By Richa Asarawala, Lead Solutions Architect, VeloCloud
EPIC Community Connect is a program that allows smaller healthcare organizations to partner with a larger hospital system using Epic's electronic health record (EHR) system. It aims to bridge the gap for smaller healthcare organizations that might not be able to afford or implement Epic's EHR on their own.
In this model, the larger hospital system (the provider) acts as a host and manages the EPIC system. The provider allows its partners (individual physician practices, smaller clinics, or even community hospitals) to use EPIC Community Connect to access patient data, including X-rays, CT scans, MRIs, and medical record charting, over VPN connections. The partners (physician practices and clinics) are responsible for installing and operating their own network infrastructure and connectivity to reach the healthcare provider.
While the VPN approach allows smaller partners the choice of leveraging their existing network infrastructure to have EHR management, it also brings other challenges to both the provider and the partners. VeloCloud SD-WAN offers an alternative that enhances security, reliability, and operational efficiency for these healthcare partnerships.
Challenges with VPN approach
- Any time a WAN outage or WAN degradation happens, a VPN requires manual failover. This adds a lot of operational overhead and potential downtime for critical healthcare applications, resulting in interrupted patient care.
- Overlapping IP address spaces among different partners are very common. With a VPN approach, network address translation (NAT) must be implemented to change the overlapping IPs.
- Bringing up a VPN installation can take days or even months, because it requires provider IT staff to sit for hours with partner IT staff to deploy and configure VPN services in their firewalls. With this approach, standardization becomes difficult and operational efficiency drops.
- Troubleshooting VPN issues becomes very challenging and can take days, because the provider has to wait on partners to provide data points from systems the provider has no control over.
- If any partner's infrastructure is compromised by a security breach or under cyber attack, the nature of basic VPN can increase the attack surface and security risk to the provider.
- Clinics need to have IT people on staff or have someone managing their IT, which increases operational cost.
How VeloCloud SD-WAN enables seamless experience and secure access to EHR
VeloCloud SD-WAN is a cloud-delivered solution that simplifies and optimizes network connectivity for enterprises, offering features like Dynamic Multipath Optimization (DMPO), application-aware routing, and enhanced security. Healthcare providers who use VeloCloud SD-WAN have experienced these benefits and more:
- Up to 10X reduction in application performance incidents
- Up to 3X reduction in outages
- Automatic failover, per-packet steering, and real-time monitoring using DMPO
Figure 1 shows a VeloCloud SD-WAN architecture which goes beyond one enterprise. In this model, a VeloCloud Partner Gateway — a multi-tenant SD-WAN virtual appliance — is deployed into the provider PoP or data center.
Provider Side VeloCloud Architecture

Figure 1: Provider side VeloCloud architecture
The VeloCloud Partner Gateways (PGWs) are deployed with a public interface (shown as Eth0 in Figure 1 above) behind a firewall DMZ. This allows seamless outbound communication to the VeloCloud Orchestrator for PGW management traffic and for establishing encrypted SD-WAN tunnels over public WAN connections. The private interface (shown as Eth1 in Figure 1 above) is used to decrypt the traffic and reach internal data center resources, as well as to establish SD-WAN tunnels from private WAN connections.
By deploying PGWs, an EPIC connectivity provider can connect the Community Connect partners by eliminating IPsec config. This provides the benefits of automatic failover with multi-site resiliency, simplified operation, rapid deployment and security by segmenting the traffic flow between each partner. This simplified architecture is also easy to scale.
Partner Side VeloCloud Architecture

Figure 2: Partner side VeloCloud architecture
This architecture on partner sites allows them to be more flexible. A provider can activate the VeloCloud SD-WAN Edge and simply ship it to a partner site where it can be placed before or after a firewall, or in a DMZ.
Security at the edge: VeloCloud comes with enhanced security capabilities such as a stateful L7 firewall with URL filtering (URLF), IPS/IDS, and more, which can replace or coexist with an existing firewall on the partner site. VeloCloud Edge Firewall features can help reduce damage if a customer is hacked.
High availability: To increase availability, high availability (HA) can be configured at bigger locations, such as hospitals that must run 24 hours a day and cannot afford downtime.
Visibility: A provider can now see issues that may cause degradation or outages, such as high link utilization or packet loss. This speeds time to resolution and allows proactive remediation, versus being blind and waiting hours to days to troubleshoot in the VPN case. Because it is managed, the provider can troubleshoot issues remotely.

Figure 3: End-to-end VeloCloud architecture to provide EPIC community connect access for partners
Steps to implement VPN vs. VeloCloud
This architecture not only helps eliminate IPsec config, but also provides automatic failover, simplified operation, and rapid deployment, and it drastically reduces the steps for the provider during partner onboarding.
| Step | Steps to implement and manage VPN | Steps to implement and manage VeloCloud SD-WAN |
|---|---|---|
| 1. | Install and configure VPN on the provider firewall | Configure and activate VeloCloud SD-WAN virtual gateways and edges at the provider site |
| 2. | Install and configure VPN on the partner firewall | Connect to SD-WAN via Wi-Fi / wired connection |
| 3. | Start using EPIC | Start using EPIC |
| 4. | No visibility on partner side, leading to longer troubleshooting times | Central monitoring via VeloCloud Orchestrator and troubleshoot issues faster, remotely |
Summary
Providers can see the following benefits using VeloCloud SD-WAN with EPIC Community Connect:
- Monitoring and improved performance: DMPO provides real-time link monitoring, adaptive per-packet steering, sub-second failover, and improved app performance through on-demand remediation, QoS, and bandwidth aggregation.
- Reduced operational overhead and standardization: By eliminating overlapping IP addresses and the requirement of IPsec, the provider can simplify operations while maintaining control.
- Rapid deployment: Activating and configuring VeloCloud at a central location and drop-shipping it to partners delivers services rapidly.
- Security: Inherent partner segmentation gives the security needed along with centralized security in the DMZ and additional security on the VeloCloud SD-WAN Edge.
- Simplified Day 2 operations: Central visibility through VeloCloud Orchestrator and remote monitoring help keep the WAN environment up, healthy, secure, and optimized for business needs, with faster response to incidents.
- Revenue generation: Instead of requiring partners to bring their own VPNs, a managed SD-WAN service can strengthen partnerships by taking the technical burden off smaller partners. Providers can also monetize their investment by using VeloCloud to offer WAN as-a-service to partners.