The Shared Encryption Key

To use Ocean with your patients, your site must first choose a shared encryption key. You should only proceed to set up this key if you are an authorized representative of your clinic.

What is a Shared Encryption Key?

  • A secure key that Ocean sites use to safely and securely exchange patient data.
  • All transmitted patient data is encrypted using this private key, defined by and known only by the clinic administrator.
  • Any of your devices that are connected to Ocean (workstations, tablets, EMR) will require this key.

Shared Encryption Key Security

  • This key must be kept private within the clinic and shared only with authorized personnel as needed.
  • This key is stored in Ocean Cloud Connect. The Ocean Cloud Connect application runs on a separate server from the main Ocean application. This separation means ensures that only authorized Site Admins can access it, while still allowing Support Site team members to assist with setup without having access to PHI.
  • Even OceanMD system administrators do not have access to this key and they will never require it. This ensures that even the most trusted OceanMD administrators are completely unable to read patient health information.

Setting Up Your Shared Encryption Key

    • Login to the Ocean Portal. Click the "Menu" button in the top left corner and select "Admin".
  1. Enter the "Encryption" section from the Admin Settings page to set up your shared encryption key. You may choose to either type in a shared encryption key of your choice or keep the randomly-generated key that is generated for your site automatically. The shared encryption key must meet the following requirements:

    • It must be 16-characters long.
    • It must contain at least one digit, one uppercase letter, one lowercase letter and one punctuation mark (e.g. !, ., _, @, etc.).
    • It should NOT be one of your personal passwords because it may be shared with other users at your site.
  2. Leave yourself a hint and store your encryption key in a safe spot in case you need to enter it again in the future (e.g. if you get a new computer or use a new browser). You must also acknowledge that you have done so.
  3. Click "Save" to save your shared encryption key. You can return to the "Encryption" section of the "Admin" Settings page in the Ocean Portal to view your shared encryption key at any time.
  4. Store your Shared Encryption Key in Cloud Connect as part of the Cloud Connect Set Up process.

Important Notes about the Shared Encryption Key

Your shared encryption key is an important guard against unauthorized access to your patient's data, and should therefore be handled with great care and stored in a safe place. For safekeeping, we recommend that you download, print, and complete this Clinic Reference Card and keep it in a safe location for future reference.

It’s also recommended that access to the key be limited to trusted administrative account holders.

If you have misplaced your encryption key, try following the steps outlined in "Recovering a Lost / Forgotten Shared Encryption Key" to recover it.

In the worst case scenario where your encryption key really has been lost, OceanMD will NOT be able to find or retrieve your unique key on your behalf (this is one of the ways we help to ensure patient data is always secure).


Entering Your Shared Encryption Key

There are different scenarios in which Ocean may require you to enter your Ocean Site's Shared Encryption Key. This can be done by following the steps below:

  • Navigate to the 'Patients' page. For most users, this is the default home page after logging in.
  • Click the 'Enter Your Shared Encryption Key' button.
  • Type your Shared Encryption Key in the text box, and click 'Enter'.

    Note: If you do not know your Shared Encryption Key, please contact your clinic's Ocean Site Admin(s). OceanMD employees cannot find or retrieve your unique key on your behalf.

  • The patient information in your Ocean Site will be decrypted.

Recovering a Lost / Forgotten Shared Encryption Key

If your Shared Encryption Key has been lost, unfortunately, OceanMD has no way to find or retrieve your unique key on your behalf (this is one of the ways we help to ensure patient data is always secure). However, there are some troubleshooting steps you can take to try to recover it on your own.

  1. Try the Ocean Portal.

    • Log in to the Ocean Portal. Click the "Menu" button in the top left corner and select Admin.
    • Click "Encryption" on the Admin Settings page and your Shared Encryption Key should appear there. If not, the "hint" may help you track down where you should be looking and/or what you chose your key to be.
  2. Try Ocean Cloud Connect.

    If your site uses Cloud Connect to integrate Ocean with your EMR, your key will also be stored in this configuration.

    • To review your key, sign into Ocean Cloud Connect, and click the blue button labelled "View Shared Encryption Key", which is located under the Shared Encryption Key panel on the righthand side of the page.

      After confirming this action, the key will be displayed on screen.

    Note: accessing your key via Cloud Connect will alert your site's clinical administrator as a security precaution.

  3. Try your EMR.

    • If you are using PS Suite or OSCAR, you may be able to access the encryption key from within your EMR.
    • If you are using PS Suite, open the Ocean custom form and click "Settings" on the custom form. Enter your Ocean credentials (username and password) and a menu of options should appear. Click on "Shared Encryption Key" to view your shared encryption key.

