Frequently Asked Questions: Information Security

From the ground up, Brillians is designed to comply with VHA’s information security requirements. This document provides detailed information about the information security aspects of the Brillians software. We have tried to anticipate and answer as many questions as possible. If you still have questions, please write to: support@supravista.com. Additional OIT-related information is available in the FAQ for IT Staff.

Introduction

Brillians has been in use in VHA since 2006. Currently, it is deployed in 25+ VAMCs across many VISNs.

  1. There have NEVER been any technical or information security issues.
  2. Brillians has always kept up with VHA’s security requirements. For example, when VA required 2FA login, Brillians implemented that feature ahead of schedule, while many other vendors lingered.
  3. At heart, Brillians is a data analysis application. All data analysis occurs in real-time on the user’s workstation. No sensitive data is stored by the application, and no data ever leaves VA’s secure environment. There are no databases, web-servers or even the need for internet connection. Brillians can NOT lose the data it does not have!
  4. Brillians has gone through multiple national reviews. After detailed evaluations, VACO clinical leadership twice (2010 and 2013) considered making it a national application. The latest review, initiated by the VA Center for Innovation, was performed in 2016-17. After months of detailed presentations and evaluations, Brillians was approved by the IT Enterprise Service Line for diffusion in VHA.

What is Brillians?

Brillians is cognitive support software designed to work with VistA. It analyzes large volumes of clinical data like a human expert and informs the user about the clinical issues which need his/her attention. Its value for reducing clinical errors and increasing provider efficiency was recognized by VA OIG back in 2009 (https://www.va.gov/oig/CAP/VAOIG-08-03077-04.pdf).

  1. Brillians is a 32-bit Windows desktop application like CPRS. It is NOT a web-based application. It is NOT a web-portal to display patient data.
  2. Brillians users are VA employees who use this software on their official workstations during routine patient care activities. Contractors and non-VA employees do not benefit from Brillians’ features, thus they do not use it.
  3. Brillians performs all the data processing work on the user’s workstation. It does NOT need or use an internet connection!
  4. Brillians does NOT have any external “web portal” or “dash-board.”
  5. There is NO site-to-site communication with any external website/webserver.
  6. No data leaves VA’s intranet. Therefore, no data crosses VA’s firewall.
  7. There are no databases and no mechanism to store the sensitive data. As a result, Brillians cannot lose what it does not have.

Which devices can run Brillians?

As a Windows desktop application, Brillians runs on VAMC-provided Windows workstations. By definition, these workstations meet VA’s security guidelines (e.g., full disk encryption). Further, the VAMC can enforce user-level access controls via Active Directory.

How does it work?

Users run Brillians on their official workstations just as they run CPRS. At the user’s request, it loads a subset of the patient’s clinical data and analyzes it just like a human expert.

All the data analysis occurs in real-time in the workstation’s memory (RAM), without storing any data on the disk. When the user switches to the next patient, the previous patient’s data is cleared from RAM and the new data is loaded. Therefore, Brillians has no need to store sensitive data and no need to send it elsewhere for processing.

How about Data Access, Information Security and Encryption?

Brillians retrieves clinical data from the VistA system using EXACTLY the same mechanism as CPRS (the VHA-provided Delphi RPC Broker). Also, like CPRS, it processes and displays data to the user on his/her workstation WITHOUT sending that data to any external site, device or storage. How? The Brillians code includes EXACTLY the same Delphi RPC Broker that is in the current version of CPRS. The RPC Broker makes a local connection with the VistA system using TCP/IP and SSH; the SSH tunneling is built into the RPC Broker.

  1. Brillians supports 2FA (PIV+PIN) login and time-out after inactivity, just like CPRS.
  2. Because of the built-in SSH tunneling, the data communication between the user’s workstation and the VistA server is considered secure.
  3. Note that all the communication between Brillians and the VistA system occurs INSIDE VHA’s intranet – nothing ever leaves the VA’s secure intranet.
  4. The only users accessing the data via Brillians are the VHA employees who have CPRS/VistA access AND are authorized to use Brillians. So, if you understand how CPRS works, you understand how Brillians works! They have the same security mechanisms, and both use the same mechanism to fetch and process data.

What security layers protect access to Brillians and the sensitive data?

Access to patient information is controlled by multiple security layers:

  1. The user must have a valid Windows login on the VA’s network. This requires PIV (2FA) authentication.
  2. The user must have permissions on the network folder where the Brillians application is installed. This permission is granted on an as-needed basis via an Active Directory group.
  3. The user must have a valid Access code/Verify code pair (or 2FA with PIV card) to log into the VistA system. This is exactly the same mechanism as CPRS.
  4. Brillians uses the latest Delphi RPC Broker, which supports 2FA login and a secure (SSH) connection with VistA.
  5. NO data ever leaves the VAMC’s secure environment (i.e., there are no external servers/connections). Technically, Brillians does not even need an internet connection.

Summary

Brillians is a Windows desktop application which works EXACTLY like CPRS in terms of accessing, processing and protecting sensitive data. Therefore, its “information security risk” is exactly the same as that of CPRS, and if you are comfortable with the use of CPRS in your environment, you should be just as comfortable with Brillians.

Finally, as Veteran advocates, we must weigh any perceived risk against the proven benefits to the Veterans’ healthcare. Since 2009, Brillians has had an excellent track record of improving patient care while ensuring information security and maintaining compliance with VA’s standards. It is a rare application which actually saves lives by preventing clinical errors!

As noted by the OIG (above), “Brillians …has reduced clinical errors and increased provider efficiency…” — something we owe to our Veterans. How many applications have that kind of endorsement from the OIG?

If you have any questions, please feel free to contact us: support (at) supravista.com.