Cryptographic Failures

The first step is to determine what protection the data needs in transit and at rest. For example, passwords, credit card numbers, health records, personal information, and business secrets require extra protection, especially if that data falls under privacy laws (for example, the EU's General Data Protection Regulation (GDPR)) or regulations (for example, financial data protection standards such as the PCI Data Security Standard (PCI DSS)).

Oracle DMW uses compliant cryptographic algorithms and uses SSL/TLS to protect data in transit.

Sensitive Data Exposure - Attackers may obtain unauthorized access to poorly protected sensitive data. Take care to keep sensitive information hidden from unauthorized users.

When using the Oracle DMW APIs, the SQL*Net connection to the database should be secured with cryptographic controls such as a VPN tunnel.

Clinical trial data stored in Oracle DMW may contain blinded data, which shouldn't be viewed by some application users. By default, the blinded data is not returned to the user through the Generic Visualization Business Areas (GVBA) access. The user must specifically request access to the blinded data through one of the API calls, and is granted access only if the appropriate "blind break" privileges have been granted to the user. Access to blinded data is audited in the Oracle DMW application.

When initializing access to a GVBA using the API procedure CDR_PUB_API_GVA.setInitializeBa, users cannot set incompatible blinding access types for different business areas during the same session. If this is attempted, an error occurs. To change the blinding access type, the user must reset the business area access by calling the appropriate GVBA procedure, and then initialize each business area again using the same blinding access type.
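The following is an added illustrative model of the session rules described in the two preceding paragraphs (default withholding of blinded data, explicit blind-break request checked against granted privilege, one blinding access type per session with a reset required to change it, and auditing of blinded-data access). It is not Oracle DMW code and does not call the real CDR_PUB_API_GVA package: the class name GvbaSession, the access-type names STANDARD and BLIND_BREAK, the blind_break_grants privilege model, and the sample rows are all assumptions made for the example.

```python
# Illustrative model of the GVBA session rules described on this page.
# This is NOT Oracle DMW code: the class, value names and privilege model are
# assumptions used to show the behaviour, not the real CDR_PUB_API_GVA API.
from dataclasses import dataclass, field
from enum import Enum


class BlindingAccess(Enum):
    """Assumed names for the two blinding access types a session can use."""
    STANDARD = "standard"        # default: blinded values are withheld
    BLIND_BREAK = "blind_break"  # explicit request to see blinded values


class BlindingAccessConflict(Exception):
    """Raised when a session mixes incompatible blinding access types."""


class BlindBreakNotGranted(Exception):
    """Raised when a user requests blinded data without blind-break privilege."""


@dataclass
class GvbaSession:
    user: str
    # Business areas for which this user holds blind-break privilege (assumed model).
    blind_break_grants: set
    initialized: dict = field(default_factory=dict)  # business area -> BlindingAccess
    audit_log: list = field(default_factory=list)    # records of blinded-data access

    def initialize_ba(self, business_area: str, access: BlindingAccess) -> None:
        """Initialize a business area for this session (models setInitializeBa)."""
        # Rule: every business area initialized in one session must share one access type.
        for other_ba, other_access in self.initialized.items():
            if other_access is not access:
                raise BlindingAccessConflict(
                    f"{business_area} requested {access.value} but {other_ba} was "
                    f"initialized with {other_access.value}; reset the session first")
        # Rule: blind break is granted only if the user holds the privilege for that area.
        if access is BlindingAccess.BLIND_BREAK and business_area not in self.blind_break_grants:
            raise BlindBreakNotGranted(
                f"{self.user} has no blind-break privilege on {business_area}")
        self.initialized[business_area] = access
        if access is BlindingAccess.BLIND_BREAK:
            self.audit_log.append((self.user, business_area, "blind_break_initialized"))

    def reset(self) -> None:
        """Clear all initializations so a different blinding access type can be chosen."""
        self.initialized.clear()

    def query(self, business_area: str, rows: list) -> list:
        """Return rows, withholding blinded ones unless the area was initialized for blind break."""
        if business_area not in self.initialized:
            raise KeyError(f"{business_area} is not initialized in this session")
        if self.initialized[business_area] is BlindingAccess.BLIND_BREAK:
            self.audit_log.append((self.user, business_area, "blinded_rows_returned"))
            return list(rows)
        return [r for r in rows if not r["blinded"]]


# Constructed sample data: the treatment-arm value is the blinded element.
SAMPLE_ROWS = [
    {"subject": "S001", "visit": "V1", "arm": None, "blinded": False},
    {"subject": "S001", "visit": "V1", "arm": "placebo", "blinded": True},
    {"subject": "S002", "visit": "V1", "arm": None, "blinded": False},
    {"subject": "S002", "visit": "V1", "arm": "active", "blinded": True},
]


def demo() -> dict:
    """Walk through the rules: default filtering, conflict on mixed types, reset, audit."""
    session = GvbaSession(user="analyst1", blind_break_grants={"BA_SAFETY"})
    session.initialize_ba("BA_SAFETY", BlindingAccess.STANDARD)
    default_rows = session.query("BA_SAFETY", SAMPLE_ROWS)  # blinded rows withheld

    try:  # mixing access types in one session fails
        session.initialize_ba("BA_EFFICACY", BlindingAccess.BLIND_BREAK)
        conflict = False
    except BlindingAccessConflict:
        conflict = True

    session.reset()  # required before the access type can change
    session.initialize_ba("BA_SAFETY", BlindingAccess.BLIND_BREAK)
    unblinded_rows = session.query("BA_SAFETY", SAMPLE_ROWS)

    try:  # same access type, but no blind-break grant on BA_EFFICACY
        session.initialize_ba("BA_EFFICACY", BlindingAccess.BLIND_BREAK)
        denied = False
    except BlindBreakNotGranted:
        denied = True

    return {
        "default_rows": len(default_rows),
        "conflict": conflict,
        "unblinded_rows": len(unblinded_rows),
        "denied": denied,
        "audit_events": len(session.audit_log),
    }


if __name__ == "__main__":
    print(demo())
```

The point of the model is the ordering of checks: the session-wide consistency rule is evaluated before the privilege rule, so a user who mixes access types gets a conflict error regardless of privilege, and a blind-break request on an area without a grant is refused even when the rest of the session is already in blind-break mode. Every successful blind-break initialization and every blinded-row return is written to the audit log.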

Users who are allowed to view data, especially blinded data, should take care that the data is never displayed to colleagues who should not see it, either because the data is blinded or because it belongs to a study or clinical data model to which they do not have access.