RxCheck Connection Technical Assistance Guide

Transcription

1 RxCheck Connection Technical Assistance Guide This Technical Assistance Guide (TAG) is intended to provide PDMP Administrators with information on how to connect to the RxCheck Hub to share information across state prescription drug monitoring programs (PDMPs). The RxCheck Hub was designed with the involvement of the PDMP community, private industry, and the federal government to enable a nationwide capability for the timely, secure exchange of prescription information. Status of the RxCheck Hub The RxCheck Hub is operational and ready to support real time data exchange between PDMPs. The system s infrastructure has been tested and validated, and includes the latest design improvements identified since its inception. The RxCheck Hub will be maintained by the IJIS Institute with oversight from the RxCheck Governance Body. Information on costs can be obtained from the IJIS Institute. Establishing Connectivity to the RxCheck Hub Prior to connecting to the RxCheck Hub, a PDMP must first meet the following criteria: at least one other state to serve as an exchange partner enabling legislation to engage in interstate operability a Memorandum of Understanding (MOU) governing data sharing among partners Contacts for Technical Assistance IJIS Institute Donald Gabbin (703) Donald.gabbin@ijis.org

2 History The National Drug Control Strategy of 2010, issued by the White House Office of National Drug Control Policy, identified the need to establish data linkages between PDMPs as a national priority. Data sharing among PDMPs permits cross state tracking of patients prescription history, suspected doctor shopping, prescription fraud, and prescribing trends. In response, the Bureau of Justice Assistance (BJA), with project management and acquisition support from the IJIS Institute, and in collaboration with PDMPs, developed the Prescription Monitoring Information Exchange (PMIX) National Architecture. The PMIX National Architecture was developed as a direct response to the concerns and needs expressed by states who were members of the BJA/IJIS PDMP Committee. While the PMIX National Architecture was being developed, the RxCheck Hub was developed to implement the PMIX National Architecture and deliver a functional interstate data sharing hub. Additional information about the PMIX National Architecture can be found on the PDMP Training and Technical Assistance Center s (TTAC) website.

3 Interface Connection Options Overview The PDMPs technical management team should first review the PMIX Service Specification Package, in particular the Service Description Document (SDD), which describes the basic functions comprising the information sharing attributes of the service. The technical team will then need to consider the PMIX RxCheck connection options and determine the option that best suits their environment. The following diagram depicts the two PMIX RxCheck connection options. O C PDMP Option 1: PDMP system uses a trusted web service connection to a PMIX SRS. Trusted Web Ser vice PMIX State Rout ing Service (SRS) Secure Web Ser vice The SRS handles all X.509 cert ificat e based message level security O C PDMP Secure Web Ser vice PMIX RxCheck Hub Option 2: PDMP systemimplement s the secure web service connect ion directly with the RxCheck Hub. X.509 cert ificat es required f or advanced message level securit y. Figure 1: PMIX Connection Options

4 Option1: PMIX SRS Option 1, as shown in the Figure 1 diagram, involves a state PDMP system connecting to the PMIX RxCheck Hub via the PMIX State Routing Service (SRS). The PMIX SRS enables PDMPs to offload PMIX functionality such as PMIX compliant service hosting, request/response message validation, role based site authorization and full message routing. In addition, the PMIX SRS handles all X.509 certificate based message encryption/decryption involved in communicating over the PMIX secure web service interface. The PMIX SRS has been certified via the PMIX Springboard Conformance Test process, therefore the interface and corresponding functionality is guaranteed to interoperate with the RxCheck Hub. For additional information regarding the Option 1 connection specification, refer to the PMIX Service Specification Package (SSP) Trusted SIDD (PMIX_SIDD_WS_Trusted_v_1.1.0). Option 2: Custom Proxy Option 2, on the other hand, affords a PDMP greater flexibility to develop their own proxy interface service using their native platform and technology. A custom proxy interface must comply with all requirements documented in the service interface specification, including web service communication using WS Security message level encryption. For additional information regarding the Option 2, custom proxy, connection specification, refer to the PMIX Service Specification Package (SSP) Secure SIDD document (PMIX_SIDD_WS_Secure_v_1.1.0). Note: The PMIX SSP includes several reference implementations, for various Java platforms, which provide broad programmatic guidance in the form of functional software.

