You cannot use ORDER BY inside %DLIST based on the available syntax. %DLIST is documented as:

%DLIST([ALL | DISTINCT [BY(col-list)]] string-expr [%FOREACH(col-list)] [%AFTERHAVING]) [1][2]

So %DLIST supports DISTINCT and DISTINCT BY(col-list), but the retrieved material does not show any syntax for ordering the elements inside the list result itself. [1][2]

A regular ORDER BY can sort the rows returned by the query, for example after GROUP BY, but that affects the result set rows, not the internal order of values concatenated inside %DLIST. [2]

Because of that, sorting the values within your Diagnose column so that (M) comes first, (S) second, and (C008) last is not described in the retrieved documentation. [1][2]

Sources:

There does not appear to be a built-in Caché/ObjectScript date/time format that directly outputs a time zone abbreviation such as EST, PST, or MST as part of $ZDATETIME() formatting. The retrieved material shows $ZDATETIME() producing formatted dates/times, including numeric offsets such as -04:00 and UTC as Z, but not named abbreviations. [1][2]

What Caché does provide natively is the current time zone offset through $ZTIMEZONE or %SYSTEM.SYS.TimeZone(). The retrieved material gives $ZTIMEZONE as returning the current offset in minutes, such as 300. [3]

It also provides %SYSTEM.Process.TimeZone() to set or retrieve the process time zone using the TZ environment variable; the retrieved example shows a value such as CST6CDT. [3]

So for output like 02/27/2025 11:10AM EST, the retrieved material supports appending the abbreviation yourself rather than expecting $ZDATETIME() to generate it directly. The closest built-in values shown are a numeric offset and a process TZ value, not a direct EST/PST suffix formatter. [3][2]

If you need richer time zone formatting, including abbreviations, one retrieved option is the tz library. It is described as using the IANA time zone database, and that database is said to include time zone abbreviations. [4][2][5]

Warning: You should not change the value of $ZTIMEZONE. If you do, you will affect the results of IsDST(), $ZDATETIME, and $ZDATETIMEH, among many other effects. Time for the process will not change the hour properly for Daylight Saving Time. Changing $ZTIMEZONE is not a consistent way to change the timezone that Caché uses. [3]

Note: I believe all the following statements are true about ObjectScript, but please let me know if I misstate how ObjectScript works with time zones and offsets. [2]

Sources:

Health Connect/IRIS for Health can receive HL7 over HTTP/S natively by using EnsLib.HL7.Service.HTTPService as the inbound service. The sender posts the HL7 message in the HTTP request body to a URL such as http://IP:PORT, and the HL7 schema is configured similarly to other HL7 inbound interfaces. [1]

If you choose an HTTPS-based inbound interface, the retrieved material shows that TLS is supported and that inbound and outbound roles use different SSL/TLS configurations: server SSL configurations are used on services to respond to TLS handshakes, while client SSL configurations are used on operations to initiate them. If your system has both inbound services and outbound operations, both types of SSL configuration may be needed. [1][2]

A supported outbound pattern is to avoid exposing Health Connect for inbound internet traffic and instead have the production call outward to a cloud API or HTTPS endpoint. The retrieved material includes examples of using EnsLib.HTTP.GenericOperation for TLS-secured API calls and EnsLib.HL7.Operation.HTTPOperation for sending HL7 over HTTPS, including certificate-based security via the SSLConfiguration setting. [1][3][4]

If you implement TLS or mutual TLS, the documented setup in the returned material is to: choose a certificate authority, create a private key and CSR, obtain your certificate, obtain the peer certificate chain, create the SSL configuration, assign it to the interface, and verify message flow. [1][2]

CAUTION! Make sure that you save your private key in a secure location (preferably in a password-protected format). If you lose this key, your certificate will no longer be usable. If someone else gains access to this key, they will be able to impersonate your server. [1][2]

NOTE: When creating the CSR, make sure that you request an Extended Key Usage of both serverAuth and clientAuth, if you are using mutual TLS. Most CAs are used to signing certificates with only serverAuth key usage. Unfortunately, this means that the certificate can not be used as a client certificate in a mutual TLS connection. [1][2]

For the specific concern about not wanting to open your Health Connect instance directly to the internet, the retrieved material does not provide a definitive recommended architecture or “best path” such as DMZ placement, reverse proxy design, VPN/private connectivity, or other cloud-edge patterns for safely publishing an inbound Health Connect listener. What it does support is that inbound HL7 over HTTP/S is possible, outbound HTTPS patterns are possible, and TLS/mutual TLS can be configured for either direction. [1]

So, based on the returned material, the safest conclusion is:

• inbound HL7 over HTTP/S is supported with EnsLib.HL7.Service.HTTPService [1]
• outbound HL7 over HTTPS is supported with EnsLib.HL7.Operation.HTTPOperation [1][4]
• outbound API-style integrations using HTTP operations over TLS are also demonstrated [1][3]
• the returned sources do not identify a single recommended internet-facing architecture for your environment [1]

Sources: