=============================================================================
Run Date: OCT 31, 2024                     Designation: WEBP*1*43
Package : WEBP - PATIENT CENTERED MANAGEMENT  Priority: Mandatory
Version : 1        SEQ #42                     Status: Released
                  Compliance Date: DEC 01, 2024
=============================================================================

Subject: PCMM WEB DEFECT AND SECURITY SCAN REMEDIATION VII

Category:
  - Informational
  - Other

Description:
============

The purpose of the patch is to remediate defects and security scan
findings and to add tools for troubleshooting. There are seven issues, one
of which is a defect, six of which are adaptive maintenance.

Defects:
--------
1. PCMMW-2540 - INC35145838 PCMM BIR Station 521 - PROVIDER ROLE NOT
   SHOWING CORRECTLY IN PCMM

Adaptive Maintenance:
---------------------
1. PCMMW-2160 - Upgrade ESAPI to version 2.5.x.x
2. PCMMW-2448 - Fortify scan security issues: Critical: Privacy Violation
3. PCMMW-2562 - Remediate/Annotate Fortify 43 Scan
4. PCMMW-2173 - Mass Assignment - Insecure Binder Configuration
5. PCMMW-2277 - When team name changes for team reflected in CPRS Header,
   mark all assigned patients to be resynchronized.
6. PCMMW-2379 - Add better UI message for optimistic locking exceptions.

Patch Components:
-----------------

Files & Fields Associated:

File Name (Number)         Field Name (Number)     New/Modified/Deleted
------------------         -------------------     --------------------
N/A

Forms Associated:

Form Name                  File Number             New/Modified/Deleted
---------                  -----------             --------------------
N/A

Mail Groups Associated:

Mail Group Name            New/Modified/Deleted
---------------            --------------------
N/A

Options Associated:

Option Name                Type                    New/Modified/Deleted
-----------                ----                    --------------------
N/A

Protocols Associated:

Protocol Name              New/Modified/Deleted
-------------              --------------------
N/A

Security Keys Associated:

Security Key Name
-----------------
N/A

Templates Associated:

Template Name      Type    File Name (Number)      New/Modified/Deleted
-------------      ----    ------------------      --------------------
N/A

Remote Procedures Associated:

Remote Procedure Name      New/Modified/Deleted
---------------------      --------------------
N/A

Parameter Definitions Associated:

Parameter Name             New/Modified/Deleted
--------------             --------------------
N/A

Additional Information:
-----------------------
N/A

New Service Requests (NSRs):
N/A

Patient Safety Issues (PSIs):
N/A

Defect Tracking System Ticket(s) & Overview:
--------------------------------------------
1. PCMMW-2540 - INC35145838 PCMM BIR Station 521 - PROVIDER ROLE NOT
   SHOWING CORRECTLY IN PCMM

Problem:
--------
Detailed Description: In PCMM three (3) providers' "staff profile" is
showing they are "PRIMARY CARE PROVIDER" and doesn't show they are WH PCP.
However, when you go to view the team role/position information it shows
their team role to be "WH PRIMARY CARE PROVIDER" - which it should be. I'm
concerned this discrepancy is cause for concern.

Resolution:
-----------
The problem was that, because the team role on a staff assignment is
de-normalized from the team role on the position, the two can sometimes
get out of sync because of timing issues. Fixed the issue by consistently
referencing the position team role everywhere.

Adaptive Maintenance Tracking System Ticket(s) & Overview:
----------------------------------------------------------
1. PCMMW-2160 - Upgrade ESAPI to version 2.5.x.x

Problem:
--------
The PCMM Development team found that a package was noncompliant with VA
TRM guidance. This ticket is to remediate that.

Resolution:
-----------
The ESAPI version was upgraded to the 2.5 major version.

2. PCMMW-2448 - Fortify scan security issues: Critical: Privacy Violation

Problem:
--------
Critical policy violations were found by the Fortify Scan. The scan found
that a logging file could leak input data back to the console.

Resolution:
-----------
Remediated suspected Fortify issues by changing logging to internal rather
than console output.

3. PCMMW-2562 - Remediate/Annotate Fortify 43 Scan

Problem:
--------
Several issues were discovered via Fortify Security scans. The scan found
that a logging file could leak input data back to the console.

Resolution:
-----------
Remediated suspected Fortify issues by changing logging to internal rather
than console output. Also evaluated the findings and provided
justifications in the Fortify scan files.

4. PCMMW-2173 - Mass Assignment - Insecure Binder Configuration

Problem:
--------
Several issues were discovered via Fortify Security scans. The scan found
that input data could be leaking into different controllers.

Resolution:
-----------
Controllers have annotations to bind their inputs to certain values. More
bindings were added to validate and restrict user input to prevent
tampering.

5. PCMMW-2277 - When team name changes for team reflected in CPRS Header,
   mark all assigned patients to be resynchronized.

Problem:
--------
Given that a user can change the team name for a team that is reflected in
the CPRS Header, ensure that the name change triggers a CPRS header resync
for assigned patients.

Resolution:
-----------
Added code to update all assigned patients to set the flag for CPRS header
re-calculation/resync.

6. PCMMW-2379 - Add better UI message for optimistic locking exceptions.

Problem:
--------
When an error occurs in the application because of optimistic locking,
show a better error message instead of a stack trace.

Resolution:
-----------
Changed the UI message from a generic error to a message indicating an
optimistic locking error, with a suggestion to retry. See the test plan
for the new message.

Test Sites:
-----------
Memphis VA Medical Center (Memphis, TN)
VA Montana Health Care System (Ft. Harrison, Miles City)

SNOW Change Order #:
--------------------
CHG0535954 - Centralized Servers - Austin Information Technology Center,
Austin, TX

Software and Documentation Retrieval Instructions:
--------------------------------------------------
PCMM Web patch, WEBP*1*43, is a centrally managed web-based application
and will be implemented and deployed to a central web server. Sites do not
need to download any file for the patch installation.

Documentation describing the new functionality is included in this
release. Documentation can be found on the VA Software Documentation
Library at: https://www.domain.ext/vdl/. Documentation can also be
obtained at https://download.vista.domain.ext/index.html/SOFTWARE.

Documentation Title                        File Name
---------------------------------------------------------------------
Deployment, Installation Back-Out,         WEBP_1.0_43_DIBRG.DOCX
and Rollback Guide                         WEBP_1.0_43_DIBRG.PDF

Other Software Files:
---------------------
This release also includes other software files. Other software files can
be obtained by accessing the URL:
https://download.vista.domain.ext/index.html/SOFTWARE

File Name                            Description
--------------------------------------------------------
PCMMR_EAR-1.43.03.EAR                Installation file
PCMMR_UNATTENDED_EAR-1.43.03.EAR     Installation file

Patch Installation:
===================
PCMM Web patch, WEBP*1*43, is a centrally managed web-based application
and will be implemented and deployed to a central web server. No
installation is required by sites.

Pre/Post Installation overview:
---------------------------------------
N/A.

Pre-Installation Instructions:
------------------------------

Installation Instructions:
-------------------------
******************************************************************
**   PLEASE NOTE: THERE IS NO INSTALLATION FOR THIS PATCH.     **
******************************************************************

This informational patch, WEBP*1.0*43, is for PCMM Web. Installation is
done on a centralized server. Please refer to the WEBP_1.0_43_DIBRG.PDF
for more details.

Post-Installation Instructions:
-----------------------------

Routine Information:
====================
No routines included.

=============================================================================
User Information:
Entered By  :                               Date Entered  : OCT 08, 2024
Completed By:                               Date Completed: OCT 31, 2024
Released By :                               Date Released : OCT 31, 2024
=============================================================================

Packman Mail Message:
=====================

No routines included