The Shared Encryption Key

To use Ocean with your patients, your site must first choose a shared encryption key. You should only proceed to set up this key if you are an authorized representative of your clinic.

What is a Shared Encryption Key?

  • A secure key that Ocean sites use to safely and securely exchange patient data.
  • All transmitted patient data is encrypted using this private key, defined by and known only by the clinic administrator.
  • Any of your devices that are connected to Ocean (workstations, tablets, EMR) will require this key.

Shared Encryption Key Security

  • This key must be kept private within the clinic and shared only with authorized personnel as needed.
  • Even OceanMD system administrators do not have access to this key and they will never require it. This ensures that even the most trusted OceanMD administrators are completely unable to read patient health information.

Setting Up Your Shared Encryption Key

    • Log in to the Ocean Portal. Click the "Menu" button in the top left corner and select "Admin".
  1. Enter the "Encryption" section from the Admin Settings page to set up your shared encryption key. You may either type in a shared encryption key of your choice or keep the randomly generated key that is created for your site automatically. The shared encryption key must meet the following requirements:

    • It must be 16 characters long.
    • It must contain at least one digit, one uppercase letter, one lowercase letter and one punctuation mark (e.g. !, ., _, @, etc.).
    • It should NOT be one of your personal passwords because it may be shared with other users at your site.
  2. Leave yourself a hint and store your encryption key in a safe spot in case you need to enter it again in the future (e.g. if you get a new computer or use a new browser). You must also acknowledge that you have done so.
  3. Click "Save" to save your shared encryption key.
  4. You can return to this "Encryption" section of the "Admin" Settings page in the Ocean Portal to view your shared encryption key at any time.
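
The key requirements listed in step 1 can be checked before a key is typed into the Portal. The following is an added example, not Ocean's own code or key generator; the function names are hypothetical, and the accepted punctuation set is an assumption because the page only gives examples (!, ., _, @).

```python
import secrets
import string

KEY_LENGTH = 16
# Assumption: the page lists punctuation only by example, so this sketch
# treats Python's ASCII punctuation set as the allowed punctuation marks.
CLASSES = {
    "digit": string.digits,
    "uppercase letter": string.ascii_uppercase,
    "lowercase letter": string.ascii_lowercase,
    "punctuation mark": string.punctuation,
}
ALPHABET = "".join(CLASSES.values())


def key_problems(key):
    """Return the list of unmet requirements; an empty list means the key passes."""
    problems = []
    if len(key) != KEY_LENGTH:
        problems.append(f"must be {KEY_LENGTH} characters long (got {len(key)})")
    for name, chars in CLASSES.items():
        if not any(c in chars for c in key):
            problems.append(f"needs at least one {name}")
    return problems


def generate_key():
    """Build a compliant key with the OS CSPRNG (secrets), never random.random().

    Every position is drawn uniformly from the whole alphabet and the
    candidate is redrawn until all four classes appear, so no position is
    pinned to a known character class.
    """
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(KEY_LENGTH))
        if not key_problems(candidate):
            return candidate


if __name__ == "__main__":
    # Constructed sample keys for illustration only; do not reuse them.
    for sample in ("password", "ABCDEFGH12345678", "Clinic-Key-2024!"):
        print(sample, "->", key_problems(sample) or "ok")
    print("generated:", generate_key())
```

The check covers only the composition rules; whether a typed key is also someone's personal password cannot be tested in code and remains a policy matter for the administrator.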

Important Notes about the Shared Encryption Key

Your shared encryption key is an important guard against unauthorized access to your patients' data, and should therefore be handled with great care and stored in a safe place. For safekeeping, we recommend that you download, print, and complete this Clinic Reference Card and keep it in a safe location for future reference.

It’s also recommended that access to the key be limited to trusted administrative account holders.

If you have misplaced your encryption key, try following the steps outlined in "Recovering a Lost / Forgotten Shared Encryption Key" to recover it.

In the worst case scenario where your encryption key really has been lost, OceanMD will NOT be able to find or retrieve your unique key on your behalf (this is one of the ways we help to ensure patient data is always secure).


Recovering a Lost / Forgotten Shared Encryption Key

If your encryption key has been lost, unfortunately, CognisantMD has no way to find or retrieve your unique key on your behalf (this is one of the ways we help to ensure patient data is always secure). However, there are some troubleshooting steps you can take to try to recover it on your own.

  1. Try the Ocean Portal.

    • Log in to the Ocean Portal. Click the "Menu" button in the top left corner and select "Admin".
    • Click "Encryption" on the Admin Settings page and your shared encryption key should appear there. If not, the "hint" may help you track down where you should be looking and/or what you chose your key to be.
  2. Try Ocean Cloud Connect.

    If your site uses Cloud Connect to integrate Ocean with your EMR, your key will also be stored in this configuration.

    • To review your key, sign in to Ocean Cloud Connect, and click the blue button labelled "View Shared Encryption Key", which is located under the Shared Encryption Key panel on the right-hand side of the page.

      After confirming this action, the key will be displayed on screen.

    Note: accessing your key via Cloud Connect will alert your site's clinical administrator as a security precaution.

  3. Try your EMR.

    • If you are using PS Suite or OSCAR, you may be able to access the encryption key from within your EMR.
    • If you are using PS Suite, open the Ocean custom form and click "Settings" on the custom form. Enter your Ocean credentials (username and password) and a menu of options should appear. Click on "Shared Encryption Key" to view your shared encryption key.

    • If you are using OSCAR, open the Ocean eForm in OSCAR (using the Ocean shortcut on the appointment schedule or in the "Manage eForms" section in the Administration panel) and select the "Settings" button.
    • Click "Advanced Settings" and then select "Reset Encryption Key". You will then see your existing shared encryption key value listed in the input box in that window. Once you copy the key from the box, select the "Cancel" option.
  4. Try a colleague's web browser.

    • An Ocean user who can view patient data in their web browser can do so because they have the encryption key saved in their browser's local storage. If you set up Ocean using your web browser, it might be available by logging in to the Ocean Portal using this same web browser. If another colleague set Ocean up, you can ask them to log into their Ocean Portal account.
    • In either case, you will see the shared encryption key in the Admin view of the Ocean Portal (which only site administrators can see) in the "Encryption" section (selected from Admin Settings page).
  5. Try an Ocean Tablet.

    • If you have an Ocean Tablet, you can view the encryption key in the Administration Menu (which an Ocean user with admin privileges can access by tapping on the Ocean logo or "cog" icon in the bottom left). From this Admin menu, choose "View Shared Encryption Key" to view your site's encryption key.

If you've tried all of the above and still can't find your encryption key...

If your shared encryption key is truly lost, you will need to create a new one and update all your devices.

However, if you do this, you will not be able to retrieve any previous patient responses or referrals (and we, sadly, cannot help retrieve them either).

We can help you choose a new key at this point, as long as you are ready to abandon old Ocean patient records that have yet to be downloaded to your EMR.

Protecting Your Shared Encryption Key in the Future

Your shared encryption key is the ultimate guard against unauthorized access to your patients' data, and should therefore be handled with great care and stored in a safe place. It’s also recommended that access to the key be limited to trusted administrative account holders. To guard against the worst-case scenario of a lost key (and lost patient data), we recommend taking the following steps:

  • Administrative access in Ocean is required to change the shared encryption key. As a result, you should limit admin privileges to a small number of trusted users. However, always ensure that you have redundancy, in case an admin user leaves the organization.
  • Ocean allows you to save a "hint". Make an effort to ensure that the hint will always allow an admin user to recover the key. This might include noting a secondary storage location.
  • You can download, print, and complete this Clinic Reference Card and keep it in a safe location for future reference.
  • Consider a safe online password storage tool designed for shared team use such as Common Key or 1Password.

Ocean Prompts for Your Clinic's Shared Encryption Key

The Shared Encryption Key

The shared encryption key is used by Ocean to decrypt private patient health information (PHI) locally, within your web browser. This prevents third parties (including OceanMD) from accessing your clinic's PHI.

Web browsers are often "locked down" by site IT departments, as a general security measure. These restrictions can sometimes prevent Ocean and other web sites from storing information like the shared encryption key. If you are repeatedly prompted for the encryption key despite entering it successfully in the past, please consider the following possible explanations.

A computer is being used for the first time

The encryption key is stored only within a particular browser, on a particular machine. It must be entered individually on each browser/computer combination that you use. We recommend that you enter it on each onsite computer browser as part of an initial setup.

A different browser than the usual one is being used on the computer

The encryption key may have been previously stored on one browser, but not on the one currently open. For example, it may have been stored within Chrome on the computer, but not within Firefox.

A new user account is being used on the computer, with its own browsing history and other settings

Some shared computers are configured to store different settings for each user who logs in. If a particular user has not yet logged into a particular machine, and the machine stores different settings for this user, they will be prompted for the key the first time they use it.

The browser is in "Incognito" mode or "Private Browsing" mode

Modern browsers provide users with the ability to open web pages in a "secret" or "private" mode, where information such as the encryption key, cookies, browsing history and so on are hidden. In this setting, the user needs to enter the encryption key for each session.

The browser is configured to "forget" or "never remember" browsing history

Since the encryption key is part of the browser's "local storage" and browsing history, it will be discarded with each session with this privacy setting in place. Please check your browser's Privacy and/or Security settings tabs to ensure this is not the case.

The computer is configured to "forget" all user session data with each login

Some IT configurations prevent any user information from being stored across login sessions for privacy/security reasons. In this setting, the encryption key will be discarded between each session. Please discuss with your IT team if this is a concern.

The computer is configured with a remote login (e.g. Terminal Services), which does not store browser history

Similar to the issue above, many remote login (terminal services) products such as Windows Terminal Services can be configured to store the browser's history ("localStorage") for individual users or remote terminals. However, if the remote login is configured to clear the entire browsing history with each session (particularly the localStorage), then the browser will not have the shared encryption key available when a new session is started.

Someone has changed the site's encryption key

If the Ocean Site's encryption key has changed, each browser/user configuration must be updated one time with the new encryption key.

The site has referrals encrypted with an old encryption key

To decrypt old referrals after the key has changed, the old key must be entered on the browser as well.

If none of the above scenarios are applicable, or you have any further questions, please contact OceanMD Support.