LAB FORWARD. WITH PROService RMS TECHNOLOGY, ARCHITECTURE AND SECURITY INFORMATION FOR IT PROFESSIONALS

Similar documents
LAB FORWARD. WITH PROService REMOTE SERVICE APPLICATION. Frequently Asked Questions

Bridgit Conferencing Software: Security, Firewalls, Bandwidth and Scalability

Protecting systems and patient privacy

White Paper. BD Assurity Linc Software Security. Overview

Information Technology Career Cluster Introduction to Cybersecurity Course Number:

BlackBerry Enterprise Service 10. Secure Work Space for ios and Android Version: Security Note

Cornerstones of Security

Unisys Internet Remote Support

Topics in Network Security

The Panoptix Building Efficiency Solution: Ensuring a Secure Delivery of Building Efficiency

Network Configuration Settings

Executive Summary and Purpose

Security Technical. Overview. BlackBerry Enterprise Service 10. BlackBerry Device Service Solution Version: 10.2

How Reflection Software Facilitates PCI DSS Compliance

Network Security Administrator

FAST FILE TRANSFER INFORMATION ASSURANCE ASSESSMENT REPORT

Complying with PCI Data Security

How To Understand And Understand The Security Of A Key Infrastructure

Case Study for Layer 3 Authentication and Encryption

Overview of Banking Application Security and PCI DSS Compliance for Banking Applications

Network Management System (NMS) FAQ

Network Security and Firewall 1

Sync Security and Privacy Brief

Managed Security Services for Data

Overview of Network Security The need for network security Desirable security properties Common vulnerabilities Security policy designs

redcoal SMS for MS Outlook and Lotus Notes

Famly ApS: Overview of Security Processes

CH ENSA EC-Council Network Security Administrator Detailed Course Outline

Citrix MetaFrame XP Security Standards and Deployment Scenarios

S E C U R I T Y A S S E S S M E N T : B o m g a r A p p l i a n c e s

7 Network Security. 7.1 Introduction 7.2 Improving the Security 7.3 Internet Security Framework. 7.5 Absolute Security?

Network Access Security. Lesson 10

McAfee Firewall Enterprise 8.2.1

Security Protocols/Standards

NETWORK SECURITY (W/LAB) Course Syllabus

GoToMyPC Corporate Advanced Firewall Support Features

VPN. Date: 4/15/2004 By: Heena Patel

Section 1 CREDIT UNION Member Information Security Due Diligence Questionnaire

FISMA Cloud GovDataHosting Service Portfolio

EC-Council Network Security Administrator (ENSA) Duration: 5 Days Method: Instructor-Led

VNC User Guide. Version 5.0. June 2012

MEDIAROOM. Products Hosting Infrastructure Documentation. Introduction. Hosting Facility Overview

McAfee Firewall Enterprise 8.3.1

WebEx Remote Access White Paper. The CBORD Group, Inc.

Configuration Guide. BlackBerry Enterprise Service 12. Version 12.0

Remote Services. Managing Open Systems with Remote Services

Building Energy Security Framework

Sophos UTM. Remote Access via PPTP. Configuring UTM and Client

Chapter 17. Transport-Level Security

Secure Remote Monitoring of the Critical System Infrastructure. An Application Note from the Experts in Business-Critical Continuity

FileCloud Security FAQ

Benefits of Network Level Security at the RTU Level. By: Kevin Finnan and Philippe Willems

System i and System p. Customer service, support, and troubleshooting

Introduction to the HP Server Automation system security architecture

Global Client Access Managed Communications Solutions. JPMorgan - Global Client Access. Managed Internet Solutions (EC Gateway)

How To Pass A Credit Course At Florida State College At Jacksonville

NETASQ & PCI DSS. Is NETASQ compatible with PCI DSS? NG Firewall version 9

Acano solution. Security Considerations. August E

Security Whitepaper. NetTec NSI Philosophy. Best Practices

Recommended IP Telephony Architecture

Network-Enabled Devices, AOS v.5.x.x. Content and Purpose of This Guide...1 User Management...2 Types of user accounts2

