
CCHIT and the Advantage Database Server

CCHIT - Certification Commission for Health Information Technology

2011 Certification
Upon inspection of the criteria for 2011 certification, it has been determined that applications using the Advantage Database Server can comply with the certification criteria, often with only minor modifications.

Authentication
SC 03.11 – When passwords are used, the system shall support the ability to protect passwords when transported or stored through the use of cryptographic-hashing with SHA1 and/or cryptographic-encryption with Triple Data Encryption Standard (3DES).

After confirmation from the commission, it has been determined that the authentication criteria SC 03.11 applies to user credentials and authentication to your application, not to the database.

While Advantage data dictionary authentication does protect passwords during authentication, its protection is based on the RC4 algorithm, not one of the algorithms mentioned in the authentication criteria.

To pass the authentication criteria, you will need to use a third-party mechanism other than the Advantage data dictionary (Windows Active Directory, Kerberos, etc.) to authenticate users.

If you need to store user credentials in the database, you will need to use your own passwords table, and your application will need to store an acceptable hash of the password in the table (using SHA1, 3DES, etc.). Relying on an encrypted Advantage table in this case is not satisfactory.

Technical Services
SC 06.06 – The system, when storing PHI on any device intended to be portable/removable (e.g. thumb-drives, CD-ROM, PDA, Notebook), shall support use of a standards based encrypted format using triple-DES (3DES).

The Advantage Database Server uses an RC4 encryption algorithm, which is not acceptable to meet this CCHIT criterion. If your application stores protected health information on a portable/removable device, you will need to use a third-party encryption library (OpenSSL, Certicom, etc.) to secure the information.

Note that if your application provides backup functionality to any destination that might be portable media, you will need to address SC 06.06. For example, if you allow the user to choose the path for the backup, the user could enter the path to a USB thumb drive.

Internet and/or Open Network Communication
SC 06.01, SC 06.04, SC 06.05 – Protection of protected health information over the internet or an open network. 

Advantage Database Server internet connections are secured using authentication and communication encryption based on the RC4 algorithm. While secure, this algorithm is not mentioned in the criteria. To meet the CCHIT criteria, traffic between an Advantage client and server must be tunneled through one of the accepted protocols (IPSec, SSL, etc.). VPN solutions can be used to accomplish this task if necessary.

Additional Questions
If you have questions about certification criteria that were not addressed above, feel free to send additional questions to AdvantageInfo@Sybase.com and we will be happy to assist you.

© Copyright 2010, Sybase Inc.