PopMedNet Software Security Specifications

The overall security of a PopMedNet network is determined by a combination of the PopMedNet software, the hosting environment, and the procedures and processes of the network's administrators and users. This page details the security features available in the PopMedNet software itself. For more information on the other components, please see System Security.


The PopMedNet software is designed to be highly secure and suitable for transferring sensitive data. The PopMedNet software has passed a detailed independent security audit. The following information details the major system security specifications of PopMedNet v6.


  • All communications between the DataMart Client application and the Portal use HTTPS/SSL/TLS connections to securely transfer queries and results between the application and the Portal. 
  • Enhanced system procedures
    • Securely stores credentials as Salted Hashes
    • Uses cryptographically secure random values for session IDs (.NET Type 4 GUID)
    • Cookies marked as ‘SECURE’, ‘SESSION’ & ‘HTTPONLY’ and the cookie domain
  • Web Service and Portal Authorization
    • Ensures all submissions are performed via POST method
    • Does not publish WSDL
    • Limits the number and size of file submissions
  • All credential and connection information needed by the DataMart Client to communicate with the PopMedNet portal or with DataMart data sources is stored in the Windows Credential Manager using AES-256 encryption.

  • Requires users to select strong passwords. The password strength rules are configurable by each network implementation. The default rules are as follows: at least 15 characters, maximum length of 100, at least 1 number, at least one nonnumeric character, at least one capital letter, at least one lowercase letter, and at least one special character.
  • Forces users to change their passwords on a scheduled basis. The time period after which a password must be changed is configurable by each network implementation; the default time period is every 3 months.
  • Previously used passwords cannot be reused for a 6-month period.
  • Automatically logs users off after thirty minutes of inactivity.
  • Backs up files or deleted queries on the disaster recovery database for 4 days and automatically deletes them on day 5.
  • Audits all network activity (e.g., access, user ID changes, query initiation, results upload, etc.).
  • Provides a highly granular access control system to enable customized access control configuration.
  • Requires all user accounts to be approved or created by an authorized user.
  • Provides DataMart Audit logs and Network Activity Reports for specified network users.
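
The default password rules and the 6-month reuse restriction listed above can be checked together even though only salted hashes are stored. The sketch below is an added example, not PopMedNet code. It assumes PBKDF2-HMAC-SHA256 as the salted hash, 183 days for "6 months", and "special character" meaning any non-alphanumeric character; all function and class names are hypothetical.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Policy:
    # Defaults mirror the rules listed on this page; each network may reconfigure them.
    min_len: int = 15
    max_len: int = 100
    reuse_window: timedelta = timedelta(days=183)  # assumption: "6 months" as 183 days


def hash_password(password, salt=None, rounds=100_000):
    """Return (salt, digest). PBKDF2-HMAC-SHA256 is an assumption;
    the page only says credentials are stored as salted hashes."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)


def violations(password, history, now, policy=Policy()):
    """List the rules a candidate password breaks.
    history: (salt, digest, set_at) tuples for the user's earlier passwords."""
    checks = [
        (len(password) >= policy.min_len, "too short"),
        (len(password) <= policy.max_len, "too long"),
        (any(c.isdigit() for c in password), "needs a number"),
        (any(not c.isdigit() for c in password), "needs a nonnumeric character"),
        (any(c.isupper() for c in password), "needs a capital letter"),
        (any(c.islower() for c in password), "needs a lowercase letter"),
        (any(not c.isalnum() for c in password), "needs a special character"),
    ]
    problems = [msg for ok, msg in checks if not ok]
    if problems:
        return problems  # skip the expensive hashing for input that already fails
    # Old passwords exist only as salted hashes, so reuse is detected by
    # re-hashing the candidate with each stored salt and comparing digests.
    for salt, digest, set_at in history:
        if now - set_at <= policy.reuse_window:
            _, candidate = hash_password(password, salt)
            if hmac.compare_digest(candidate, digest):
                return ["reused within window"]
    return []
```
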