5 Getting Started Procedures The steps listed below are intended to provide PDMP technical staff with general guidance which serves to augment the information contained in the PMIX SSP documentation. Please note that implementation may vary depending upon a PDMP s computer system. The IJIS Institute is available to provide technical assistance as needed. Step 1: Software Installation (Option 1 only) Install the latest version of the.net Framework Install the latest version of the PMIX State Routing Service Install & configure Windows IIS Server Role Install the latest version of the PMIX Admin Console Install the latest version of the PMIX RAS Service Bind the security certificate to the SRS HTTP endpoint o i.e. netsh http>add sslcert ipport= :18802 certhash=8 2 appid={8 2} Establish a PMIX SRS Directory Structure: o Dedicated, standalone LDAP: Install Microsoft ADLDS Setup a new ADLDS instance Instance name should be: CN=PMIX,DC=rxcheck,DC=org Run the LDAP scripts provided with the SRS software o Existing, Enterprise LDAP: Run the LDAP scripts provided with the SRS software Configure the PMIX SRS LDAP Directory Service o Communication Endpoints RxCheck Hub PDMP System o Message Filtering o Role based Site Authorization

6 Step 2: Network Preparation Configure and validate network connectivity between the State Routing Service (Option 1) or the Custom Proxy (Option 2) and the two endpoint systems: o External RxCheck Central Hub o Internal PDMP System The following steps, which are based on a typical configuration process, reflect general network configuration guidance and may need to be tailored to apply to specific environments. o Network Access Enable the SRS to access the RxCheck Hub Provide the PMIX RxCheck Administrator with the SRS external IP address, so they can configure the IJIS network firewall Configure the networking components: o Add the necessary network address translation (NAT) o Add the routing rules needed to route outbound traffic o If necessary, add any outbound firewall rules o If the external IP address is virtual, ensure any added routing provisions are implemented Enable the SRS to access the State PDMP Configure the networking components: o Add the necessary network address translation (NAT) o Add the routing rules needed to route outbound traffic o If necessary, add any outbound firewall rules o If the external IP address is virtual, ensure any added routing provisions are implemented Enable the RxCheck Hub to access the SRS Provide the PMIX RxCheck Administrator with the SRS externally accessible IP address used to connect to the listener Configure the networking components: o Add the necessary inbound firewall rules o If the external IP address is virtual, ensure any added routing provisions are implemented o Domain Name Resolution RxCheck Hub Identity the domain name and network address Ensure the SRS is able to resolve the domain name to the IP State PMP System Identity the domain name and network address Ensure the SRS is able to resolve the domain name to the IP

7 Step 3: Security The following outline provides instructions (Windows Server) to help acquire and install the X.509 certificate for the PMIX SRS (Option 1) or the Custom Proxy (Option 2): Generate SSL/TLS Custom CSR (if necessary) o Using the Certificates snap in for computer manager, from the Action menu, select All Tasks Advanced Operations and then Create Custom Request o Select Proceed without enrollment policy, the (No template) Legacy key and PKCS #10 for Request format o Configure the following CSR options so to use the certificate for TLS/SSL o On the CSR Form General tab: Enter the Friendly name o On the CSR Form Subject tab: In the Subject name area under Type, click Common Name In the Subject name area under Value, enter the fully qualified domain name of the server In the Alternative name area under Type, click DNS In the Alternative name area under Value, enter the fully qualified domain name of the server o On the CSR Form Extensions tab: Under Key usage, in Available options, select Digital signature Under Key encipherment, Extended Key Usage (application policies), in the Available options, select Server & Client Authentication o On the CSR Form Private Key tab: In the Cryptographic Service Provider section, deselect all CSPs and select Microsoft RSA SChannel Cryptographic Provider (Encryption). Under Key options, in the Key size list, select a key size of Select the Make private key exportable check box. o Reference: us/library/ff625722(v=ws.10).aspx Import certificates (SRS certificate and any exchange patterns certificates) o Using the Certificates snap in for computer manager, from the Action menu, select All Tasks, and then select Import to start the Certificate Import Wizard o Type (or navigate to) the file name containing the certificate to be imported o Select "Place all certificates in the following store" and select "Personal" Ensure the certificates have a Friendly Name o Using the Certificates snap in for computer manager, navigate to "Personal\Certificates" and verify the "Friendly Name" is set to the subject Copy the certificates o Using the Certificates snap in for computer manager, navigate to "Personal\Certificates" and copy the newly imported certificate o Then, navigate to "Trusted People\Certificates" and past the certificate Note: Any secure http URL must include the domain name that matches the certificate

