To use Ocean with your patients, your site must first choose a shared encryption key. You should only proceed to set up this key if you are an authorized representative of your clinic.
What is a shared encryption key?
- A secure key that Ocean sites use to exchange patient data securely.
- All transmitted patient data is encrypted using this private key, defined by and known only by the clinic administrator.
- Even CognisantMD system administrators do not have access to this key and they will never require it. This ensures that even the most trusted CognisantMD administrators are completely unable to read patient health information.
- This key must be kept private within the clinic and shared only with authorized personnel as needed.
- Any of your devices that are connected to Ocean (workstations, tablets, EMR) will require this key.
Setting Up Your Shared Encryption Key
- Log in to the Ocean Portal and navigate to the Admin tab.
- Enter the "Encryption" section (selected from the menu on the left) to set up your shared encryption key. You may choose to either type in a shared encryption key of your choice or keep the auto-generated key.
Requirements for the Shared Encryption Key:
- It must be 16 characters long, with at least one digit, one uppercase letter, one lowercase letter and one punctuation mark (e.g. !, ., _, @, etc.).
- It should NOT be one of your personal passwords because it may be shared with other users at your site.
- Feel free to keep the random key that is generated automatically for your site, or create your own key.
- You must acknowledge that you've stored your shared encryption key in a safe spot (step 2) and left a hint (step 3) in case you need to enter your encryption key again in the future (e.g. if you get a new computer or use a new browser).
- Click "Save" to save your shared encryption key.
- You can return to this "Encryption" section of the Admin tab to view your shared encryption key at any time.
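The requirements above expressed as a check, with a generator for sites that prefer to create their own key before typing it into the portal. This is an added example, not CognisantMD's code. It assumes "16 characters" means exactly 16 and that any ASCII punctuation satisfies the punctuation rule, and it generates keys using only the marks the page names (`! . _ @`).

```python
import secrets
import string

KEY_LENGTH = 16        # assumption: exactly 16 characters
GEN_PUNCT = "!._@"     # only the punctuation marks named in the requirements

# Character classes the requirements call for. Validation accepts any ASCII
# punctuation (assumption); generation stays within GEN_PUNCT to be conservative.
CLASSES = {
    "digit": string.digits,
    "uppercase letter": string.ascii_uppercase,
    "lowercase letter": string.ascii_lowercase,
    "punctuation mark": string.punctuation,
}


def unmet_requirements(key):
    """Return a list of the requirements that `key` fails (empty if compliant)."""
    problems = []
    if len(key) != KEY_LENGTH:
        problems.append(f"length is {len(key)}, expected {KEY_LENGTH}")
    for name, chars in CLASSES.items():
        if not any(c in chars for c in key):
            problems.append(f"missing {name}")
    return problems


def generate_key():
    """Draw a compliant key from the OS CSPRNG.

    Rejection sampling: every character is drawn uniformly from the whole
    alphabet and non-compliant draws are discarded, so no position is
    predictable (unlike forcing "one digit first, one symbol last").
    """
    alphabet = (string.digits + string.ascii_uppercase
                + string.ascii_lowercase + GEN_PUNCT)
    while True:
        key = "".join(secrets.choice(alphabet) for _ in range(KEY_LENGTH))
        if not unmet_requirements(key):
            return key


if __name__ == "__main__":
    # Constructed sample: right length, but no punctuation mark.
    print(unmet_requirements("Password12345678"))
    # Print once and record it in the clinic's safe storage location.
    print(generate_key())
```

The generator uses `secrets` rather than `random` because the key protects patient data and must not be reproducible from a seed.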
Important Notes about the Shared Encryption Key
Your shared encryption key is the ultimate guard against unauthorized access to your patients' data, and should therefore be handled with great care and stored in a safe place. For safekeeping, we recommend that you download, print, and complete this Clinic Reference Card and keep it in a safe location for future reference.
It’s also recommended that access to the key be limited to trusted administrative account holders.
If you have misplaced your encryption key, try following the steps outlined in "Recovering a Lost / Forgotten Shared Encryption Key" to recover it.
In the worst-case scenario where your encryption key really has been lost, CognisantMD will NOT be able to find or retrieve your unique key on your behalf (this is one of the ways we help to ensure patient data is always secure).
If your encryption key has been lost, unfortunately, CognisantMD has no way to find or retrieve your unique key on your behalf (this is one of the ways we help to ensure patient data is always secure). However, there are some troubleshooting steps you can take to try to recover it on your own.
Try the Ocean Portal.
- Log in to the Ocean Portal and navigate to the Admin tab.
- Enter the "Encryption" section from the menu on the left and your shared encryption key should appear there. If not, the "hint" may help you track down where you should be looking and/or what you chose your key to be.
Try your EMR.
- If you are using PS Suite or OSCAR, you may be able to access the encryption key from within your EMR.
- If you are using PS Suite, open the Ocean custom form and click "Settings" on the custom form. Enter your Ocean credentials (username and password) and a menu of options should appear. Click on "Shared Encryption Key" to view your shared encryption key.
- If you are using OSCAR, open the Ocean eForm in OSCAR (using the Ocean shortcut on the appointment schedule or in the "Manage eForms" section in the Administration panel) and select the "Settings" button. Click "Initial Configuration" and enter your Ocean login credentials to view your shared encryption key.
Try a colleague's web browser.
- An Ocean user who can view patient data in their web browser can do so because they have the encryption key saved in their browser's local storage. If you set up Ocean using your web browser, it might be available by logging in to the Ocean Portal using this same web browser. If another colleague set Ocean up, you can ask them to log into their Ocean Portal account.
- In either case, you will see the shared encryption key in the Admin tab of the Ocean Portal (which only site administrators can see) in the "Encryption" section (selected from the menu on the left).
Try an Ocean Tablet.
- If you have an Ocean Tablet, you can view the encryption key in the Administration Menu (which an Ocean user with admin privileges can access by tapping on the Ocean logo or "cog" icon in the bottom left). From this Admin menu, choose "View Shared Encryption Key" to view your site's encryption key.
If you've tried all of the above and still can't find your encryption key...
If your shared encryption key is truly lost, you will need to create a new one and update all your devices.
However, if you do this, you will not be able to retrieve any previous patient responses or referrals (and we, sadly, cannot help retrieve them either).
We can help you choose a new key at this point, as long as you are ready to abandon old Ocean patient records that have yet to be downloaded to your EMR.
Protecting Your Shared Encryption Key in the Future
Your shared encryption key is the ultimate guard against unauthorized access to your patients' data, and should therefore be handled with great care and stored in a safe place. It’s also recommended that access to the key be limited to trusted administrative account holders. To guard against the worst-case scenario of a lost key (and lost patient data), we recommend taking the following steps:
- Administrative access in Ocean is required to change the shared encryption key. As a result, you should limit admin privileges to a small number of trusted users. However, always ensure that you have redundancy, in case an admin user leaves the organization.
- Ocean allows you to save a "hint". Make an effort to ensure that the hint will always allow an admin user to recover the key. This might include noting a secondary storage location.
- You can download, print, and complete this Clinic Reference Card and keep it in a safe location for future reference.
- Consider a safe online password storage tool designed for shared team use such as Common Key or 1Password.
The Shared Encryption Key
The shared encryption key is used by Ocean to decrypt private patient health information (PHI) locally, within your web browser. This prevents third parties (including CognisantMD) from accessing your clinic's PHI.
Web browsers are often "locked down" by site IT departments, as a general security measure. These restrictions can sometimes prevent Ocean and other web sites from storing information like the shared encryption key. If you are repeatedly prompted for the encryption key despite entering it successfully in the past, please consider the following possible explanations.
A computer is being used for the first time:
- The encryption key is stored only within a particular browser, on a particular machine. It must be entered individually on each browser/computer combination that you use. We recommend that you enter it on each onsite computer browser as part of an initial setup.
A different browser than the usual one is being used on the computer:
- The encryption key may have been previously stored on one browser, but not on the one currently open. For example, it may have been stored within Chrome on the computer, but not within Firefox.
A new user account is being used on the computer, with its own browsing history and other settings:
- Some shared computers are configured to store different settings for each user who logs in. If a particular user has not yet logged into a particular machine, and the machine stores different settings for this user, he/she will be prompted for the key for the first time.
The browser is in "Incognito" mode or "Private Browsing" mode:
- Modern browsers provide users with the ability to open web pages in a "secret" or "private" mode, where information such as the encryption key, cookies, browsing history and so on are hidden. In this setting, the user needs to enter the encryption key for each session.
The browser is configured to "forget" or "never remember" browsing history:
- Since the encryption key is part of the browser's "local storage" and browsing history, it will be discarded with each session with this privacy setting in place. Please check your browser's Privacy and/or Security settings tabs to ensure this is not the case.
The computer is configured to "forget" all user session data with each login:
- Some IT configurations prevent any user information from being stored across login sessions for privacy/security reasons. In this setting, the encryption key will be discarded between each session. Please discuss with your IT team if this is a concern.
The computer is configured with a remote login (e.g. Terminal Services), which does not store browsing history:
- Similar to the issue above, many remote login (terminal services) products such as Windows Terminal Services can be configured to
Someone has changed the site's encryption key:
- As a general security measure, we recommend that sites change their encryption key periodically. When this happens, each browser/user configuration must be updated once with the new key.
The site has referrals encrypted with an old encryption key:
- To decrypt old referrals after the key has changed, the old key must be entered on the browser as well.
If none of the above scenarios are applicable, or you have any further questions, please contact CognisantMD support.