Question
Scott Roth · Feb 4, 2021

What is the best practice when sending data via HTTPS outside a Hospital Network

We are getting more and more requests wondering if we could send/receive data via HTTPS to the outside world from within our Hospital Network. As you can imagine, our Ensemble/Cache productions are not exposed to the DMZ or have access outside of the network. We only communicate with external vendors through a VPN, so communicating without using a VPN is rather new to us.

Currently there is a project to get rid of using a Proxy and instead go through a Load Balancer that can use rules to filter out traffic, which adds another layer of complexity.

So does anyone out there have a Best Practice, or can share how they set up their Architecture to allow their Ensemble/Cache to still be secure but also able to connect to the outside world via HTTPS?

Thanks

Scott

$ZV: Cache for UNIX (IBM AIX for System Power System-64) 2018.1.3 (Build 414U)
Product version:
Caché 2018.1

Replies

It is far too long since I worked on Hospital systems to give an authoritative answer given the extra restrictions you may have, but for HTTPS the connection and data are already secure.

For outbound, infrastructure can ensure it is routed outside appropriately, and you could even limit traffic to specific external endpoints.

For inbound, a load balancer or reverse proxy in the DMZ can keep your system away from the outside world, limit traffic between the two, and only allow specific external endpoints to have access.

It's fairly common to use mutual TLS authentication as well. In a nutshell, both sides validate the other's cert before allowing a connection.