Security Audit Stuff

Posted: Thursday March 31 2016 @ 8:28am

Category: Main

Genius Solutions products such as eTHOMAS, ehrTHOMAS and other PHI programs such as WritePad should be run on a secure network:

The operating system must require a login to only allow authorized users to access the \*THOMAS*\ shares. The file system should be encrypted.

That logon should be a specific person and set to access only what is appropriate. You must update the user's access upon termination. Passwords should be changed from time to time. Passwords should be complex. Passwords should not be saved for automatic logons.

Logoff upon time-out should be enabled. Computer screens should be shielded from unauthorized people.

The operating system and programs (including Adobe, Java, and virus scanners) should be up to date.

Users should be trained on proper use of PHI, Internet, and THOMAS.

Backup must be completed at least daily and report failures and success to appropriate monitoring administrators. It should contain multiple "generations" of backup. Backups should be encrypted. Copies of encryption keys should be securely stored. A copy should be kept off-site. It should be complete and designed to withstand "ransomeware" malware. At least annually it should be tested on a separate computer system to simulate a disaster and verity it is complete. CrashPlanPro (or other similar service) along with an external encrypted drive is recommended.

The network and Internet should be firewall protected. VPN for remote connections is recommended.

Computers should be examined for maintenance by a qualified professional from time to time. At least annually is suggested.

You are responsible for your security, configuration, and use of the software, not Genius Solutions, even if subscribed to SoftCare Support, installed, worked on, or purchased from Genius.

Only Authorized Callers should contact Genius Solutions. All Authorized Callers should be trained by Genius Solutions on the use of THOMAS software. Authorized Callers and office email address on file at Genius should be kept up-to-date. One primary point of contact person should be the one contacting Genius and facilitating with the users.

Third-party program companies such as WritePad should be consulted for proper use of their software and PHI concerns.

Firewall Configuration and Ports for THOMAS external communications:

BCBSM EDI Client Outbound for electronic claims uses SFTP protocol over port 22 to IP Note: although BCBSM has never changed their IP, we offer a dns name of that we point to their IP in case it ever changes. BCBSM does not respond to pings.

Single-Click VNC Outbound encrypted VNC over ports 6030 through 6250 to and

RDP (Microsoft Remote Desktop Protocol) (optional) Inbound to your network from and

eTHOMAS and ehrTHOMAS AutoUpdate. Our internal update server is Port80. Our external update server is Port80. When the client is getting an update, they will start with our internal server first then out to the external server to download files. Autoupdate contains program changes and updates, no patient data is transferred. Some proxy servers can interfere with the authentication process causing 401 errors.

ehrTHOMAS SQL Server Internal workstations and terminal servers need to access the ehrTHOMAS server's filesystem and SQL server. The default SQL Server port is 1433, and client ports are assigned a random value between 1024 and 5000. We would not expect this open over the public Internet.

ADAMS3 Appointment Reminders (new version) outbound to on port 2223 using SFTP protocol

WWW.AGENIUS.COM has a https secure upload page. It uses a self-signed certificate, but the data upload is https secured.

Electronic Statements port 80 Files are encrypted before uploading

ehrTHOMAS (optional) Microsoft Health Vault port 443

ehrTHOMAS Lab (optional) port 443


Other Links

RSS 2.0 Feed