External Service Integration - What is the Good Practice? #6323
-
|
Hello All, Good day. One quick question. Say we have a requirement to integrate with external services outside the organization via DMZ server, where we need to send some data to the external service. Two Ways:Inhouse Data --> Internal Mirth --> DotNet Webservices running in DMZ to post the data --> External service Which one you will choose and why? Or is there other better option ? Our main concern is the security and maintenance. Thank you. |
Beta Was this translation helpful? Give feedback.
Replies: 1 comment 4 replies
-
|
None probably. I am not sure there is a large risk here having "internal mirth" post directly to external endpoints. For inbound traffic I might consider more of a DMZ topology - but even then (in AWS) I would likely do this via mutual TLS on an AWS ALB letting it dump bad requests and then forwarding inbound to mirth for approved connections. A reminder that the ALB can have a WAF with it of course. |
Beta Was this translation helpful? Give feedback.
-
|
To answer your question though. That's your call depending on the expertise you have in house. Probably traffic volume and message ordering matter here. Would seem a bit odd to have two tech stacks though for this. And I would expect the DMZ machine would need to post back its success or failure back to internal databases or post back to the internal mirth box. |
Beta Was this translation helpful? Give feedback.
-
|
Thanks, Pacmano, for your reply. Actually, our EHR sends data to our internal interface engine, which in turn sends it to other 3rd party systems within the hospital. Now, some of this data is required to be sent to an external system like HIE platform. But this internal server is not allowed to connect external systems directly (as per the hospital policy). So, we need to go through the hospital DMZ server. Feeling a bit of hesitation to install another Mirth on the DMZ server. Somewhere I read that exposing interface engines directly to the external world is not a good practice. Another option is to have a DoNet proxy webservice to connect the external service. So just wondering how we proceed in a better way. |
Beta Was this translation helpful? Give feedback.
-
|
I simply disagree with your security people / hospital policy for outbound connections from your facility. Do they block browsing to the HIE to see if a record posted exists? It's sort of the same. You can of course use some transparent proxy in this scenario in the DMZ and not need a mirth box. For inbound connections I can understand the need to be more protective, but I already suggested a reasonable topology to protect your endpoints in AWS - but |
Beta Was this translation helpful? Give feedback.
-
|
Yes, we can browse HIE portal through SAML SSO through a dedicated server only. Noted the points. Thanks for your generous inputs as usual. |
Beta Was this translation helpful? Give feedback.
To answer your question though. That's your call depending on the expertise you have in house. Probably traffic volume and message ordering matter here. Would seem a bit odd to have two tech stacks though for this. And I would expect the DMZ machine would need to post back its success or failure back to internal databases or post back to the internal mirth box.