Spok Mobile is a solution that works hand in hand with a Spok contact center suite to provide point-to-point HIPAA-compliant secure messaging. The following provides information about the security of the complete Spok Mobile environment and guidance around the security measures customer sites need to have in place to ensure a safe messaging system.
Spok Mobile Environment Architecture
The diagram below shows a recommended High Availability Spok Mobile environment.
Why does Spok Mobile require both the Spok Mobile Server and the Care Connect Server?
The Care Connect Server is the heart of Care Connect. All business logic (registration, status, directory searches) and transaction handling of message flows are handled through the Care Connect Server. It also facilitates cross-product integration and communication brokerage between Spok applications.
To improve security, the business logic of Spok Mobile resides in the Care Connect Server. This allows the Care Connect Server APIs and services to reside safely within the LAN, while the Spok Mobile Server resides in the DMZ for messaging access. The Spok Mobile server only brokers connections between registered devices and the Internet. This configuration ensures the utmost in security by limiting and locking down access.
Why is a High Availability Configuration so important?
Spok highly recommends that the Care Connect Server be set up for high availability because it is the central component of Spok Mobile and Care Connect solutions in general. The Care Connect Server and Spok Mobile Servers support active-passive, fault tolerant configurations in the load balancers on the Web server application tier and database storage tier.
When the Care Connect Server is configured for high availability in an active-passive mode, no human intervention is required to trigger a failover. There is little to no disruption of service because the load balancer easily moves traffic from the primary master server to the secondary passive server as needed.
Flow of Data Through the Spok Environment
PHI is never passed through the Apple or Android push notification clouds. Spok Mobile app users receive notice that messages are available via Apple or Android push notifications. The Spok Mobile app client makes contact with the Spok Mobile server directly via TLS 1.2 to retrieve the message.
See Spok Mobile Message/Data Flow Diagrams for detailed diagrams and data information.
Spok Mobile Environment Firewall Requirements
Firewall and Communication Requirements
The Spok Mobile application is dependent on communication between in-house servers, smartphone and tablet devices on the wireless LAN, and Spok’s hosted server. Ports must be opened within the internal intranet as well as on the firewall to facilitate the exchange of information via the Internet. The firewall can be configured to accommodate outbound access via URL or IP ranges.
NOTE: Using URL’s eliminates the need to update the configuration if any underlying IP address changes.
The Spok Mobile application communicates between servers at your location, smartphone and tablet devices on your wireless LAN, and Spok’s hosted location. To enable Spok Mobile to operate, Spok is required to have access to the URLs listed below.
For Spok Mobile, allowing outbound access by URL is recommended; however, access can be allowed by IP ranges. Information for creating outbound access by URL and by IP ranges are both included below.
Please note that if these firewall changes are not performed, Spok Mobile cannot function.
Allowing Outbound Access by URL
- https://amclr1.amcomamc.com (443/8091)
- https://amclr2.amcomamc.com (443/8091)
- https://amccore1.amcomamc.com (443/8091)
- https://www.amcomamc.com (443/2001/8091)
Allowing Outbound Access by IP Ranges
If you have enabled access by a specific IP address, using the URL or opening access to the following IP ranges is recommended:
- 126.96.36.199, 188.8.131.52 (East Coast Data Center)
- 184.108.40.206 (West Coast Data Center)
If you have enabled firewall rules based on the URLs, you do not need to make any changes. As Spok migrates the URLs to new IP addresses by updating the DNS (Domain Name System) records, your systems and devices automatically connect to the new systems.
Spok Mobile sends email messages that are vital to the implementation and use of the solution. To ensure that these messages are received, the environment should be configured to allow *@amcomamc.com through any configured email filters. These emails are sent from the following SMTP servers: planodb1.amcomenotify.com and mspdb1.amcomenotify.com.
Wi-Fi Access Points Requirements
Sites that have Spok Mobile clients using a Wi-Fi connection need a wireless router that meets the following minimum requirements:
- Wireless-N 802.11n router
- Lower power state Wi-Fi connection
- Instant reconnect from sleep
IMPORTANT: Wireless 802.11g routers disconnect when a device goes to sleep, which results in messages being missed until the device is woken up. Wireless 802.11n routers keep devices connected in a low power way to support push notifications.
Spok Mobile Environment Server/System Security
Windows Security Protocols for Spok Mobile Environments
Spok Mobile Data Security
Spok provides assistance in helping our customers take responsibility for their data security. Data security falls into two main areas: data in transit and data at rest.
