pmix rxcheck connection technical assistance … · ensure the srs is able to resolve the domain...

Telephone: (781) 609‐7741 | Fax: (888) 705‐8053 | Email: [email protected] | Website: www.pdmpassist.org

RxCheck Connection Technical Assistance Guide

This Technical Assistance Guide (TAG) is intended to provide PDMP Administrators with

information on how to connect to the RxCheck Hub to share information across state prescription

drug monitoring programs (PDMPs). The RxCheck Hub was designed with the involvement of the

PDMP community, private industry, and the federal government to enable a nationwide

capability for the timely, secure exchange of prescription information.

Status of the RxCheck Hub

The RxCheck Hub is operational and ready to support real‐time data exchange between

PDMPs. The system’s infrastructure has been tested and validated, and includes the latest

design improvements identified since its inception. The RxCheck Hub will be maintained by

the IJIS Institute with oversight from the RxCheck Governance Body. Information on costs can

be obtained from the IJIS Institute.

Establishing Connectivity to the RxCheck Hub

Prior to connecting to the RxCheck Hub, a PDMP must first meet the following criteria:

at least one other state to serve as an exchange partner

enabling legislation to engage in interstate operability

a Memorandum of Understanding (MOU) governing data sharing among partners

Contacts for Technical Assistance

IJIS Institute Donald Gabbin (703) 726‐3647 [email protected]


History

The National Drug Control Strategy of 2010, issued by the White House Office of National

Drug Control Policy, identified the need to establish data linkages between PDMPs as a

national priority. Data sharing among PDMPs permits cross‐state tracking of patients’

prescription history, suspected doctor‐shopping, prescription fraud, and prescribing

trends. In response, the Bureau of Justice Assistance (BJA), with project management and

acquisition support from the IJIS Institute, and in collaboration with PDMPs, developed

the Prescription Monitoring Information Exchange (PMIX) National Architecture. The

PMIX National Architecture was developed as a direct response to the concerns and needs

expressed by states who were members of the BJA/IJIS PDMP Committee. While the PMIX

National Architecture was being developed, the RxCheck Hub was developed to

implement the PMIX National Architecture and deliver a functional interstate data sharing

hub. Additional information about the PMIX National Architecture can be found on the

PDMP Training and Technical Assistance Center’s (TTAC) website.


Interface Connection Options

Overview

The PDMPs’ technical management team should first review the PMIX Service Specification

Package, in particular the Service Description Document (SDD), which describes the basic

functions comprising the information sharing attributes of the service. The technical team

will then need to consider the PMIX RxCheck connection options and determine the

option that best suits their environment. The following diagram depicts the two PMIX

RxCheck connection options.

Figure 1: PMIX Connection Options

PMIXState Routing Service (SRS)

PMIX RxCheck Hub

Option 1: PDMP system uses a trusted web service connection to a PMIX SRS.

SecureWeb Service

TrustedWeb Service

PDMP

OC

PDMP

OC Secure

Web Service

Option 2: PDMP system implements the secure web service connection

direct ly with the RxCheck Hub.

X.509 cert ificates required for advanced message level

security.

The SRS handles all X.509 cert ificate based message level security


Option1: PMIX SRS

Option 1, as shown in the Figure 1 diagram, involves a state PDMP system connecting to

the PMIX RxCheck Hub via the PMIX State Routing Service (SRS). The PMIX SRS enables

PDMPs to “offload” PMIX functionality such as PMIX compliant service hosting,

request/response message validation, role‐based site authorization and full message

routing. In addition, the PMIX SRS handles all X.509 certificate‐based message

encryption/decryption involved in communicating over the PMIX secure web service

interface. The PMIX SRS has been certified via the PMIX Springboard Conformance Test

process, therefore the interface and corresponding functionality is guaranteed to

interoperate with the RxCheck Hub. For additional information regarding the Option 1

connection specification, refer to the PMIX Service Specification Package (SSP) Trusted

SIDD (PMIX_SIDD_WS_Trusted_v_1.1.0).

Option 2: Custom Proxy

Option 2, on the other hand, affords a PDMP greater flexibility to develop their own proxy

interface service using their native platform and technology. A custom proxy interface

must comply with all requirements documented in the service interface specification,

including web service communication using WS‐Security message‐level encryption. For

additional information regarding the Option 2, custom proxy, connection specification,

refer to the PMIX Service Specification Package (SSP) Secure SIDD document

(PMIX_SIDD_WS_Secure_v_1.1.0).

