Cerner Security Program

This Cerner Security Program is designed around Cerner's hosted Platforms—the hardware and operating systems upon which applications and solutions are deployed by Cerner in Cerner's hosted environments on behalf of its clients—in the United States and Canada. Cerner Millennium®, HealtheIntent® and CareAware® are examples of Cerner Platforms. Cerner provides its hosting services from a variety of locations, including:

  • CTCs – Cerner Technology Centers are Cerner-owned facilities that provide the hardware, secure hosting, connectivity and IT expertise to keep the Cerner-hosted systems running.
  • Public Clouds – Public cloud data centers provide a method to obtain on-demand delivery of compute power, database storage, applications and other IT resources via the internet to operate Cerner-hosted systems.
  • Colocated Data Centers – Colocation providers rent space to Cerner to enable Cerner to operate Cerner Platforms at off-site data centers using its own servers and other hardware. Generally, the colocation provider furnishes and manages the power, cooling, physical security and other environmental controls of the building.
  • Third-Party Data Centers – As used in this document, Third-Party Data Center means both Public Clouds and Colocated Data Centers.

Using a Third-Party Data Center does not change the way Cerner manages its Security Program, nor does it provide the Third-Party Data Center with access to Cerner's systems or networks. Cerner builds, maintains and manages Cerner's operating system and infrastructure using at least the same security controls as the controls used to build, maintain and manage the solution stack in a Cerner-owned environment. However, there are some operational differences between Third-Party Data Centers and CTCs as set forth in this Security Program document.

Policies and Procedures

Cerner maintains a documented information privacy, security and risk management program with clearly defined roles, responsibilities, policies, and procedures which are designed to secure the information maintained on Cerner's Platforms. Cerner's program, at a minimum:

  • Assigns data security responsibilities and accountabilities to specific individuals;
  • Describes acceptable use of Cerner's Platform;
  • Provides access control and password attributes for Cerner end users, administrators, and operating systems;
  • Enforces Cerner end user authentication requirements;
  • Describes audit logging and monitoring of Cerner-hosted production environments;
  • Details Cerner's incident response plan;
  • Describes appropriate risk management controls, security certifications and periodic risk assessments; and
  • Describes the physical and environmental security requirements for Cerner's networks, CTCs, and Third-Party Data Centers.

Cerner tightly controls and does not distribute written or electronic copies of its security policies and procedures. Cerner regularly reviews and modifies its security program to reflect changing technology, regulations, laws, risk, industry and security practices and other business needs.

Technical Security

Identity and Access Management

Cerner grants access to client systems based upon role, completion of required training, and the principle of least privilege necessary for access. Access approval processes are strictly enforced, ensuring access is appropriate and satisfies compliance requirements. Cerner manages identity and access to its Platforms by:

  • Enabling access based on the individual's role.
  • Limiting access to the minimum access necessary to perform the individual's applicable job functions.
  • Authorizing and authenticating individuals prior to enabling access to Cerner's Platforms.
  • Monitoring monthly for inactivity and revoking an individual's credentials as appropriate.
  • Managing access through two-factor authentication when using a VPN connection.
  • Not authorizing wireless access.
  • Revoking credentials within 24 hours of an individual's voluntary separation of employment. Credentials are immediately revoked upon an individual's involuntary separation of employment.
  • Using privileged accounts to modify the applicable Platform. Privileged access is strictly limited to individuals with a business justification for use.
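
The inactivity review and the two separation windows above are the kind of rules an access-review job can check mechanically. The following is an added illustration, not Cerner's code or tooling; it assumes "monthly" means a 30-day inactivity limit, a directory export with last-login and separation timestamps, and a constructed set of sample accounts.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Iterable, List, Optional

# Windows taken from the program text: a monthly inactivity review, a 24-hour
# window after voluntary separation, and immediate revocation after involuntary
# separation. The 30-day figure is an assumption standing in for "monthly".
INACTIVITY_LIMIT = timedelta(days=30)
VOLUNTARY_GRACE = timedelta(hours=24)


@dataclass
class Account:
    user: str
    last_login: datetime
    separated_at: Optional[datetime] = None  # None while still employed
    voluntary: bool = True                   # only meaningful when separated_at is set


@dataclass
class Finding:
    user: str
    reason: str
    deadline: datetime  # when the credentials must be gone
    overdue: bool       # True if that deadline has already passed


def review_account(acct: Account, now: datetime) -> Optional[Finding]:
    """Apply the revocation rules to one account; None means it may keep its access."""
    if acct.separated_at is not None:
        if acct.voluntary:
            deadline = acct.separated_at + VOLUNTARY_GRACE
            reason = "voluntary separation (revoke within 24h)"
        else:
            deadline = acct.separated_at
            reason = "involuntary separation (revoke immediately)"
        return Finding(acct.user, reason, deadline, overdue=now > deadline)
    if now - acct.last_login > INACTIVITY_LIMIT:
        # Inactivity is caught by the periodic review itself, so it is due now, not overdue.
        return Finding(acct.user, "no login for more than 30 days", deadline=now, overdue=False)
    return None


def run_access_review(accounts: Iterable[Account], now: datetime) -> List[Finding]:
    """Return every account needing action: overdue revocations first, then by deadline."""
    findings = [f for f in (review_account(a, now) for a in accounts) if f is not None]
    return sorted(findings, key=lambda f: (not f.overdue, f.deadline, f.user))


def T(s: str) -> datetime:
    """Parse a constructed UTC timestamp such as '2019-02-28T09:00'."""
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)


# Constructed sample directory export (hypothetical users, not real accounts).
SAMPLE_ACCOUNTS = [
    Account("alice", last_login=T("2019-02-28T09:00")),
    Account("bob", last_login=T("2019-01-10T17:30")),
    Account("carol", last_login=T("2019-02-27T08:00"),
            separated_at=T("2019-02-28T10:00"), voluntary=True),
    Account("dave", last_login=T("2019-03-01T08:00"),
            separated_at=T("2019-03-01T11:00"), voluntary=False),
    Account("erin", last_login=T("2019-03-01T07:00"),
            separated_at=T("2019-03-01T09:00"), voluntary=True),
]
REVIEW_TIME = T("2019-03-01T12:00")

if __name__ == "__main__":
    for f in run_access_review(SAMPLE_ACCOUNTS, REVIEW_TIME):
        flag = "OVERDUE" if f.overdue else "due"
        print(f"{f.user:6} {flag:8} by {f.deadline.isoformat()}  {f.reason}")
```

Separation checks run before the inactivity check so that a departed employee is never reported merely as "inactive"; an involuntary separation is overdue the moment any time has elapsed, which matches the "immediately" wording and is why it sorts to the top of the report.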

Configuration Management & Network Protections

Cerner uses multiple overlapping security applications and countermeasures within its security program to protect the Platforms. The following are some examples of the security technologies Cerner deploys to protect the Platforms:

  • Anti-Virus Software – Anti-Virus (AV) software is used, as appropriate, throughout the hosted environment and pattern file updates are deployed daily. Inbound data is scanned in real-time and system drives are scanned on a weekly basis. In addition to keeping virus signatures up-to-date, the AV software and scan engines are updated to maintain and improve their effectiveness.
  • Network Firewalls – Perimeter network and critical infrastructure connections are protected by industry standard network firewall technologies.
  • Intrusion Prevention Systems (IPS) – Inline appliances are strategically placed within the network infrastructure to identify malicious or anomalous behavior. Each connection traversing interfaces of the firewall and each major connection traversing the core network is inspected to ensure validity.
  • Denial of Service – Cerner works closely with its internet service providers to detect and defend against denial of service attacks.
  • Proxy Servers – External application access across public networks is scanned for worms and viruses prior to establishing the connection with the destination server. Outbound web and FTP requests are filtered against an authorized list and scanned for worms and viruses.
  • System Hardening – Server templates are updated for industry standard practices in secure configurations. New images are loaded onto all new servers and on older servers as necessary.
  • Patch Management – Cerner maintains an automated system inventory and patching system providing visibility to system changes. Cerner obtains up-to-date patch notification through its partner relationships and tests patches using various processes prior to applying the patches within the applicable Platform(s).
  • Separation of Environments – Cerner maintains appropriate logical and physical separation of its development, test and client production environments.

System Management

System Level Logs

Cerner tracks access to and activity on network devices, security infrastructure components, and server systems, and monitors usage by transferring logs to a centralized repository for analysis, troubleshooting, compliance, and auditing purposes. The enterprise security logging repository, known as a Security Information and Event Management (SIEM) tool, is leveraged to analyze, monitor and correlate log data. Using the SIEM tool, security personnel devise profiles of common events from given systems to focus on unusual activity, avoid false positives, identify anomalies, and prevent insignificant alerts.
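
The "profiles of common events" described above amount to a per-system baseline against which new activity is compared. As an added example (not Cerner's SIEM content or any vendor's rule syntax), the script below builds such a profile from a constructed week of one-line-per-event logs and then flags, for a new day, event types a host never produced in the baseline or produced far more often than its baseline daily rate. The line format, host names, event names and the 3x threshold are all assumptions made for the sample.

```python
import re
from collections import Counter, defaultdict
from typing import Dict, Iterable, List

# Assumed line format for the constructed sample: "<timestamp> <host> <EVENT> [detail]".
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<event>[A-Z_]+)(?: (?P<detail>.*))?$")


def parse(lines: Iterable[str]):
    """Yield one dict per well-formed line; malformed lines are skipped silently."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groupdict()


def build_profile(lines: Iterable[str]) -> Dict[str, Counter]:
    """Profile of 'common events': per-host count of each event type over the baseline window."""
    profile: Dict[str, Counter] = defaultdict(Counter)
    for rec in parse(lines):
        profile[rec["host"]][rec["event"]] += 1
    return profile


def find_anomalies(profile: Dict[str, Counter], new_lines: Iterable[str],
                   baseline_days: int, ratio: float = 3.0) -> List[dict]:
    """Flag event types in the new window that the host never produced during the
    baseline, or that occur more than `ratio` times the host's baseline daily rate."""
    observed: Dict[str, Counter] = defaultdict(Counter)
    for rec in parse(new_lines):
        observed[rec["host"]][rec["event"]] += 1
    anomalies = []
    for host, events in observed.items():
        for event, count in events.items():
            expected = profile.get(host, Counter()).get(event, 0) / baseline_days
            if expected == 0:
                reason = "never seen on this host during the baseline"
            elif count > ratio * expected:
                reason = f"{count} events today vs {expected:.1f}/day in baseline"
            else:
                continue  # within the host's normal profile: no alert
            anomalies.append({"host": host, "event": event, "count": count,
                              "expected_per_day": expected, "reason": reason})
    return sorted(anomalies, key=lambda a: (a["host"], a["event"]))


# Constructed sample: seven quiet days for two hypothetical hosts ...
BASELINE_DAYS = 7
BASELINE = (
    [f"2019-02-{d:02d}T08:00:00Z web01 SSH_LOGIN_OK user=svc_deploy" for d in range(1, 8) for _ in range(2)]
    + [f"2019-02-{d:02d}T09:00:00Z web01 SUDO cmd=/usr/bin/systemctl" for d in range(1, 8)]
    + [f"2019-02-{d:02d}T08:30:00Z db01 SSH_LOGIN_OK user=dba" for d in range(1, 8)]
)
# ... and one new day containing a burst of failed root logins and an unusual number of DBA logins.
TODAY = (
    ["2019-02-08T08:00:00Z web01 SSH_LOGIN_OK user=svc_deploy"] * 3
    + ["2019-02-08T03:12:00Z web01 SSH_LOGIN_FAIL user=root src=203.0.113.5"] * 5
    + ["2019-02-08T09:00:00Z web01 SUDO cmd=/usr/bin/systemctl"]
    + ["2019-02-08T08:30:00Z db01 SSH_LOGIN_OK user=dba"] * 10
)

if __name__ == "__main__":
    profile = build_profile(BASELINE)
    for a in find_anomalies(profile, TODAY, BASELINE_DAYS):
        print(f"{a['host']:6} {a['event']:15} x{a['count']:<3} {a['reason']}")
```

The routine SSH logins and sudo use on web01 stay silent because they fall inside the learned profile, which is the "avoid false positives" half of the goal; only the two deviations surface. In practice the profile would be rebuilt on a rolling window and the ratio tuned per event type.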

Encryption and Cryptographic Storage

Cerner uses proper encryption mechanisms to safeguard data. Cerner performs risk assessments to evaluate how the data is being consumed and the overall sensitivity of the data. Data is encrypted in transmission between the client and Cerner and at rest within the CTC or Third-Party Data Center. Cerner manages client network public and private key infrastructure. Cerner strives to use FIPS 140-2 algorithms when supported by the cryptographic module. Cerner also supports Advanced Encryption Standard (AES) and Transport Layer Security (TLS) encryption protocols.

Vulnerability and Threat Management

Penetration testing is conducted by Cerner security professionals who have appropriate industry certifications and credentials. In addition, Cerner annually engages a third-party to conduct external penetration testing. As part of Cerner's vulnerability and threat management program, Cerner's security professionals analyze and quantify the risk potential of identified vulnerabilities and threats to both Cerner and its clients.

Cerner conducts continuous production scanning of Cerner's Platforms. Cerner scores vulnerabilities based upon the expected impact to the environment and external exposure. Once the vulnerability is scored, a process to mitigate or remediate the vulnerability is initiated.

Identified vulnerabilities are assessed for risk and mitigated or remediated according to their severity level. This analysis draws on industry standards, such as NIST's Common Vulnerability Scoring System (NIST CVSS), and on internal penetration scanning of environments using industry standard tools. Cerner strives to patch vulnerabilities within the timeframes set forth below:

  • Urgent – two weeks if an approved workaround is available, or 48 hours when no workaround is available
  • Critical – 30 days
  • High – 90 days
  • Medium – 180 days
  • Low – 365 days
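
A scoring-plus-timeframe policy like the one above is easy to operationalize as a due-date tracker. The following is an added example, not Cerner's process or tooling: it assigns a severity from a CVSS v3 score and external exposure (that mapping, including the rule that an externally exposed Critical finding becomes Urgent, is an assumption made for the example, not Cerner's published method), applies the page's windows including the Urgent workaround rule, and reports which constructed findings are overdue. Finding identifiers are placeholders.

```python
from datetime import datetime, timedelta, timezone
from typing import Dict, List

# Remediation windows as stated in the program text.
URGENT_WITH_WORKAROUND = timedelta(weeks=2)
URGENT_NO_WORKAROUND = timedelta(hours=48)
SLA: Dict[str, timedelta] = {
    "Critical": timedelta(days=30),
    "High": timedelta(days=90),
    "Medium": timedelta(days=180),
    "Low": timedelta(days=365),
}
# Assumed exposure bump: one level up when reachable from the internet.
BUMP = {"Critical": "Urgent", "High": "Critical", "Medium": "High", "Low": "Medium"}


def severity(cvss: float, externally_exposed: bool) -> str:
    """Assumed scoring model (not Cerner's): standard CVSS v3 bands, raised one level when exposed."""
    if cvss >= 9.0:
        band = "Critical"
    elif cvss >= 7.0:
        band = "High"
    elif cvss >= 4.0:
        band = "Medium"
    else:
        band = "Low"
    return BUMP[band] if externally_exposed else band


def deadline(sev: str, identified: datetime, workaround_available: bool) -> datetime:
    """Due date per the page's table; only Urgent depends on whether a workaround exists."""
    if sev == "Urgent":
        window = URGENT_WITH_WORKAROUND if workaround_available else URGENT_NO_WORKAROUND
    else:
        window = SLA[sev]
    return identified + window


def sla_report(findings: List[dict], now: datetime) -> List[dict]:
    """One row per finding with its derived severity, due date and overdue flag."""
    rows = []
    for f in findings:
        sev = severity(f["cvss"], f["external"])
        due = deadline(sev, f["identified"], f.get("workaround", False))
        rows.append({"id": f["id"], "severity": sev, "due": due,
                     "overdue": (not f.get("remediated", False)) and now > due})
    return rows


def overdue_ids(findings: List[dict], now: datetime) -> List[str]:
    return [r["id"] for r in sla_report(findings, now) if r["overdue"]]


def D(s: str) -> datetime:
    """Parse a constructed UTC date such as '2019-02-25'."""
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)


# Constructed scanner output; VULN-00x identifiers are placeholders, not real CVEs.
SAMPLE_FINDINGS = [
    {"id": "VULN-001", "cvss": 9.8, "external": True, "workaround": False, "identified": D("2019-02-25")},
    {"id": "VULN-002", "cvss": 9.8, "external": True, "workaround": True, "identified": D("2019-02-25")},
    {"id": "VULN-003", "cvss": 7.5, "external": False, "identified": D("2018-11-01")},
    {"id": "VULN-004", "cvss": 5.0, "external": True, "identified": D("2019-01-01")},
    {"id": "VULN-005", "cvss": 3.1, "external": False, "identified": D("2018-01-01"), "remediated": True},
]
NOW = D("2019-03-01")

if __name__ == "__main__":
    for r in sla_report(SAMPLE_FINDINGS, NOW):
        status = "OVERDUE" if r["overdue"] else "on track"
        print(f"{r['id']} {r['severity']:9} due {r['due'].date()}  {status}")
```

The two Urgent findings differ only in the workaround flag, which moves the due date from 48 hours out to two weeks out; that single field decides whether the first one is already late at the report date while the second is not.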

Physical and Environmental Security

Physical and environmental security measures are implemented in a strategic layered approach to deter, delay, and detect any attempted intrusion. These measures are designed both in accordance with needs unique to the facility and to ensure critical systems are provided a hardened, secure and reliable environment.

At a minimum, Cerner ensures the following physical and environmental security controls are maintained at the CTCs and within any Third-Party Data Center leveraged by Cerner:

  • Access control systems to restrict entry solely to Cerner personnel and authorized third parties.
  • Facility designed with industry standard environmental controls (such as fire detection and suppression systems, cooling systems, humidity controls, power distribution controls, uninterruptible power supply and back-up generator capability).
  • Facility designed with industry standard perimeter controls (such as guard stations, physical barriers, video surveillance and appropriate weather-resistant design).

Incident Management

Immediate Response Center (IRC)

The primary duty of the IRC is to answer second and third tier support calls from client help desks and resolve reported issues. Reported issues are documented and stored in a central repository. The IRC team uses system monitoring tools to track and respond to alarms and warnings and take appropriate action. Cerner's IRC is staffed 24x7x365.

Computer Security Incident Response Center (CSIRC)

Cerner's Computer Security Incident Response Center (CSIRC) is the control center for security incident event management and is responsible for 24x7x365 continuous threat monitoring of Cerner's Platforms. The CSIRC team ingests and coordinates responses to international, federal, and tech industry threat intelligence information, in an effort to safeguard Cerner environments. In addition, the team leverages industry standard tools to systematically analyze logs to identify potential unauthorized activity and focus on potential threats.

Security Incidents

Cerner maintains a security incident management process to investigate, mitigate, and communicate system security events occurring within a Platform. Impacted clients are informed of relevant security incidents in a timely manner and advised of recommended corrective measures to be taken.

Security Event Management

Cerner does not notify clients or publicly speak about “named” vulnerability events (e.g. WannaCry, Heartbleed, and ShellShock). Cerner will engage in private discussions if clients have questions about Cerner's approach to specific events.

Change Management

Cerner maintains change management processes, based on Information Technology Infrastructure Library (ITIL) best practices, which are designed around the type of change and level of risk associated with that change. Cerner's policies require Cerner to communicate relevant non-routine changes it makes to a client's system with the impacted client. Changes are validated, reviewed, and receive approvals commensurate with the risk of the change. Cerner uses Change Advisory Boards (CABs) to review significant changes with known downtime or heightened risk. Changes are logged and maintained within Cerner's centralized change request system. Clients are responsible for controlling and documenting any system modifications they perform.

Contingency Planning

Cerner's contingency program is based on ISO 22301 and is designed to ensure continued operation of essential technology by supporting internal and external client functions during any incident (e.g. a situation that might be, or could lead to, an extended disruption, loss, emergency or crisis).

Disaster Recovery and Resiliency

Cerner provides a redundant and highly available infrastructure to minimize disruptions to the production environments. If a disruptive incident occurs, Cerner follows an established, exercised and documented contingency program to restore service as quickly and effectively as possible, using commercially reasonable measures. The incident management portion of Cerner's contingency planning program is tested, reviewed, and updated annually. Cerner offers different levels of disaster recovery services based on the applicable Platform.

Software Development Lifecycle

Cerner uses a variety of security tools to perform both static and dynamic analysis of its applications to identify vulnerabilities. As part of Cerner's development process, these vulnerabilities are often addressed during the development lifecycle prior to releasing new code.

Personnel

Security Awareness

Cerner's security awareness program requires associates to participate in mandatory education and training activities related to their specific role. These activities are designed to maintain the effectiveness of Cerner's security posture and include:

  • Continuing education campaigns;
  • Annual security training;
  • Localized security training; and
  • Targeted security bulletins.

Employment Requirement Guidelines

In 2003, Cerner began its process of regularly screening its offer-stage employment candidates through a background check process. Beginning in 2012, Cerner started requiring candidates to submit to a drug screening prior to beginning employment.

Background Checks

Cerner's applicant background check process varies based on the candidate's potential role and applicable law. To the extent allowed by applicable law, background checks consist of:

  • Employment history dating back ten years;
  • Education verification (highest degree), as required based on role;
  • Criminal search dating back seven years;
  • Social Security Number verification;
  • Healthcare sanctions check; and
  • Global sanctions and enforcement check.

Subcontractors

Cerner requires subcontractors to assure the competency and eligibility of their employees who provide services to Cerner's clients. Subcontractor personnel are required to complete background checks applicable to the services performed; such background checks must be at least as prescriptive as the background checks Cerner requires for Cerner associates.

Third Party Risk Management

Cerner requires business associate agreements and nondisclosure agreements with its Third-Party Data Centers and the suppliers it uses to provide the Platform, as appropriate based on that entity's access to data and other confidential information. Cerner requires that its suppliers complete a data security questionnaire as part of Cerner's evaluation process for the supplier. In addition, Cerner conducts annual supplier security risk assessments on its suppliers based on that supplier's risk profile.

Offshore Resources

Cerner is a global company with offices and associates throughout the world. Cerner's current operational and support model includes the use of global associates. Cerner may provide temporary access to the Platforms from outside of the country where the applicable Platform is hosted. All associates with access to the Platform are required to participate in mandatory education and training activities related to their specific role and are required to follow Cerner's security policies and processes. Training records are tracked and maintained for compliance purposes.

Destruction of Media

All storage media used for the delivery of Cerner's hosting services is purged and disposed of in accordance with Cerner's policy for electronic media disposal. The policy adheres to the HIPAA Security Rule, ISO 27001, and NIST 800-88.

Cerner may provide hardware to clients for use at their locations. Any information stored on Cerner-provided hardware but located at a client site is considered the responsibility of the client. In such cases, clients are responsible for decisions regarding sanitization or destruction of data storage media at the end of the hardware's usage life cycle.

Certifications and Audits

Cerner regularly conducts internal assessments and undergoes external audits to examine the controls present within the Platform and Cerner's operations and to validate that Cerner is operating effectively in accordance with its Security Program.

HIPAA – Health Insurance Portability and Accountability Act of 1996

Cerner has established and maintains the necessary controls required for compliance with HIPAA (as amended by HITECH). HIPAA (internal or external) assessments take place on an annual basis and examine all appropriate corporate and client environments. 

SOC 1 and SOC 2 Type II Attestations

Third-party attestations are performed on Cerner's hosted environments by measuring and testing the effectiveness of Cerner's risk mitigations related to the AICPA's Trust Service Principles relevant to security, availability and confidentiality. SOC reports are prepared under the AICPA's SSAE-18 guidelines and are specific to the hosting services and controls managed within the CTCs. Third-Party Data Centers commonly provide their own SOC reports covering their physical and environmental controls and are not included as part of Cerner's SOC audit.

ISO 27001/27002:2013

Cerner's Information Security Management Framework (ISMF) is compliant with the principles of the ISO 27001/27002:2013 standard and the ISMF's policies are applicable to all of Cerner's Platforms.

Penetration Attestation

Cerner annually engages a third party to perform external penetration tests against Cerner's Platforms. Cerner receives a Penetration Attestation document which describes the penetration testing performed, confirms that an industry standard methodology, testing tools and a national vulnerability database were used in conducting the penetration testing, and identifies known vulnerabilities within the Platforms. Cerner remediates identified vulnerabilities based on risk and addresses those vulnerabilities through an actively monitored plan for remediation.

PCI-DSS – Payment Card Industry Data Security Standard

Cerner receives a third-party Attestation of Compliance (AoC) to demonstrate PCI DSS compliance as a Level 1 Service provider for the processing of payments supported by certain Cerner solutions. For more information about what Cerner solutions are supported by this AoC, please contact your Cerner representative.

EU-U.S. Privacy Shield Framework

Cerner has self-certified to the EU-U.S. Privacy Shield and the Swiss-U.S. Privacy Shield.

Third-Party Data Centers

Third-Party Data Centers are currently not within the scope of the certifications and audits described above. However, Cerner's Third-Party Data Centers maintain a comparable set of certifications and audits, as applicable to the services they provide. Information about security and privacy related certifications and audits received by Third-Party Data Centers is available from the third party. Cerner can help guide you to the relevant information.

Supporting Client Audits and Questionnaires

Cerner will provide its Standard Information Gathering (SIG) or Consensus Assessment Initiative Questionnaire (CAIQ) in response to Client's request for an audit of Cerner's security policies and procedures. If such documentation is not available, then, no more than once per year and at Client's sole expense, Client may audit Cerner's security policies and procedures, excluding any policies and procedures which may risk Cerner's ability to maintain the privacy and security of the environment if released, as determined by Cerner in its sole but reasonable discretion. In no event may Client perform its own penetration testing of the environment.

EFFECTIVE DATE: February 19, 2019