WW HMI SCADA-08 Remote Desktop Services Best Practices

Healthcare Compliance Solutions

Security Guide. BlackBerry Enterprise Service 12. for ios, Android, and Windows Phone. Version 12.0

MIP 5000 VoIP Radio Console VPN Solution Guide

Prerequisites: Fundamentals of Networking, Knowledge of Operating Systems

SCADA SYSTEMS AND SECURITY WHITEPAPER

Cisco Application Networking Manager Version 2.0

"Charting the Course to Your Success!" MOC D Windows 7 Enterprise Desktop Support Technician Course Summary

Why a Reverse Proxy with My Instant Communicator for mobiles??

DRAFT Standard Statement Encryption

Installing and Configuring Websense Content Gateway

a) Encryption is enabled on the access point. b) The conference room network is on a separate virtual local area network (VLAN)

Avaya G700 Media Gateway Security - Issue 1.0

Who is Watching You? Video Conferencing Security

Virtual Private Networks

Novell Access Manager SSL Virtual Private Network

SECURELINK.COM ENTERPRISE REMOTE SUPPORT NETWORK

NETWORK ACCESS CONTROL AND CLOUD SECURITY. Tran Song Dat Phuc SeoulTech 2015

Transport Layer Security Protocols

Electronic Service Agent TM. Network and Transmission Security And Information Privacy

Configuration Guide BES12. Version 12.2

Xerox DocuShare Security Features. Security White Paper

E-Commerce Security. The Client-Side Vulnerabilities. Securing the Data Transaction LECTURE 7 (SECURITY)

Windows 7, Enterprise Desktop Support Technician Course 50331: 5 days; Instructor-led

HughesNet Broadband VPN End-to-End Security Enabled by the HN7700S-R

Remote Access Platform. Architecture and Security Overview

High speed Ethernet WAN: Is encryption compromising your network?

WS_FTP Professional 12. Security Guide

What s New in Fireware XTM v11.5.1

BlackBerry Enterprise Service 10. Version: Configuration Guide

THE BCS PROFESSIONAL EXAMINATIONS BCS Level 6 Professional Graduate Diploma in IT. April 2009 EXAMINERS' REPORT. Network Information Systems

EMC CLARiiON Secure Remote Support Solutions Technical Notes P/N REV A03 October 5, 2010

AWS Security. Security is Job Zero! CJ Moses Deputy Chief Information Security Officer. AWS Gov Cloud Summit II

PROTECTING INFORMATION SYSTEMS WITH FIREWALLS: REVISED GUIDELINES ON FIREWALL TECHNOLOGIES AND POLICIES

Implementing and Administering Security in a Microsoft Windows Server 2003 Network

Recommended Wireless Local Area Network Architecture

Transcription:

LAB FORWARD WITH PROService RMS TECHNOLOGY, ARCHITECTURE AND SECURITY INFORMATION FOR IT PROFESSIONALS

Medical diagnostics are a vital part of the modern healthcare system, and instrument uptime is critical to diagnostics throughput and profitability. Improved instrument uptime can be attained by: Reducing unscheduled service Making service visits more efficient by remote and proactive monitoring through knowledge of mass trends of instrument trends across the installed base Allowing some service visits to be Assuring that the technician has done remotely the right parts for on-site visits These are all worthwhile goals, and Beckman Coulter can support your organization s need for secure, efficient instrument management through PROService. PROService Enhancing Instrument Performance Service Dashboard Remote Desktop Sharing (RDS) Remote Upload PROService FEATURES * BENEFITS Maximize uptime and productivity Reduce unscheduled downtime Troubleshoot and service efficiency Remote Download Remote software updates Remote database update Remote on-line Help file update Remote reagent file/setting update Immediate access to documents (i.e. Customer Notifications) Triggers Proactive and predictive support to avoid/reduce unscheduled downtime by facilitating the resolution of issues before they affect instrument performance Reduce customer-initiated service calls Improve system uptime and efficiency Remote Setup/Configuration Shorten onsite visit time for instrument/middleware setup Eliminate onsite visit to configure add-on test Accelerate revenue generation for add-on tests mproservice PROService Service Dashboard mobile accessibility for Beckman Coulter Service Engineers. Enhances service efficiency * PROService availability or features vary by instrument/system platform.

