Health Canada

Electronic Ordering of Controlled Substances (Interim Guidelines)

6) Threat Risk Assessment

It is recommended that a Threat Risk Assessment be carried out as per the referenced guidelines.

Guidance can be found in:

  • Guide to Threat and Risk Assessment for Information Technology, November 1994.

Available from:

Technical Publications & Information Section
Technical Operations Directorate
Royal Canadian Mounted Police
1426 St. Joseph Boulevard
Orleans, Ontario, K1A 0R2
Telephone: (613) 993-8798 / FAX: (613) 993-2107

Internet address: techpubs@seit.com

The Threat Risk Assessment must address the following areas:

User Security:

  • Due diligence process to validate identity of pharmacist;
  • Authentication of the ownership of the certificate;
  • Safeguarding the validity of personal identification codes;
  • Safeguards against loss of personal identification codes.

System Security:

  • Protection of private keys;
  • Safeguards against tampering with order details (ship-to address, amounts shipped);
  • Confirmation of receipt of order.

Database Security:

  • Security of internal system database against tampering.

Encryption and backup:

  • Methods used and reliability;
  • Certification authority.

Physical Security:

  • Web server;
  • Source code security;
  • Redundancy.

Internet Security:

  • Safeguards against unauthorized user access.

The following sample questionnaire can be used to assess the security measures of the proposed system:

  1. Workstations at the Pharmacist & Practitioner Location:

    A.1 What physical measures will be taken to protect the data at these locations: (e.g. access to the workstation/servers)?

    A.2 What authentication will be used to ensure the unique identification of individuals?

    A.3 How are these individuals authorized to gain access to the systems both locally and at the distributor/source sites?

    A.4 Are there any rules and regulations that need to be signed to indicate agreement?

    A.5 Will backups of the data be made? How long will the records be kept? Where will they be kept?

    A.6 How long will records be kept on-line? How long will the records be kept?

    A.7 What happens to the order if the communications link or the distributors/source is not reachable?

    A.8 Are surge protectors / UPS used to protect the equipment?

    A.9 Who maintains the equipment? Are there processes in place to ensure that the information is not tampered with or copied during regular maintenance work (e.g. replacing hard disks under warranty)?

  2. Value Added Network (VAN)

    B.1 What protocols will be used? How do they ensure integrity and availability?

    B.2 Is there any alternative routing?

    B.3 Will the Internet be used directly (as a means to communicate information) or indirectly (available on the system but not used for the application)?

    B.4 What auditing procedures and safeguards will be implemented to prevent access by unauthorized users?

  3. Distributor/Source

    C.1 What specific algorithms are being used for the encryption and digital signature?

    C.2 Public key management - how is the issuance, certification, revocation, changing, etc. managed? What is in place to ensure that digital signatures can be verified in the future, e.g. in 10 years time?

    C.3 Who provides the certification authority function? What is the security designation of the provider? How well is the provider known and trusted?

    C.4 What functions are carried out by the certification authority? Will the certification authority maintain and update the list of authorized users, and if so, how will the accuracy of this list be verified?

    C.5 Do pharmacists and practitioners always deal with the same sources? If not, how is cross-certification handled?

    C.6 What logs are in place for the entire system to ensure that all activity can be audited and verified, from the pharmacist to the dealer?

    C.7 Is there sufficient separation of duties to prevent fraud, e.g. can the operators or the system manager modify the database?

    C.8 Are passwords required? Do they meet the following minimum characteristics?

    • 6 characters in length
    • changed at least annually
    • kept secret
    • generated, controlled and distributed in a manner that ensures their confidentiality and integrity
    • excluded from automatic login scripts
    • generation produces passwords that are pseudo random in nature or verified by an automated process designed to counter triviality and repetition.
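One way to turn the C.8 minimum characteristics into an automated check, as an added example that is not part of the guideline: verify_password reports which of the listed criteria a password fails, and generate_password draws from a cryptographic RNG and re-draws until the result passes. The trivial-word list is a constructed sample, not a reference list from the page.

```python
import secrets
import string

# Minimum password criteria taken from C.8: at least 6 characters, generated
# pseudo-randomly, and screened for triviality and repetition.
MIN_LENGTH = 6
ALPHABET = string.ascii_letters + string.digits

# Constructed sample of trivial passwords; a deployment would load a much larger
# list of common words and leaked passwords (assumption, not from the guideline).
TRIVIAL_WORDS = {"password", "secret", "pharmacy", "welcome", "123456", "qwerty"}


def _has_repetition(pw: str) -> bool:
    """True if any character occurs three or more times in a row (e.g. 'aaa')."""
    return any(pw[i] == pw[i + 1] == pw[i + 2] for i in range(len(pw) - 2))


def _is_sequential(pw: str) -> bool:
    """True if every step between neighbouring characters is +1, or every step
    is -1, in code-point order (e.g. 'abcdef', '654321')."""
    steps = {ord(b) - ord(a) for a, b in zip(pw, pw[1:])}
    return len(pw) >= 3 and steps in ({1}, {-1})


def verify_password(pw: str) -> list:
    """Return the C.8 criteria the password fails; an empty list means it passes."""
    problems = []
    lowered = pw.lower()
    if len(pw) < MIN_LENGTH:
        problems.append("too short")
    if any(word in lowered for word in TRIVIAL_WORDS):
        problems.append("trivial word")
    if _has_repetition(pw):
        problems.append("repeated characters")
    if _is_sequential(pw):
        problems.append("sequential characters")
    if len(set(lowered)) < 3:
        problems.append("too few distinct characters")
    return problems


def generate_password(length: int = 10) -> str:
    """Draw a password from a cryptographic RNG; re-draw until it passes verification."""
    if length < MIN_LENGTH:
        raise ValueError("length must be at least %d" % MIN_LENGTH)
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if not verify_password(candidate):
            return candidate
```

The check covers the length, triviality and repetition points of C.8; secrecy, annual rotation and exclusion from login scripts are procedural controls that the questionnaire addresses separately.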

    C.9 Is there sufficient separation to prevent unauthorized users from gaining access to the information?

    C.10 Who maintains the server equipment and the clients' workstations? What safeguards have been implemented to protect access to the information and the data integrity during periodic maintenance or servicing of the server?

    C.11 Who develops and maintains the application?

    C.12 What controls are in place to ensure that only authorized users obtain a copy of the software?

  4. General

    D.1 How are abortive transactions handled (e.g. transactions stopped part way through the process)?

    D.2 What audit and verification procedures are being proposed to ensure the compliance of any third parties with whom service agreements have been concluded?

    D.3 How will orders be verified? What procedures will be followed to deal with unusual orders? Clarify who will be performing this function and provide the decision criteria, as well as a copy of the procedures to be used.

    D.4 The proposed electronic method of ordering controlled substances may be subject to audits or inspections by the Health Protection Branch, requiring evidence that the system continues to provide adequate security to prevent diversion of narcotics and controlled drugs. What printed reports will be available to support such audits?

    D.5 What procedures will be in place to document and notify HPB of changes to the system, alteration of the encryption technology, change to the certification authority, the server location, or modification of any features in a way that would impact on security? Depending on the nature of these changes a revised threat risk assessment may also have to be submitted.

This is a draft document and is subject to change.

For additional information please contact:

Manager,
Information Services Division
Bureau of Drug Surveillance
Therapeutic Products Programme
Health Canada
Tunney's Pasture
Ottawa, Ontario
K1A 1B9

Phone: (613) 946-1141
Fax: (613) 952-7738

E-mail: peter_hlavats@hc-sc.gc.ca