December 3, 2020 – Multiple HealthShare Advisories

This message contains six recent HealthShare Advisories, which are available below.

• Advisory: Using Browser Back Button may result in user seeing two patient's data at once in Classic Clinical Viewer
• Advisory: Consent May Be Overridden at the System-Level for Clinical Information Type Consent Regardless of the "Allow Override Consent" Setting
• Advisory: Clinical Viewer Password Auto Completes when Saved
• Advisory: Migrating from Full HealthShare Kit to HSAP kit may later cause Caché to IRIS Conversion Issues
• Advisory: Moving to IRIS-based Health Connect or IRIS for Health from HSAP when there was a prior HealthShare kit
• Advisory: Incorrect Login Behavior using HealthShare as a SAML Service Provider
• Advisory: When an End-user Updates Contact Information on the "My Account" page, the Email Account for Clinician Message Delivery is not Updated

The following Advisory was updated:

• Advisory: FHIR Medication asNeededBoolean Not Always Correct (Updated December 3, 2020)

These advisories are also on the InterSystems Product Alerts and Advisories page

December 3, 2020 - Advisory: Using Browser Back Button may result in user seeing two patient's data at once in Classic Clinical Viewer

InterSystems has identified an issue affecting the Classic Clinical Viewer, when users use the back button in a specific sequence.

This problem exists for:

• HealthShare Unified Care Record 15.03x, 2018.1.x, 2019.1.x, 2019.2.x
• HealthShare Clinical Viewer 2020.1.x, 2020.2.x

This issue occurs when users use the browser back button within the Classic Clinical Viewer in this precise sequence:

1. Access patient A through Patient Search Results page
2. On Clinical Summary of patient A, select Patient Search
3. Select patient B
4. When on Clinical Summary of Patient B, click browser back button twice (now user will be on the Clinical Summary for Patient A)
5. Select "View Summary"  "Download Summary"  or "Send Summary": Data for Patient B appears
6. The patient identifiers and data matching are consistent (i.e. Patient A data displays with Patient A identifiers Patient B data displays with Patient B identifiers).

This issue requires the user to follow the precise workflow above as outlined and only occurs in the Classic Clinical Viewer. It does not occur in the Clinical Viewer. InterSystems recommends all users review patient identifiers when viewing patient data in either the Classic Clinical Viewer or the Clinical Viewer.

If you have any questions regarding this advisory, please contact the Worldwide Response Center (WRC) at support@InterSystems.com or  +1.617.621.0700.

December 3, 2020 - Advisory: Consent May Be Overridden at the System-Level for Clinical Information Type Consent Regardless of the "Allow Override Consent" Setting

InterSystems has identified a defect affecting the ability to block the overriding of Clinical Information Type consent at the system level.

This problem exists for:

• HealthShare Information Exchange 2018.1.x 
• HealthShare Unified Care Record 2019.1.x, 2019.2.x, 2020.1.x, and 2020.2.x

Consent in HealthShare may be applied in two contexts, MPI and Clinical Information Type (CIT), and at three levels, patient-, facility-, and system-level. It is possible to configure HealthShare to permit emergency access by allowing a user to override consent to access a patient record or clinical information. This override is also known as "break the glass". If overriding consent is permitted, users will see options to enable this in the Patient Search screen.

When configuring MPI consent at the system-level, there is a checkbox to "Allow Override Consent Policy". By default, this checkbox is unchecked, meaning that users will not be able to override consent in any situation. If the checkbox is checked, users will be permitted to override consent. The same "Allow Override Consent Policy" checkbox exists when configuring CIT consent at the system-level. However, this checkbox has no effect regardless of whether it is checked or unchecked. The system will apply the same setting from the MPI system-level consent. Therefore, it is possible to have "Allow Override Consent Policy" permitted at the MPI level and appear to not be permitted at the CIT level; however, if a user overrides consent in the Patient Search screen that override will apply to both MPI and CIT consent.

As a result of this issue, there is no way to block the overriding of CIT consent at the system level. It may be blocked at the patient level by checking "Prevent Override Consent Policy".

A fix is not yet available for this issue. While the fix is under development, InterSystems recommends the following actions:

Step 1: Review your system-level MPI and CIT consent policies:

Step 2: In Scenario 1, if customers need to block overriding CIT consent, use the "Prevent Override Consent Policy" setting at the patient-level of CIT consent.

The correction for this defect is identified as HSIEC-3893 and once completed an update to this Advisory will be posted.

If you have any questions regarding this advisory, please contact the Worldwide Response Center (WRC) at support@InterSystems.com or  +1.617.621.0700.

December 3, 2020 - Advisory: Clinical Viewer Password Auto Completes when Saved

InterSystems has corrected a defect affecting the browser saving Clinical Viewer user's passwords

This problem exists for:

• HealthShare Clinical Viewer 2020.1

This defect occurs when a new name and password are entered in a form and the form is submitted, the browser asks if the password should be saved. Thereafter when the form is displayed, the name and password are filled in automatically or are completed as the name is entered. An attacker with local access could obtain the cleartext password from the browser cache.

The correction for this defect is identified as HSCV-6135 and will be included in all future product releases. It is also available via Adhoc change file (patch) or full kit distribution from the Worldwide Response Center (WRC).

If you have any questions regarding this advisory, please contact the Worldwide Response Center (WRC) at support@InterSystems.com or  +1.617.621.0700.

