Introduction

Overview

Your Oracle Health Insurance applications will probably store sensitive patient and patient health information. Security measures must be put in place and must comply with standards such as the Health Insurance Portability and Accountability Act (HIPAA) in the US.

This guide explains how to secure an Oracle Health Insurance installation, including the configuration and installation steps needed to meet security goals. It describes the types of security features and services that are available to detect and prevent a potential security breach. This encompasses secure system deployment, reliability and availability of the application, authentication, authorization, and protection of sensitive data.

Secure System Deployment

To keep your deployment of the Oracle Health Insurance applications secure, make sure that you:

  • Keep software versions and patches up to date. Regularly check My Oracle Support for Critical Patch Updates (CPU) for the Oracle Health Insurance execution platform (Oracle Database and Oracle WebLogic application server).

  • Carefully check the Installation Guide and Release Notes before installing a new release.

  • Restrict Network Access to Critical Services.

    Keep both the Oracle Health Insurance application’s middle-tier and database behind a firewall. In addition, configure a firewall between the middle-tier and the database. The firewalls ensure that access to these systems is restricted to a known network route, which can be monitored if necessary.

  • Minimize the Attack Surface

    The "attack surface" of a system is the sum of the different entry points that an unauthorized user can exploit to gain access to system services or to the data maintained in the system. Common strategies for reducing the attack surface, or hardening the system, include (but are not limited to):

    • Minimize the number of services running, i.e. make sure that only required services are run.

    • Make sure that all entry points, such as the system’s user interface and its web services, are secured. For example, make sure that SSL/TLS is used between clients and the load balancer / DMZ.

Specifically for Oracle Health Insurance applications make sure you:

  • do not install software on the machines that run the Oracle Health Insurance applications technology stack if it is not required for running the Oracle Health Insurance applications. Check the Installation Guide for detailed requirements. This guide, for example, specifically lists the services that need to be installed for Oracle’s WebLogic server.

  • do not install additional applications in the WebLogic domains that run Oracle Health Insurance applications.

  • track and trace use of the system, e.g. by logging the access of users and external services.

Authentication and Authorization

Know your users and give them the least amount of privileges they need to perform their jobs! Oracle Health Insurance uses role-based user authorization for accessing system functions. System functions can be either UI functions or services.

Protection of Sensitive Data

Oracle Health Insurance offers the possibility to conceal or restrict access to sensitive data. Examples of the use of this feature include privacy (secret addresses), sensitive medical information (diagnoses and procedures), and user skill level (adjudicating high-value claims).