This Cerner Security Program is designed around Cerner's hosted Platforms—the hardware and operating systems upon which applications and solutions are deployed by Cerner in Cerner's hosted environments on behalf of its clients—in the United States and Canada. Cerner Millennium®, HealtheIntent® and CareAware® are examples of Cerner Platforms. Cerner provides its hosting services from a variety of locations, including:
Using a Third-Party Data Center does not change the way Cerner manages its Security Program, nor does it provide the Third-Party Data Center with access to Cerner's systems or networks. Cerner builds, maintains and manages Cerner's operating system and infrastructure using at least the same security controls as the controls used to build, maintain and manage the solution stack in a Cerner-owned environment. However, there are some operational differences between Third-Party Data Centers and CTCs as set forth in this Security Program document.
Cerner maintains a documented information privacy, security and risk management program with clearly defined roles, responsibilities, policies, and procedures which are designed to secure the information maintained on Cerner's Platforms. Cerner's program, at a minimum:
Cerner tightly controls and does not distribute written or electronic copies of its security policies and procedures. Cerner regularly reviews and modifies its security program to reflect changing technology, regulations, laws, risk, industry and security practices and other business needs.
Cerner grants access to client systems based upon role, completion of required training, and the principle of least privilege necessary for access. Access approval processes are strictly enforced ensuring access is appropriate and satisfies compliance requirements. Cerner manages identity and access to its Platforms by:
Cerner uses multiple overlapping security applications and countermeasures within its security program to protect the Platforms. The following are some examples of the security technologies Cerner deploys to protect the Platforms:
Cerner tracks access to and activity on network devices, security infrastructure components, and server systems, and monitors usage by transferring logs to a centralized repository for analysis, troubleshooting, compliance, and auditing purposes. The enterprise security logging repository, known as a Security Information and Event Management (SIEM) tool, is leveraged to analyze, monitor and correlate log data. Using the SIEM tool, security personnel devise profiles of common events from given systems to focus on unusual activity, avoid false positives, identify anomalies, and prevent insignificant alerts.
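The baselining described above (profiling the events a given system normally produces, then alerting only on what deviates) is the core of how a SIEM correlation rule suppresses noise. The following is an added illustration, not Cerner's code or configuration, and it does not reflect any real Cerner system: the hosts, user names, event types and log lines are constructed, and the `spike_factor` threshold is an assumed tuning value.

```python
"""Baseline-and-deviation check of the kind a SIEM event profile supports.

Added example; hosts, events and log lines below are constructed, not real data.
"""
from collections import Counter, defaultdict

# Constructed "known-good" period used to learn each host's usual event mix.
BASELINE_LOGS = [
    "2019-02-18T08:00:01Z host=app01 event=login_success user=alice",
    "2019-02-18T08:05:11Z host=app01 event=login_success user=bob",
    "2019-02-18T09:10:42Z host=app01 event=login_success user=alice",
    "2019-02-18T10:00:03Z host=app01 event=login_success user=carol",
    "2019-02-18T11:30:00Z host=app01 event=login_success user=bob",
    "2019-02-18T08:01:00Z host=db01 event=query user=app_svc",
    "2019-02-18T09:01:00Z host=db01 event=query user=app_svc",
    "2019-02-18T10:01:00Z host=db01 event=query user=app_svc",
    "2019-02-18T11:01:00Z host=db01 event=query user=app_svc",
]

# Constructed observation window: one event type app01 has never produced,
# and a burst of queries on db01 well above its usual volume.
WINDOW_LOGS = [
    "2019-02-19T08:00:05Z host=app01 event=login_success user=alice",
    "2019-02-19T08:00:09Z host=app01 event=login_failure user=root",
    "2019-02-19T08:00:10Z host=app01 event=login_success user=bob",
] + [f"2019-02-19T08:{i:02d}:00Z host=db01 event=query user=app_svc" for i in range(20)]


def parse_line(line):
    """Split 'timestamp key=value key=value ...' into (timestamp, dict of fields)."""
    ts, *kv = line.split()
    fields = dict(pair.split("=", 1) for pair in kv)
    return ts, fields


def build_profile(lines):
    """Per-host count of each event type: the 'profile of common events' for that system."""
    profile = defaultdict(Counter)
    for line in lines:
        _, fields = parse_line(line)
        profile[fields["host"]][fields["event"]] += 1
    return profile


def find_deviations(baseline_lines, window_lines, spike_factor=3.0):
    """Compare a window against the baseline profile and return only the deviations.

    Two conditions are flagged: an event type the host never produced during the
    baseline, and an event type whose count exceeds spike_factor times its
    baseline count. Everything matching the profile is deliberately left silent.
    """
    baseline = build_profile(baseline_lines)
    window = build_profile(window_lines)
    findings = []
    for host, events in window.items():
        for event, count in events.items():
            expected = baseline[host].get(event, 0)
            if expected == 0:
                findings.append((host, event, "never seen in baseline"))
            elif count > spike_factor * expected:
                findings.append((host, event, f"{count} events vs baseline {expected}"))
    return sorted(findings)


if __name__ == "__main__":
    for host, event, reason in find_deviations(BASELINE_LOGS, WINDOW_LOGS):
        print(f"ALERT host={host} event={event}: {reason}")
```

Run as-is, only two alerts are raised (the unfamiliar `login_failure` on app01 and the query burst on db01); the routine `login_success` events on app01 match the profile and produce nothing, which is the false-positive suppression the passage describes. In a real deployment the baseline would be rebuilt on a rolling window and the threshold tuned per system class.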
Cerner uses proper encryption mechanisms to safeguard data. Cerner performs risk assessments to evaluate how the data is being consumed and the overall sensitivity of the data. Data is encrypted in transmission between the client and Cerner and at rest within the CTC or Third-Party Data Center. Cerner manages client network public and private key infrastructure. Cerner strives to use FIPS 140-2 algorithms when supported by the cryptographic module. Cerner also supports Advanced Encryption Standard (AES) and Transport Layer Security (TLS) encryption protocols.
Penetration testing is conducted by Cerner security professionals who have appropriate industry certifications and credentials. In addition, Cerner annually engages a third-party to conduct external penetration testing. As part of Cerner's vulnerability and threat management program, Cerner's security professionals analyze and quantify the risk potential of identified vulnerabilities and threats to both Cerner and its clients.
Cerner conducts continuous production scanning of Cerner's Platforms. Cerner scores vulnerabilities based upon the expected impact to the environment and external exposure. Once the vulnerability is scored, a process to mitigate or remediate the vulnerability is initiated.
Identified vulnerabilities are assessed for risk and mitigated or remediated according to their severity level. This analysis includes using industry standards, such as NIST's Common Vulnerability Scoring System (NIST CVSS), and internal penetration scanning of environments using industry standard tools. Cerner strives to patch vulnerabilities within the timeframes set forth below:
Physical and environmental security measures are implemented in a strategic layered approach to deter, delay, and detect any attempted intrusion. These measures are designed both in accordance with needs unique to the facility and to ensure critical systems are provided a hardened, secure and reliable environment.
At a minimum, Cerner ensures the following physical and environmental security controls are maintained at the CTCs and within any Third-Party Data Center leveraged by Cerner:
The primary duty of the IRC is to answer second and third tier support calls from client help desks and resolve reported issues. Reported issues are documented and stored in a central repository. The IRC team uses system monitoring tools to track and respond to alarms and warnings and take appropriate action. Cerner's IRC is staffed 24x7x365.
Cerner's Computer Security Incident Response Center (CSIRC) is the control center for security incident event management and is responsible for 24x7x365 continuous threat monitoring of Cerner's Platforms. The CSIRC team ingests and coordinates responses to international, federal, and tech industry threat intelligence information, in an effort to safeguard Cerner environments. In addition, the team leverages industry standard tools to systematically analyze logs to identify potential unauthorized activity and focus on potential threats.
Cerner maintains a security incident management process to investigate, mitigate, and communicate system security events occurring within a Platform. Impacted clients are informed of relevant security incidents in a timely manner and advised of recommended corrective measures to be taken.
Cerner does not notify clients or publicly speak about “named” vulnerability events (e.g. WannaCry, Heartbleed, and ShellShock). Cerner will engage in private discussions if clients have questions about Cerner's approach to specific events.
Cerner maintains change management processes, based on Information Technology Infrastructure Library (ITIL) best practices, which are designed around the type of change and level of risk associated with that change. Cerner's policies require Cerner to communicate relevant non-routine changes it makes to a client's system with the impacted client. Changes are validated, reviewed, and receive approvals commensurate with the risk of the change. Cerner uses Change Advisory Boards (CABs) to review significant changes with known downtime or heightened risk. Changes are logged and maintained within Cerner's centralized change request system. Clients are responsible for controlling and documenting any system modifications they perform.
Cerner's contingency program is based on ISO 22301 and is designed to ensure continued operation of essential technology by supporting internal and external client functions during any incident (e.g. a situation that might be, or could lead to, an extended disruption, loss, emergency or crisis).
Cerner provides a redundant and highly available infrastructure to minimize disruptions to the production environments. If a disruptive incident occurs, Cerner follows an established, exercised and documented contingency program to restore service as quickly and effectively as possible, using commercially reasonable measures. The incident management portion of Cerner's contingency planning program is tested, reviewed, and updated annually. Cerner offers different levels of disaster recovery services based on the applicable Platform.
Cerner uses a variety of security tools to perform both static and dynamic analysis of its applications to identify vulnerabilities. As part of Cerner's development process, these vulnerabilities are often addressed during the development lifecycle prior to releasing new code.
Cerner's security awareness program requires associates to participate in mandatory education and training activities related to their specific role. These activities are designed to maintain the effectiveness of Cerner's security posture and include:
In 2003, Cerner began its process of regularly screening its offer-stage employment candidates through a background check process. Beginning in 2012, Cerner started requiring candidates to submit to a drug screening prior to beginning employment.
Cerner's applicant background check process varies based on the candidate's potential role and applicable law. To the extent allowed by applicable law, background checks consist of:
Cerner requires subcontractors to assure the competency and eligibility of its employees who provide services to Cerner's clients. Subcontractor personnel are required to complete background checks applicable to the services performed; such background checks must be at least as prescriptive as the background checks Cerner requires for Cerner associates.
Cerner requires business associate agreements and nondisclosure agreements with its Third-Party Data Centers and the suppliers it uses to provide the Platform, as appropriate based on that entity's access to data and other confidential information. Cerner requires that its suppliers complete a data security questionnaire as part of Cerner's evaluation process for the supplier. In addition, Cerner conducts annual supplier security risk assessments on its suppliers based on that supplier's risk profile.
Cerner is a global company with offices and associates throughout the world. Cerner's current operational and support model includes the use of global associates. Cerner may provide temporary access to the Platforms from outside of the country where the applicable Platform is hosted. All associates with access to the Platform are required to participate in mandatory education and training activities related to their specific role and are required to follow Cerner's security policies and processes. Training records are tracked and maintained for compliance purposes.
All storage media used for the delivery of Cerner's hosting services is purged and disposed of in accordance with Cerner's policy for electronic media disposal. The policy adheres to the HIPAA Security Rule, ISO 27001, and NIST 800-88.
Cerner may provide hardware to clients for use at their locations. Any information stored on Cerner-provided hardware but located at a client site is considered the responsibility of the client. In such cases, clients are responsible for decisions regarding sanitization or destruction of data storage media at the end of the hardware's usage life cycle.
Cerner regularly conducts internal assessments and undergoes external audits to examine the controls present within the Platform and Cerner's operations and to validate that Cerner is operating effectively in accordance with its Security Program.
Cerner has established and maintains the necessary controls required for compliance with HIPAA (as amended by HITECH). HIPAA (internal or external) assessments take place on an annual basis and examine all appropriate corporate and client environments.
Third-party attestations are performed on Cerner's hosted environments by measuring and testing the effectiveness of Cerner's risk mitigations related to the AICPA's Trust Services Principles relevant to security, availability and confidentiality. SOC reports are prepared under the AICPA's SSAE-18 guidelines and are specific to the hosting services and controls managed within the CTCs. Third-Party Data Centers commonly provide their own SOC reports covering their physical and environmental controls, and those controls are not included as part of Cerner's SOC audit.
Cerner's Information Security Management Framework (ISMF) is compliant with the principles of the ISO 27001/27002:2013 standard and the ISMF's policies are applicable to all of Cerner's Platforms.
Cerner annually engages a third party to perform external penetration tests against Cerner's Platforms. Cerner receives a Penetration Attestation document which describes the penetration testing performed, confirms that an industry standard methodology, testing tools and a national vulnerability database were used in conducting the penetration testing, and identifies known vulnerabilities within the Platforms. Cerner remediates identified vulnerabilities based on risk and addresses those vulnerabilities through an actively monitored plan for remediation.
Cerner receives a third-party Attestation of Compliance (AoC) to demonstrate PCI DSS compliance as a Level 1 Service provider for the processing of payments supported by certain Cerner solutions. For more information about what Cerner solutions are supported by this AoC, please contact your Cerner representative.
Cerner has self-certified to the EU-U.S. Privacy Shield and the Swiss-U.S. Privacy Shield.
Third-Party Data Centers are currently not within the scope of the certifications and audits described above. However, Cerner's Third-Party Data Centers maintain a comparable set of certifications and audits, as applicable to the services they provide. Information about security and privacy related certifications and audits received by Third-Party Data Centers is available from the third party. Cerner can help guide you to the relevant information.
Cerner will provide its Standard Information Gathering (SIG) or Consensus Assessment Initiative Questionnaire (CAIQ) in response to Client's request for an audit of Cerner's security policies and procedures. If such documentation is not available, then, no more than once per year and at Client's sole expense, Client may audit Cerner's security policies and procedures, excluding any policies and procedures which may risk Cerner's ability to maintain the privacy and security of the environment if released, as determined by Cerner in its sole but reasonable discretion. In no event may Client perform its own penetration testing of the environment.
EFFECTIVE DATE: February 19, 2019