PROService Design Highlights PROService utilizes RMS, Beckman Coulter s proprietary data pipeline that remotely connects Beckman Coulter and its systems in customer laboratories, to provide a single, secure interface for multiple instruments, with minimal impact to your IT systems. The RMS Remote Application Process (RAP) box connects to the instrument Transmission Control Protocol/Internet Protocol (TCP/ IP) port and creates a firewalled subnet for the connected instruments. It does not touch the Laboratory Information System (LIS) data connection unless the customer requests Network Connectivity feature. Instrument status is sent via Hypertext Transfer Protocol Secure (HTTPS)/Secure Sockets Layer (SSL) to PROService. Remote management is available and is performed through an outbound-initiated Virtual Private Network (VPN) tunnel. Using firewall-friendly technology, the RMS RAP box securely transfers information pertinent to instrument health to Beckman Coulter servers via the Internet. PROService is enabled by a small, headless computer that links your Beckman Coulter instruments to servers, software, and a support team at Beckman Coulter. This computer, also known as a RMS RAP box, is installed in your lab and connects to your Beckman Coulter instruments via TCP/IP. The RMS RAP box coordinates secure, encrypted communication between your instruments and the secure Beckman Coulter servers. RMS Remote Application Processor (RAP) box Architecture The PROService application uses the RMS RAP box, the Internet, and sophisticated enterprise software to connect your Beckman Coulter instruments to support staff. At the Client The RAP box is a dedicated communications processor which buffers and forwards status reports from software agents on each instrument to Beckman Coulter servers. It also provides authentication, VPN services, and supports remote management. En Route All data is encrypted with 128 bit Advanced Encryption Standard (AES) and sent over the Internet via SSL. PROService uses the popular open source SSL/Transport Layer Security (TLS) VPN called OpenVPN. OpenVPN utilizes OpenSSL cryptographic modules for data encryption, and it is used for Remote Desktop Sharing (RDS). At Beckman Coulter Beckman Coulter s dedicated database and servers handle data collection and analysis. The system (Figure 1) supports sophisticated reporting and Triggers, which alert Beckman Coulter Service and Support staff to potential instrument issues. Access to instrument data and status is controlled according to training, role, and location of the Beckman Coulter staff.

PROService PRIVATE INSTRUMENT NETWORK CUSTOMER INSTITUTION NETWORK Serial Instrument Instrument Instrument TCP/IP BECKMAN COULTER NETWORK Database Cluster Optional Feature TCP/IP Customer LIS and Network Beckman Coulter Router Enterprise Application Cluster Ethernet, Wi-Fi, or Cellular 2 RMS RAP Box Customer Firewall Beckman Coulter Firewall Beckman Coulter Network 1 Middleware VPN Server Farm Analytics Metering eqap PROService Figure 1. Standard RMS Connection 1 Middleware Internet connection through the RAP Box provides an additional level of security for the middleware, but it is not required except in US Department of Defense (DoD) environments. 2 Availability of Wi-Fi and cellular Internet connectivity varies by geography. Hardware The RMS RAP box is a small, custom computer running Red Hat Enterprise Linux (RHEL). For reliability, it has a solid state drive (SSD), fanless cooling and no moving parts. It has Ethernet ports for each connected instrument plus one for the network/ Internet connection. Beckman Coulter performs all RAP box software updates and maintenance, typically done remotely.

