
Surescripts Connectivity Questionnaire

Document Last Updated: August 22, 2011

Contents
Purpose
FQDN & IP Requirements
Certificate Requirements
Participant Connectivity Information
Surescripts Active/Active Data Centers
Surescripts Prescription Benefits and Medication History Connectivity Information
Surescripts Prescription Routing Connectivity Information

Purpose
Surescripts' objective for its Transport Layer Security (TLS) / Public Key Infrastructure (PKI)
Certificate Interconnection Policy is to ensure the integrity and scalability of the Pharmacy Health
Information Exchange by allowing only authorized Participants to have authenticated and secure
access to the network, while avoiding unnecessary operational complexity or expense to our
Participants.

FQDN & IP Requirements


1. The Fully Qualified Domain Name (FQDN) address must resolve to a static public IP
address.
2. Participants must use Surescripts FQDN with public Domain Name System
(DNS) lookups to support the dynamic resolution of the Surescripts FQDN. Please do
NOT hard-code IP addresses in hosts files or within application software. Failure to
comply will result in an inability to transmit messages to Surescripts primary and
secondary data centers. Surescripts will employ Global Traffic Manager which relies on
DNS to route traffic.
3. Participants must add the Surescripts IP addresses for the secondary data center for all
Surescripts environments into their firewalls in order to transmit to and receive from both
Surescripts data centers.
4. The systems that make connections into the Surescripts network must utilize a public
U.S. based IP address. No private / internal / RFC1918 addresses or non-U.S. IP
address space can be used.
5. Separate Participant source IP addresses for traffic destined to Surescripts
Staging and Production must be established. No overlap of IP addresses is
allowed between the two environments. This requirement eliminates the chance of
accidental transmission of messaging between Staging and Production. This is critical
since the Staging environment should never contain actual Protected Health Information
(PHI), and the Production environment should not contain test information. Participant
employees / contractors may have varying levels of access to PHI; therefore, access to
Staging/QA/Development systems should not directly allow access to Production.
6. The IP address provided should be registered with the American Registry for Internet
Numbers (ARIN) using the Participant's name and contact information (i.e., a registration
under Amazon, AT&T, Yahoo, or Comcast should not be used).
a) If the provided IP address is not registered to the Participant, the Participant must
send an email to Surescripts to affirm that the IP address provided is operated by the
Participant.
b) The email must come from the Participant domain (i.e. no @yahoo.com or
@gmail.com).
7. TLS connections inbound to Surescripts must use TCP port 443.
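
A pre-submission check for requirements 4 and 5 above, as an added example that is not part of the Surescripts document. It accepts single addresses or CIDR ranges, and the sample entries are constructed from documentation address space. The U.S.-based and ARIN registration requirements need external lookups and are not checked here.

```python
import ipaddress

# Address space that requirement 4 rules out: RFC 1918 plus other
# non-public IPv4 ranges (loopback, link-local, carrier-grade NAT).
NON_PUBLIC = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "100.64.0.0/10",
)]

def parse_entries(entries, env, findings):
    """Parse addresses/CIDRs for one environment, recording bad entries."""
    nets = []
    for raw in entries:
        try:
            net = ipaddress.ip_network(raw.strip(), strict=False)
        except ValueError:
            findings.append((env, raw, "not a valid IP address or CIDR range"))
            continue
        if any(net.overlaps(block) for block in NON_PUBLIC):
            findings.append((env, str(net), "private/internal address space"))
        nets.append(net)
    return nets

def check_source_ips(staging, production):
    """Return (environment, entry, problem) tuples; an empty list means clean."""
    findings = []
    stg = parse_entries(staging, "staging", findings)
    prd = parse_entries(production, "production", findings)
    # Requirement 5: Staging and Production sources must not overlap at all,
    # including a Production host that sits inside a Staging range.
    for s in stg:
        for p in prd:
            if s.overlaps(p):
                findings.append(("both", f"{s} / {p}",
                                 "staging and production overlap"))
    return findings

# Constructed sample input (documentation ranges stand in for real public IPs).
SAMPLE_STAGING = ["203.0.113.16/29", "192.168.10.4"]
SAMPLE_PRODUCTION = ["198.51.100.7", "203.0.113.20"]

if __name__ == "__main__":
    for finding in check_source_ips(SAMPLE_STAGING, SAMPLE_PRODUCTION):
        print(*finding, sep=" | ")
```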

Certificate Requirements
1. Certificate Common Name must match the FQDN provided in the URL.
2. Certificate Common Name must be an FQDN, not an IP address.
3. Certificate must be signed by a public Trusted Root Certificate Authority (CA) with a
minimum 2048 bit Public Key.
a) A public Trusted Root Certificate Authority (CA) is defined as a provider that
minimally follows the CA operational criteria outlined in either the WebTrust
Principles and Criteria for Certification Authorities (www.webtrust.org) or the
equivalent ANSI / ETSI-TS guidelines.
b) The CA must have completed a WebTrust for Certificate Authorities
(www.webtrust.org) audit or an equivalent third-party attestation.
i. Surescripts must recognize the Root CA as a valid and trusted entity. For a
sample list of Root CAs, go to: http://support.microsoft.com/kb/931125.
ii. Surescripts will NOT accept self-signed certificates or certificates issued by a
private Certificate Authority.
iii. Surescripts will not manually import any Participant Public Key issued by a
Private CA. Surescripts cannot make any exceptions to this requirement.
c) The certificate is not required to be set up specifically or solely for Surescripts (e.g.,
Surescripts.mydomain.com). The same certificate applied on a server can be used
for multiple sites.
d) Generic FQDNs are acceptable in a certificate (i.e. www.mydomain.com), but must
contain the Participant's domain name (mydomain.com). Surescripts currently does
not support wildcard certificates (e.g., *.mydomain.com or mydomain.com).
e) Certificate must be current and active (not expired or revoked). Surescripts rejects
TLS connections with invalid certificates.
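
The field-level rules above expressed as a checker, as an added example that is not part of the Surescripts document. The `cert` dictionary layout, the function name and the sample values are assumptions made for illustration; chain validation against a public root CA and revocation status must still be checked by the TLS stack.

```python
import ipaddress
from datetime import datetime, timezone
from urllib.parse import urlsplit

def _is_ip(text):
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False

def check_certificate(cert, url, participant_domain, now=None):
    """Return the Certificate Requirements that `cert` (a dict of fields) fails."""
    now = now or datetime.now(timezone.utc)
    cn = cert["common_name"].lower().rstrip(".")
    host = (urlsplit(url).hostname or "").lower()
    domain = participant_domain.lower()
    problems = []
    if cn != host:                                            # requirement 1
        problems.append("CN does not match the FQDN in the URL")
    if _is_ip(cn) or "." not in cn:                           # requirement 2
        problems.append("CN is not an FQDN")
    if cert["key_bits"] < 2048:                               # requirement 3
        problems.append("public key is smaller than 2048 bits")
    if cert["issuer"] == cert["subject"]:                     # requirement 3b-ii
        problems.append("certificate is self-signed")
    if "*" in cn:                                             # requirement 3d
        problems.append("wildcard certificates are not supported")
    if not (cn == domain or cn.endswith("." + domain)):       # requirement 3d
        problems.append("CN does not contain the Participant's domain")
    if not cert["not_before"] <= now <= cert["not_after"]:    # requirement 3e
        problems.append("certificate is expired or not yet valid")
    return problems

UTC = timezone.utc
# Constructed samples; the values are illustrative, not from a real certificate.
GOOD = {"common_name": "rx.mydomain.com", "subject": "CN=rx.mydomain.com",
        "issuer": "CN=Constructed Public CA", "key_bits": 2048,
        "not_before": datetime(2011, 1, 1, tzinfo=UTC),
        "not_after": datetime(2012, 1, 1, tzinfo=UTC)}
BAD = {"common_name": "*.mydomain.com", "subject": "CN=*.mydomain.com",
       "issuer": "CN=*.mydomain.com", "key_bits": 1024,
       "not_before": datetime(2009, 1, 1, tzinfo=UTC),
       "not_after": datetime(2011, 6, 1, tzinfo=UTC)}

if __name__ == "__main__":
    when = datetime(2011, 8, 22, tzinfo=UTC)
    url = "https://rx.mydomain.com/post"
    print(check_certificate(GOOD, url, "mydomain.com", when))
    print(check_certificate(BAD, url, "mydomain.com", when))
```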

Participant Connectivity Information


Please fill in the information below:

Project Details

What services will you be certifying on?
Prescription Routing
Prescription Benefit and Medication History
Medication History for Hospitals

If you selected Prescription Routing above, select any optional items you will be certifying on. Changes can be made later on if necessary.
Rx Change transaction
Cancel Rx transaction
Sending a Verify message
Receiving a Verify message
EPCS service

If known, what is the name and version of the product/application being certified?

Have you been certified by Surescripts in the past?
Yes
No

If yes, what is the Name and Version of the certified application?

Service certified:
Retail Prescription Routing
Mail-order Prescription Routing
Prescription Benefit and History
Other (please specify)

If known, will you be using XML or EDIFACT code for your transactions? XML will be set up by default. Changes can be made later on if necessary.
Prescription Routing: XML / EDIFACT
Medication History for Ambulatory Applications: XML / EDIFACT
Medication History for Hospitals: This service is only available in HL7

What drug database will you be utilizing for drug formulary information (if applicable)?
Click here to choose from list:
If Other for Prescription Routing, please specify:

What is your target production go-live date:

Staging Environment - Prescription Benefits and Medication History

What is the Staging IP address that your traffic will be coming from (Source IP)?
Prescription Routing: See next section
Prescription Benefit and Medication History:

Yes
No

Production Environment - Prescription Benefits and Medication History

What is the Production IP address that your traffic will be coming from (Source IP)? Staging IPs must differ from Production IPs.
Prescription Routing: See next section
Prescription Benefit and Medication History:
Medication History for Hospitals:

Who is the Trusted Public Certificate Authority (CA) of your Production certificate?

Is the Source IP registered to your Organization's Name?
Yes
No

If No, the following statement MUST be included when submitting this form to Surescripts:
I, [Name], affirm that the IP listed [Note IP here] is operated by [Your company name]. I authorize Surescripts to add it to their firewall per the Surescripts firewall policies.
Signed,
[Authorizing Name & Title]

Production Environment - Prescription Routing

What is the username and password Surescripts must use when posting messages to your Production server?
Username:
Password:

Provide the Production URL Surescripts should use to post transactions to (if applicable Destination FQDN)?

What is the IP address that your traffic will be coming from (Source IP)? For Prescription Routing Only: You may provide 1 IP for messaging source IP, admin console IP and Directory IP or you may assign up to 3 different IPs, one for each.
Messaging Source IP:
Admin Console IP:
Directory IP:

Contact Information

Who is your Point-of-Contact for Network/Firewall changes that the Surescripts Network Services staff can work with?
Name:
Phone Number:
Email Address:

Your First Tier Support Escalation Contact:
Name:
Phone Number:
Email Address:

Your Executive Escalation Support Contact:
Name:
Phone Number:
Email Address:

Your After-Hours Support/Escalation Contact:
Name:
Phone Number:
Email Address:

IT Contact Support Email Address:

IT Support Helpdesk/Data Center Contact phone, email, or pager (if applicable):

Surescripts Active/Active Data Centers


Even though Surescripts utilizes a different platform between the Surescripts Prescription
Benefits and Medication History services and Surescripts Prescription Routing service,
Participants may use the same environment to access each Surescripts platform. Note that
different logins and end points must be utilized for each Surescripts platform.
Surescripts' goal is to provide continuous operation of core transaction routing services while
maximizing ROI for our Participants. To accomplish this, in 2010 Q4, Surescripts reconfigured
the disaster recovery data center as an active data center to support load balancing and
processing transactions in parallel. Each data center (primary and secondary) is capable of
supporting the entire network volume which allows for continuous availability even if one data
center is temporarily unavailable (due to network maintenance, etc).
In order for Internet-connected Participants to take full advantage of this architecture and be
able to both transmit and receive transactions from the two data centers, the following actions
must be taken on the Participant's infrastructure:

Participants must use Fully Qualified Domain Names (FQDN) with public DNS lookups
to support the dynamic resolution of the Surescripts FQDN. DO NOT hard-code IP
addresses in hosts files or within application software. Failure to comply will result in an
inability to transmit messages to Surescripts primary and secondary data centers.
Surescripts will employ Global Traffic Manager which relies on DNS to route traffic.

Participants must add the Surescripts IP addresses for the secondary data center for all
Surescripts environments into their firewalls in order to transmit to and receive from both
Surescripts data centers.

It must be stressed that, because of the all-or-nothing nature of our network (we route
transactions between Participants), Surescripts is making connectivity to BOTH of our data
centers mandatory. Regardless of Active/Active, Participants will not be able to utilize the
Surescripts disaster recovery center unless they complete the required setup.

Additional FAQ:
1. Q: Will we have the ability to test basic connectivity to/from the new data center before
implementation?

A: Yes. From a Participant's transmitting server, telnet to port 443 on the IP address
corresponding to the appropriate FQDN (e.g. telnet 38.126.166.7 443 to test
connectivity to messaging.surescripts.net at the Surescripts secondary data center).

2. Q: What are the new/additional Surescripts IPs we will need to open up on our firewalls
in support of the active-active data centers?
A: See tables below.

3. Q: How should we connect to Surescripts with active-active data centers?


A: Use the Fully Qualified Domain Name FQDN.

4. Q: Are we allowed to use HOST Files for connecting to Surescripts?


A: No.

5. Q: Should we use public DNS to resolve Surescripts URLS?


A: Yes.

6. Q: Hard-coded IPs are not allowed?


A: No, they are not allowed and don't make sense in an active-active datacenter
networking model anyway.
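
A hosts-file audit for the rule in FAQ items 4 to 6, as an added example that is not part of the Surescripts document. The function name and the sample hosts content are constructed; the two domains are the ones used by the URLs in the connectivity tables.

```python
# Domains used by the Surescripts URLs in the connectivity tables on this page.
SURESCRIPTS_DOMAINS = ("surescripts.net", "rxhub.net")

def pinned_hosts(hosts_text, domains=SURESCRIPTS_DOMAINS):
    """Return (line_no, ip, hostname) for each hosts entry under `domains`."""
    hits = []
    for line_no, line in enumerate(hosts_text.splitlines(), start=1):
        # Drop trailing comments, then split "ip name [alias ...]".
        entry = line.split("#", 1)[0].split()
        if len(entry) < 2:
            continue
        ip, names = entry[0], entry[1:]
        for name in names:
            host = name.lower().rstrip(".")
            # Match the domain itself or any host below it, but not
            # look-alikes such as "notsurescripts.net".
            if any(host == d or host.endswith("." + d) for d in domains):
                hits.append((line_no, ip, host))
    return hits

# Constructed hosts-file content for the demonstration.
SAMPLE_HOSTS = """\
127.0.0.1      localhost
# 69.25.46.7   messaging.surescripts.net
38.126.166.7   messaging.surescripts.net   # pinned to one data center
10.0.0.12      intranet.mydomain.com notsurescripts.net
208.86.145.253 Switch.RxHub.net.
"""

if __name__ == "__main__":
    for line_no, ip, host in pinned_hosts(SAMPLE_HOSTS):
        print(f"line {line_no}: {host} is hard-coded to {ip}; remove the entry "
              "and resolve through public DNS")
```

Any hit means traffic to that name bypasses the DNS-based routing between the primary and secondary data centers.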

Surescripts Prescription Benefits and Medication History Connectivity Information


Legend: May need to be added for Inbound to Surescripts (Secondary Data Center)
Legend: Must be added for Outbound from Surescripts (Secondary Data Center)

| Environment Name | Fully Qualified Domain Name (FQDN) and URL | Port | Inbound to Surescripts Primary Data Center | Outbound from Surescripts Primary Data Center | Inbound to Surescripts Secondary Data Center | Outbound from Surescripts Secondary Data Center |
|---|---|---|---|---|---|---|
| Prescription Benefits (270, 271) and Medication History (RXHREQ, RXHRES, and ADT) | | | | | | |
| Certification | https://switch-cert01.rxhub.net/rxhub | 443 | 208.86.145.233 | 208.86.145.228 | 209.117.210.233 | 209.117.210.132 |
| Production | https://switch.rxhub.net/rxhub | 443 | 208.86.145.253 | 208.86.145.228 | 209.117.210.253 | 209.117.210.132 |
| Secure File Transfer for E-Prescribing Activity Report | | | | | | |
| Certification | https://transport-cert.rxhub.net | 22 | 208.86.145.238 | 208.86.145.228 | 209.117.210.238 | 209.117.210.132 |
| Production | https://transport.rxhub.net | 22 | 208.86.145.239 | 208.86.145.228 | 209.117.210.239 | 209.117.210.132 |
| WebDav Server for Secure Formulary File Transfers | | | | | | |
| Certification | https://files-cert.rxhub.net/webdav/ | 80 | 208.86.145.235 | 208.86.145.228 | 209.117.210.235 | 209.117.210.132 |
| Production | https://files.rxhub.net/webdav/ | 80 | 208.86.145.254 | 208.86.145.228 | 209.117.210.254 | 209.117.210.132 |
| PCI Transaction Log and Review | | | | | | |
| Certification | https://cert.rxhub.net/pci/app/login/form | N/A | N/A | N/A | N/A | N/A |
| N/A | N/A - Unavailable in Production | N/A | N/A | N/A | N/A | N/A |

Surescripts Prescription Routing v10.6 and Directories v4.0/v4.4 Connectivity Information

Legend: May need to be added for Inbound to Surescripts (Secondary Data Center)
Legend: Must be added for Outbound from Surescripts (Secondary Data Center)

| Environment Name | Fully Qualified Domain Name (FQDN) and URL | Port | Inbound to Surescripts Primary Data Center | Outbound from Surescripts Primary Data Center | Inbound to Surescripts Secondary Data Center | Outbound from Surescripts Secondary Data Center |
|---|---|---|---|---|---|---|
| Prescription Routing (NEWRX, REFREQ, REFRES, ERROR, STATUS, VERIFY, etc.) | | | | | | |
| Staging* | https://staging.surescripts.net/XXX/AuthenticatingXmlServer.aspx | 443 | 69.25.46.8 | 69.25.46.11 | 38.126.166.8 | 38.126.166.11 |
| Production* | https://messaging.surescripts.net/XXX/AuthenticatingXmlServer.aspx | 443 | 69.25.46.7 | 69.25.46.10 | 38.126.166.7 | 38.126.166.10 |
| Directory Messaging v4.0 (DirectoryDownload, AddPrescriber, AddPharmacy, etc.) | | | | | | |
| Certification* | https://staging.surescripts.net/XXX/DirectoryXmlServer.aspx | 443 | 69.25.46.8 | N/A | 38.126.166.8 | N/A |
| Production* | https://messaging.surescripts.net/XXX/Directoryxmlserver.aspx | 443 | 69.25.46.7 | N/A | 38.126.166.7 | N/A |
| Directories Messaging v4.4 (DirectoryDownload, AddPrescriber, AddPharmacy, etc.) | | | | | | |
| Staging | https://staging.surescripts.net/Directory4dot4/directoryxmlserver.aspx | 443 | 69.25.46.8 | N/A | 38.126.166.8 | N/A |
| Production | https://admin.surescripts.net/directory4dot4/directoryxmlserver.aspx | 443 | 69.25.46.5 | N/A | 38.126.166.5 | N/A |
| Directories Files for Prescriber and Pharmacy File Downloads | | | | | | |
| Staging | https://staging.surescripts.net/Downloads/ | 443 | 69.25.46.8 | N/A | 38.126.166.8 | N/A |
| Production | https://admin.surescripts.net/Downloads/ | 443 | 69.25.46.5 | N/A | 38.126.166.5 | N/A |
| Admin Console Transaction Log and Review | | | | | | |
| Staging | https://staging.surescripts.net | 443 | 69.25.46.8 | 69.25.46.11 | 38.126.166.8 | 38.126.166.11 |
| Production | https://admin.surescripts.net | 443 | 69.25.46.5 | 69.25.46.10 | 38.126.166.5 | 38.126.166.10 |

*You will post messages to these URLs, where XXX will be replaced with your Surescripts assigned information. Your assigned information will be sent out at a
later date, in your connectivity form. Green denotes new IPs for Directories.