    • If you are using OSCAR, open the Ocean eForm in OSCAR (using the Ocean shortcut on the appointment schedule or in the "Manage eForms" section in the Administration panel) and select the "Settings" button.
    • Click "Advanced Settings" and then select "Reset Encryption Key". You will then see your existing shared encryption key value listed in the input box in that window. Once you copy the key from the box, select the "Cancel" option.
  4. Try a colleague's web browser.

    • An Ocean user who can view patient data in their web browser can do so because they have the encryption key saved in their browser's local storage. If you set up Ocean using your web browser, it might be available by logging in to the Ocean Portal using this same web browser. If another colleague set Ocean up, you can ask them to log into their Ocean Portal account.
    • In either case, you will see the shared encryption key in the Admin view of the Ocean Portal (which only site administrators can see) in the "Encryption" section (selected from Admin Settings page).
  5. Try an Ocean Tablet.

    • If you have an Ocean Tablet, you can view the encryption key in Administration Menu (which an Ocean user with admin privileges can access by tapping on the Ocean logo or "cog" icon in the bottom left). From this Admin menu, choose "View Shared Encryption Key" to view your site's Shared Encryption Key.

If you've tried all of the above and still can't find your encryption key...

If your Shared Encryption Key (SEK) is truly lost, you will need to create a new one and update all your devices. Please note that once an SEK is reset, any previous patient responses or referrals will be unrecoverable by your staff or the Ocean team. 

If you have exhausted all other options and are ready to reset your SEK (and lose any outstanding patient records in Ocean), please ask an administrator on your Ocean site to contact the OceanMD Support team.

Please note that Ocean will only accept SEK reset requests from a clinic staff member with Ocean administrator privileges. 

Protecting Your Shared Encryption Key in the Future

Your Shared Encryption Key is an important safeguard against unauthorized access to your patient's data, and should therefore be handled with great care and stored in a safe place. It’s also recommended that access to the key be limited to trusted administrative account holders. In order to prevent against the worst case scenario of a lost key (and lost patient data), we recommend taking the following steps:

  • Administrative access in Ocean is required to change the Shared Encryption Key. As a result, you should limit admin privileges to a small number of trusted users. However, always ensure that you have redundancy, in case an admin user leaves the organization.
  • Ocean allows you to save a "hint". Make an effort to ensure that the hint will always allow an admin user to recover the key. This might include noting a secondary storage location.
  • You can download, print, and complete this Clinic Reference Card and keep it in a safe location for future reference.
  • Consider a safe online password storage tool designed for shared team use such as Common Key or 1Password.

Ocean Prompts for Your Clinic's Shared Encryption Key

The Shared Encryption Key

The shared encryption key is used by Ocean to decrypt private patient health information (PHI) locally, within your web browser. This prevents third parties (including OceanMD) from accessing your clinic's PHI.

Web browsers are often "locked down" by site IT departments, as a general security measure. These restrictions can sometimes prevent Ocean and other web sites from storing information like the shared encryption key. If you are repeatedly prompted for the encryption key despite entering it successfully in the past, please consider the following possible explanations.

A computer is being used for the first time

The encryption key is stored only within a particular browser, on a particular machine. It must be entered individually on each browser/computer combination that you use. We recommend that you enter it on each onsite computer browser as part of an initial setup.

A different browser than the usual one is being used on the computer

The encryption key may have been previously stored on one browser, but not on the one currently open. For example, it may have been stored within Chrome on the computer, but not within Firefox.

A new user account is being used on the computer, with its own browsing history and other settings

Some shared computers are configured to store different settings for each user who logs in. If a particular user has not yet logged into a particular machine, and the machine stores different settings for this user, he/she will be prompted for the key for the first time.

The browser is in "Incognito" mode or "Private Browsing" mode

Modern browsers provide users with the ability to open web pages in a "secret" or "private" mode, where information such as the encryption key, cookies, browsing history and so on are hidden. In this setting, the user needs to enter the encryption key for each session.

The browser is configured to "forget" or "never remember" browsing history

Since the encryption key is part of the browser's "local storage" and browsing history, it will be discarded with each session with this privacy setting in place. Please check your browser's Privacy and/or Security settings tabs to ensure this is not the case.

The computer is configured to "forget" all user session data with each login.

Some IT configurations prevent any user information from being stored across login sessions for privacy/security reasons. In this setting, the encryption key will be discarded between each session. Please discuss with your IT team if this is a concern.

The computer is configured with a remote login (e.g. Terminal Services), which does not store browser history

Similar to the issue above, many remote login (terminal services) products such as Windows Terminal Services can be configured to store the browser's history ("localStorage") for individual users or remote terminals. However, if the remote login is configured to clear the entire browsing history with each session (particularly the localStorage), then the browser will not have the shared encryption key available when a new session is started.