Software The RMS RAP box includes a custom software stack running on RHEL with appropriate updates. It uses Open SSL for data in transit and a Federal Information Processing Standards (FIPS) 140-2 validated protocol. The PROService enterprise software gathers and analyzes inputs from all connected instruments and performs lookups and comparisons, driving instrument status and health dashboards for the PROService support team. Instrument performance is compared against the body of evidence to raise alerts to the Beckman Coulter Service and Support staff and permit timely action. Security Appropriate configuration standards are applied to achieve and assure data security (Figure 2). Specific areas include operating system (OS) configuration and security enhancements, web server security enhancements, and message processing security. RMS RAP box operating system security enhancements Security Technical Information Guides (STIGs) 1 are applied for RHEL Version 5 and Desktop, including the following areas: Update all installed Red Hat Version 5 software Common Vulnerabilities and Exposures (CVE) Enhance physical access security Disable unnecessary user accounts and software Limit access to RAP box files Enhance password to meet the United States Department of Defense (DoD) requirement by using FIPS 140-2 approved hashing algorithm Enhance Network Security per DoD requirement Disable interactive unencrypted communication to RAP Box Configure Red Hat operating system auditing per DoD requirement Enable remote audit logging Enable FIPS 140-2 approved ciphers for remote shell Enable Basic Input/Output System (BIOS) authentication RMS RAP box web server security enhancements Applied STIGs for web server include the following areas: Enable SSL to local web server Disable unnecessary Apache Modules from loading Enable complete web server logging Display DoD network warning on all served pages (configuration pages, etc.) Restrict access to served pages Enhance Network Security per DoD requirement Disable all Common Gateway Interface (CGI) scripts RMS RAP box message processing security The Application Security and Development (ASD) STIG 2 is applied, which includes the following: Enable FIPS 140-2 approved algorithm for data encryption using Java SunPKCS11 provider in FIPS mode Collect audit logs and update to remote server

1 2 3 4 5 RMS RAP Box For DoD customers IPSEC VPN Internet For DoD customers IPSEC VPN Servers Analytics Metering eqap Customer Firewall Beckman Coulter Firewall 6 7 Instruments PROService 1 2 3 4 5 6 7 RMS RAP box protects connected systems from network Additional DIACAP compliant security features for DoD customers. Communications pass through both customer and Beckman Coulter firewalls Communications protected with industry-standard encryption. Remote Desktop Sharing (RDS) is protected from interception with VPN tunnel. Dual certificate authentication helps prevent unauthorized access to transmitted data. Remote Desktop Sharing (RDS) requires manual onsite approval Beckman Coulter Service and Support staff access is customized by training, role, and location. Three levels of access controls to authenticate users Figure 2. Security Features with IPSEC VPN option for US Department of Defense (DoD) customers Communications There are two main forms of communication: Regular status messaging and remote management sessions. Regular status messages are sent from the RAP box using HTTPS POST. Remote management uses VPN sessions. The system uses minimal bandwidth using messaging and only needs 128 kbps for a remote management session. Communications are encrypted and only established between known and authorized addresses. When remote service is performed, it must be authorized by a user at the instrument to be addressed. A secure VPN tunnel is established only for the duration of that session. The RAP box s firewall rejects external communication requests. The system can accommodate HTTP and Socket Secure (SOCKS) proxy servers. It requires Internet access with port 443 available, except in IPSEC VPM connections.

Communications Security Security features includes two-way SSL authentication to secure all communication between your Beckman Coulter instruments and the Beckman Coulter data center. Beckman Coulter leverages third party Certification Authority (CA) to issue digital SSL certificate for verification of RAP box identity. The software encryption modules are National Institute of Standards and Technology (NIST) compliant 3, assuring they are securely developed and maintained throughout the system s life cycle. VPN uses OpenVPN with OpenSSL in FIPS mode, two-way SSL authentication. US Department of Defense Information Assurance Certfication and Accreditation Process (DIACAP) The RMS RAP box security design meets the DIACAP standards. DIACAP accreditation validates the security design of the RAP box and reaffirms Beckman Coulter s commitment to software security. Interconnection Security Agreement and Memorandum of Understanding (ISA/MOU) Beckman Coulter also completed the Interconnection Security Agreement and Memorandum of Understanding (ISA/MOU) with the US Department of Veterans Affairs (VA) to connect and utilize all PROService features at all VA sites.