December 3, 2020 - Advisory: Moving to IRIS-based Health Connect or IRIS for Health from HSAP when there was a prior HealthShare kit

InterSystems has identified an issue for Windows users who convert from an Ensemble-based HSAP kit to an IRIS-based Health Connect or IRIS for Health kit, who previously had a HealthShare kit.

This problem exists for:

• Any Ensemble-based Health Connect instance running on Windows that was converted from a full HealthShare kit (likely Information Exchange) to a HealthShare Health Connect (HSAP) kit.

As background, in order to convert an Ensemble-based Health Connect or HealthShare for Application Partners (HSAP) product to an IRIS-based version like IRIS-based Health Connect or IRIS for Health, you must be on an HSAP kit rather than a full HealthShare kit.  In the past, customers could be on either type of kit.  If you are on an Ensemble-based HealthShare kit, you must first convert to an Ensemble-based HSAP kit before moving to an IRIS-based Health Connect or IRIS for Health kit. The move from a HealthShare kit to an HSAP kit may have left behind certain keys in the Windows Registry which must be removed before you attempt to convert to an IRIS-based kit. If you fail to remove the keys, your conversion will fail, because the installer will fail to find the instance.

Because a HealthShare to HSAP conversion may have occurred in the past, all customers attempting to convert from HSAP to IRIS should carefully follow the instructions in the InterSystems IRIS In-Place Conversion Guide which can be found on the InterSystems Documents Distribution site. This document includes instructions on how to resolve this Windows Registry issue as part of the conversion process. In particular, see Step 20 of Section 1, "Performing Pre-Conversion Tasks", and Appendix F, "Converting a Health Connect/HSAP Instance That Was Previously Upgraded from a Full HealthShare Instance".

If you have any questions regarding this advisory, please contact the Worldwide Response Center (WRC) at support@InterSystems.com or  +1.617.621.0700.

December 3, 2020 - Advisory: Incorrect Login Behavior using HealthShare as a SAML Service Provider

InterSystems has corrected a defect affecting the use of HealthShare as a SAML Service Provider when Single Sign-On (SSO) is also enabled.

This problem exists for:

• HealthShare Unified Care Record 2019.1.x, 2019.2.x, and 2020.1.x

Any user using the Management Portal UI to configure HealthShare as a SAML Service Provider may experience an issue in which they are able to gain access to HealthShare as a different user than they expect to when using Single Sign-On (SSO) to access HealthShare from a third-party application such as an EHR.

The impact is that the user may be able to access HealthShare resources that they would otherwise be restricted from.  In addition, they may be restricted from resources they would otherwise be granted.

Customers using HealthShare as a SAML Service Provider should disable SSO until they receive and apply the fix to their system.

The correction for this defect is identified as HSIEO-3029, is fixed in Unified Care Record 2020.2 and will be included in all future product releases. It is also available via Ad hoc change file (patch) or full kit distribution from the Worldwide Response Center (WRC).

If you have any questions regarding this advisory, please contact the Worldwide Response Center (WRC) at support@InterSystems.com or  +1.617.621.0700.

December 3, 2020 - Advisory: When an End-user Updates Contact Information on the “My Account” page, the Email Account for Clinician Message Delivery is not Updated

InterSystems has identified a design limitation where updates made to contact information in the “My Account” screen are not subsequently used in Clinical Message Delivery.

This issue exists for:

• All Versions of HealthShare Unified Care Record, HealthShare Clinical Viewer and HealthShare Information Exchange

If a HealthShare end-user updates their email address in the contact information in the “My Account” screen (which may be accessed from the Clinical Viewer, Classic Clinical Viewer, or Clinician Portal), the email address for Clinical Message Delivery is not similarly updated. Instead, a HealthShare Administrator must manually update the email address in the User/Clinician Registry in order to direct Clinical Message Delivery notifications to the new email address.

InterSystems recognizes that customers may expect that when an end-user updates their email address on the "My Account" page that the email address for Clinical Message Delivery would be updated as well. InterSystems plans to provide an enhancement to Clinical Message Delivery that allows an end-user entered change to email address to update the preferred email address for Clinical Message Delivery.

When this enhancement is available (identified as HSIEO-3021), an update to this Advisory will be posted and customers will be able to request an Ad hoc to enhance this behavior.

If you have any questions regarding this advisory, please contact the Worldwide Response Center (WRC) at support@InterSystems.com or  +1.617.621.0700.

October 15, 2020 - Advisory: FHIR Medication asNeededBoolean Not Always Correct (Updated December 3, 2020)

InterSystems has corrected an issue that occurs in certain cases with the dosageInstruction.asNeededBoolean property of MedicationRequest and MedicationStatment.

This problem exists for Customers who use one of the following versions:

• HealthShare Unified Care Record 2019.1.x, 2019.2.x, 2020.1.x
• HealthShare Health Connect 2019.1.x and above (update)
• IRIS for Health 2019.1.x and above (update)

When transforming SDA to FHIR, if certain conditions are met, the dosageInstruction.asNeededBoolean property of MedicationRequest and MedicationStatment may be improperly set to 0. This occurs when the instructions for the medication is listed as "PRN”, but the Dosage Steps in SDA are not populated.

The correction for this defect is identified as IF-910 and will be included in all future product releases. It is also available via Ad hoc change file (patch) or full kit distribution from the Worldwide Response Center (WRC).

If you have any questions regarding this advisory, please contact the Worldwide Response Center (WRC) at support@InterSystems.com or  +1.617.621.0700.

December 3, 2020 Update: Added HealthShare Health Connect 2019.1.x and above and IRIS for Health 2019.1.x and above to the list of versions affected