Implementing HIPAA Security Rules with GroupWise 6.5

Novell Cool Solutions: Feature

Posted: 24 Apr 2003
 


Implementing HIPAA Security Rules with Novell GroupWise 6.5

The U.S. Congress, as part of broad healthcare reform legislation, enacted the Health Insurance Portability and Accountability Act of 1996, known as HIPAA. While HIPAA regulations touch many parts of a covered entity's enterprise, including legal, business process, security and Information Technology (IT), the most recent regulatory wave to wash across covered entities is the Security Rules for the protection of electronic health information.

Under HIPAA, the United States Department of Health and Human Services (HHS) is required to develop standards for maintenance and transmission of health records that protect individually identifiable health information, or Protected Health Information (PHI). In accordance with this requirement, HHS published the Security Rules in the Federal Register on February 20, 2003 (http://www.cms.hhs.gov/hipaa/hipaa2/regulations/security/default.asp).

Organizations that fall under HIPAA regulations (that is, nearly all healthcare-related organizations, from large, integrated healthcare networks to individual healthcare providers) will have until April 20, 2005, to come into compliance with the newly published Security Rules.

HHS states the purpose of the Security Rules as follows:

The purpose of this final rule is to adopt national standards for safeguards to protect the confidentiality, integrity, and availability of electronic protected health information ... while it is being stored or during the exchange of that information between entities.
http://a257.g.akamaitech.net/7/257/2422/14mar20010800/edocket.access.gpo.gov/2003/pdf/03-3877.pdf

Novell recognizes the importance of protecting a person's private information and the difficulties associated with doing so, particularly in today's world of public networks and a constantly shifting list of partners, suppliers, and providers. As a leading provider of Information Services, Novell delivers solutions designed specifically to protect critical data on modern computer networks. Novell solutions revolve around individual identity and the ability to recognize, secure, customize, and deliver based on that identity. Nowhere are these solutions more important than in the protection and delivery of PHI.

Because of our history and continued leadership with secure, cost-effective, cross-platform solutions, Novell is the clear choice for organizations looking to leverage technology as a means to support their HIPAA compliance efforts.

The purpose of this paper is to identify how GroupWise can be securely deployed in a HIPAA-compliant environment.

HIPAA Compliance: The Big Picture

The use of technology, such as secure e-mail, does not guarantee compliance with HIPAA. Indeed, technology is just one part of the overall HIPAA picture. The recently published HIPAA Security Rules provide guidance on the administrative, physical, and technical safeguards that should be implemented to secure electronic PHI. Coming into compliance with HIPAA will require a coordinated effort on the part of healthcare and healthcare-related organizations to provide documented policies and procedures, technology solutions, user training, policy enforcement, and regular compliance audits.

Therefore, Novell recommends that covered entities begin their HIPAA compliance efforts by establishing appropriate use policies for user e-mail, providing training to their employees regarding such policies and procedures, and establishing enforcement policies.

Once the administrative policies are in place, organizations can then support those policies with technology. Guidelines should be developed to define how technology will be used to implement such things as secure e-mail and messaging. They should also identify the recommended, emerging, and end-of-lifecycle standards the organization will support as part of its secure messaging infrastructure.

With administrative and technology policies in place, covered entities can then perform a HIPAA security assessment on their existing infrastructure, including the e-mail servers and e-mail client systems, to determine if it is consistent with the organization's HIPAA directives.

HIPAA Compliance: The Technical Safeguards

When evaluating HIPAA compliance, the section of the Security Rules most germane to Novell GroupWise and its related security products is section 164.312, Technical Safeguards. This section outlines five specific standards that covered entities must implement to protect the confidentiality, integrity, and availability of electronic PHI. They are:

  • Access Control
  • Audit Controls
  • Integrity
  • Person or Entity Authentication
  • Transmission Security

The following sections map specific GroupWise features and capabilities to these standards to illustrate how GroupWise 6.5 can be used to support your organization's policies regarding the secure electronic transmission of PHI.

As the various HIPAA security standards are discussed, it is important to understand the concept of Required and Addressable implementation specifications. Each specification is categorized so that covered entities know how they need to approach compliance on the individual topics presented as part of each standard. "Required" means exactly what it says; the implementation is required, as described, for HIPAA compliance. The "Addressable" category, on the other hand, requires a little more description. The following quote from the HIPAA Security Standards clarifies a covered entity's responsibility with regard to Addressable implementation specifications:

In this final rule, we adopt both "required" and "addressable" implementation specifications. We introduce the concept of "addressable implementation specifications" to provide covered entities additional flexibility with respect to compliance with the security standards. In meeting standards that contain addressable implementation specifications, a covered entity will ultimately do one of the following:

  1. implement one or more of the addressable implementation specifications;
  2. implement one or more alternative security measures;
  3. implement a combination of both; or
  4. not implement either an addressable implementation specification or an alternative security measure.

HIPAA Standard: Access Controls

Implement technical policies and procedures for electronic information systems that maintain electronic protected health information to allow access only to those persons or software programs that have been granted access rights as specified in § 164.308(a)(4).

Under the heading of Access Controls, the HIPAA security regulation lists the following implementation specifications:

  • Unique User Identification (Required)
  • Emergency Access Procedure (Required)
  • Automatic Logoff (Addressable)
  • Encryption and Decryption (Addressable)

Together, these four implementation specifications define the access control requirements for HIPAA-compliant environments. The following sections discuss these specifications in more detail.

Unique User Identification (Required)

Assign a unique name and/or number for identifying and tracking user identity.

As computer networks have matured over the last twenty years, ever more complex network services and data are being customized and delivered based on user identity. For this reason, "identity" is the core of Novell's product and solution strategy. As the world's leading directory solution, Novell eDirectory (http://www.novell.com/edirectory/) provides an unsurpassed identity store and foundation for providing identity-related services.

Novell eDirectory functions as the authoritative source for identity information. GroupWise leverages eDirectory to provide globally unique identifiers for each user of the e-mail and collaboration system. eDirectory uses a combination of User ID and Context, or location within the directory tree, to create a globally unique ID whereby each object can be addressed within the system. This naming convention is based on X.500 standards, and leaves GroupWise free to focus on those tasks that relate directly to the e-mail and collaboration environment.

With an authoritative identity source in place, the next logical consideration is securing that identity against capture or use by unauthorized individuals. GroupWise provides multiple protections against such eventualities:

  • Guaranteed Identity. GroupWise automatically synchronizes certain eDirectory identity information to its own databases where it is optimized for consumption in the e-mail environment. Similar to eDirectory, GroupWise maintains a globally unique "Full Name" for each e-mail user based on User ID and Context (for example, jharris.PostOffice1.NovellDomain). However, this unique global ID does not guarantee a unique User ID. For example, the identical User ID of "jharris" could exist on two different Post Offices.

    While identical User IDs don't matter within the GroupWise environment, they can cause difficulty when interacting with external e-mail systems. For this reason, GroupWise 6.5 offers the Internet Addressing feature. When activated, the "create user" function in GroupWise performs a check of the system to make sure that the user's e-mail identity is unique.

  • Identity by eDirectory. By default, GroupWise maintains its own password environment that can be managed separately from eDirectory. However, the LDAP authentication option allows GroupWise to leverage eDirectory's authentication environment, thereby permitting an organization to use eDirectory account management processes, including forced password and password management features, to protect GroupWise.

    Additionally, GroupWise lets administrators offer single sign-on to users who authenticate through eDirectory. Administrators can also set a system-wide default password for all new GroupWise accounts to prevent unprotected accounts from being created.

  • High/Low Security Setting. GroupWise includes two security settings: low and high. The Low setting, enabled by default, does not protect accounts that do not have passwords. By using the well-known command line switch "/@U-<User ID>", accounts without passwords are freely accessible to anyone who knows the User ID.

    The High security setting prevents a user from accessing a GroupWise account unless their authenticated eDirectory ID matches the GroupWise account ID they are attempting to access. If the user's eDirectory ID and the GroupWise account's User ID do not match, the user must provide the password to the GroupWise account.

  • Secure Authentication. All authentication operations between the GroupWise client and the GroupWise Post Office are encrypted with a proprietary encryption method. This makes it extremely difficult to intercept authentication credentials en route. GroupWise also supports 128-bit SSL encryption for both intra- and inter-system communications.

    All message stores, including caching or remote data stores, are similarly encrypted so that messages cannot be read outside the GroupWise environment.

  • Novell Modular Authentication Service (NMAS). If username/password authentication doesn't provide the assurance that a covered entity wants, Novell offers NMAS (http://www.novell.com/nmas/). NMAS extends the eDirectory authentication mechanism to support more secure authentication methods such as digital certificates, smart cards, and biometric devices. NMAS also allows these advanced authentication techniques to be applied based on data type, so different data can require different types of authentication. Multiple authentication techniques can even be layered together to provide multi-level protection.

To ensure unique user identification, GroupWise also permits event tracking against specific types of resources. For example:

  • E-mail Logs. All sending and receiving of e-mail is tracked and logged by the various system agents, that is, the Post Office Agent (POA), the Message Transfer Agent (MTA), and the GW Internet Agent (GWIA). These logs contain valuable information about GroupWise ID, Network ID (eDirectory ID), IP address, associated files, and details on the type of transaction. From this information, it is possible to track many system events.

    GroupWise log files are created in 1MB increments and can be managed on the server using two parameters: "length of time to store" or "amount of disk space to consume." Log files are comma-delimited and can be easily archived to tape, CD, or any other external system for long-term storage.

  • Document Management Activity. Each document maintained in a GroupWise document management library has an associated activity log that tracks when and how the document is accessed. Users in proxy mode are prevented from accessing the proxy user's document library.

Emergency Access Procedure (Required)

Establish (and implement as needed) procedures for obtaining necessary electronic protected health information during an emergency.

One of the relatively unique aspects of healthcare is that emergency situations can arise for which PHI must be available at a moment's notice. Say, for example, that a doctor is out of town and cannot be reached when one of his or her patients has an emergency that requires access to electronic PHI maintained by that doctor. One of his or her staff should be able to quickly and easily access the required information without having the doctor's personal password.

While the specific protocols associated with accessing PHI in these circumstances should be defined as a business process, the IT infrastructure must be able to make allowances for such eventualities. Here, GroupWise does a fine job of supporting this need.

  • Proxy. User Proxy is one way of preparing for this type of emergency situation. A proxy user is granted access to another user's e-mail account. The account owner is solely capable of granting these rights, and specifying the type of access that is being granted: Read, Write, Modify and Subscribe. Once access is granted, proxy users can access an e-mail account in accordance with their level of rights. Documents in a user's document library are not accessible by proxy users.

  • Shared Folders. Organizations may also choose to use GroupWise Shared Folders to make electronic PHI available. Shared folders are accessible to all users on the shared folder list from their GroupWise cabinet. Shared folders are stored in the user's database, with a pointer provided to all members of the list. Users on different Post Offices receive a copy. As with proxy users, the user sharing the folder can define the specific rights that are granted to each user of the shared folder.

  • Document Management. Similar to shared folders, GroupWise document management (DocMan) can be used to create document libraries that may be shared among groups of users. The DocMan system keeps track of document versions and changes. Once a document is imported or created in a document library, it can only be viewed through GroupWise, thereby increasing the security of the environment.

  • Password Change. If none of the previous methods have been implemented, it is possible, in an emergency situation, for a network administrator to reset a user's password and access information in the account. Note that the administrator can change the password, but not find out what the existing password is. Therefore, users will always be able to detect this kind of breach since they will not be able to log in using their old password.

Automatic Logoff (Addressable)

Implement electronic procedures that terminate an electronic session after a predetermined time of inactivity.

As an addressable specification, there is significant leeway in how Automatic Logoff can be accomplished. GroupWise does not provide a specific logout feature, nor does eDirectory. However, there are methods to fulfill the spirit of this requirement without any additional software:

  • Windows Screen Saver. The Windows screen saver option is the most obvious way to provide a lockdown option for GroupWise and other applications running on your Windows workstation. The screen saver has a password option that effectively locks the workstation after the screen saver delay has passed. Using a desktop management solution such as Novell ZENworks for Desktops, network administrators can configure this feature uniformly across the workforce, if desired. Should a covered entity choose to use NMAS, the default Windows screen saver is integrated with the NMAS authentication process, so that users must use the same method to unlock the workstation as was used to authenticate originally.

  • GroupWise WebAccess. GroupWise WebAccess, the GroupWise Web client, has a "time out" feature that automatically cancels the user's session after a specified period of inactivity. To gain access to GroupWise after the time out period has passed, a user must re-authenticate. This time out option can be configured for "distribution lists," so that one type of user can be assigned a different time out value than another. For example, doctors may be given a different time out interval than nurses.

Encryption and Decryption (Addressable)

Implement a mechanism to encrypt and decrypt electronic protected health information.

Encryption and decryption is a topic that can cover a lot of ground, depending on your focus. But in general terms, security can be added to GroupWise messages by encrypting them prior to delivery. Encrypting a message lets the sender be sure that the intended recipient is the only one who can read it.

It is important to note that GroupWise provides robust, end-to-end options for protecting data including the following:

  • Packet-level encryption between the client, the system, and all intra-system agents such as the Post Office Agent (POA), Message Transfer Agent (MTA), and GroupWise Internet Agent (GWIA). This is accomplished by the administrator's choice of a proprietary GroupWise encryption method (default) or with 128-bit Secure Sockets Layer (SSL) encryption.
  • Encryption of each GroupWise post office message store, and of all individual message stores that users might maintain on their personal computers through the use of GroupWise Remote or Caching mode.
  • Optional SSL encryption for all external communications through GroupWise Internet Agent (GWIA) or GroupWise WebAccess.

GroupWise can also leverage Public Key Infrastructure (PKI) to provide message-level cryptographic services. Cryptography is based on the concept of "keys", that is, mathematical sequences used to encrypt and decrypt messages. PKI uses mathematically related key pairs that are assigned to users. A message encrypted using one key in a pair can only be decrypted with the other key in that pair. To facilitate secure messaging, one key in a pair is distributed publicly through a Certificate Authority (CA) or through an e-mail sent by the key owner; the other is carefully guarded as the user's private key.

To provide a standard for implementing PKI in the messaging environment, a standard known as S/MIME (Secure Multi-Purpose Internet Mail Extensions) has been developed. S/MIME describes how encryption information and a digital certificate can be included as part of the message body. GroupWise supports, and has been certified compliant with, S/MIME v3, the most current version of the standard.

To encrypt a message, the sender uses the recipient's public key, knowing that by doing so, only the intended recipient can decrypt the message. Implementing encryption for GroupWise involves the following tasks:

  • Create certificates for GroupWise Users. GroupWise supports common cryptographic standards with regards to PKI, so it can work with digital certificates from several public CAs such as Verisign, Entrust, Thawte, and GlobalSign (http://www.novell.com/products/groupwise/certified.html). Organizations can deploy their PKI solution of choice.

    Organizations may also choose to leverage Novell Certificate Server (http://www.novell.com/products/certserver/), which is included with Novell NetWare, to create their own CA. Digital certificates, regardless of source, can be stored in eDirectory and associated with each user object so they are universally available.

    Digital Certificates typically expire one year after creation, but this expiration is configurable, particularly if you are using Novell Certificate Server for an in-house CA. Once a certificate expires, a new one must be created. This process is not automated due to the need to protect the security of the process.

    Certificates can also be revoked if an employee leaves an organization. Revoked certificates are maintained in a Certificate Revocation List (CRL), and GroupWise can be configured to automatically check a given CRL for certificate status.


  • Install Cryptographic Support on the Workstation. Security features in GroupWise are available only if you have installed one of the following types of security providers on the workstation: Entrust 4.0 or higher, Microsoft Base Cryptographic Provider version 1.0 or higher, Microsoft Enhanced Cryptographic Provider version 1.0 or higher.

    Note: Microsoft cryptographic providers are installed by default on Windows 2000 and later operating systems.

  • Import Certificates into GroupWise. Once a digital certificate has been created, it can be exported in a format that is consumable by external applications such as GroupWise. To configure the GroupWise environment for encryption, the user imports his or her certificate into the GroupWise environment. Similarly, GroupWise users import certificates from those to whom they will be sending encrypted messages.

    For implementation information regarding GroupWise and digital certificates, see "Sending Secure and Encrypted Messages With GroupWise 6.5" in the upcoming May 2003 issue of Novell AppNotes.

  • Configure Cryptographic options in GroupWise. There are several options in GroupWise 6.5 that allow users and administrators to better manage security. For example, to enforce security policies, administrators can require users to digitally sign and encrypt their messages. They can also define a specific URL where users can get their certificates.

    Additionally, GroupWise 6.5 can ensure signed messages are authentic. When a user receives a signed message, GroupWise can check a Certificate Revocation List (CRL), specified by the CA, to see if the signature certificate is valid. If the inbound message was signed using a revoked certificate, GroupWise sends a warning message to the message recipient, who can choose to accept the message anyway, or reject it.

    At the client level, users can set their own certificate trust options. They can choose to trust all certificates, block all certificates signed by a designated CA, or receive notification of certificates signed by a CA they haven't approved.
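
The certificate, encryption, signing and CRL steps above can be tried outside GroupWise with the OpenSSL command line. This is an added example, not Novell's code or part of the original paper; the CA name, the users alice and bob and all file names are constructed, and `openssl verify -crl_check` stands in for the CRL lookup a mail client performs on a signer's certificate.

```shell
#!/bin/sh
# Added example: S/MIME encrypt, sign and CRL check with the OpenSSL CLI.
# "Example In-House CA", alice, bob and all file names are constructed.

# Minimal OpenSSL config: CA and user extensions plus the CA database settings.
write_ca_config() {
  cat <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions    = v3_ca
[ dn ]
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage         = critical,keyCertSign,cRLSign
[ usr ]
keyUsage         = digitalSignature,keyEncipherment
extendedKeyUsage = emailProtection
[ ca ]
default_ca = demo_ca
[ demo_ca ]
database         = index.txt
default_md       = sha256
default_crl_days = 7
EOF
}

# Run a command quietly.
q() { "$@" >/dev/null 2>&1; }

# Print "<name>=ok" or "<name>=fail" from a command's exit status.
report() {
  name=$1; shift
  if q "$@"; then echo "$name=ok"; else echo "$name=fail"; fi
}

smime_crl_demo() {
  d=$(mktemp -d) || return 1
  (
    cd "$d" || exit 1
    write_ca_config > ca.cnf
    : > index.txt                       # empty CA database

    # Create certificates: an in-house CA, then one certificate per user.
    q openssl req -x509 -newkey rsa:2048 -nodes -days 30 -config ca.cnf \
      -subj "/CN=Example In-House CA" -keyout ca.key -out ca.pem || exit 1
    for u in alice bob; do
      q openssl req -new -newkey rsa:2048 -nodes -config ca.cnf \
        -subj "/CN=$u" -keyout "$u.key" -out "$u.csr" &&
      q openssl x509 -req -in "$u.csr" -CA ca.pem -CAkey ca.key -CAcreateserial \
        -extfile ca.cnf -extensions usr -days 30 -out "$u.pem" || exit 1
    done
    ca() { q openssl ca -config ca.cnf -keyfile ca.key -cert ca.pem "$@"; }
    ca -gencrl -out crl_before.pem || exit 1

    printf 'constructed sample message, no real PHI\n' > msg.txt

    # Encrypt to bob's public certificate; only bob's private key opens it.
    q openssl smime -encrypt -aes256 -in msg.txt -out sealed.eml bob.pem || exit 1
    report decrypt_by_recipient openssl smime -decrypt -in sealed.eml \
      -recip bob.pem -inkey bob.key -out opened.txt
    report plaintext_recovered grep -q 'constructed sample' opened.txt
    report decrypt_by_other_user openssl smime -decrypt -in sealed.eml \
      -recip alice.pem -inkey alice.key -out other.txt

    # alice signs; the recipient verifies the signature chain up to the CA.
    q openssl smime -sign -in msg.txt -signer alice.pem -inkey alice.key \
      -out signed.eml || exit 1
    report signature_valid openssl smime -verify -in signed.eml \
      -CAfile ca.pem -out verified.txt

    # Revocation: the CA revokes the signer's certificate and reissues the CRL.
    report signer_cert_before_revocation openssl verify -crl_check \
      -CAfile ca.pem -CRLfile crl_before.pem alice.pem
    ca -revoke alice.pem && ca -gencrl -out crl_after.pem || exit 1
    report signer_cert_after_revocation openssl verify -crl_check \
      -CAfile ca.pem -CRLfile crl_after.pem alice.pem
    report other_cert_after_revocation openssl verify -crl_check \
      -CAfile ca.pem -CRLfile crl_after.pem bob.pem
  )
  rc=$?
  rm -rf "$d"
  return $rc
}

smime_crl_demo
```

The signature on a message signed before revocation still verifies cryptographically; only the CRL check reveals that the signer's certificate is no longer trusted, which is why the two checks are reported separately.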

HIPAA Standard: Audit Controls (Required)

Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information.

The ability to monitor and track what transpires on an e-mail system is critical when trying to piece together a problem or prove the guilt or innocence of a given party. GroupWise provides several tools and options for monitoring and tracking activity. It also boasts some powerful third-party tools that extend its capabilities even further. But first the GroupWise offerings:

  • GroupWise Log Files. As previously mentioned, GroupWise provides several agent log files. One of these is the POA log. It offers a verbose logging mode that captures the following information in a comma-delimited file:
    • Post Office name
    • Login GroupWise ID
    • Network Login ID if user has authenticated through eDirectory
    • IP address of the workstation the user is logging in from
    • Message Destination: If coming from the Internet, the message sender will be identified
    • Originator of sent messages
    This information can be evaluated, either in real time or after the fact with archived log files, to identify system activities and associate them with specific time frames, users, and network addresses.

  • Non-repudiation. GroupWise supports the use of digital signatures to guarantee the origin of a message. Furthermore, GroupWise provides a unique ability to view the "properties" of a sent message including time of delivery, recipients, and the actions of those recipients along with time stamps (for example, when the message was opened; when it was deleted; and was it deleted without first being opened).

  • Account Audit Report. The Mailbox Library Maintenance Report lets you view those accounts that have been used over a given period of time (say, for example, the last 60 days). This report identifies "Active" and "Inactive" accounts based on how they have been used. For example, an account is designated as Active if it has sent, opened, or deleted messages during the specified period of time. This report can be used to detect forgotten accounts that should be disabled or removed from the Post Office.

  • GroupWise Monitor. For the ability to "watch from anywhere," GroupWise Monitor lets administrators monitor GroupWise agents and gateways from any Web browser. It provides a real-time view of GroupWise system activities. Although this utility is designed primarily for monitoring GroupWise server health, it is possible to track the path of a message from sender to recipient(s) if you know the message ID.
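
The POA log fields listed under GroupWise Log Files (and the E-mail Logs described under Unique User Identification) are enough to run a simple login audit over archived files. The following is an added example, not GroupWise code or part of the original paper: the column order, the LOGIN event name and every record in the sample are assumptions constructed for illustration, so the field numbers must be mapped to the layout of your own log files.

```shell
#!/bin/sh
# Added example, not GroupWise code. ASSUMED column order for this sketch:
#   date,time,post_office,gw_id,network_id,client_ip,event

# Constructed sample records (no real users or addresses).
sample_poa_log() {
  cat <<'EOF'
2003-04-24,08:01:12,PostOffice1,jharris,jharris,10.1.4.21,LOGIN
2003-04-24,08:03:40,PostOffice1,mlopez,mlopez,10.1.4.33,LOGIN
2003-04-24,12:15:02,PostOffice1,jharris,tnurse,10.1.7.90,LOGIN
2003-04-24,12:40:55,PostOffice1,drsmith,,10.1.9.14,LOGIN
2003-04-24,13:02:10,PostOffice1,jharris,jharris,10.1.4.21,SEND
2003-04-24,23:48:31,PostOffice1,mlopez,mlopez,192.0.2.77,LOGIN
EOF
}

# Read log records on stdin and print one finding per line, sorted:
#   ID_MISMATCH    network (eDirectory) ID differs from the GroupWise mailbox ID
#   MULTI_IP       one mailbox opened from more than one workstation address
#   NO_NETWORK_ID  login with no eDirectory ID recorded
# IDs are compared case-insensitively.
audit_poa_log() {
  awk -F, '
    NF < 7 || $7 != "LOGIN" { next }     # skip malformed and non-login records
    {
      gw = tolower($4); net = tolower($5); ip = $6
      if (net == "")
        printf "NO_NETWORK_ID mailbox=%s ip=%s at=%sT%s\n", gw, ip, $1, $2
      else if (net != gw)
        printf "ID_MISMATCH mailbox=%s network_id=%s ip=%s at=%sT%s\n", gw, net, ip, $1, $2
      if (!((gw, ip) in seen)) { seen[gw, ip] = 1; nips[gw]++ }
    }
    END {
      for (m in nips)
        if (nips[m] > 1) printf "MULTI_IP mailbox=%s distinct_ips=%d\n", m, nips[m]
    }' | LC_ALL=C sort
}

sample_poa_log | audit_poa_log
```

A mismatch or a missing network ID is not a violation in itself (proxy access and password-only logins produce them legitimately); the findings are the records an auditor would reconcile against granted proxy rights and emergency-access procedures.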

Although GroupWise provides a significant amount of audit and monitoring information, it is scattered among multiple tools and logs. To help simplify and strengthen GroupWise audit capabilities, IntelliReach (http://www.intellireach.com/products/control/control-GW/control-GW.html) offers a management suite, Control for GroupWise, that leverages the various GroupWise logs to create a consolidated interface for auditing and monitoring your GroupWise environment. Control for GroupWise includes monitoring, reporting on usage and abuse, archiving, and security.

HIPAA Standard: Integrity

Implement policies and procedures to protect electronic protected health information from improper alteration or destruction.

The only implementation specification within the Integrity standard is the "Mechanism to Authenticate Electronic PHI." This specification provides guidelines to ensure that stored data is protected from tampering and safeguarded from system failures.

Mechanism to Authenticate Electronic Protected Health Information (Addressable)

Implement electronic mechanisms to corroborate that electronic protected health information has not been altered or destroyed in an unauthorized manner.

The upshot of this implementation specification is that systems need to be able to properly protect electronic PHI from alteration or destruction, whether intentional or otherwise. Another dimension of the Integrity play is non-repudiation, being able to positively identify the source of a message.

  • Message Encryption. GroupWise provides robust end-to-end options for protecting data, including encryption of communications between client and system (using proprietary or SSL encryption); encryption of communications between all system agents (using proprietary or SSL encryption); message encryption using S/MIME; and encrypted storage of messages stored within the GroupWise system.

  • Smart Purge. Smart Purge allows GroupWise administrators to prevent users from purging a message before it has been archived. This feature, which can be configured on a Domain, Post Office, or User level, sets a flag on all new messages coming into the system that prevents their deletion. Once the message store is backed up, the flag is cleared and messages can be purged. Smart Purge prevents the potential loss of important messages.

  • AuthLogin. This feature is new to GroupWise 6.5. It was implemented to support the British National Health System (NHS), which requires that e-mail systems mutually authenticate before messages are exchanged. GWIA can now require authentication before accepting messages from an external system. Conversely, it can also provide authentication credentials to systems that request them.

  • Non-repudiation. GroupWise supports the ability to digitally sign a message so that its origin is not in doubt. This is particularly important for Internet communications over protocols that do not provide sufficient security or protection against external attacks and hackers.

  • System Stability. Novell GroupWise has gained a well-deserved reputation for security and resistance to attacks. By thinking about security as an architectural consideration, rather than trying to bolt it on after the fact, GroupWise has avoided the failures of some of its competitors. Decisions such as limiting the number and type of programming hooks and properly securing the address book make GroupWise much less susceptible to security attacks. Moreover, when attacked, GroupWise systems experience significantly less damage than competing systems.

    In fact, Viable Solutions, a large reseller that maintains both Exchange and GroupWise, tracked the downtime of their clients due to viruses. According to their statistics, Exchange users typically experienced downtime ranging from one to four days per virus attack. On the other hand, GroupWise users had downtime averages so low they didn't even register. (http://www.novell.com/collateral/4820914/4820914.pdf)

In addition to the above-described options, GroupWise partners can add significantly to GroupWise system integrity with products that provide enhanced message archive and anti-virus protection.

  • Nexic. E-mail retention is a critical issue for organizations today. Nexic Discovery (www.Nexic.com) archives GroupWise e-mail messages in standards-based formats, including HTML and ASCII text, or to Oracle databases. Once archived, the files and records can easily be viewed, searched, and managed without requiring access to GroupWise. Archival storage can be file system-based including compressed drives, document management programs, or external databases like Oracle that can scale to billions of records. Archived records can even be packaged for offloading to DVD or other portable media. Nexic can also support the efforts of covered entities to address the HIPAA Security Physical Safeguards for Data backup and Storage (§164.310(d)(2)(iv)).

  • Beginfinite. Beginfinite GWAVA (www.beginfinite.com) is a comprehensive suite of eSecurity tools for GroupWise. GWAVA protects GroupWise systems from viruses, blocks file attachments, and filters e-mail content. By protecting against both internal and external threats, it infuses security throughout the messaging environment, rather than simply setting up barriers at the edges of the network. Beginfinite can also support the efforts of covered entities to address the HIPAA Security Administrative Safeguards for protection from malicious Software (§164.308(a)(5)(ii)(B)).

HIPAA Standard: Person or Entity Authentication (Required)

Implement procedures to verify that a person or entity seeking access to electronic protected health information is the one claimed.

Novell eDirectory (http://www.novell.com/edirectory/) is more than a directory; it's the world's leading platform for identity management. No other directory in the world provides a more comprehensive or robust collection of identity management capabilities than eDirectory. So, by building a GroupWise system on the foundation of eDirectory, an organization inherently gains the benefit of unparalleled identity management. Consider the following:

  • Secure Architecture. eDirectory was designed from the ground up to be the world's best directory, including a full cryptographic infrastructure, extremely well protected identity credentials (such as passwords), and secure authentication algorithms and communication protocols. eDirectory wasn't cobbled together based on last year's ideas and technology, and 10 years after its introduction eDirectory is proving the value of this design commitment.

  • Unique Identity. As mentioned in the previous Access Controls section, eDirectory provides a guaranteed, globally unique ID for every object in the directory. And eDirectory's scalability ensures that an organization can define a secure, unique identity for as many people as it needs. One million is a pittance; 100 million and eDirectory doesn't even break a sweat. How about one billion? eDirectory has been tested to nearly two billion objects with no sign of breakdown!

  • Advanced Authentication. The default username/password authentication in eDirectory is as secure as such a method can get, but sometimes a password just won't cut it. Access to electronic PHI may be just one of those situations. If your organization requires something more than username/password authentication, Novell Modular Authentication Service (NMAS) provides the answer.

    NMAS (http://www.novell.com/nmas/) extends the eDirectory authentication mechanism to support more secure authentication methods such as digital certificates, smart cards, and biometric devices. These advanced authentication techniques can be applied based on the type of data that is being protected, so different data can require different types of authentication prior to access. Multiple authentication techniques can even be layered together to provide even more assured protection.

A final consideration of Person or Entity Authentication relates not to authentication itself, but to feeling confident of the identity of the person with whom you are communicating. Non-repudiation, as it is known, is achieved with digital signatures. Digital signatures identify a person with certainty through the use of digital certificates and public/private key pairs. This technology is further discussed in the next section.

HIPAA Standard: Transmission Security

Implement technical security measures to guard against unauthorized access to electronic protected health information that is being transmitted over an electronic communications network.

Transmission Security represents the final security standard for HIPAA compliance. Within the Transmission Security standard there are two implementation specifications that define how HIPAA-compliant transmission security can be achieved. They are Integrity Controls and Encryption.

Integrity Controls (Addressable)

Implement security measures to ensure that electronically transmitted electronic protected health information is not improperly modified without detection until disposed.

Digital signatures are a powerful method for achieving non-repudiation. They leverage the PKI standards used to encrypt GroupWise messages to create an irrefutable identifier for a system user. They allow message recipients to feel confident that a connection has not been "spoofed" or hijacked to send a forged message.

Basically, a digital signature consists of basic user information that is subsequently encrypted with the user's private key. Remember in our discussion of PKI, a message encrypted with the private key can only be decrypted with the associated public key. With a digital signature attached to a message, the recipient can confirm the identity of the sender by attempting to decrypt the digital signature with the sender's public key. If it decrypts properly, the recipient is assured that the digital signature was created with the correct private key.

Federal law holds that a digital signature is a valid proof of identity and is just as binding in a court proceeding as a manual signature. GroupWise 6.5 supports dual certificates, allowing users to have one certificate for encrypting messages and another for digital signature. This is important because it allows organizations to provide an "escrow" of cryptographic keys (in case a message must be decrypted without a user's assistance), without affecting the integrity of the digital signature process. (The user is the ONLY person that maintains a copy of the signature key.) GroupWise provides support for digital certificates through the S/MIME v3 specification used to encrypt messages.

Digital signature support is configured in GroupWise in the same way that message encryption is enabled. (See the Encryption/Decryption section.)
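The signing, tamper detection, and dual-certificate escrow described above, as an added Python illustration (not GroupWise or S/MIME code). It signs a SHA-256 digest of the message with unpadded textbook RSA; the key values and sample message are constructed for the demonstration and are trivially breakable, so they are assumptions only.

```python
import hashlib

E = 65537  # common RSA public exponent

def make_keypair(p: int, q: int):
    """Textbook RSA: return ((e, n), (d, n)) for primes p and q."""
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))  # private exponent (Python 3.8+)
    return (E, n), (d, n)

def digest_int(message: bytes) -> int:
    """SHA-256 digest of the message as an integer (smaller than n here)."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big")

def sign(message: bytes, private) -> int:
    """'Encrypt' the message digest with the private key."""
    d, n = private
    return pow(digest_int(message), d, n)

def verify(message: bytes, signature: int, public) -> bool:
    """'Decrypt' the signature with the public key and compare digests."""
    e, n = public
    return pow(signature, e, n) == digest_int(message)

def demo() -> dict:
    # Constructed keys built from Mersenne primes: factorable on sight, demo only.
    sign_pub, sign_priv = make_keypair(2**521 - 1, 2**607 - 1)   # held by user only
    enc_pub, enc_priv = make_keypair(2**1279 - 1, 2**2203 - 1)   # private half escrowed
    msg = b"Constructed sample: lab result for record 0000 is negative"
    sig = sign(msg, sign_priv)
    session_key = int.from_bytes(b"constructed-session-key", "big")
    wrapped = pow(session_key, *enc_pub)  # session key encrypted to the user
    return {
        "genuine_verifies": verify(msg, sig, sign_pub),
        "altered_verifies": verify(msg.replace(b"negative", b"positive"), sig, sign_pub),
        "escrow_can_decrypt": pow(wrapped, *enc_priv) == session_key,
        "escrow_can_sign": verify(msg, sign(msg, enc_priv), sign_pub),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Production S/MIME signing uses padded signatures from a vetted cryptographic library rather than raw modular exponentiation.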

Encryption (Addressable)

Implement a mechanism to encrypt electronic protected health information whenever deemed appropriate.

In the context of data transmission, encryption varies from message encryption, but they can be used together to create an extremely secure environment. While we have already discussed the actual encryption of a message prior to delivery, now we will look briefly at the idea of encrypting the entire communications channel used to transfer the message from sender to recipient.

  • Securing the Channel. This is typically accomplished by providing an encrypted connection between the messaging client (sender and recipient) and the messaging server (the GroupWise server). For communications within the enterprise, this is accomplished by default. GroupWise automatically encrypts client connections as well as all server-to-server connections.

    The problem arises when introducing a public network, such as the Web, into the mix. In order to support communications with heterogeneous messaging systems, GroupWise supports common message formats such as POP, IMAP, SMTP, and HTTP. However, since none of these messaging protocols includes cryptographic support, an additional protocol is necessary to secure the communications link between messaging systems. There are a couple of methods for accomplishing this: SSL/TLS and GroupWise WebAccess.

  • TLS (Transport Layer Security) and SSL (Secure Sockets Layer). SSL and TLS both work by allowing the server and the client to mutually authenticate, negotiate a mutually supported encryption method, and share the cryptographic key that will be used during the session. These technologies are those you typically see protecting e-commerce sites on the Web.

    By supporting both SSL v3 and TLS, GroupWise 6.5 provides secure access to GroupWise mailboxes and agents from any point of entry. So, regardless of how messages are retrieved, GroupWise makes sure the client-to-server communications are secure.

  • GroupWise WebAccess. Because it can be configured to require an SSL connection, GroupWise WebAccess is an excellent way to force secure transmission of potentially sensitive data. And best of all, no special setup, configuration, or user training is necessary to enable this protection. If users can browse the Web, they can use WebAccess.
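Because SMTP itself carries no encryption, a client has to insist on the TLS upgrade and refuse to continue when it is missing. The following is an added Python example of that check (not GroupWise code); the host names and EHLO replies are constructed placeholders, and the TLS 1.2 floor reflects that SSL v3 has since been prohibited by RFC 7568.

```python
import smtplib
import ssl

def strict_client_context() -> ssl.SSLContext:
    """Client context: server certificate and hostname verified, TLS 1.2+ only."""
    ctx = ssl.create_default_context()            # CERT_REQUIRED, check_hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # rejects SSL v3 and TLS 1.0/1.1
    return ctx

def ehlo_extensions(reply: str) -> set:
    """Extension keywords from a captured multi-line SMTP EHLO reply."""
    found = set()
    for line in reply.splitlines()[1:]:           # line 1 is the server greeting
        parts = line[4:].split() if line.startswith("250") else []
        if parts:
            found.add(parts[0].upper())
    return found

def offers_starttls(reply: str) -> bool:
    """True when the server advertised the STARTTLS extension."""
    return "STARTTLS" in ehlo_extensions(reply)

def send_encrypted(host: str, sender: str, rcpt: str, message: str, port: int = 25):
    """Send only after a verified TLS upgrade; never fall back to cleartext."""
    with smtplib.SMTP(host, port, timeout=10) as smtp:
        smtp.ehlo()
        if not smtp.has_extn("starttls"):
            raise ConnectionError("STARTTLS not offered; refusing to send in clear")
        smtp.starttls(context=strict_client_context())
        smtp.ehlo()                               # re-read capabilities inside TLS
        smtp.sendmail(sender, rcpt, message)

# Constructed EHLO replies (mail.example.org is a placeholder host).
WITH_TLS = "250-mail.example.org\r\n250-SIZE 35882577\r\n250-STARTTLS\r\n250 HELP"
NO_TLS = "250-mail.example.org\r\n250-SIZE 35882577\r\n250 HELP"

if __name__ == "__main__":
    print("TLS offered:", offers_starttls(WITH_TLS))
    print("TLS offered:", offers_starttls(NO_TLS))
```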

One of the difficulties associated with encryption is the tremendous overhead required for encrypting/decrypting messages. One way to avoid this is to offload the encryption operations from the messaging server. Tovaris (www.tovaris.com) offers a turnkey e-mail encryption appliance that integrates seamlessly with GroupWise. The Tovaris E-mail Security Solution (TESS) for GroupWise is a rack-mount appliance that encrypts and decrypts e-mail messages at the mail server level. TESS for GroupWise can be deployed easily across your enterprise with little to no interruption to vital business processes.

GroupWise Comfort for the HIPAA Environment

With the final HIPAA security rules published, and the April 14, 2003 privacy deadline looming, covered entities must take a close look at their IT infrastructure from the perspective of the HIPAA standards for the security of electronic PHI.

The final HIPAA rules specify a series of administrative, physical, and technical security safeguards for covered entities to implement to assure the confidentiality of electronic PHI. The standards are delineated into either required or addressable implementation specifications.

However, one thing the rules do not do is dictate how you are to comply. HIPAA regulations are written as technology neutral. The security standards do not endorse the use of any specific technologies, but instead, provide guidance on the desired outcome. While applauded by those who eschew government intervention in the direction of technology, it does place an increased burden on the covered entity, which is left to answer the questions of "How?" and "How much?"

As a messaging and collaboration solution, Novell GroupWise won't give you pre-defined answers to those questions, but it does provide a well-stocked toolbox of security features designed to work within a HIPAA environment. Building on Novell's long heritage of identity and security, the industry-leading eDirectory, and a strong offering of integrated, third-party solutions, GroupWise can support the policies and processes that covered entities develop to manage the flow of electronic PHI; and what's more, it can do it in a secure and stable manner. After all, technology shouldn't dictate to the organization any more than the hammer should dictate to the craftsman.