Someone has changed the site's encryption key

If the Ocean Site's encryption key has changed, each browser/user configuration must be updated one time with the new encryption key.

The site has referrals encrypted with an old encryption key

To decrypt old referrals after the key has changed, the old key must be entered on the browser as well.

If none of the above scenarios are applicable, or you have any further questions, please contact OceanMD Support.


Updating Ocean with a New Shared Encryption Key

Generating a new Shared Encryption Key for an existing Ocean Site should only be done under specific circumstances and requires a detailed review and approval process by the OceanMD Support team. This guide assumes this process has already been completed.

Note: If you have lost or forgotten your existing Shared Encryption Key, please attempt to recover it before deciding to reset it.

Once a new Shared Encryption Key has been generated with the assistance of the OceanMD Support team, the following areas of the Ocean Portal will need to be updated with the new key:

Ocean Cloud Connect

An Ocean Site Admin can log in to Ocean Cloud Connect using their existing Ocean user account credentials. After logging in:

    • Click the 'View Shared Encryption Key' button.
    • In the prompt that appears, reconfirm this choice by clicking'View Shared Encryption Key'.
    • Your old Shared Encryption Key will be presented. Click the 'Edit' button.
    • Enter your new Shared Encryption Key and click 'Save'.
Ocean Portal

All users who access the Ocean Portal will need to enter the new Shared Encryption Key into their web browser(s) to view new patient information.

    • Click the 'Enter Your Shared Encryption Key' button on the left hand side of the Ocean Portal.

      Note: This button can be found in the Patients, eReferrals & eConsults, Online Booking, and Website Forms areas.

    • Enter the new Shared Encryption Key and click 'Enter'.

Note: If you do not see the 'Enter Your Shared Encryption Key' button appearing in the areas mentioned above, you will first need to clear your web browser's cache and local storage to manually remove the old Shared Encryption Key.

Ocean Toolbar (Telus PS Suite)

The PSS Ocean Toolbar settings are global for your entire PS Suite EMR instance. This means that updating the Shared Encryption Key via one workstation will propagate across all workstations.

    • From within a test patient's chart, click the Ocean logo on the toolbar to open up the Ocean Custom Form.
    • From within the Custom Form window, click the 'Settings' button and enter your Ocean user account credentials.
    • Select the 'Shared Encryption Key' menu open from the dialogue window
    • Your current (i.e., old) Shared Encryption Key will be displayed. Click the 'Set Shared Encryption Key' button and enter your new Shared Encryption Key.
Ocean Toolbar (OSCAR)

The OSCAR Pro Ocean Toolbar settings are global for your entire OSCAR Pro EMR instance. This means that updating the Shared Encryption Key via one workstation will propagate across all workstations.

    • From within a patient's chart, expand the Ocean Toolbar and click the 'Settings' button.
    • Select Advanced Settings and click 'Reset Shared Encryption Key'.
  1. In the 'Shared Encryption Key" dialogue box, erase the current (old) key and enter your new Shared Encryption Key.
  2. Click 'Submit'to save your changes.
Ocean CDS Links (Accuro)

An Ocean Site Admin must perform the following steps for each CDS link configured in your Accuro EMR. This will update the global CDS links for all EMR users.

    • Log in to the Ocean Portal, open the Menu, and select 'Admin'.
    • Click 'Manage Credentials'.
    • Click 'Configure Accuro CDS Links'.
  1. Enter your Ocean username, password, and new shared encryption key (if prompted).
    • Click the 'copy' button next to the CDS link URL that you would like to update in Accuro.
    • In Accuro, click the red target icon in the bottom-left of the EMR to open the main menu and select 'CDS', and click 'Manage Global CDS'.
    • Select the global CDS link that you would like to update and then click the pencil icon to edit it.
    • Replace the existing URL with the new URL that you copied from within the Ocean Portal.
  2. Click 'OK' to close the window.
  3. Repeat these steps for each Ocean CDS link that needs to be updated in Accuro, using the respective URLs from within the Ocean Portal for each CDS action.
Ocean Tablets

The following steps must be performed on each registered Ocean tablet.

    • From within the Ocean Tablet application, click the icon located in the bottom-left corner (this may appear as either the Ocean logo or a single gear icon).
  1. You will be prompted to enter your Ocean username and password.
    • Select 'Reset Shared Encryption Key'.
    • Enter your new Shared Encryption Key and press 'OK'.
  2. If you have multiple registered Ocean tablets, repeat the steps above on each device.
Internal Clinic Documentation

Any existing internal clinic documentation should be updated to reflect the new Shared Encryption Key.

For example, if you use an Ocean Credential Reference Card, it should be updated to reflect the new value.