
SuccessEHS Technical Specifications

Published: 07/05/2017
1. Technical Specs
1.1 SuccessEHS Version Information
1.2 Hosted Specifications
1.2.1 Customer Responsibilities
1.2.2 Existing Infrastructure
1.2.3 Configuration and Architecture Overview
1.2.3.1 Hosted Client Workstations
1.2.3.2 Hosted Connectivity
1.3 Premise Specifications
1.3.1 Introduction
1.3.2 Architectural and Technical Documentation
1.3.2.1 Server and Workstation Components
1.3.2.1.1 Windows Domain Controller
1.3.2.1.2 Workstations
1.3.2.1.3 Database Server
1.3.2.1.4 Remote Desktop Server
1.3.2.1.5 Member Server
1.3.2.2 General Information
1.3.2.2.1 Time Synchronization
1.3.2.2.2 VPNs --- Virtual Private Networks
1.3.2.3 Security Information
1.3.2.3.1 Login Auditing
1.3.2.3.2 Network Security
1.3.2.3.3 Web Services
1.3.2.3.4 Password Storage and Complexity
1.3.2.3.5 Data Storage Encryption on Mobile Devices
1.3.2.3.6 System Timeout -- Workstation Locking
1.3.2.3.7 SYSLOG Integration
1.3.2.3.8 Kerberos Integration
1.3.2.4 Patch Process Overview
1.3.2.5 Anti-Virus Software
1.3.2.6 LAN Information
1.3.3 Specifications and Requirements
1.3.3.1 SuccessEHS Remote Access
1.3.3.2 Server and Workstation Specifications
1.3.3.2.1 Sample Server Specifications
1.3.3.2.2 x
1.3.3.2.3 Workstation Specifications
1.3.3.2.4 Linux Database Servers
1.3.3.3 Backups
1.3.3.3.1 Database Server Backups
1.3.3.3.2 Other Backups
1.3.3.4 Environmental Requirements
1.3.3.5 Power Supplies and UPSes
1.3.3.6 Premise Firewalls
1.4 Peripheral Specifications
1.4.1 Printers
1.4.2 Dictation Microphones
1.4.3 Digital Signature Pads
1.4.4 Routers and Firewalls
1.4.5 Scanners
1.4.5.1 Approved Scanners
1.4.5.2 E-Bridge Scanners
Technical Specs
SuccessEHS Version Information
This document is current as of the major release 8.0 of SuccessEHS.

Hosted Specifications
The purpose of this document is to describe the required technical environment for operation of the Greenway SuccessEHS Point-of-Care
suite (POC) in a hosted configuration. A hosted configuration is a configuration where the customer accesses the applications across the
Internet or other WAN circuit to servers within the SuccessEHS data center.

This document will describe the workstations required for operation of SuccessEHS, as well as the approved peripheral devices, such as
printers, scanners, etc. If you desire to use a particular printer or other peripheral that is not listed in this document, please contact Greenway
for testing of your particular peripheral.

Customer Responsibilities
The customer is responsible for all hardware devices and software installed or running within the customer’s facilities (i.e., all Local Area
Network (LAN) components are the customer’s responsibility). The only exception to this is that SuccessEHS is responsible for the
management of any firewall or router provided by SuccessEHS to the customer.

The customer is also responsible for connectivity to the SuccessEHS hosted environment by Internet.

As the customer is responsible for all local switches, routers, hubs, cabling, workstations, non-SuccessEHS software issues, etc., it is highly
recommended that an authorized network vendor or well-trained employee be available for these duties.

Existing Infrastructure
A SuccessEHS IS consultant is assigned to each account to help establish technical requirements and readiness for the customer, and to
establish a scope of work required at each customer location. As part of this process, the SuccessEHS IS consultant will help the customer
establish whether parts of the customer’s existing infrastructure (if any) are usable.

Configuration and Architecture Overview


The SuccessEHS POC system is deployed on a mix of different servers and workstations. In the hosted deployment model, the customer
must have only workstations (and peripherals) at their locations. All servers are hosted and managed within the Greenway SuccessEHS
datacenter. End-users of the SuccessEHS system use a workstation, laptop, or wireless device to communicate with terminal servers at the
datacenter.
Hosted Client Workstations
Workstations are the end-user devices used to interact with the POC system. Workstations may be PCs, laptops, iPads (utilizing an
approved application), or wireless devices such as pen tablets. SuccessEHS deploys POC using a thin-client model, which requires only an
up to date version of Remote Desktop Connection, which is present on Windows Vista, Windows 7, Windows 8, and Windows 10. Upgrades
and maintenance of the system do not normally involve any workstation changes.

Printing from the iPad is not supported on the hosted environment.

Client/Workstation Firewall Ports---Required for Outbound Traffic

Port         Origin  Purpose
1494         WKS     Citrix traffic to ASP terminal servers (if using Citrix).
3389         WKS     RDP Traffic to ASP terminal servers.
30000-30500  WKS     RDP Traffic to ASP terminal servers.
4443         WKS     SuccessEHS University; Self-service Issue tracking.
7778         WKS     '' ''
7777         WKS     '' ''
4445         WKS     '' ''
5730         WKS     '' ''
2400         WKS     '' ''
80           WKS     SuccessEHS Web servers

Hosted Connectivity

Copyright 2017, Greenway Health Page 3


Each location must communicate with the SuccessEHS datacenter via the Internet.

Premise Specifications

In the context of this document, premise refers to any installation which will be installing and configuring servers on its own
premises.

Introduction

Purpose

The purpose of this document is to describe the required technical environment for operation of the Greenway SuccessEHS Point-of-Care
suite (POC).

This document will describe the servers required for basic operation of POC, as well as the approved peripheral devices, such as printers,
scanners, etc. If you desire to use a particular printer or other peripheral that is not listed in this document, please contact Greenway for
testing of your particular peripheral. Because of the vast array of peripherals on the market, Greenway normally charges a fee for this testing
and certification service. Please contact your Greenway SuccessEHS IS consultant or sales representative for details.

Responsibility

The customer is responsible for ordering, installation, and maintenance of all technical components, except as noted otherwise in this
document. The customer will ship their servers to Greenway for an initial configuration. After the initial configuration, updates to servers and
workstations other than the database server will be the responsibility of the customer. Updates to the database server will be handled by
Greenway, and coordinated with the customer.

Minimum Recommended

Because of the vast feature set present in POC, and the many different ways that Greenway SuccessEHS customers use POC, it is very
difficult to provide exact minimum hardware specifications for servers. Therefore, this document seeks to provide the customer with minimum
recommended specifications. The difference is that it may be possible to run the POC system satisfactorily on lesser hardware than
specified, but Greenway does not recommend it.

Architectural and Technical Documentation


The SuccessEHS POC system is deployed on a mix of different servers and workstations, allowing each technology to be used to its fullest
potential, and providing the most flexibility. End users of the SuccessEHS POC system use a workstation, laptop, or wireless device to
communicate with terminal servers, which in turn communicate with the database server. At the heart of the POC system are workstations
and three different server types: terminal servers (frequently called application servers); the member server; and the database server. The
function of each of these is described in the following subsections.
Server and Workstation Components
Windows Domain Controller

The Windows domain controller can be used in the SuccessEHS environment for securing the workstations and Windows servers in the
environment, but the Windows Domain Controller is not required. You cannot run the SuccessEHS application on a Windows Domain
Controller.
Workstations

Workstations are the end-user devices used to interact with the POC system. Workstations may be PCs, laptops, RDS server, iPads (utilizing
the approved app), or wireless devices such as pen tablets. SuccessEHS deploys POC using a thin-client model, which requires only an up
to date version of Remote Desktop Connection, which is present on Windows Vista, Windows 7, Windows 8, and Windows 10. Upgrades and
maintenance of the system do not normally involve any workstation changes.

Database Server

The POC database server houses the POC data store running the Oracle Relational Database Management System (RDBMS). SuccessEHS
uses Oracle for a number of reasons, including scalability, reliability, and feature set, among others. With Oracle, SuccessEHS can scale
from the smallest installation all the way to a large installation running thousands of concurrent users. In addition to storing data,
SuccessEHS uses Oracle's programmability to perform many data-intensive functions of the software that make sense to run on the
database server as opposed to the terminal server.

Because the database server houses all of the customer's data (including application data, security credentials, and all transactional details),
SuccessEHS uses a well-proven configuration to protect against data loss. Because of the highly specialized nature of this server,
SuccessEHS's Oracle database administrators (DBA) remotely manage the database server. No direct customer interaction is required or
desired with the database server, other than changing tapes or performing manual operations on an as-needed basis as directed by
SuccessEHS customer support.

Backup software and hardware configurations are used to prevent corrupt data. The Oracle backup has the capability to restore to the point
of failure by using backup plus change logs which are stored (in a redundant configuration) on a separate volume. SuccessEHS also
configures each database server with redundant disks as RAID-1 mirroring, RAID-1+0 mirroring plus striping, or RAID-5 (parity protection).

The backup includes all application data, as well as security credentials and other application information such as log tables. All of this
information is contained within the Oracle database.

The Oracle database is backed up in online mode, or a hot backup, which means that the system is available during the backup.
SuccessEHS recommends that the backup be scheduled during the night/early morning hours for best performance, but the backup can run
while the system remains operational. By default, the backup is configured to run at 0100 each morning.

Integration of the database server with directly attached APC UPSes is possible in order to present an orderly shutdown of the database
server. Integration with some other manufacturers, and also some network UPS configurations is possible.

Remote Desktop Server

The Remote Desktop Server (RDS), or SuccessEHS application server, is where the vast majority of the POC suite software is installed. The
terminal server is a Microsoft Windows Server 2008R2 or 2012R2 based server, so the look and feel of the SuccessEHS suite will be very
familiar to most people. To provide thin-client access to the terminal server, the customer may use one of three different products:

1. MS Terminal Services---Often referred to by the protocol name, RDP.

   RDP is the name of a protocol. However, in everyday communication SuccessEHS frequently uses RDP to mean MS
   Terminal Services without Citrix or HB.

   Terminal services is an optional component of the Windows server OS, and has a couple of different licensing options. For smaller
   installations, this option is very attractive due to the low per-user cost involved. Downsides are the lack of application publishing and
   server load balancing.

2. HB---HB is a SuccessEHS-developed solution which sits on top of Microsoft Terminal Services (see the item above), providing
   load balancing and application publishing at no additional cost over basic terminal services. Load balancing means that each
   end-user will attach to a potentially different terminal server every time they log in. This helps ensure that each server is utilized
   evenly, and provides for fail-over when a server fails. Application publishing provides a method for controlling which applications are
   published on which servers, as well as to which users those applications are published. A web interface is provided, as a launching
   point for those applications. Even though the HB launch page is configured with SSL, no PHI, nor credentials, nor other aspects of
   protected or private information are ever transferred between the client workstation and the HB launch page web service.

3. Citrix Metaframe---Citrix builds upon basic terminal services by providing application publishing and server load balancing. Citrix
   works very well but can be an expensive option. Citrix is primarily an option when the customer's existing environment uses Citrix.
   The customer must provide their own support for Citrix by contracting directly with Citrix.

Member Server

The member server provides non-terminal service facilities to the SuccessEHS user, such as CareAnywhere and M-Modal. Smaller
implementations will typically install services such as CareAnywhere and M-Modal on a terminal server, but larger installations may want to
have a separate, dedicated server.
General Information
Time Synchronization

All date and time information (including logging and auditing) in POC is synchronized to the database server time, which is in turn
synchronized using the NTP protocol. The POC database server is initially configured to synchronize with the United States Navy's time
servers. This means that all POC auditing records, as well as database server auditing records, will use the synchronized time for the time
stamps.

For non-POC auditing records on the Windows O/S terminal servers, the network technician can either configure time synchronization for
each individual server if not using a Windows Domain, or, in a Windows Domain, the domain server should be configured to use the NTP
server on the database. (Other NTP servers may be used as well.) In a Windows domain, each server that is part of the domain will
automatically synchronize its time to the domain controller. The Windows time services are well documented, but here is the abbreviated
version:

1. Click the Start menu, then click Run.
   a. Type in: cmd.exe
2. In the Command window:
   a. Type in: net time /setsntp:DB_server's IP address
   b. Type in: net stop w32time
   c. Type in: net start w32time

VPNs --- Virtual Private Networks

Virtual Private Network


A form of encryption and tunneling which allows two separate networks to act as one local network over the public Internet in a
secure fashion.

If the customer has multiple locations, a VPN may be required between each remote location and the central server location, depending upon
configuration and end-user needs. Some types of printing are best handled using a VPN so that the printer may be configured permanently
on the print server (which is typically the admin server).
Security Information
Login Auditing

Login auditing (into the POC application) reports are available through the security reports menu. Audit events are created for successful and
failed logins. If IP restrictions are enabled through the application, IP restricted results are shown as failures. (Note that through network
mechanisms you may also restrict traffic to certain IP ranges.)

Login auditing is also available through the operating system (Windows domain). This auditing shows which accounts have accessed the
network, which is a prerequisite for accessing the POC application.

Network Security

The POC application does not transmit PHI (Protected Health Information) data over an open network. In a typical configuration, the terminal
server communicates with the database server in a local LAN (this traffic may be encrypted if desired using Oracle's Advanced Networking
Options). The thin-client layer from the terminal server to the PC or thin client device is transmitted using 128-bit encryption, and may be
transported over TLS. See the Windows Server documentation to enable TLS for RDP traffic. Note that traffic from the terminal server to the
workstation is encrypted, regardless of whether a LAN, WAN, or wireless LAN is in use.

For certain health information interfaces, the POC system will transmit over a configured VPN circuit, or other mechanisms using SSL,
depending upon the interface. The VPN protects against false nodes and snooping.

If the customer employs wireless networks, they should protect the system against unauthorized access by employing an appropriate
wireless security protocol, as long as the protocol does not interfere with the RDP client's TCP/IP communication with the RDS (wireless
security protocols in widespread use generally permit TCP/IP traffic without any issues). Note, once again, that whether or not a wireless
network is secured, the traffic from the workstation or pen tablet to the terminal server (and vice versa) is fully encrypted (see text above).

Web Services

Even though the HB launch page is configured with SSL, no PHI, nor credentials, nor other aspects of protected or private information are
ever transferred between the client workstation and the HB launch page web service.

Password Storage and Complexity

Passwords in SuccessEHS are stored in the native Oracle format, not plain text. This format uses the SHA-1 hashing algorithm. Passwords
are transmitted over the closed LAN from terminal server to database server using the hashed value. The passwords are never transmitted in
plain text, nor are they shown to the user as they are entered into the system.

Password strength and complexity rules may be configured in the Security Module, but these are disabled by default. This also includes
password aging and recycle rules, as well as protection against basic dictionary words. Further, accounts will be locked for several minutes
after three consecutive invalid access attempts. The parameters (such as recycle password length, expire time, lock time, etc.) are modifiable
for each customer installation using the Security Module.

The following table describes the default rules that are in effect when password strength and complexity are enabled.

SuccessEHS Application Password Strength and Complexity Rules

The password is case sensitive.
The password cannot be the same as the user name.
The password cannot be less than 8 characters.
The password cannot match a set of simple words.
The password must contain at least one character and at least one punctuation or one digit.
The password must differ from the previous password by at least 3 characters.
The password cannot be the same as any of your previous 4 passwords.

POC logins that fail are presented with only minimal information such as "invalid username/password". This message is presented regardless
of whether the username is invalid, the password was invalid, or both.

Authorized users may change their password at any time, and are subject to any complexity rules which are in effect.
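
The default rules listed above can be expressed as a checker that reports every rule a candidate password violates. This is an added example, not SuccessEHS or Oracle code; the simple-word list, the position-by-position reading of "differ by at least 3 characters", the reading of "one character" as one letter, and the case-folded user name comparison are assumptions, since the page does not define them.

```python
import string

MIN_LENGTH = 8        # "cannot be less than 8 characters"
MIN_DIFFERENCE = 3    # "differ from the previous password by at least 3 characters"
HISTORY_DEPTH = 4     # "any of your previous 4 passwords"

# Assumption: the page does not list its "set of simple words"; this is a stand-in.
SIMPLE_WORDS = {"password", "welcome1", "changeme", "abcd1234", "qwerty12"}


def count_differences(new, old):
    """Count positions where the passwords differ, plus any length gap.

    Assumption: a position-by-position comparison is one reading of
    "differ by at least 3 characters"; the page does not define it.
    """
    mismatches = sum(1 for a, b in zip(new, old) if a != b)
    return mismatches + abs(len(new) - len(old))


def check_password(username, new, history=()):
    """Return the names of the violated rules; an empty list means accepted.

    history holds earlier passwords, most recent first. Real systems keep
    only hashes, so the difference rule needs the old password supplied at
    change time; plain strings are used here to keep the example short.
    """
    violations = []
    # Passwords are case sensitive, so history is compared exactly. The user
    # name and simple-word checks fold case (assumption: the stricter reading).
    if new.casefold() == username.casefold():
        violations.append("same_as_username")
    if len(new) < MIN_LENGTH:
        violations.append("too_short")
    if new.casefold() in SIMPLE_WORDS:
        violations.append("simple_word")
    # Assumption: "at least one character" means at least one letter.
    has_letter = any(c.isalpha() for c in new)
    has_digit_or_punct = any(c.isdigit() or c in string.punctuation for c in new)
    if not (has_letter and has_digit_or_punct):
        violations.append("composition")
    if history and count_differences(new, history[0]) < MIN_DIFFERENCE:
        violations.append("too_similar_to_previous")
    if new in history[:HISTORY_DEPTH]:
        violations.append("reused")
    return violations


if __name__ == "__main__":
    # Constructed inputs: user name, candidate password, password history.
    cases = [
        ("jsmith", "Jsmith", ()),
        ("jsmith", "Password", ()),
        ("jsmith", "Clinic-2017b", ("Clinic-2017a",)),
        ("jsmith", "Harbor!Lamp7", ("Clinic-2017a",)),
    ]
    for user, candidate, past in cases:
        print(candidate, check_password(user, candidate, past) or "accepted")
```

Because the rules are disabled by default, a check like this is only meaningful once strength and complexity have been enabled in the Security Module.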

Data Storage Encryption on Mobile Devices

When a mobile device is used for dictation, the local data store is encrypted with AES encryption using a 128-bit key.

System Timeout -- Workstation Locking

Workstation or application inactivity should cause the system to lock, requiring re-entry of the user's password to resume use of the
application. This is configured on each Windows workstation, or this may also be configured on the terminal server.

Idle sessions are typically forced to completely disconnect at a period determined by the administrator, but typically ranging from fifteen
minutes to three hours.

SYSLOG Integration

Auditing messages may be sent to a central SYSLOG server (in addition to their permanent storage within the application database). The
SYSLOG server destination may be configured in the SuccessEHS POC Security Module. Auditing messages may be transferred to the
SYSLOG server using the format specified by RFC-3881.

The audit trail is normally stored in two tables within the Oracle database by the POC application. When the SYSLOG server is configured,
triggers on these two audit trail tables capture all audit records and send them to the SYSLOG server.

Audit records are maintained permanently in the Oracle database, regardless of whether the auditing messages are also sent to a SYSLOG
server.
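
On the receiving SYSLOG server, the forwarded login audit events can be monitored for the three-consecutive-failure pattern that triggers the account lock described under Password Storage and Complexity. This is an added example, not SuccessEHS code; the syslog lines, user names, addresses, host name and the use of DICOM code 110114 ("User Authentication") as the login EventID are constructed assumptions, because the page does not show the messages the product actually emits.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

LOCKOUT_THRESHOLD = 3        # page: lock after three consecutive invalid attempts
LOGIN_EVENT_CODE = "110114"  # assumption: DICOM "User Authentication" marks logins


def _line(ts, user, outcome, ip):
    """Build one constructed syslog line carrying an RFC 3881 AuditMessage."""
    return (
        f"<110>Jul  5 {ts[11:]} poc-db audit: <AuditMessage>"
        f'<EventIdentification EventActionCode="E" EventDateTime="{ts}" '
        f'EventOutcomeIndicator="{outcome}">'
        f'<EventID code="{LOGIN_EVENT_CODE}" codeSystemName="DCM"/>'
        "</EventIdentification>"
        f'<ActiveParticipant UserID="{user}" UserIsRequestor="true" '
        f'NetworkAccessPointID="{ip}" NetworkAccessPointTypeCode="2"/>'
        '<AuditSourceIdentification AuditSourceID="poc-db"/>'
        "</AuditMessage>"
    )


# Constructed sample input; host names, users and addresses are made up.
SAMPLE_LINES = [
    _line("2017-07-05T09:00:01", "jsmith", 4, "10.0.0.15"),
    _line("2017-07-05T09:00:09", "jsmith", 4, "10.0.0.15"),
    _line("2017-07-05T09:00:12", "mlee", 0, "10.0.0.22"),
    _line("2017-07-05T09:00:20", "jsmith", 4, "10.0.0.99"),
    _line("2017-07-05T09:01:00", "akhan", 4, "10.0.0.31"),
    _line("2017-07-05T09:01:05", "akhan", 0, "10.0.0.31"),
    _line("2017-07-05T09:01:30", "akhan", 4, "10.0.0.31"),
    _line("2017-07-05T09:01:41", "akhan", 4, "10.0.0.31"),
    '<110>Jul  5 09:02:00 poc-db audit: <!DOCTYPE a [<!ENTITY x "y">]><AuditMessage/>',
    "<110>Jul  5 09:02:05 poc-db audit: <AuditMessage><EventIdentification",
]


def parse_line(line):
    """Extract the fields needed for login monitoring, or None if unusable."""
    # Audit payloads never need a DTD; refusing them avoids entity expansion.
    if "<!DOCTYPE" in line or "<!ENTITY" in line:
        return None
    start = line.find("<AuditMessage")
    if start < 0:
        return None
    try:
        root = ET.fromstring(line[start:])
    except ET.ParseError:
        return None  # truncated or malformed payload
    event = root.find("EventIdentification")
    actor = root.find("ActiveParticipant")
    event_id = event.find("EventID") if event is not None else None
    if actor is None or event_id is None:
        return None
    return {
        "time": event.get("EventDateTime"),
        "outcome": event.get("EventOutcomeIndicator"),
        "event_code": event_id.get("code"),
        "user": actor.get("UserID"),
        "source": actor.get("NetworkAccessPointID"),
    }


def detect_lockout_candidates(lines):
    """Return (alerts, rejected_count) for runs of consecutive failed logins."""
    streak = defaultdict(list)
    alerts, rejected = [], 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            rejected += 1  # count unusable lines so gaps in coverage are visible
            continue
        if rec["event_code"] != LOGIN_EVENT_CODE:
            continue
        if rec["outcome"] == "0":  # RFC 3881: 0 is success; 4, 8, 12 are failures
            streak.pop(rec["user"], None)
            continue
        run = streak[rec["user"]]
        run.append(rec)
        if len(run) == LOCKOUT_THRESHOLD:  # alert once per run, at the threshold
            alerts.append({
                "user": rec["user"],
                "first": run[0]["time"],
                "last": rec["time"],
                "sources": sorted({r["source"] for r in run}),
            })
    return alerts, rejected


if __name__ == "__main__":
    found, skipped = detect_lockout_candidates(SAMPLE_LINES)
    print(found, "rejected lines:", skipped)
```

A run that spans more than one source address, as in the constructed `jsmith` case, is worth separating from a single workstation with a mistyped password.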

Kerberos Integration

SuccessEHS POC has the ability to interact with Kerberos authentication, using mechanisms of the Oracle Database Engine. Refer to the
Oracle manual, Oracle Database Advanced Security Administrator's Guide for configuration details.

Once configured to interoperate with Kerberos, individual users may be configured to use external authentication in the SuccessEHS POC
Security module. Once configured to use external authentication, the SuccessEHS POC password rules and complexity configuration no
longer apply to the selected account.
Patch Process Overview
Patching the system is roughly divided into three types of patches:

SuccessEHS POC Application patches ---Application patches are treated as minor upgrades and are coordinated via the
SuccessEHS application support group. The upgraded build is applied to the Windows terminal servers by the local IT staff, while the
database server is patched to the correct application revision by the SuccessEHS DBA staff. Please refer to the installation and
upgrade instructions for specifics (refer to the Minor Build Upgrade portion.) The SuccessEHS support staff will email the release
notes for any required patch or upgrade to the office administrator whose contact information is on file.

Windows O/S patches---Sometimes referred to as hotfixes. Patches for the Windows terminal server operating system are handled
by the premise system administration staff. Requirements for patches at this level are extremely rare. In the event that a new patch
becomes required, your office manager will be contacted by the SuccessEHS application support group with the appropriate patch
and installation information. Each patch will contain its own instructions for how the patch is to be applied. The turnkey system
administration staff should otherwise keep the Windows servers reasonably updated with the latest security fixes.

Database Server patches---Patches required by Solaris or Oracle. The SuccessEHS DBA staff will handle these directly, as
scheduled with the customer by the SuccessEHS application support group. It should be noted that patches of this type are
exceptionally rare. When patches are required, the SuccessEHS DBA staff will use the following mechanisms:
    Solaris O/S: as root, smpatch -i <patchnumber> apply. This command will download the specified patch number and
    apply it to the system. The system should be restarted as a precaution after applying the patch.
    Oracle Server Software:
        As root, shut down the database with /etc/init.d/oracle stop.
        Next, as the oracle user, unzip patch.zipfile; cd patchdir; OPatch apply.
        Finally, as root, restart the database: /etc/init.d/oracle start.
Anti-Virus Software
There are no known issues with current anti-virus software. SuccessEHS recommends that all Windows workstations have proper anti-virus
software installed and configured. Installation on terminal servers is also recommended. On terminal servers, SuccessEHS recommends
disabling on-access scanning for performance and stability reasons. Daily full scans should be run during off-peak hours. The SuccessEHS
database server runs on the Solaris operating system and is generally less susceptible to viruses. Because of this, and the fact that no
end-user activity occurs on the database server, SuccessEHS does not recommend running virus scanning on the database server.

Host-based firewalls on workstations should work as long as the well-defined ports are opened (as listed later).

SuccessEHS uses up-to-date anti-virus software to check installation media and systems configured at SuccessEHS prior to their shipment.

Upon receiving update media, or upon downloading update files, the customer should use a commercial virus scan package to check that the
files are not infected. These instructions will vary according to the virus scan package in use.
LAN Information

LAN
The LAN, or Local Area Network, for the purposes of this discussion, is the network segment into which the database server and
terminal server are attached.

In a typical configuration, the database server and terminal servers will sit in a single room connected via a high-speed (minimum 100
Mbit/sec) LAN supporting TCP/IP. Within the LAN environment, the SuccessEHS configuration has essentially three types of traffic:

Internal Data Traffic---Traffic between the terminal servers and the database server.
Data traffic is heavy in nature, and is typically not encrypted though it can be as required (see Oracle's
documentation on Advanced Security options).

External Data Traffic---Interface traffic between the SuccessEHS system and third party vendors, such as lab or
other systems.
External data traffic is typically medium weight in nature, and is typically secured using VPN technologies. Consult the third party
documentation, or your client-specific documentation for any interfaces that have been custom developed.

Presentation Traffic---Traffic between the terminal servers and the end users.
Presentation traffic is very lightweight in nature and is encrypted using the RC4 cipher in Windows 2000. (Using Windows 2003,
traffic is encrypted with 3DES in CBC mode, and is hashed with HMAC or MAC. TLS may also be configured for RDP traffic; please
see the Windows Server documentation.) It is important to note that PHI is not delivered over the presentation layer; only the
presentation of such is delivered.

HL7 Patient Demographic Interfaces

For patient demographic interfaces we use HL7 2.3, 2.4 or 2.5. We transport the messages by point-to-point TCP socket communication via a
VPN connection or, in lieu of a VPN, relay them from the socket client to a secure Web Service by wrapping the HL7 in a SOAP message.

Laboratory Information Handling

We have two models for Laboratory information handling. We have an aggregation model in which clients post orders and receive results
from our message center. We also have a local model that provides data interchange between an in house or regional Laboratory and the
client's EHR. The aggregation model uses Oracle 10g Release 2 Advanced Queues operating through a VPN to move HL7 2.3/2.4 ORM and
ORU messages to and from the message center. The SuccessEHS message center then moves the messages to the National Vendor by
either socket communication over a VPN or by a SOAP message containing an HL7 payload. The local model typically uses HL7 2.3/2.4
ORM and ORU sent to and received from the LIS via socket communication; a VPN may be required if the LIS is not on the same network
as the EHR.

Electronic Prescribing

Electronic Prescribing utilizes SureScripts version 4.02 XML messaging which is based on NCPDP Scripts v8.1. These messages are sent
from the client to our message center through Oracle 10g Release 2 Advanced Queues or using SOAP. The message center then posts
these messages to RelayHealth for processing using an HTTP post. Status updates are received via an HTTP post to our Message Center
and are propagated back to the client along the same route the message took when it was sent for processing.

Servers

The Solaris database server is correctly configured by SuccessEHS in the initial setup. For informational purposes, ports below 1024 require
root permissions on the Solaris server. Database services and ports do not need special permissions, as they are all above 1024. (Which is
to say, a standard Unix user account with limited permissions is used. The account has access to the data directories that it controls.)
Database services are configured to run under a single, limited user account.

Port Numbers on the local LAN

The following table details the port numbers which must be available on the local LAN.

| Port | Protocol | Dest Server | Source Server | Purpose |
|---|---|---|---|---|
| 22 | SSH | DB | TS | Provides remote access to the database server. In addition to LAN access, this port is typically exposed through the firewall for remote support from SuccessEHS. |
| 1521 | TNS | DB | TS | Oracle listener. This port need be exposed only to the terminal servers. |
| 3389 | RDP | TS | WKS | Each end-user's terminal session must be able to access 3389 on each terminal server for presentation traffic, if using terminal services. |
| 80 | HTTP | DB | WKS | (Optional) For convenience, Port 80 is used as an automatic redirection to the SSL port on 4443. No information is ever transferred using this port. If this port is not configured, the user must use the correct port address (4443) in order to get their application list (for example, http://customercode:4443, instead of http://customercode). |
| 4443 | HTTPS | DB | WKS | Provides an application launch page to the end-user. It is important to note that no password information, nor any PHI is ever transmitted over this port. This page is strictly a convenience for an application launch page. HTTPS (HTTP over SSL) is configured out of the box, and requires no further configuration on the administrator's part. Once the user launches the application, the web page plays no further part. |

Directly attached scanners and printers require no additional ports or protocols, as traffic is encrypted over the RDP or ICA protocols using a
virtual channel driver.
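
The LAN port table above can be checked mechanically against a site's permit rules. The following Python audit is an added example, not part of the original specification: only the port/destination/source entries come from the table, while the addressing plan, the rule format and the rule names are constructed assumptions.

```python
import ipaddress

# Port matrix from the "Port Numbers on the local LAN" table:
# (port, destination role, source role)
LAN_MATRIX = {
    (22, "DB", "TS"),     # SSH to the database server
    (1521, "DB", "TS"),   # Oracle listener, terminal servers only
    (3389, "TS", "WKS"),  # RDP presentation traffic
    (80, "DB", "WKS"),    # optional redirect to 4443
    (4443, "DB", "WKS"),  # application launch page
}
OPTIONAL = {(80, "DB", "WKS")}  # the table marks port 80 as optional

# Constructed addressing plan (assumption, not from the page). IPv4 only.
ROLE_NETS = {
    "DB": [ipaddress.ip_network("10.10.1.10/32")],
    "TS": [ipaddress.ip_network("10.10.1.16/28")],
    "WKS": [ipaddress.ip_network("10.10.20.0/24")],
}

# Constructed permit rules (assumption): what a LAN ACL export might contain.
SAMPLE_RULES = [
    {"name": "ts-oracle", "src": "10.10.1.16/28", "dst": "10.10.1.10/32", "port": 1521},
    {"name": "wks-oracle", "src": "10.10.20.0/24", "dst": "10.10.1.10/32", "port": 1521},
    {"name": "wks-rdp", "src": "10.10.20.0/24", "dst": "10.10.1.16/28", "port": 3389},
    {"name": "wks-launch", "src": "10.10.20.0/24", "dst": "10.10.1.10/32", "port": 4443},
    {"name": "guest-rdp", "src": "10.10.30.0/24", "dst": "10.10.1.16/28", "port": 3389},
]


def roles_covered(cidr):
    """Roles whose networks overlap cidr.

    'OTHER' is added whenever cidr is not wholly inside a single role
    network, so an over-broad source such as 0.0.0.0/0 is reported as
    reaching hosts outside the documented roles (a conservative choice).
    """
    net = ipaddress.ip_network(cidr)
    roles = {
        role
        for role, nets in ROLE_NETS.items()
        if any(net.overlaps(n) for n in nets)
    }
    inside_one_role = any(
        net.subnet_of(n) for nets in ROLE_NETS.values() for n in nets
    )
    if not inside_one_role:
        roles.add("OTHER")
    return roles


def audit(rules):
    """Compare permit rules with the LAN port matrix.

    Returns (findings, missing):
      findings - (rule name, port, dst role, src role) for every role pair
                 a rule permits that the matrix does not list
      missing  - required matrix entries that no rule permits
    """
    findings, satisfied = [], set()
    for rule in rules:
        for dst_role in sorted(roles_covered(rule["dst"])):
            for src_role in sorted(roles_covered(rule["src"])):
                entry = (rule["port"], dst_role, src_role)
                if entry in LAN_MATRIX:
                    satisfied.add(entry)
                else:
                    findings.append((rule["name"],) + entry)
    missing = sorted(LAN_MATRIX - OPTIONAL - satisfied)
    return findings, missing


if __name__ == "__main__":
    findings, missing = audit(SAMPLE_RULES)
    for name, port, dst, src in findings:
        print(f"NOT IN MATRIX: rule {name} permits {src} -> {dst} on port {port}")
    for port, dst, src in missing:
        print(f"MISSING: no rule permits {src} -> {dst} on port {port}")
```

On the constructed rules this reports the workstation subnet reaching the Oracle listener and an unclassified subnet reaching RDP, and notes that no rule provides the terminal-server SSH path to the database server.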

Specifications and Requirements



SuccessEHS Remote Access
SuccessEHS requires remote connectivity to the customer’s system in order to ensure correct operation of the system and also to effectively
troubleshoot problems the customer may encounter. To this end, SuccessEHS requires the customer to have a permanent internet
connection that utilizes a static IP address. A reliable connection speed of 256 Kbps is required.

Static IP Address
A static IP address does not change from day to day and must be assigned to the customer by the customer's Internet Service
Provider (ISP).

Remote access to the database server is via Secure Shell (SSH), a form of encrypted command line access that allows administrators to
quickly and effectively interact with the database server. Remote access to other servers is typically via Remote Desktop, using RDP or
Citrix. For smaller installations, a customer will typically allow remote desktop access to one server over the internet, from which
SuccessEHS can remotely access other non-database servers on the network as necessary. Please see the firewall specifications for those
ports which must be open to allow this.
Server and Workstation Specifications
Sample Server Specifications

These pages contain sample specifications. Please note that these are subject to change; a prospect or customer should always check with
a Greenway Health Implementation Services Consultant (ISC) prior to ordering hardware.

Overview
Process
Desirable Features
Terminal Servers/Windows Application Servers
Sample Terminal Server Configuration
Database Servers
*** Greenway Health charges a fee for replacing existing database servers. Please contact Greenway Health Support for a
current quote. ***
Solaris 11 Operating System
Database Server Requirements and Example Server Configurations
50 Users or less
Component check-list for 50 users or less
Recommended Oracle example server for 50 users or less
50 to 150 Users
Component check-list for 50 to 150 users
Recommended Oracle example server for 50 to 150 users
150 to 600 Users
Component check-list for 150 to 600 users
Recommended Oracle example server for 150 to 600 users
Database Server Backup Configurations
Option 1 - Tape Backup with Encryption
Option 2 - Tape Backup without Encryption
Option 3 - Backup without a Tape Drive
Option 4 - Backup to NFS
Existing Customer Storage Addendum
Additional Storage Requirements For Existing Customers
Supported storage
Volume and Storage Minimum Requirements
Disk Array

Any pricing information listed here is only approximate. Customers must validate pricing through their own purchasing channels.

Overview

A prospect or customer will typically select one database server of the correct size, and one or more terminal servers depending upon
ultimate user load as well as availability requirements. If the customer wishes to have a standby database, then the two database servers
should be configured identically.

Process

1. Take the total number of users (let this be N).
2. Use a number of terminal servers = N / 150, rounded up (i.e., 1.3 becomes 2).
3. Use a database server that handles at least N users.

Desirable Features

Each server should have:

Redundant Power Supplies
Remote Console Access — Provides the ability to interact with the server from remote locations as if the administrator were sitting at
the machine. Useful for re-installing or troubleshooting boot time issues.
Battery-Backed Caching Hardware RAID Disk Controllers

SAS Enterprise Drives. SATA and SAS MDL drives should only be used for secondary or rich content storage.

Terminal Servers/Windows Application Servers

Customers should plan to service up to 200 users with each terminal server, provided that the server(s) are only being utilized for
the SuccessEHS application.

Sample Terminal Server Configuration

The terminal server is an Intel-based server running the Windows 2012 R2 operating system. Microsoft Word 2007 or 2010 must also be
installed by the client's IT.

The following is the recommended sample configuration. To support more users, multiple servers are needed. Consult Greenway Health for
details.

May 2016

| Component | Recommended Specifications | Notes |
|---|---|---|
| Server | HP DL360 Gen9 | |
| Processors | 2 x Intel® Xeon® E2600 Series with 12 cores | 24 physical cores total. |
| Memory | 128 GB RAM | |
| RAID Controller | HP Flexible Smart Array P440ar/2G FIO Controller | |
| Disk Drives | 2 x 300 GB SAS disk drives, or Intel 750 Series SSD drive | If SSD is chosen, the RAID controller is unnecessary. |
| Remote Access | iLO with advanced license | |
| Power Supply | Redundant | |
| OS | Windows 2012 R2 with appropriate OS and RDS licenses | |

Database Servers

*** Greenway Health charges a fee for replacing existing database servers. Please contact Greenway Health
Support for a current quote. ***

Customers should pick the database server that meets their user counts per database. If the customer will house several
databases, they can choose to put each database on a separate server, or combine them onto a single server, or any other
combination.

Singular configurations may require different approaches. For example, an organization looking to house 100 different customers
with 5 users each will likely not be able to use a single 600 user database server because of the overhead per database.

Solaris 11 Operating System

All Solaris 11 servers must have and maintain an annual Solaris Premier Subscription. The Solaris Premier Subscription is a
support contract and the required OS license for Solaris 11 in a production environment. After registering the new server with Oracle,
the Oracle Solaris 11 support files can be obtained at the following website: https://pkg-register.oracle.com/. Click on "request certificates"
and download the two support files from the "Oracle Solaris 11" repository. The two support files must come from the "Oracle Solaris 11"
repository. The Oracle Solaris 11 support files must be provided to Greenway Health. The current filenames for the two Oracle Solaris 11.3
license/support files are "pkg.oracle.com.key.pem" and "pkg.oracle.com.certificate.pem".

Greenway Health does not support non-Oracle database servers.

Greenway Health does not support self-encrypting (FIPS) hard drives in the database server.


Greenway Health does not support virtual database servers.

The new database server(s) must be shipped to Greenway Health for the initial OS/software install.

Greenway Health
One Metroplex Drive
Suite 500
Birmingham, AL 35209
Phone:(888)879-7302

Database Server Requirements and Example Server Configurations

Greenway Health requires an Oracle X6-2 or an Oracle X6-2L server for the database server.
Greenway Health does not support non-Oracle hardware for the database server.

50 Users or less
Component check-list for 50 users or less

Quantity Part Description

1 Intel Xeon E5 2400/2600 CPU (8-core)

1 32 GB RAM (additional RAM may be required)

1 SAS RAID controller with 1GB battery-backed cache

4 900 GB SAS 10k disk drive (OS and Data)

2 900 GB SAS 10k disk drive (Backup Stage)

1 900 GB SAS 10k disk for hot spare (additional hot spares optional)

1 ILO/ILOM/Remote management module (full access remote IP console)

1 SAS HBA for tape drive

2 Redundant power supplies

1 APC Smart-UPS system with USB interface

1 Sun x4 PCI Express Quad Gigabit Ethernet Networking Card

1 Oracle Premier Subscription for Solaris 11 (OS license)

Recommended Oracle example server for 50 users or less

Oracle/Sun X6-2L Required

1 x Intel Xeon E5-2600 v2 series processor (8 cores) Required

32 GB RAM (additional RAM may be required) Required

RAID controller, 6 Gbps SAS HBA with 512 MB battery-backed cache Required

4 x 900 GB 10k RPM disks for system and data volumes Required

1 x 900 GB 10k RPM disk for hot spare Required

2 x 900 GB 10k RPM disks for staging volume Required

SAS HBA controller for external tape drive - 6 Gbps Required

Redundant Power Supply Required

50 to 150 Users
Component check-list for 50 to 150 users

Quantity Part Description

2 Intel Xeon E5 2400/2600 CPU (10-core)


1 64 GB RAM (additional RAM may be required)

1 SAS RAID controller with 1 GB battery-backed cache

4 900 GB SAS 10k disk drive (OS and Data)

2 900 GB SAS 10k disk drive (Backup Stage)

1 900 GB SAS 10k disk for hot spare (additional hot spares optional)

1 ILO/ILOM/Remote management module (full access remote IP console)

1 SAS HBA for tape drive

2 Redundant power supplies

1 APC Smart-UPS system with USB interface

1 Sun x4 PCI Express Quad Gigabit Ethernet Networking Card

1 Oracle Premier Subscription for Solaris 11 (OS license)

Recommended Oracle example server for 50 to 150 users

Oracle/Sun X6-2L Required

2 x Intel Xeon E5-2600 v2 series processor (10 cores) Required

64 GB RAM (additional RAM may be required) Required

RAID controller, 6 Gbps SAS HBA with 512 MB battery-backed cache Required

4 x 900 GB 10k RPM disks for system and data volumes Required

1 x 900 GB 10k RPM disk hot spare Required

2 x 900 GB 10k RPM disks for staging volume Required

SAS HBA controller for external tape drive - 6 Gbps Required

Redundant Power Supply Required

150 to 600 Users


Component check-list for 150 to 600 users

Quantity Part Description

2 Intel Xeon E5 2400/2600 CPU (10-core)

1 96 GB RAM (additional RAM may be required)

1 SAS RAID controller with 1GB battery-backed cache

3 900GB SAS 10k disk drive (OS with hot spare)

1 HP MSA 1040 SFF FC Dual controller disk array

12 1.2 TB 10K SAS drives for disk array

2 StorageTek dual-port 8G FC HBA

4 OM3 Fiber patch cables with LC connectors

1 ILO/ILOM/Remote management module (full access remote IP console)

1 SAS HBA for tape drive

2 Redundant power supplies

1 APC Smart-UPS system with USB interface

1 Sun x4 PCI Express Quad Gigabit Ethernet Networking Card

1 Oracle Premier Subscription for Solaris 11 (OS license)

Recommended Oracle example server for 150 to 600 users


Oracle/Sun X6-2L Required

2 x Intel Xeon E5-2600 v2 series processor (10 cores) Required

96 GB RAM (additional RAM may be required) Required

RAID controller, 6 Gbps SAS HBA with 512 MB battery-backed cache Required

3 x 900 GB 10k RPM disks for OS plus hot spare Required

1 x HP MSA 1040 SFF FC Dual controller Required

12 x 1.2 TB 10K SAS drives for disk array Required

2 x StorageTek dual-port 8G FC HBA Required

4 x OM3 Fiber patch cables with LC connectors Required

SAS HBA controller for external tape drive - 6 Gbps Required

Redundant Power Supply Required

Database Server Backup Configurations

Option 1 - Tape Backup with Encryption

HP Storage Works 1/8 G2 external tape library with encryption kit


Requires an Oracle Solaris 11 certified compatible SAS HBA (or FC HBA)

Option 2 - Tape Backup without Encryption

Standard LTO tape drive without encryption


Requires an Oracle Solaris 11 certified compatible SAS HBA (or FC HBA)
Does not support encryption and cannot be upgraded to provide encryption

Option 3 - Backup without a Tape Drive

Backups write to a local volume on the database server (no external tape drive)
The local backup volume is shared out as a Windows share
The customer must maintain copies of their backups on a secondary network device managed by the customer.
The customer must provide NFS access to the secondary storage device if a file restore is required on the database server
Requires a dedicated local backup volume on the database server - raid 1 or raid 5
Can use SAS 10k or SAS MDL 7.2k drives

Option 4 - Backup to NFS

The customer is responsible for configuring and maintaining their NFS share and NFS device
Greenway recommends the use of a dedicated storage device for the NFS share
Greenway does not recommend the use of Microsoft Windows NFS Services.

* Customers can use a local backup share volume and a tape drive if they choose.

** Backups to USB are not supported.

Existing Customer Storage Addendum

Additional Storage Requirements For Existing Customers

Supported storage

Internal SAS disks


External FC (with dual host controllers)

Volume and Storage Minimum Requirements

We recommend the following volumes for an existing customer's new database server:

| Volume Name | Volume Type | Volume RAID Level | Volume Initial/Min Size | Hot Spare |
|---|---|---|---|---|
| OS/boot | 10K RPM SAS | 1 | 900GB | recommended |
| Backup Staging | 10K RPM SAS, FC, or 7.2K RPM Midline SAS | 1, 5 or 10 | 4x backup size | recommended |
| Oracle ASM Storage | 10K RPM SAS or FC | 1 or 10 | 2.5x production Oracle storage | recommended |

Oracle ASM storage has a per-volume limit of 2TB. Plan your logical volumes accordingly.
Multiple RAID 1 volumes should be created until 2.5x production Oracle storage is reached.
Minimum recommended density for Oracle ASM storage is 900G (if utilizing the HP MSA 1040 array)
Disk speed availability will depend on disk form-factor (small or large) and the disk density.

Disk Array

We recommend the following disk array and related accessories. This system will provide expandable storage and higher I/O performance.

HP MSA 1040 SFF FC Dual controller


1.2 TB 10K SAS drives (see table above to calculate number of required disk drives)
QTY 2: StorageTek dual-port 8G FC HBA
QTY 4: OM3 Fiber patch cables with LC connectors

Workstation Specifications

In general, workstations will be based upon AMD or Intel processors. Requirements for workstations are detailed below, in table Workstation
Requirements.

Workstation Requirements

Item

Windows Vista Pro, Windows 7 Pro, Windows 8, or Windows 10 is required to use integrated scanning

Windows Vista Pro, Windows 7 Pro, Windows 8

1024x768 minimum resolution with 16 million colors

Anti-Virus software.

RAM amount recommended by the operating system.

In some cases, client devices that do not use Windows Vista, Windows 7 Pro, or Windows 8 for the operating system may still be used.
Some features will only work on workstations with Windows Vista, Windows 7 Pro, and Windows 8; in particular, integrated-scanning,
signature pads, and dictation.

iPads

The Apple iPad 1 and 2 will work with SuccessEHS provided that it has the recommended application installed. Any memory storage size
(example: 16GB/32GB) is fine. Printing from the iPad will work in a premise environment if the terminal server has printers installed to it
directly.

Linux Database Servers

Linux

We recommend Solaris 11 running on Oracle hardware. For new customers, we are now providing the option to utilize Oracle Linux as the
database server OS platform. The server specifications need to meet or exceed the sample server specifications as outlined below. In
addition to the sample server specifications, each hardware component must be listed as "Certified (Supported)" on the Red Hat Enterprise
Linux 6 hardware certification list for x86_64 (HCL) - http://hardware.redhat.com

Please note that we do not support Linux as a platform in our DR hosting facility. Customers using Linux will not be able to take advantage
of this service. Also, SuccessEHS cannot offer backup functionality testing if the customer is on the Linux platform.

Due to the wide variety of hardware, the hardware must be checked for compatibility prior to ordering/shipping. Verification must be
performed by the tech person ordering the hardware, or the hardware vendor. SuccessEHS is not responsible for hardware compatibility. If
the component is not compatible, it must be replaced.
Backups
System backups for the database server are mandatory, as all application data, security credentials, and audit logs (i.e., all SuccessEHS data)
are stored within the Oracle database. For other servers, the backup process is optional, but highly recommended.

Database Server Backups

In the typical configuration, the database server will have a directly attached tape drive. The SuccessEHS DBA staff will preconfigure the
customer's server to correctly back up the Oracle database. SuccessEHS uses Oracle-supplied tools and backup software to handle this. All
that is required on a daily basis is for the customer to change out tapes.

Larger configurations may use a tape changer provided through either SCSI or Fibre connectivity. In such a configuration, the customer
should change out tapes in the changer on at least a weekly basis.

As part of the initial database configuration, the SuccessEHS DBA staff will configure the customer's database server to send email
notifications back to the DBA staff each day in the event that the database is not being backed up correctly (for example, a tape is full or is
missing). While this is no guarantee of data security, it will help customers avoid many potential backup or recovery problems.

We do not support any backup method other than directly attached tape. All other methods are not supported and we will not field
support calls concerning non-tape backup methods.

We recommend using a tape system that can support hardware encryption. The HP 1/8 LTO5 library with encryption kit is
recommended.
Other Backups

In the typical configuration, the customer will use a product like Veritas installed on the member server to perform server, file sharing, and
workstation backups as appropriate. This software will be purchased and configured by the customer or the customer's IT Vendor.
Environmental Requirements
Computing machinery typically requires specific environmental conditions to ensure continuous and reliable operation. Such requirements
vary heavily depending upon the actual equipment in use. Please refer to the sections below for environmental guidelines with each
component of the system. However, the user must always consult the manufacturer's specifications for the particular equipment in use.

Factors to consider in the environment include power availability, power cleanliness, atmospheric cleanliness, atmospheric temperature,
atmospheric humidity, and physical stability.

Servers, Disk Arrays, Tape Drives and Tape Libraries

Generally servers need to be kept in an environment with controlled humidity and temperature. Typically humidity levels need to be kept
between 30 and 50% relative humidity, with temperatures in range 60 to 80 degrees Fahrenheit. In larger environments where building
climatic controls cannot keep the environment in this range, the customer should purchase supplemental systems capable of maintaining this
environment. For example, larger installations will need units capable of measuring and maintaining the humidity of the environment by
providing or removing moisture to or from the air.

Power for servers should be clean and steady. Most servers will operate correctly on voltages between 100 and 240 volts AC, at a
frequency between 50 and 60 Hz. A UPS should be provided that will clean the power provided to the server, and also carry the server's power
requirement during fluctuations and brown-outs. Refer to section Power Supplies and UPSes for further information.

SuccessEHS highly recommends that emergency power generation be employed to provide an alternative to utility power during extended
outages. Such a system would automatically switch on and provide power until utility power returns to an available and clean state. Further,
emergency power generation should supply power to any climate control equipment necessary for server operation.

The environment provided to servers should be relatively free from dirt and other airborne particles. Care should be taken to avoid
introducing excessive dirt into the environment. The air should generally be circulated through a filtering system of some kind. If a climate
control system is in place, be sure to regularly change the filters. It is generally not a good idea to sanitize or use chemicals in the server
area. Therefore, these machines should be kept well away from patient areas.

Servers also typically require an environment that is stable. Consult the equipment's specifications for vibration. Generally, servers should be
stored in racks or on solid work surfaces that have minimum or no flex.

Routers and Switches

Data center class routers and switches, like those typically collocated with the servers, require about the same environmental requirements;
see the section on servers above.

Routers and switches deployed into the office environment are typically much more rugged and have fewer environmental requirements.
They should still be supplied with UPSes to filter power and sustain services through momentary failures. If the devices have fans, ensure
that air is allowed to flow easily through the device and that exhaust ports are not blocked.
Power Supplies and UPSes

Uninterruptible Power Supply

An uninterruptible power supply, or UPS, is designed to provide temporary power to your server in the event that utility power fails.
Generally a UPS provides power long enough to cover power flickers, to ensure a transition to generator power, or to facilitate an
orderly shut-down of the server.

SuccessEHS recommends that each non-redundant server have dual power supplies. In the case where a customer has many terminal
servers, the customer may choose not to purchase redundant power supplies for each terminal server.

Each server should be plugged into a UPS capable of powering the server for several minutes. This will help prevent down time due to power
fluctuations, brown-outs, and power spikes.

This small expense can make a major difference in system availability and should not be skipped.

Further, the user should strive to have the database server shut down cleanly whenever possible. The easiest way to accomplish this is to
attach an APC-brand UPS to the database server using a USB connection. After plugging in the UPS to the USB connection, restart the
database server. The server will automatically detect the UPS and will be configured to shut down the server cleanly if available battery power
falls below 20% capacity, or below 3 minutes estimated battery time remaining. Please contact SuccessEHS if you need these parameters
changed to a different value.

For other devices and servers, SuccessEHS recommends that a surge protecting power strip be used at a minimum, especially on switches,
routers, and other network devices whose failure can mean down time.
Premise Firewalls


SuccessEHS requires that each customer location be protected from unauthorized public Internet traffic using a hardware firewall device.
Software firewalls are supported on workstations, but are not recommended for use as the site’s primary firewall. While SuccessEHS has the
most experience with Cisco ASA devices, premise clients are able to use any hardware firewall which allows the correct ports to be opened,
and that provides the customer with the necessary scalability for the number of Internet connections planned. Table 2 on page 14 summarizes
the firewall ports that must be open for incoming traffic, along with the purpose of the port. Table 3 on page 15 lists outbound ports which
must not be blocked. Both of these tables use the abbreviations TS, DB, and WKS to mean Terminal Server, Database Server, or
Workstation. For hosted customers, or premise clients operating as a hosted client, remote workstations must be able to have outbound
traffic on the ports described in Table 4 on page 15.

These port numbers as well as other firewall port requirements are subject to change.

Turnkey Firewall Ports — Required for Inbound Traffic

| Port | Destination Device | Purpose |
|---|---|---|
| 22 | DB | Secure Shell access to the database server |
| 3389 | TS | For remote server access provided to SuccessEHS support, one terminal or admin server should have this port open. Also, this port must be open for any terminal server which will be accessed remotely. |
| 80:4443 | DB | Only required if turnkey site is providing external access. Port 80 will redirect to the secure port on 4443. |

Turnkey Firewall Ports — Required for Outbound Traffic

| Port | Destination Device | Purpose |
|---|---|---|
| 20,21 | TS | FTP. If using Per-Se, the turnkey site must allow outbound FTP traffic destined towards Per-Se. FTP traffic is encrypted using the Per-Se client and 3DES standards. |
| 25 | DB | Database outbound email traffic. The database server sends updates and notifications to the SuccessEHS staff using email. The database server must be allowed to directly send email without forwarding through a local email server. No secure or confidential information is transmitted in these emails. |
| 123 | DB | Network time synchronization (NTP). The database server should be allowed to send outbound port 123. |
| UDP 500 | Firewall | VPN, when necessary. UDP port 500 (ISAKMP) is used for tunnel negotiation. |

Client/Workstation Firewall Ports---Required for Outbound Traffic

| Port | Origin | Purpose |
|---|---|---|
| 1494 | WKS | Citrix traffic to ASP terminal servers (if using Citrix). |
| 3389 | WKS | RDP Traffic to ASP terminal servers. |
| 30000-30500 | WKS | RDP Traffic to ASP terminal servers. |
| 4443 | WKS | SuccessEHS University; Self-service Issue tracking. |
| 7778 | WKS | '' '' |
| 7777 | WKS | '' '' |
| 4445 | WKS | '' '' |
| 5730 | WKS | '' '' |
| 2400 | WKS | '' '' |
| 80 | WKS | SuccessEHS Web servers |

Peripheral Specifications
Peripherals constitute all non-primary computing devices, including primarily printers, scanners, and cameras. Because of the very wide
variety in these devices, Greenway cannot provide a list of all equipment that works with the POC suite. Instead, Greenway provides
recommendations and additional notes to customers to help in the selection of peripherals. As mentioned in the introduction, if the customer
is interested in a particular device which has been neither approved nor disapproved, the customer should contact either the Greenway
SuccessEHS IS consultant or sales representative about formal testing of the peripheral. Because of the wide variety of peripherals
available, SuccessEHS normally charges a small fee for this service.

Printers
The SuccessEHS POC suite provides approximately three different types of printing:

1. Laser Claims Printing---Claims printing can be very demanding due to form alignment issues.
2. Label and Receipt Printing---Again, this type of printing can be very demanding due to form alignment and particularly form height.
The SuccessEHS suite supports the DYMO 400 turbo or DYMO 450 Turbo.
3. Laser Report Printing---This type of printing covers the vast majority of printing in POC, and places the fewest technical demands
upon the printer (though the volume can be very high for large customers). Nearly any business class laser printer will work correctly
to print this class of report. HOST-based printers are not supported.

Please note that many low-end inkjet printers and some low-end laser printers may not be supported because of the vastly
different drivers required. In any event, Greenway SuccessEHS does not normally recommend inkjet printers for office use
because of their very expensive consumable (ink) prices. Some printers are semi-host-based and support both host-based
drivers and PCL/PS drivers; for these printers the host-based drivers must not be used. The Non-Supported Printers table
below lists printers that are known not to function correctly. However, the Non-Supported Printers table is not an
all-inclusive list. As with all peripherals, please have your Greenway SuccessEHS SIE consultant verify that your printer is
supported, or choose a printer from the recommended list.

Approved Printers

| Manufacturer | Model | Features | Notes |
|---|---|---|---|
| Lexmark | E260dn | Laser Printing, Claims Printing | Most recommended printer |
| Canon | iR3235/iR3245 | Laser Printing, Claims Printing | High end. Also a network scanner. |
| Dymo | LabelWriter Turbo 450 | Label Printing | |

Non-Supported Printers

| Manufacturer | Model | Notes |
|---|---|---|
| HP | LJ1000 | Not supported |
| HP | LJ1010/11/12/13 | Not supported |
| Epson | C66 | Not supported |
| Dell | 1100 | Not supported |

Dictation Microphones

The following Supported Microphones are recommended for new clients:

Supported Microphones

Model

Philips SpeechMike III – 3215 (LFH-3215)

High Fidelity Monaural PC Headset with Noise Canceling Microphone (NC181)

***The following discontinued microphones are not recommended for new clients but are still supported for existing clients:***

Discontinued, Older, Supported Microphones

Model

SpeechMike Pro: LFH 5274

SpeechMike Pro PLUS: LFH 5276

SpeechMike Classic: LFH 5260 (Philips)

SpeechMike Classic: LFH 5262 (International)

SpeechMike Classic PLUS: LFH 5270 (Philips)

SpeechMike Classic PLUS: LFH 5272 (International)

Digital Signature Pads


Digital signature pads allow the capture of digital signatures with the SuccessEHS system. The Signature Pads table lists the supported digital
signature pads which may be used with SuccessEHS.

Signature Pads

| Manufacturer | Model | Notes |
|---|---|---|
| Topaz | T-S261-HSB | none |
| Topaz | T-LBK460-HSB | none |

Routers and Firewalls

Firewalls used at a customer's remote sites should not close idle outbound connections, or should provide the ability to adjust this
timeout value to periods greater than an hour. Otherwise, the customer may be frequently disconnected from their central site.
Greenway has noticed that some lower-end firewalls can close these connections in as little as five minutes, which means that the
customer application will be closed.

While Greenway cannot identify all firewalls that have this problem, lower-end firewalls are much more likely to have this limitation. As
Greenway encounters these firewalls, they will be identified as not supported. The Cisco Pix ASA series firewalls do not have this problem,
and are fully supported by Greenway SuccessEHS.

Scanners
The SuccessEHS suite supports the addition of scanned images as attachments in a number of convenient places in the system. Nearly any
scanner can be used in a file-browse mode (i.e., saving the attachment using scanner software, then browsing to the attachment from within
SuccessEHS). For direct interaction with the scanner, the scanner should be capable of saving jpeg (JPG) images, and must be TWAIN
compliant. Most TWAIN compliant scanners should work correctly. However, SuccessEHS cannot guarantee that all TWAIN compliant
scanners will work because some manufacturers have issues with their drivers. The customer should contact SuccessEHS for testing of
particular scanners. A good way for the customer to test the TWAIN driver they have installed is to use the Twacker utility from twain.org. The
install is located at http://install.ehsmed.com/utilities/Twack_32.msi. When troubleshooting scanners, use this utility, as some clients are
able to scan in MS Paint or Word but not inside SuccessEHS.

The Approved Scanners table lists the scanners tested and approved by SuccessEHS.

Customers working with the outsourcing group will need to use the E-Bridge scanning solution. E-Bridge requires one of the scanners listed
in the E-Bridge Scanners table.

Approved Scanners

Approved Scanners

| Manufacturer | Model | Features | Notes |
|---|---|---|---|
| Fujitsu | FI-6130z | Document Feeder, Card Scan | High end, most recommended scanner |
| Epson | WorkForce Pro GT-S50 | Document Feeder, Card Scan | |
| ScanShell | 800NR | Card Scan | |
| ScanShell | 800DXN | Card Scan | Duplex |
| ScanShell | 3000DN | Document Feeder, Card Scan | Portable |

E-Bridge Scanners
Customers working with the outsourcing group at SuccessEHS will need to use the E-bridge scanning solution. E-bridge requires one of the
scanners listed below:

E-Bridge Scanners

| Manufacturer | Model | Notes |
|---|---|---|
| Canon | DR 2080 | None |
| Canon | DR 3060 | None |
| Canon | DR 3080 | None |
| Canon | DR 5020 | None |
| Canon | DR 5080 | None |
| Fujitsu | 4120 | Contact SuccessEHS |

Copyright 2017, Greenway Health Page 19