8 Step 4: Conduct Loopback Testing Perform a loopback test in which a PDMP simulates both the requesting and disclosing states. As such, the PDMP sends the PMIX request to their own PDMP system endpoint via either the PMIX SRS (Option 1) or the Custom Proxy (Option 2). Note: The response will follow the same steps in the reverse direction Note: After successfully completing a local loopback test, the test loop can be expanded to include a pass through the RxCheck Hub Step 5: Integration Testing Perform integration testing with an exchange partner; the request will flow from the requesting state PDMP application to the requesting state SRS (Option 1) or the Custom Proxy (Option 2), to the RxCheck Hub, to the disclosing state PDMP application (note: the response will follow the same steps in the reverse direction) Step 6: Springboard Testing (Optional, Option 2 Only) Conduct Springboard Conformance Testing to validate the interoperable aspects of the service interface specification in order to assert that a participating system conforms to the PMIX Specification. The conformance specification and the associated test cases define a series of tests designed to exercise each interoperability aspect of the specification at least once.

9 Appendix A: Pre Installation Checklist The following architecture diagram and pre installation checklist table will orient the deployment team by identifying important system information prior to the software installation and configuration. O C PDMP 1 # A B New (NW) Sit e 5 PMIX SRS RxCheck Hub Exchange 6 Partner (EP) Figure 2: Typical PMIX Component Architecture Overview ID Description Value 1. SRS Service Host Base URL Address 1.1 Domain Name: 1.2 IP Address: 2. RxCheck Hub Service Host URL Address Domain Name: test.rxcheck.org 2.2 IP Address: 3. SRS RxCheck Hub Listener URL Address Domain Name: 3.2 IP Address: 4. New site PDMP Application URL Address 4.1 Domain Name: 4.2 IP Address: 5. New site unique qualifier (NW) 6. Exchange partner unique qualifier (EP) A. The new site s PMIX SRS certificate B. The partner site s PMIX SRS certificate # Network Configuration (Firewall, Router) Table 1: Pre Installation Checklist

10 Appendix B: PMIX SRS AdminConsole Overview The following screen images show how the checklist data values collected prior to installation can be entered into the AdminConsole. For additional information, refer to the AdminConole documentation. Figure 3: Service Endpoint Configuration Screen Figure 4: Client Endpoint Configuration Screen Figure 5: Digital Certificate Configuration Screen

11 Appendix C: Implementation Plan Template Server Administration (~ 1 hours) Install the latest version of the.net Framework Install the latest version of the PMIX State Routing Service (SRS) Install & configure Windows IIS Server Role Install the latest version of the PMIX Admin Console Install the latest version of the PMIX RAS Service Establish a PMIX SRS LDAP Directory Structure Configure the PMIX SRS LDAP Directory Service Network Administration (~ 1 hours) Configure the SRS to RxCheck Hub (Outbound) network Configure the SRS to State PDMP (Internal) network Configure the RxCheck Hub to SRS (Inbound) network Establish Domain Name (DNS) Resolution Security Administration Generate SSL/TLS Custom CSR (if necessary) Import the certificate to Personal Store Ensure the certificates have a Friendly Name Copy the certificate to Trusted People Store Bind the certificate to the SRS HTTP endpoint (~ 1 hours) Testing (~ 1 hours) Verify State PDMP outbound request/response via SRS to disclosing site Verify State PDMP inbound request processing through SRS from requesting site

12 Additional Resources PMIX National Architecture Overview PMIX National Architecture version 1.0 PMIX Springboard Service Conformance Package MOU Guideline for Interstate Data Sharing Sample MOU for the Exchange of Live Patient Data