The Sentinel Service System provides remote support for Hitachi Medical Equipment.
It also provides up-to-date System Status Information at periodic intervals.
Questra Corporation, nowadays Axeda Corporation (axeda.com)
What can we do with the Sentinel Service?
Application Support
Remote Desktop support by the applications helpdesk
System Logging
In case problems occur, system logging can be activated remotely to be downloaded and evaluated
How does the Sentinel Service work?
[Figure sequence: network diagrams showing HMC Sentinel Japan (RD Server 133.145.173.152, Database Server 133.145.173.151, Web Server 133.145.173.150), the Customer site, HITACHI and HMSA NTS, each behind a firewall and connected over the Internet. Panel labels: SYSTEM STATUS INFO; RD trigger; NEW SYSTEM STATUS INFO; REMOTE DESKTOP SESSION REQUEST. Surviving caption fragments: "to Database Server"; "a session with the RD Server".]
The Hitachi Oasis, Echelon and Oval MRI Workstations and the CT Scenaria Workstations communicate with
Hitachi Sentinel servers using the TLSv1 cryptographic protocol for the safe transportation of data. The
connection uses mutual authentication (2SSL), providing extra security between the client and server
authentication processes.
The Sentinel servers do not respond to ICMP ping commands from the internet and will only allow connections
when there is agreement on the correct cipher suite, TLS_RSA_with_RC4_128_MD5 (128-bit encryption
without compression), in combination with a valid certificate exchange.
This method of operation is very secure and hard to intercept/hack from the “outside world”.
In addition, before a remote desktop session can be initiated, the operator or technologist has to approve the
session.
Before the approved session is established, all patient-sensitive information is anonymized (HIPAA
safe).
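For a hospital network team that wants to inventory this traffic, the following added example (not Hitachi or Questra code) parses a captured TLS ClientHello and reports whether it offers TLSv1 and the RC4/MD5 suite named above, both since retired by the IETF (RFC 8996 and RFC 7465). The handshake bytes are constructed for the example, and all function names are this example's own.

```python
import struct

# Subset of the IANA cipher-suite registry; 0x0004 is the suite the page names.
SUITES = {0x0004: "TLS_RSA_WITH_RC4_128_MD5", 0x0005: "TLS_RSA_WITH_RC4_128_SHA",
          0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
          0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"}
VERSIONS = {0x0301: "TLSv1.0", 0x0302: "TLSv1.1", 0x0303: "TLSv1.2"}

def parse_client_hello(record: bytes) -> dict:
    """Extract client_version, cipher suites and compression methods."""
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS handshake record carrying a ClientHello")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs_len = int.from_bytes(record[6:9], "big")
    hello = record[9:9 + hs_len]
    if rec_len != hs_len + 4 or len(hello) != hs_len:
        raise ValueError("truncated or fragmented ClientHello")
    try:
        version = struct.unpack("!H", hello[:2])[0]
        pos = 2 + 32                      # skip client_version and random
        pos += 1 + hello[pos]             # skip session_id
        n = struct.unpack("!H", hello[pos:pos + 2])[0]
        suites = list(struct.unpack(f"!{n // 2}H", hello[pos + 2:pos + 2 + n]))
        pos += 2 + n
        compression = list(hello[pos + 1:pos + 1 + hello[pos]])
    except (IndexError, struct.error) as exc:
        raise ValueError("malformed ClientHello body") from exc
    return {"version": version, "suites": suites, "compression": compression}

def audit(record: bytes) -> list:
    """Return legacy-crypto findings for one captured ClientHello."""
    hello, findings = parse_client_hello(record), []
    if hello["version"] < 0x0303:
        name = VERSIONS.get(hello["version"], hex(hello["version"]))
        findings.append(f"highest offered version {name} is below TLS 1.2")
    for code in hello["suites"]:
        name = SUITES.get(code, f"0x{code:04X}")
        if "RC4" in name:
            findings.append(f"{name} offered (RC4 prohibited by RFC 7465)")
    return findings

def build_sample(version=0x0301, suites=(0x0004,)) -> bytes:
    """Constructed input: minimal ClientHello, zeroed random, no extensions."""
    cs = b"".join(struct.pack("!H", s) for s in suites)
    hello = (struct.pack("!H", version) + bytes(32) + b"\x00"
             + struct.pack("!H", len(cs)) + cs + b"\x01\x00")
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16" + struct.pack("!HH", version, len(handshake)) + handshake
```

Feed `audit()` the first record a modality sends on port 443, taken from a packet capture at the hospital firewall, to confirm what the device actually negotiates.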
What ports need to be opened on the hospital firewall?
NTS will access the Graphical User Interface (GUI) of Webserver 133.145.173.150
(https://www.sentinel-service.com/qss) to review all installed devices.
When a remote desktop session is needed, a trigger will be sent to the database desktop server
ws.sentinel-service.com (133.145.173.151) to trigger the modality to send an RD request.
The initial RD request will therefore be sent by the modality via an outbound SSL packet (not an inbound one,
which may be blocked by the hospital’s firewall).
The rd.sentinel-service.com server will accept the RD session and the connection is established.
In order to make the connection with the server, outbound port 443 needs to be open for the modality, nothing
more!
We do not use a VPN for the connection, “just” a regular SSL/TLSv1 connection.
What kind of Remote Desktop program is used?
When the Questra software wants to establish a Remote Desktop session (RD session), the UltraVNC program is
used.
VNC was originally developed (by Olivetti and Oracle Research Labs) to be used only in a LAN, due to security
issues.
When used over the internet, a secure connection (SSL: Secure Sockets Layer, or TLSv1: Transport Layer
Security version 1) is required for safety.
Nowadays, there are several companies who deliver the VNC concept of platform independent remote desktop
control. One of the most popular versions is RealVNC (from RealVNC Ltd.), by the original developers of VNC.
RealVNC is free for use (http://www.realvnc.com). The paid versions of RealVNC offer more functionality which
is not needed for our purposes.
UltraVNC is comparable with Microsoft’s RDP (Remote Desktop Protocol) that uses TCP Port 3389.
Sentinel Technical Information Sheet