Summary PROService enables the secure transmission of instrument status and health information to Beckman Coulter so you can focus on patient care. Designed to Information Security standards established by the industry, the VA, and the DoD 4. Reduces unscheduled downtime by enabling proactive, preventive action to be taken by you or Beckman Coulter. Minimizes interruptions when service is needed by expediting issue isolation and readiness of parts. About Beckman Coulter Beckman Coulter is a leader in the medical diagnostics field and is uniquely qualified to provide oversight and support for your Beckman Coulter system. Term ASD STIG DIACAP DoD FIPS FIPS 140-2 IA ISA/MOU RAP box SSL STIGs Triggers VA Definition The Application Security and Development Security Technical Information Guide - A series of application security requirements that apply to "all DoD developed, architected, and administered applications and systems connected to DoD networks." 4 DoD Information Assurance Certification and Accreditation Process - The United States Department of Defense process to ensure that risk management is applied on information systems. United States Department of Defense Federal Information Processing Standards - Publicly announced standardizations developed by the United States federal government for use in computer systems by all non-military government agencies and by government contractors, when properly invoked and tailored on a contract. The purpose of FIPS is to ensure that all federal government and agencies adhere to the same guidelines regarding security and communication. A United States government computer security standard that specifies the minimum cryptographic modules requirement for data encryption and is validated by the National Institute of Standards and Technology (NIST). Information Assurance - DoD Information Assurance Actions that protect and defend information systems by ensuring availability, integrity, authentication, confidentiality, and nonrepudiation. ISA/MOU memorializes the agreement between VA and Beckman Coulter regarding the management, operation, and security of a connection between the Beckman Coulter RAP box connected to laboratory instruments, owned by VA, and PROService, owned by Beckman Coulter. The hardware (a small, headless computer) responsible for facilitating the communication between connected Beckman Coulter instruments and the Beckman Coulter data center via its trusted subnet. It is responsible for deciding when to use local storage, dispatching and executing local commands, and controlling the VPN tunnel, including starting and authentication. Secure Sockets Layer - A session layer security protocol used on the Internet to secure web pages and transactions by means of public key cryptography. Security Technical Information Guides - The Defense Information Systems Agency, part of the Department of Defense (DoD), provides STIGs in various areas as guidance in best security practices. STIGs are configuration standards for the DoD Information Assurance (IA) and IA-enabled devices/systems. STIGs contain technical guidance to "lock down" information systems/software that might otherwise be vulnerable to a malicious computer attack. In the PROService application - A set of conditions that, when matched to instrument data, causes the PROService support team to be alerted. United States Department of Veterans Affairs References 1 STIGS used to validate the PROService RAP box system (http://iase.disa.mil/stigs/a-z.html): Red Hat Enterprise Linux Version 5 Apache Server for Unix Network Policy Desktop Applications General Application Security and Development Apache Site for Unix Anti-malware 2 Department of Defense. (2014) Application Security and Development Security Technical Implementation Guide, Version 3, Release 6, January 24 2014. Retrieved from http://iase.disa.mil/stigs/app_security/app_sec/app_sec.html 3 NIST (2014). Validated FIPS 140-1 and FIPS 140-2 Cryptographic Modules. Retrieved from http://csrc.nist.gov/groups/stm/cmvp/documents/140-1/140val-all.htm (1320 and 1384 Cryptographic Modules) 4 NIST (2014). FIPS PUB 140-2 - Effective 15-Nov-2001: Security Requirements for Cryptographic Modules. Retrieved from http://csrc.nist.gov/groups/stm/cmvp/standards.html * All trademarks are property of their respective owners. Beckman Coulter, the stylized logo, UniCel, DxI and Access are trademarks of Beckman Coulter Inc. and are registered with the USPTO. Lab Forward is a trademark of Beckman Coulter, Inc. For Beckman Coulter s worldwide office locations and phone numbers, please visit www.beckmancoulter.com/contact BR-50238 2015 Beckman Coulter, Inc. www.beckmancoulter.com

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information