Note: The PMIX SSP includes several reference implementations, for various Java

platforms, which provide broad programmatic guidance in the form of functional

software.


Getting Started Procedures

The steps listed below are intended to provide PDMP technical staff with general guidance

which serves to augment the information contained in the PMIX SSP documentation. Please

note that implementation may vary depending upon a PDMP’s computer system. The IJIS

Institute is available to provide technical assistance as needed.

Step 1: Software Installation (Option 1 only)

Install the latest version of the .NET Framework

Install the latest version of the PMIX State Routing Service

Install & configure Windows IIS Server Role

Install the latest version of the PMIX Admin Console

Install the latest version of the PMIX RAS Service

Bind the security certificate to the SRS HTTP endpoint

o i.e. netsh http>add sslcert ipport=0.0.0.0:18802 certhash=8…2 appid={8…2}

Establish a PMIX SRS Directory Structure:

o Dedicated, standalone LDAP:

Install Microsoft ADLDS

Setup a new ADLDS instance

Instance name should be: CN=PMIX,DC=rxcheck,DC=org

Run the LDAP scripts provided with the SRS software

o Existing, Enterprise LDAP:

Run the LDAP scripts provided with the SRS software

Configure the PMIX SRS LDAP Directory Service

o Communication Endpoints

RxCheck Hub

PDMP System

o Message Filtering

o Role‐based Site Authorization


Step 2: Network Preparation

Configure and validate network connectivity between the State Routing Service

(Option 1) or the Custom Proxy (Option 2) and the two endpoint systems:

o “External” ‐ RxCheck Central Hub

o “Internal” – PDMP System

The following steps, which are based on a typical configuration process, reflect

general network configuration guidance and may need to be tailored to apply to

specific environments.

o Network Access

Enable the SRS to access the RxCheck Hub

Provide the PMIX RxCheck Administrator with the SRS external

IP address, so they can configure the IJIS network firewall

Configure the networking components:

o Add the necessary network address translation (NAT)

o Add the routing rules needed to route outbound traffic

o If necessary, add any outbound firewall rules

o If the external IP address is “virtual”, ensure any added

routing provisions are implemented

Enable the SRS to access the State PDMP


o Add the necessary network address translation (NAT)

o Add the routing rules needed to route outbound traffic

o If necessary, add any outbound firewall rules



Enable the RxCheck Hub to access the SRS

Provide the PMIX RxCheck Administrator with the SRS

externally accessible IP address used to connect to the listener


o Add the necessary inbound firewall rules



o Domain Name Resolution

RxCheck Hub

Identity the domain name and network address

Ensure the SRS is able to resolve the domain name to the IP

State PMP System

Identity the domain name and network address

Ensure the SRS is able to resolve the domain name to the IP


Step 3: Security

The following outline provides instructions (Windows Server) to help acquire and install

the X.509 certificate for the PMIX SRS (Option 1) or the Custom Proxy (Option 2):

Generate SSL/TLS Custom CSR (if necessary) o Using the Certificates snap‐in for computer manager, from the Action menu,

select All Tasks ‐ Advanced Operations and then ”Create Custom Request” o Select “Proceed without enrollment policy”, the (No template) Legacy key

and PKCS #10 for Request format o Configure the following CSR options so to use the certificate for TLS/SSL o On the CSR Form General tab:

Enter the Friendly name o On the CSR Form Subject tab:

In the Subject name area under Type, click Common Name In the Subject name area under Value, enter the fully qualified domain

name of the server In the Alternative name area under Type, click DNS In the Alternative name area under Value, enter the fully qualified

domain name of the server o On the CSR Form Extensions tab:

Under Key usage, in Available options, select Digital signature Under Key encipherment, Extended Key Usage (application policies), in

the Available options, select Server & Client Authentication o On the CSR Form Private Key tab:

In the Cryptographic Service Provider section, deselect all CSPs and select Microsoft RSA SChannel Cryptographic Provider (Encryption).