Data in transit is the movement of data between systems. Spok encrypts data transmissions using SHA/SSL/TLS encryption technologies, and depending on the system configuration, may also be compliant with NIST 800-52 Rev 1. A TLS 1.2 certificate is applied to the host, Care Connect server, and Spok Mobile server within the Spok ecosystem. The Spok Mobile application uses AES 128-bit encryption.
Data at rest is data that is stored on the customer servers and mobile devices. For customers running an all Microsoft configuration that requires data-at-rest protection, Spok recommends the built-in data encryption tools in Microsoft SQL Server Enterprise edition. For customers running Linux and Oracle (typically Smart Suite customers), Spok recommends the Vormetric encryption device (Spok part number VORMETRIC-DSM25) for data-at-rest protection.
Due to the variability of customer security policies Spok does not enforce security procedures for customers. This includes data encryption, both at rest and in transit, and anti-virus/malware protection.
It is the customer's responsibility to ensure the protection and security of their organization's LAN.
Software Security Testing
Software security has two major goals: to ensure that the software is as bug free as possible, and to ensure that the software controls and data structures cannot be accessed by unauthorized players. Cyber probing takes place as part of the QA process in addition to normal software testing.
System Setup, Delivery, and Patching
Operating systems delivered by Spok are up to date with the manufacturers' latest patches.
Spok is responsible for providing patches to its customers to correct security and critical processing flaws in Spok systems. As documented in the Spok Service Level Expectations, Spok does not provide patches to Microsoft products used for most of our implementations (Windows Workstation, Windows Server, and SQL Server). However, Spok provides Linux and Oracle patches to those Smart Suite customers requiring support for those implementations.
Spok Mobile works in an environment that resides on hardware local to the healthcare facility and on end users' mobile devices. Authentication across the solution is seamless thanks to technologies that allow users to authenticate on one device and have that authentication shared across the enterprise.
Authentication methodologies may be stand-alone or used in conjunction with other methodologies. The Security Configuration File designates the methodology(ies) to be used.
User name and password are the primary means of authentication on servers that host Spok systems. The server hardware itself, either on premise or hosted, should be housed in a controlled access location.
Contact Center Workstation Authentication
If the contact center environment is integrated with the Spok Mobile solution, workstations running contact center software should be located in restricted access locations.
The following rules apply to the three contact center workstation configurations:
- Smart Console (Smart Suite): Separate authentication is required for both workstation and application.
- MediCall Console (MediCall Suite): Separate authentication is required for both workstation and application when not using Windows domain authentication.
- Spok Console (Spok Console Suite): Supports Microsoft Active Directory integration.
Web-Based Program Authentication
There are a number of Web-based programs used in Spok Mobile environments. These include contact centers' Web portals: Smart Web (Smart Suite), WebXchange (MediCall Suite), and Spok Web (Spok Console Suite). The Spok Enterprise Administration used to administer Spok Mobile services is also a Web-based program. These programs should be set up to be available only on the customer's secure network inside the firewall. These programs all support single sign on (SSO).
Spok Mobile requires a two-part authentication schema. The first is registering the mobile device with the Spok Mobile server, and the second is authenticating the user via a user name and password. The authentication process is a one-time event since it is presumed that it is the authorized user who logged into the mobile device.
When Spok Mobile is set up and used on multiple mobile devices with a single registration, only the device that most recently had been registered receives incoming messages. It is important to note that using one registration on multiple devices is not recommended.
- For contact center consoles and Web-based programs, passwords must be 8-20 characters in length, and must contain at least two of each of the following: upper case letters, lower case letters, numbers, and special characters. The default password length is 10 characters. Sequential duplication of characters of more than two (2) is not permitted. The user may not use any of the previously used ten passwords. Minimum and maximum password length is configurable at time of product installation. The user is locked out after three bad password entries.
- For Spok Mobile servers, passwords must include at least eight and less than 100 characters; there are no restrictions on password character usage.
- For the Spok Mobile application, passwords must be between 8 and 32 characters and spaces cannot be used.
Spok Mobile Server and App Environments
- See Spok Mobile Server Operating Environment for information about all Spok Mobile Server versions.
- See Spok Mobile App Support Policies for information about OS support for the Spok Mobile app.
The Spok Mobile app takes advantage of iOS and Android security to provide secure, HIPAA-compliant messaging workflows. Detailed information about the security settings available in the apps themselves are available in the following User Guides: