Aaron_Truskot
Star Contributor

As Hyland continues to focus on quality and security topics, I'd like to share a few new optional security features that will become available in OnBase Foundation EP5 and EP6. This blog post gives a sneak peek at the new features, and some details may change before release. Please feel free to ask questions or provide any early feedback that you'd like to share.

HL7 Import Processor Groups

Prior to OnBase Foundation EP5, all instances of the HL7 Listener service allowed any HL7 Import Processor to execute when processing incoming messages. Starting in OnBase Foundation EP5, administrators will be able to split out processors into distinct groups to allow for improved administrative clarity and security of OnBase solutions. 

Administrative Clarity: Breaking processors into groups allows administrators to more easily visualize and maintain processors based on interface, sending application, or some other configurable division.

Security: Breaking processors into groups allows each group to be restricted to specific OnBase user accounts. Additionally, each group will only attempt to execute processors that are mapped to that group, which reduces the possibility that a rogue message could take any action in OnBase.

Configuration

A new menu item has been added to OnBase Foundation EP5's configuration client.

Groups are created in the configuration client and then assigned to HL7 Listener services via a separate command line switch. The ports a group listens on are configured in the configuration client rather than through the command line switch.

Example command line configurations:

  • EP4 and earlier: "C:\obclnt32.exe -HL7LISTENER -HL7PORT=2575,2576,2577"
  • EP5 and later (if using groups):  "C:\obclnt32.exe -HL7LISTENER -HL7LISTENERGROUPS=GROUP1"

Importantly, each group can be configured to function only when the HL7 Listener service is logged in with specific user accounts. This security measure prevents unauthorized user accounts from being able to process HL7 messages.

Migration tools have been created that allow administrators to bulk migrate existing HL7 Import Processors into new groups. This tool will simplify the process of adopting groups.

The HL7 Import Process dialog has been revamped to allow for easier filtering and sorting of configured HL7 Import Processes! Notice the filters section on the bottom-right of the screenshot below. Also note that all users can filter this dialog by any of the columns shown below.

Other quality of life improvements have also been made. For example, double-clicking on any import processor takes the user directly into the Settings dialog, which has also been cleaned up in OnBase Foundation EP5.

Secure Connection Policies

Starting in OnBase Foundation EP6, OnBase HL7 will allow administrators to secure HL7 traffic via TLS. OnBase can now use TLS to provide data integrity and data privacy guarantees. TCP connections used by HL7 can also be restricted to only authorized external systems through the use of approved lists.

If third-party applications don't support HL7 over TLS, the Hyland Message Engine can be used to establish a secure connection over a LAN or WAN. The message engine can be deployed alongside third-party applications to encrypt and decrypt HL7 traffic.

Configuration

A new menu item has been added to OnBase Foundation EP6's configuration client.

New policies are applied to the HL7 Listener or HL7 Sender via a command line switch. The thumbprint that is configured on this dialog is used to identify the certificate that is used to represent the OnBase client acting as the HL7 Listener or HL7 Sender. 

Administrators have the ability to further restrict access by approving only specific certificates or certificate authorities for a given policy. Regardless of how this setting is configured, the operating system must still be able to authenticate the third-party application that is connecting to OnBase. This setting simply provides an additional layer of security by allowing administrators to further restrict which certificates or CAs can establish connections to OnBase.
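To make the layering described above concrete, here is an added example (not OnBase code, and not Hyland's implementation) that models a policy as two optional allow-lists on top of mandatory operating-system chain validation. It assumes SHA-1 thumbprints as shown in the Windows certificate store, and the sample certificate bytes and CA names are constructed.

```python
import hashlib
import ssl
from dataclasses import dataclass, field


@dataclass
class SecureConnectionPolicy:
    """Constructed model: allow-lists that only narrow what the OS already accepted."""
    approved_thumbprints: set = field(default_factory=set)  # thumbprints of specific peer certs
    approved_cas: set = field(default_factory=set)          # issuer common names of approved CAs


def normalize_thumbprint(value: str) -> str:
    # Thumbprints pasted from a certificate store often carry spaces, colons or mixed case.
    return "".join(ch for ch in value if ch.isalnum()).upper()


def thumbprint(der_cert: bytes) -> str:
    # SHA-1 over the DER encoding is what the Windows store displays as the thumbprint.
    return hashlib.sha1(der_cert).hexdigest().upper()


def connection_allowed(chain_valid: bool, der_cert: bytes, issuer_cn, policy) -> bool:
    # 1. OS chain validation is mandatory; an allow-list never substitutes for it.
    if not chain_valid or not der_cert:
        return False
    # 2. An empty policy adds no restriction beyond requiring TLS itself.
    if not policy.approved_thumbprints and not policy.approved_cas:
        return True
    # 3. Otherwise the peer must be an approved certificate or issued by an approved CA.
    approved = {normalize_thumbprint(t) for t in policy.approved_thumbprints}
    if thumbprint(der_cert) in approved:
        return True
    return issuer_cn is not None and issuer_cn in policy.approved_cas


def issuer_common_name(peer_cert_dict):
    # ssl.SSLSocket.getpeercert() reports the issuer as a tuple of RDNs of (type, value) pairs.
    for rdn in peer_cert_dict.get("issuer", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None


def check_peer(tls_socket: ssl.SSLSocket, policy) -> bool:
    # With verify_mode=ssl.CERT_REQUIRED the handshake already failed if the chain did not validate,
    # so reaching this point is the "chain_valid" signal; the policy is then applied on top.
    der = tls_socket.getpeercert(binary_form=True)
    return connection_allowed(der is not None, der, issuer_common_name(tls_socket.getpeercert()), policy)
```

The deny-by-default ordering matters: a misconfigured allow-list narrows access, but can never widen it past what chain validation permits.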

Both HL7 Import Processor Groups and HL7 Export Destinations can now be configured to only establish secure connections. When using these settings, a secure connection policy must be specified via a command line switch or the service will fail to start up.