Under Key options, in the Key size list, select a key size of 2048. Select the Make private key exportable check box.

o Reference: http://technet.microsoft.com/en‐us/library/ff625722(v=ws.10).aspx

Import certificates (SRS certificate and any exchange patterns’ certificates) o Using the Certificates snap‐in for computer manager, from the Action menu,

select All Tasks, and then select Import to start the Certificate Import Wizard o Type (or navigate to) the file name containing the certificate to be imported o Select "Place all certificates in the following store" and select "Personal"

Ensure the certificates have a Friendly Name o Using the Certificates snap‐in for computer manager, navigate to

"Personal\Certificates" and verify the "Friendly Name" is set to the subject

Copy the certificates o Using the Certificates snap‐in for computer manager, navigate to

"Personal\Certificates" and copy the newly imported certificate o Then, navigate to "Trusted People\Certificates" and past the certificate

Note: Any secure http URL must include the domain name that matches the certificate


Step 4: Conduct Loopback Testing

Perform a loopback test in which a PDMP simulates both the requesting and disclosing

states. As such, the PDMP sends the PMIX request to their own PDMP system

endpoint via either the PMIX SRS (Option 1) or the Custom Proxy (Option 2).

Note: The response will follow the same steps in the reverse direction

Note: After successfully completing a local loopback test, the test “loop” can be

expanded to include a pass through the RxCheck Hub

Step 5: Integration Testing

Perform integration testing with an exchange partner; the request will flow from the

requesting‐state PDMP application to the requesting‐state SRS (Option 1) or the

Custom Proxy (Option 2), to the RxCheck Hub, to the disclosing‐state PDMP

application (note: the response will follow the same steps in the reverse direction)

Step 6: Springboard Testing (Optional, Option 2 Only)

Conduct Springboard Conformance Testing to validate the interoperable aspects of

the service interface specification in order to assert that a participating system

conforms to the PMIX Specification. The conformance specification and the

associated test cases define a series of tests designed to exercise each interoperability

aspect of the specification at least once.


Appendix A: Pre‐Installation Checklist

The following architecture diagram and pre‐installation checklist table will orient the

deployment team by identifying important system information prior to the software

installation and configuration.

Figure 2: Typical PMIX Component Architecture Overview

ID Description Value

1. SRS Service Host Base URL Address

1.1 Domain Name:

1.2 IP Address:

2. RxCheck Hub Service Host URL Address https://test.rxcheck.org:18803/2010/12/pmx/router

2.1 Domain Name: test.rxcheck.org

2.2 IP Address:

3. SRS RxCheck Hub Listener URL Address https://

3.1 Domain Name:

3.2 IP Address:

4. New site PDMP Application URL Address

4.1 Domain Name:

4.2 IP Address:

5. New site unique qualifier (NW)

6. Exchange partner unique qualifier (EP)

A. The new site’s PMIX SRS certificate

B. The partner site’s PMIX SRS certificate

# Network Configuration (Firewall, Router)

Table 1: Pre‐Installation Checklist

PMIXSRS

RxCheckHub

PDMP

OC

New (NW)Site

Exchange Partner (EP)

1 2

4 3

A B

5 6

#


Appendix B: PMIX SRS AdminConsole Overview

The following screen images show how the checklist data values collected prior to installation

can be entered into the AdminConsole. For additional information, refer to the AdminConole

documentation.

Figure 3: Service Endpoint Configuration Screen

Figure 4: Client Endpoint Configuration Screen

Figure 5: Digital Certificate Configuration Screen


Appendix C: Implementation Plan Template

Server Administration (~ 1 hours)

Install the latest version of the .NET Framework

Install the latest version of the PMIX State Routing Service (SRS)

Install & configure Windows IIS Server Role

Install the latest version of the PMIX Admin Console

Install the latest version of the PMIX RAS Service

Establish a PMIX SRS LDAP Directory Structure

Configure the PMIX SRS LDAP Directory Service

Network Administration (~ 1 hours)

Configure the SRS to RxCheck Hub (Outbound) network

Configure the SRS to State PDMP (Internal) network

Configure the RxCheck Hub to SRS (Inbound) network

Establish Domain Name (DNS) Resolution

Security Administration (~ 1 hours)

Generate SSL/TLS Custom CSR (if necessary)

Import the certificate to Personal Store

Ensure the certificates have a Friendly Name

Copy the certificate to Trusted People Store

Bind the certificate to the SRS HTTP endpoint

Testing (~ 1 hours) Verify State PDMP outbound request/response via SRS to disclosing site

Verify State PDMP inbound request processing through SRS from requesting site


Additional Resources

PMIX National Architecture Overview

PMIX National Architecture version 1.0

PMIX Springboard Service Conformance Package

MOU Guideline for Interstate Data Sharing

Sample MOU for the Exchange of Live Patient Data

pmix rxcheck connection technical assistance … · ensure the srs is able to resolve the domain...

Documents