Cybersecurity Requirements

Shared Responsibility

ProKnow DS is built on Microsoft Azure, and follows Azure security best practices pertaining to the design of its network architecture and access model. As a cloud-based vendor, it is our responsibility to design, develop, and deploy a secure system to help protect the confidentiality of both our customers and their patients. However, realizing a secure, cloud-based environment is ultimately a shared responsibility shared between ProKnow and our customers. ProKnow can relieve customers' operational burden as it pertains to managing the information technology infrastructure, but it is the customer's responsibility to employ responsible access rights, manage the security of individual client workstations (including the operating systems and browsers used to access ProKnow DS), and ensure that their users have the necessary training related to safe computer usage. This article describes the recommended and suggested cybersecurity controls that should be employed by organization administrators and users of ProKnow DS to ensure a safe and secure environment.

Principle of Least Privilege

The principle of least privilege (PoLP, also commonly referred to as the principle of minimal privilege or the principle of least authority) requires that within a particular environment, every agent (such as a process, a user, or a program, depending on the subject) must be able to access only the information and resources that are necessary for its legitimate business purposes. Practically speaking, this principle implies that user accounts should only be granted access to the specific functions that they require to perform their assigned job duties.

ProKnow DS manages the access and permissions of users via its Identity and Access Management services—specifically through the use of Users, Roles, and Workspaces. In this respect, it is the responsibility of the organization administrator to ensure that the organization's users are only granted the necessary privileges that are essential to performing their intended functions. For example, the ability to create API Keys should be restricted to users who have demonstrated that they understand the importance of securing any API Keys that they create for their account.

Workstation Security

It is important to understand that a system is only as secure as the least secure component in the system. Imagine that you are in a public place working on sensitive information on your laptop. What is more likely: that a hacker halfway across the world is able to intercept and decode your network packets or that the person sitting behind you looks over your shoulder at your computer screen? This simple example illustrates the importance of being aware of basic workstation security. Workstation security involves being mindful of simple but critical safety measures related to your physical workstation. All personnel using ProKnow DS should be aware of and abide by the following guidelines and best-practices:

• Do not open, browse, or compose content in ProKnow DS in public areas where it would be easy for others to eavesdrop. If you need to use ProKnow DS in a public area (or on a public web meeting), use Anonymized Mode to temporarily hide PHI from the user interface.
• Do not open, browse, or compose content in ProKnow DS while connected to insecure or public wireless networks.
• All computing devices used to access ProKnow DS should be secured with a password-protected screensaver with the automatic activation feature set to 10 minutes or less.
• Users should be instructed to always lock the screen or log off when leaving a device unattended.

In addition to utilizing proper secure workstation behavior, it is also critical that:

• All client workstations used to access ProKnow DS are up to date with necessary operating system security patches and updates,
• All client workstations utilize one of the supported browsers and that all browsers are updated to the latest version,
• All client workstations employ sufficient anti-virus and malware protection to ensure that client operations or behavior is not compromised.

Ultimately, it is the responsibility of each user to employ safe computer-use practices to help ensure that the entire system remains secure.

Password Safety

The easiest way to secure your accounts is to ensure your users utilize strong, unique passwords for all of their accounts. Strong passwords are long—the more characters you have the stronger the password. It is recommended that a minimum of 14 characters be used in each of your passwords. In addition, the use of passphrases (passwords made up of multiple words) is highly encouraged. Examples include “It’s time for vacation” or “block-curious-sunny-leaves”. Passphrases are both easy to remember and type, yet meet the strength requirements. Poor or weak passwords have the following characteristics:

• Contain less than eight characters.
• Contain personal information such as birthdates, addresses, phone numbers, or names of family members, pets, friends, companies, and fantasy characters.
• Contain alphabetical, numerical, or key patterns such as aaabbb, qwerty, zyxwvuts, or 123321.
• Are some version of Welcome123, Password123, Changeme123, etc.

For an overview of the characteristics of a strong password, see Implement Proper Password Strength Controls on the OWASP website. NIST recommends a minimum character length of 8, and suggests that length is a better indicator of strength than complexity. In addition to constructing sufficiently strong passwords, it is important to keep in mind the following additional aspects of password safety:

• Passwords must not be shared with anyone, including supervisors and coworkers. All passwords are to be treated as sensitive, confidential information.
• Passwords must not be inserted into email messages or other forms of electronic communication, nor revealed over the phone to anyone.
• Passwords should only be stored in approved "password managers" with sufficient encryption protection.

ProKnow DS provides two methods to enforce password safety across your organization. The first is through requiring sufficiently strong passwords during user creation. ProKnow DS allows each organization to configure their required password strength to 3 different levels:

• Fair: at least 8 characters including a lower-case letter, an upper-case letter, and a number.
• Good: at least 8 characters including at least 3 of the following 4 types of characters: a lower-case letter, an upper-case letter, a number, a special character (such as !@#$%^&*).
• Excellent: at least 10 characters including at least 3 of the following 4 types of characters: a lower-case letter, an upper-case letter, a number, a special character (such as !@#$%^&*). Not more than 2 identical characters in a row (e.g., 111 is not allowed).

By default, ProKnow DS is configured to require all passwords to be at least "Fair" strength, however, you may contact ProKnow DS support at any time to change the password requirements for your organization.

The second method that can be used to enforce password safety is to utilize a federated login system (e.g., SAML 2.0). By leveraging a federated login system, your organization is able to completely control the management of the password requirements (including expiration) as well as access rules. Oftentimes this also has the added benefit that your users will be able to use their existing network credentials to access ProKnow DS. In order to use a federated login system, it must be a supported identity provider. Once you've confirmed that your login system is supported, you may contact ProKnow DS support to integrate your identity provider with your ProKnow DS account.

Multi-Factor Authentication

MFA, sometimes referred to as two-factor authentication or 2FA, is a security enhancement that allows you to present two pieces of evidence, i.e., your credentials, when logging in to an account. Your credentials fall into any of these three categories: (1) something you know (like a password or PIN), (2) something you have (like a smart card or phone), or (3) something you are (like your fingerprint). Your credentials must come from two different categories to enhance security, so entering two different passwords would not be considered multi-factor. In fact, you have probably already use multi-factor authentication in some form, for example, you’ve used MFA if you’ve:

• swiped your bank card (something you have) at the ATM and then entered your personal identification number (something you know), or
• logged into a website with your username and password (something you know) and then had to enter a time-based one-time password from an application like Google Authenticator from your phone (something you have).

MFA helps protect you by adding an additional layer of security, making it harder for others to log in as if they were you. Your information is safer because thieves would need to steal both your password and your phone (for instance). You would definitely notice if your phone went missing, so you’d report it before a thief could use it to log in. In addition, your phone should be locked—requiring a PIN or fingerprint to unlock—rendering it even less useful if someone wants to use your MFA credentials.

Using 2FA is one of the top three things that security experts do to protect their security online, according to a recent Google survey.

ProKnow DS allows users to individually configure two-factor authentication for their account, as well as organization administrators to require that all of their users use Multi-Factor Authentication (please contact ProKnow DS support in order to enable this option for your organization). It is highly recommended that all users of ProKnow DS utilize two-factor authentication to reduce the risk of unauthorized access.