ZENworks for Desktops, network
administrators can configure this feature
uniformly across the workforce, if desired.
Should a covered entity choose to use
NMAS, the default Windows screen saver is
integrated with the NMAS authentication
process, so that users must use the same
method to unlock the workstation as was
used to authenticate originally.
- GroupWise WebAccess. GroupWise WebAccess,
the GroupWise Web client, has a ?time out?
feature that automatically cancels the user's
session after a specified period of inactivity.
To gain access to GroupWise after the time out
period has passed, a user must re-authenticate.
This time out option can be configured for
?distribution lists,? so that one type of user
can be assigned a different time out value
than another. For example, doctors may be
given a different time out interval than nurses.
Encryption and Decryption (Addressable)
Implement a mechanism to encrypt and decrypt
electronic protected health information.
Encryption and decryption is a topic that can
cover a lot of ground, depending on your focus.
But in general terms, security can be added to
GroupWise messages by encrypting them prior to
delivery. Encrypting a message lets the sender be
sure that the intended recipient is the only one
who can read it.
It is important to note that GroupWise provides
robust, end-to-end options for protecting data
including the following:
- Packet-level encryption between the client,
the system, and all intra-system agents such as
the Post Office Agent (POA), Message Transfer
Agent (MTA), and GroupWise Internet Agent
(GWIA)). This is accomplished by the administrator's
choice of a proprietary GroupWise
encryption method (default) or with 128-bit
Secure Sockets Layer (SSL) encryption.
- Encryption of each GroupWise post office
message stores, and all individual message
stores that users might maintain on their
personal computers through the use of
GroupWise Remote or Caching mode.
- Optional SSL encryption for all external
communications through GroupWise Internet
Agent (GWIA) or GroupWise WebAccess.
GroupWise can also leverage Public Key
Infrastructure (PKI) to provide message-level
cryptographic services. Cryptography is based
on the concept of ?keys??that is, mathematical
sequences used to encrypt and decrypt messages.
PKI uses mathematically related key pairs that are
assigned to users. A message encrypted using one
key in a pair can only be decrypted with the other
key in that pair. To facilitate secure messaging,
one key in a pair is distributed publicly through a
Certificate Authority (CA) or through an e-mail
sent by the key owner; the other is carefully
guarded as the user's private key.
To provide a standard for implementing
PKI in the messaging environment, a standard
known as S/MIME (Secure Multi-Purpose Internet
Mail Extensions) has been developed. S/MIME
describes how encryption information and a digital
certificate can be included as part of the message
body. GroupWise supports, and has been certified
compliant with, S/MIME v3?the most current
version of the standard.
To encrypt a message, the sender uses the
recipient's public key, knowing that by doing
so; only the intended recipient can decrypt the
message. Implementing encryption for GroupWise
involves the following tasks:
- Create certificates for GroupWise Users.
GroupWise supports common cryptographic
standards with regards to PKI, so it can work
with digital certificates from several public
CAs such as Verisign, Entrust, Thawte, and
groupwise/certified.html). Organizations can
deploy their PKI solution of choice.
Organizations may also choose to leverage
Novell Certificate Server (http://www.novell.
com/products/certserver/), which is included
with Novell NetWare to create their own CA.
Digital certificates, regardless of source, can be
stored in eDirectory and associated with each
user object so they are universally available.
Digital Certificates typically expire one
year after creation, but this expiration is
configurable, particularly if you are using
Novell Certificate Server for an in-house CA.
Once a certificate expires, a new one must be
created. This process is not automated due to
the need to protect the security of the process.
Certificates can also be revoked if an
employee leaves an organization. Revoked
certificates are maintained in a Certificate
Revocation List (CRL), and GroupWise can be
configured to automatically check a given
CRL for certificate status.
- Install Cryptographic Support on the
Workstation. Security features in GroupWise
are available only if you have installed one
of the following types of security providers
on the workstation: Entrust 4.0 or higher,
Microsoft Base Cryptographic Provider
version 1.0 or higher, Microsoft Enhanced
Cryptographic Provider version 1.0 or higher.
Note: Microsoft cryptographic providers are
installed by default on Windows 2000 and
later operating systems.
- Import Certificates into GroupWise. Once a
digital certificate has been created, it can
be exported in a format that is consumable
by external applications such as GroupWise.
To configure the GroupWise environment
for encryption, the user imports his or her
certificate into the GroupWise environment.
Similarly, GroupWise users import certificates
from those to whom they will be sending
For implementation information
regarding GroupWise and digital certificates,
see ?Sending Secure and Encrypted Messages
With GroupWise 6.5? in the upcoming May
2003 issue of Novell AppNotes?.
- Configure Cryptographic options in
GroupWise. There are several options
in GroupWise 6.5 that allow users and
administrators to better manage security.
For example, to enforce security policies,
administrators can require users to digitally
sign and encrypt their messages. They can
also define a specific URL where users can
get their certificates.
Additionally, GroupWise 6.5 can ensure
signed messages are authentic. When a user
receives a signed message, GroupWise can
check a Certificate Revocation List (CRL),
specified by the CA, to see if the signature
certificate is valid. If the inbound message
was signed using a revoked certificate,
GroupWise sends a warning message to
the message recipient, who can choose to
accept the message anyway, or reject it.
At the client level, users can set their own
certificate trust options. They can choose to
trust all certificates, block all certificates
signed by a designated CA, or receive
notification of certificates signed by a CA
they haven't approved.