Is is possible to get access to the Message Digest (Hash) on the healthvault side?

Question

We are in the process of getting our solution certified and have run into an issue.

In one of the required tests we have to generate a hash of the CCD we are going to transmit. Then after transmission we are required to generate the hash on the receiver side and show the tester that they are the same.  I know all of this is handled within the HealthVault libraries, but we can generate the one on the client side before our data is transmitted.  However I have no idea how we could get one from HealthVault. The test dictates that the hash be generated on the HealthVault side. So exporting the data and generating the hash is not an option.

I'm completely at a loss on how this could be acomplished.

Answer 1

Russ, this is for MU certification? I haven't heard the requirement be tested that way before ... woud like to learn more.

That said, since presumably the purpose of this is to prove that what you send is what the patient receives ... why can't you just use the web interface at healthvault.com, download the item and then reapply your hash? If the hash is the same, that seems like a reasonable proof that the data has come through unscathed.

If that doesn't work, please share some more info about the test context and we can explore other ideas. Thanks ...

---S

Answer 2

Yes, this is for MU cert.  The requirement is for 170.302(s) Integrity. My understanding is that it is not that the document was transmitted unaltered, it's the ability of the system to detect alterations. I know the system does this but how to show it is the issue.

basically the test script we have to show the data for is this:

1. Message digest of Vendor-provided test data is generated
2. The test data and the message digest are transported to the receiving system
3. The test data and the message digest received by the receiving system are displayed by the vendor at the receiving system
4. A message digest of the electronically exchanged Vendor-provided test data is generated on the receiving system
5. The electronically exchanged message digest and the message digest generated on the receiving system are the same for theVendor-provided test data

In reading the guidance from the tester we might be able to use the web interface, but Im not sure:

During the inspection, you must generate the hash value for the test data, display the hash value to the Tester, and then transmit both the hash value and the test data to a receiving system of your choice. In order to generate hash values, you can use 3rd party solutions. You must display the test data received at the receiver system and also generate a hash value of the received data. You must then display the two hash values to the Tester to compare and verify that both are same.

It would be nice if I knew how others were handling this, but i've not been able to get much information.

Answer 3

Russ, thanks for the details here. From my reading --- the guidance does seem to give you the ability to do a download. Would be great to check in with the tester and verify that; if they say no, let us know and we'll see what we need to do to either convince them ourselves :) or support the requirement --- this is obviously key; it's funny that other testers haven't validated the same way. We'll work it out.

Thanks!

---S

Answer 4

We proved this by building an interface that essentially duplicates the "File Hash" dialog presented on this page:

http://www.fileformat.info/tool/hash.htm

And then we exchanged between our production HISP and our test HISP comparing the values. I'm not sure is that helps but that is how we answered this one.