As COVID-19 continues to spread rapidly around the globe, some organizations are holding back from posting datasets for fear of not meeting regulatory security and privacy obligations (such as HIPAA), while others push datasets out publicly in a panic. It does not need to be this way. Esri geospatial visualization, analytics, and geographic thinking are being leveraged and showcased heavily during this pandemic to help understand and analyze infections, deaths, business continuity, and more. Strong public interest in geospatial services concerning COVID-19 has also drawn actors looking for opportunities to inject malware or drive misinformation.
We have extensive security and privacy guidance within the ArcGIS Trust Center covering the areas above; however, this blog post highlights some of the resources we have available to effectively support COVID-19 scenarios with our products in a manner that meets security and privacy demands. This includes new whitepapers, tools, and the minimum steps you should consider when posting COVID-19 geospatial resources on the web.
Privacy & Healthcare Data
Privacy and healthcare information are at the forefront of concerns with COVID-19 datasets. We are proud to release Esri’s first Privacy whitepaper, which addresses privacy concerns with ArcGIS location tracking capabilities and also provides privacy best-practice considerations for both ArcGIS Online and ArcGIS Enterprise deployments.
In the United States, when a national emergency is declared, some aspects of the HIPAA Privacy Rule are waived, as has been done for COVID-19; however, the HIPAA Security Rule remains fully intact. Since Esri currently does not sign Business Associate Agreements (BAAs) for its ArcGIS Online SaaS offering, if you want to support emergency communications awareness incorporating Protected Health Information (PHI) you should either:
- De-identify the PHI as outlined by HHS to support usage in alignment with ArcGIS Online’s 3rd party audited FedRAMP Tailored Low authorization, or
- Utilize ArcGIS Enterprise either on-premises, or in the cloud, where your organization can manage the operations of the environment to fully meet HIPAA requirements, or
- Review the ArcGIS Online security and privacy controls in place and determine whether they are adequate for your organization’s requirements. You can see the FedRAMP Tailored Low controls currently in place here; how key security principles are addressed is summarized below.
ArcGIS Online Recommendations
If you are utilizing ArcGIS Online, we strongly recommend having your administrator validate that your configuration is in alignment with best practices by using Esri’s Security Advisor tool, accessible from the ArcGIS Trust Center home page https://Trust.ArcGIS.com. Below we have listed how ArcGIS Online addresses twelve principles commonly referenced for securing health solutions:
- Appropriate identity & authentication – We strongly recommend customers utilize SAML-based Enterprise Logins for securing their organization identities and utilize multi-factor authentication. If you utilize SAML, please ensure you have configured your SAML requests and responses to be signed. If your organization is configured to allow public users to post information via crowdsourcing or via anonymous surveys, we recommend that all org admins and publishers utilize multi-factor authentication.
- Appropriate authorization / Role Based Access Control – ArcGIS Online has Role-Based-Access-Control (RBAC) with both standard and custom roles available.
- Anti-malware solution – Antivirus is deployed to ArcGIS Online servers and any files uploaded are scanned and rejected when issues are identified.
- Appropriate certificate/key management – ArcGIS Online keys are maintained by the ArcGIS Online operations team and stored in Cloud Service Provider Key Management Services which are FIPS 140-2 compliant.
- Encrypt data – All customer data stored within ArcGIS Online is encrypted at rest and encrypted in transit by default. We consider HTTP/clear-text traffic for emergency datasets dangerous, and we strongly recommend organizations enforce HTTPS only immediately. Be aware that HTTP will not be an option for ANY ArcGIS Online organizations by the end of 2020.
- Third-Party tested – ArcGIS Online undergoes internal testing on a regular basis and is 3rd party audited annually against FedRAMP Tailored Low controls.
- Threat modeling services and applications – As new capabilities are added to ArcGIS Online they undergo threat modeling as part of our Security Impact Analysis requirements.
- Appropriate log events and centralized analysis – ArcGIS Online logs events in alignment with NIST/FedRAMP requirements. Customers can access organization activity logs through the REST API, or view them easily with the Security Advisor tool.
- Staff provided security training – Baseline security training is provided annually, and security champion training meetings are held regularly.
- Patch all systems for updates – ArcGIS Online undergoes web, database, and systems scans at least monthly and is patched based on risk as follows: Critical 7 days, High 30 days, Moderate 90 days, Low 180 days.
- Service inventory up-to-date – The inventory is regularly updated and revalidated at least monthly in preparation for monthly reporting to the Authorizing Official team under FedRAMP requirements.
- Standardized server configurations – ArcGIS Online server instances align with either DISA STIG or CIS Benchmarks as applicable to ensure consistent, security hardened operations.
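The identity, HTTPS-only, and activity-log items above are the ones an administrator can check with a few lines of scripting. The following is an added example, not Esri's Security Advisor and not the ArcGIS REST API client: it checks a constructed organization settings document against the recommendations (HTTPS only, enterprise logins with signed SAML messages, MFA when public sharing is allowed) and then reviews constructed activity-log records for the events worth an analyst's attention. The field names used (allSSL, canSignInArcGIS, canSignInIDP, samlRequestsSigned, mfaEnabled, canSharePublic, and the action/actionType/data record shape) are assumptions and should be verified against the ArcGIS REST API reference before use.

```python
"""Posture check for an ArcGIS Online organization plus a review of
activity-log records, written as an added illustration of the checklist
above. This is example code, not Esri's Security Advisor or its REST API
client. The organization document and log records are constructed,
simplified stand-ins, and the field names used (allSSL, canSignInArcGIS,
canSignInIDP, samlRequestsSigned, mfaEnabled, canSharePublic, and the
action/actionType/data record shape) are assumptions to be checked
against the ArcGIS REST API reference before use."""
import json
from datetime import datetime, timedelta, timezone

# Constructed sample of an organization's settings document (assumed field names).
PORTAL_SELF = json.loads("""
{
  "name": "Example County Health GIS",
  "allSSL": false,
  "canSignInArcGIS": true,
  "canSignInIDP": true,
  "samlRequestsSigned": false,
  "mfaEnabled": false,
  "canSharePublic": true
}
""")


def posture_findings(org: dict) -> list:
    """Return (severity, message) pairs for settings that diverge from the
    recommendations: HTTPS only, SAML-only sign-in with signed messages,
    and MFA for an organization that allows public sharing."""
    findings = []
    if not org.get("allSSL", False):
        findings.append(("high", "HTTP permitted: enable HTTPS only (allSSL)"))
    if org.get("canSignInArcGIS", True):
        findings.append(("medium", "built-in ArcGIS logins still enabled alongside enterprise logins"))
    if org.get("canSignInIDP") and not org.get("samlRequestsSigned", False):
        findings.append(("medium", "SAML enabled but requests/responses are not signed"))
    if org.get("canSharePublic") and not org.get("mfaEnabled", False):
        findings.append(("high", "public sharing allowed but MFA is not enabled for admins/publishers"))
    return findings


# Constructed sample activity-log records (simplified, assumed shape).
ACTIVITY_LOG = [
    {"created": "2020-03-20T09:00:00Z", "owner": "jdoe", "action": "share",
     "actionType": "item", "data": {"sharing": "public"}},  # older than the review window
    {"created": "2020-03-30T10:00:00Z", "owner": "jdoe", "action": "share",
     "actionType": "item", "data": {"sharing": "public"}},
    {"created": "2020-03-30T10:05:00Z", "owner": "admin1", "action": "update",
     "actionType": "organization", "data": {"allSSL": "false"}},
    {"created": "2020-03-30T10:06:00Z", "owner": "admin1", "action": "add",
     "actionType": "user", "data": {"username": "new_pub", "role": "org_publisher"}},
    {"created": "2020-03-30T10:10:00Z", "owner": "jdoe", "action": "update",
     "actionType": "item", "data": {"title": "Cases by ZIP"}},
]

# (action, actionType) -> predicate over the record's data; a match is worth a look.
WATCH = {
    ("share", "item"): lambda d: d.get("sharing") == "public",
    ("update", "organization"): lambda d: True,
    ("add", "user"): lambda d: any(r in d.get("role", "") for r in ("admin", "publisher")),
}


def _parse_ts(ts: str) -> datetime:
    """Parse the 'YYYY-MM-DDTHH:MM:SSZ' timestamps used in the sample records."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def review_activity(records: list, now_iso: str, window_hours: int = 24) -> list:
    """Return (created, owner, reason) for records inside the review window
    that match a WATCH rule: public shares, organization setting changes,
    and newly created privileged accounts."""
    cutoff = _parse_ts(now_iso) - timedelta(hours=window_hours)
    flagged = []
    for rec in records:
        if _parse_ts(rec["created"]) < cutoff:
            continue
        rule = WATCH.get((rec["action"], rec["actionType"]))
        if rule and rule(rec.get("data", {})):
            flagged.append((rec["created"], rec["owner"], f"{rec['action']} {rec['actionType']}"))
    return flagged


if __name__ == "__main__":
    for sev, msg in posture_findings(PORTAL_SELF):
        print(f"[{sev}] {msg}")
    for created, owner, why in review_activity(ACTIVITY_LOG, now_iso="2020-03-30T12:00:00Z"):
        print(f"{created} {owner}: {why}")
```

Run against the constructed sample, the posture check reports all four findings and the activity review flags the public share, the organization setting change, and the new publisher account while ignoring the routine item update and the record that falls outside the 24-hour window. Against a live organization, the two documents would come from the organization's REST endpoints instead of the inline constants.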
Looking forward, the ArcGIS Online team is actively working on aligning its geocoding services with HIPAA, which will be discussed further at the 2020 User Conference.
ArcGIS Enterprise Recommendations
If you are hosting ArcGIS Enterprise yourself, whether in the cloud or on-premises, at a minimum you should check whether your deployment aligns with best practices using the ArcGIS Server and Portal security validation tools, and ensure you have applied the latest ArcGIS security patches. If you are hosting ArcGIS Enterprise with a cloud provider and want to ensure alignment with HIPAA requirements, we recommend checking the associated guidance from Microsoft and AWS. You will notice that, because the cloud providers do not control how the customer utilizes their services, most of the responsibility for meeting the HIPAA Privacy Rule requirements rests with the customer, including reviewing, agreeing to, and obtaining their Business Associate Agreement (BAA).
If you want to take your ArcGIS Enterprise security hardening to the next level (beyond the current tools), we recommend you check out the matrix of best practice configuration guidelines provided in section 8.1 of Esri’s new Privacy paper.
Misinformation & Authoritative Sources
Another major challenge facing organizations posting COVID-19 information to the web is the vast amount of misinformation being disseminated, as highlighted by the UN chief declaring misinformation a new enemy last week. Esri has been battling misinformation about mapping services, such as the Johns Hopkins University dashboard, where initial reports claimed users were being compromised simply by visiting a mapping site. The actual compromise path was a user clicking a link in a phishing email, then downloading and installing an app that looked like the dashboard. There are now Java, .NET, and even Android versions of downloadable malicious apps taking advantage of people operating in panic mode, and this vector will likely continue throughout the pandemic.
To help counter misinformation, we will be adding more vetting for resources posted to our COVID-19 GIS Hub. This includes both mandatory requirements and strongly recommended items, which you may want to consider for your organization’s own COVID-19 sites. We will gradually shift towards featuring only apps that meet both the mandatory and the strongly recommended guidelines on the main home page, to put the most authoritative information up front and encourage organizations to provide stronger reassurance for all.
Some of the key checks will include:
- Authoritative source (e.g. government, scientific community, universities, medical organizations, NGOs),
- Use of HTTPS, to better ensure the organization is who they say they are,
- App scanned for malware and reputation,
- Organization verified and evidenced by an “Authoritative” badge, and more…
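As an added example of how the checks just listed can be applied mechanically to a submitted app (this is example code, not Esri's own hub vetting process), the following script takes a submission URL, the downloaded package bytes and the organization's verification status, and reports every check that fails: HTTPS, a real host name rather than an IP literal or embedded credentials, an authoritative source category, a package hash that is not on a known-bad list, and a verified organization. The authoritative-suffix allowlist and the known-bad hash are constructed for the example.

```python
"""Vetting checks for an app submitted to a COVID-19 hub page, as an added
example of the checks listed above; this is not Esri's own vetting process.
The authoritative-source allowlist and the known-bad hash are constructed
for the example."""
import hashlib
import ipaddress
from urllib.parse import urlsplit

# Constructed: host suffixes treated as authoritative and the category they map to.
AUTHORITATIVE_SUFFIXES = {
    ".gov": "Government",
    ".edu": "University",
    "who.int": "Medical",
    "un.org": "NGO",
}

# Constructed: SHA-256 of a package already identified as a fake dashboard installer.
KNOWN_BAD_SHA256 = {hashlib.sha256(b"constructed fake dashboard installer").hexdigest()}


def classify_source(host: str):
    """Map a host name to an authoritative category, or None when it matches none."""
    host = host.lower().rstrip(".")
    for suffix, category in AUTHORITATIVE_SUFFIXES.items():
        bare = suffix.lstrip(".")
        if host == bare or host.endswith("." + bare):
            return category
    return None


def vet_submission(url: str, app_bytes: bytes = None, verified_org: bool = False) -> dict:
    """Run the hub checks over one submission and report every issue found:
    HTTPS only, a plain host name, an authoritative source, a package that
    is not on the known-bad list, and a verified organization."""
    issues = []
    parts = urlsplit(url)
    if parts.scheme != "https":
        issues.append("not served over HTTPS")
    host = parts.hostname or ""
    if not host or parts.username is not None:
        issues.append("URL has no usable host name or embeds credentials")
    else:
        try:
            ipaddress.ip_address(host)
            issues.append("host is an IP literal rather than a named organization")
        except ValueError:
            pass  # a normal host name, as expected
    category = classify_source(host) if host else None
    if category is None:
        issues.append("source is not in an authoritative category")
    if app_bytes is not None and hashlib.sha256(app_bytes).hexdigest() in KNOWN_BAD_SHA256:
        issues.append("package hash matches a known malicious installer")
    if not verified_org:
        issues.append("organization has not been verified (no Authoritative badge)")
    return {"passed": not issues, "category": category, "issues": issues}


if __name__ == "__main__":
    for sample in ("https://health.example.gov/covid-dashboard",
                   "http://health.example.gov/covid-dashboard",
                   "https://203.0.113.10/dashboard"):
        print(sample, vet_submission(sample, verified_org=True))
```

The suffix match is anchored on a dot boundary so that a host such as who.int.example.com does not inherit the Medical category; a production allowlist would be maintained per organization rather than per top-level suffix, but the structure of the check is the same.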
Lastly, it’s just as important not to accidentally become a source of misinformation yourself, which can happen if you don’t take the time to ensure that your maps and applications communicate what you mean. A great article on this topic concerning COVID-19 maps, Mapping Coronavirus Responsibly, was posted just last month.
Stay safe, healthy and secure.
- Esri Software Security & Privacy
Esri is providing these informational resources as a convenience to our users. The information is not intended to constitute legal advice, and the user should always seek competent, local legal counsel to advise the user in how to properly and securely handle PII and PHI data under regulations such as HIPAA.