=============================================================================
Run Date: JUL 09, 2021                      Designation: PREC*6.2*1
Package : PREC - PHARMACY ENTERPRISE CUSTOM S  Priority: Mandatory
Version : 6.2         SEQ #1                     Status: Released
                  Compliance Date: AUG 09, 2021
=============================================================================

Subject: PECS 6.2 Initial Security Compliance INFORMATIONAL PATCH

Category:
  - Informational
  - Other

Description:
============

==========================================================================
Run Date: APR 01, 2020                      Designation: PREC*6.2*1
Package : PHARMACY PRODUCT SYS-NATL         Priority   : MANDATORY
Version : 6.2                               Status     : UNDER DEVELOPMENT
==========================================================================

Subject: PECS 6.2 Initial Security Compliance INFORMATIONAL PATCH

Category: INFORMATIONAL
          OTHER

Description:
===========

Pharmacy Enterprise Customization System (PECS) is a Java 2 Enterprise
Edition (J2EE) application used to research, review, report, and manage
customized drug information from First Data Bank's (FDB) MedKnowledge
Framework (formerly Drug Information Framework (DIF)), which is a
Commercial-off-the-Shelf (COTS) product, used in the enhanced order
checking process.

The PECS application, through a web-based Graphical User Interface (GUI),
allows VHA pharmacists and clinicians to research and request custom
changes to Drug-Drug Interaction, Drug Pairs, Dose Range, Duplicate
Therapy, and Professional Monograph records, controlling access through
role-based authorization. VHA Pharmacy Benefits Management (PBM)
periodically (as needed in support of VA procedures and priorities)
prepares, reviews and approves the customizations, which result in VA
Custom drug data, which will supersede or enhance the industry standard
FDB-drug data.

The PECS 6.2 application code has been updated to comply with VA Security
Standards by remediating the PECS security vulnerabilities.
Using the Fortify Scan Report as guidance, the false positive findings
have been identified and documented in the .fpr file. Fortify scan defects
and all defects discovered during remediation of the findings are fixed.
Any Fortify Scan defect that cannot be remediated has the justification
documented in the .fpr file.

The following technologies have been upgraded to the compliant Technical
Reference Model (TRM) versions for this Informational Patch release:
WebLogic 12.1.3, Spring-4.2.9, Hibernate 5.1.1, and log4j-api-2.10.0.

Rational Task Id
----------------
Number: 1127799

Files & Fields Associated:
--------------------------
N/A

Forms Associated:
-----------------
N/A

Options Associated:
--------------------
N/A

Protocols Associated:
---------------------
N/A

Security Keys Associated:
-------------------------
N/A

Templates Associated:
---------------------
N/A

Additional Information:
-----------------------
N/A

New Service Requests (NSRs)
---------------------------
N/A

Patient Safety Issues (PSIs)
----------------------------
N/A

TICKET OVERVIEW:
================

Problem
-------
PECS application contains Java Enterprise components which are subject to
compliance with VA security and code quality standards to maintain
authority to operate (ATO). Routine Fortify scanning and remediation is
performed to maintain compliance. Patch PREC*6.2*1 was initiated to
identify and remediate security vulnerabilities and code quality issues
in the current Java code.

Resolution
-----------
The PECS 6.2 application code has been updated to comply with VA Security
and Code Quality Standards by remediating the PECS security
vulnerabilities. Using the Fortify scan report as guidance, the
application code has been scanned with the Fortify tool to identify
security vulnerabilities and code quality issues. Code fixes have been
applied to mitigate these findings and the application has been validated
by the VA Software Assurance Team to ensure compliance with the standards.
No application functionality has changed. All frameworks have been
upgraded to a compliant Technical Reference Model (TRM) for this
informational patch release.

Test Sites:
-----------
User acceptance testing successfully completed by the Business Office.

Software and Documentation Retrieval Instructions:
-------------------------------------------------
The PREC*6.2*1 Informational Patch is available on FORUM.

The PREC*6.2*1 documentation can be found on the VA Documentation Library
(VDL) at: https://www.domain.ext/vdl/

Documentation can also be obtained at:
https://download.vista.domain.ext/index.html/SOFTWARE.

The documentation includes:
-------------------------------------------------------------------------
Title                                File Name              Transfer Mode
-------------------------------------------------------------------------
PECS v6.2 Release Notes              PREC_6_2_1_RN.PDF      Binary
PECS v6.2 Troubleshooting Guide      PREC_6_2_1_TG.PDF      Binary
PECS v6.2 Installation Guide         PREC_6_2_1_IG.PDF      Binary
PECS V6.2 User Guide                 PREC_6_2_1_UG.PDF      Binary
PECS V6.2 Deployment, Installation,  PREC_6_2_1_DIBR.PDF    Binary
Back-Out, and Rollback Guide (DIBR)

Installation Instructions:
--------------------------
This is a Web Application JAVA Build. This is a Centralized Server
promotion. NO installation is required at Local sites.

Routine Information:
====================
No routines included.

=============================================================================
User Information:
Entered By  :                               Date Entered  : FEB 19, 2019
Completed By:                               Date Completed: JUL 09, 2021
Released By :                               Date Released : JUL 09, 2021
=============================================================================

Packman Mail Message:
=====================

No routines included